Email Security Checklist: SPF, DKIM, DMARC and MFA Explained
Email is the front door to most small businesses — and the most common way they get compromised. This checklist covers the protections that matter most, in plain English.
Email authentication (stopping impersonation)
SPF, DKIM, and DMARC are DNS records that tell receiving mail servers which senders are allowed to use your domain and what to do with mail that fails the check: SPF lists the servers permitted to send for your domain, DKIM adds a signature on outgoing mail that receivers can verify, and DMARC sets the policy for mail that fails both. Without them, anyone can send email that appears to come from your business.
- SPF record exists and lists only your real sending services
- DKIM signing is enabled in your email platform
- DMARC record exists — start with monitoring (p=none), then move towards quarantine or reject
- Old or unused sending services removed from SPF
- Lookalike domain check performed for your business name
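The first four items above can be checked mechanically once you have the TXT records for your domain and `_dmarc.yourdomain`. The script below is an added example, not part of the original checklist: it runs the checks a receiver would apply against constructed sample records (a placeholder `example.com` with three `include:` services and a monitoring-only DMARC policy). In practice you would fetch the records first, for instance with `dig TXT example.com`, and feed them in.

```python
"""Check SPF and DMARC records for common checklist problems.

Added example. The records below are constructed for illustration;
example.com and the include: targets are placeholders, not real lookups.
"""
import re

# Constructed sample TXT records keyed by DNS name.
SAMPLE_DNS = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net "
        "include:oldcrm.example.net ~all",
        "some-unrelated-verification=abc123",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# RFC 7208 allows at most 10 DNS-querying mechanisms per SPF evaluation;
# more than that and receivers return a permanent error (permerror).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt_records):
    """Return the single SPF record; zero or multiple records are both errors."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one SPF record, found {len(spf)}")
    return spf[0]


def check_spf(record):
    """Return findings (strings) for one SPF record; empty list means it looks sane."""
    findings = []
    lookups = 0
    final_qualifier = None  # qualifier on the 'all' mechanism, if present
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        mechanism = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "all":
            final_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms exceeds the limit of 10 (permerror)")
    if final_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif final_qualifier == "+":
        findings.append("'+all' authorises every sender and defeats SPF")
    elif final_qualifier == "?":
        findings.append("'?all' is neutral; use ~all or -all")
    return findings


def spf_includes(record):
    """List the include: targets so each can be checked against services still in use."""
    return [t.split(":", 1)[1] for t in record.split() if t.lower().startswith("include:")]


def parse_dmarc(txt_records):
    """Return the DMARC record as a tag dictionary, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        raise ValueError(f"expected exactly one DMARC record, found {len(recs)}")
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(tags):
    """Return findings for a parsed DMARC record."""
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: the DMARC record is invalid")
    elif policy == "none":
        findings.append("p=none is monitoring only; plan the move to quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    return findings


def audit_domain(domain, dns=SAMPLE_DNS):
    """Run every check for one domain using the supplied TXT records."""
    spf = parse_spf(dns.get(domain, []))
    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    return {
        "spf_includes": spf_includes(spf),
        "spf_findings": check_spf(spf),
        "dmarc_policy": dmarc.get("p"),
        "dmarc_findings": check_dmarc(dmarc),
    }


if __name__ == "__main__":
    for key, value in audit_domain("example.com").items():
        print(f"{key}: {value}")
```

The `spf_includes` list is the part no script can finish for you: each entry is a service that may send as your domain, so anything you no longer pay for (the constructed `oldcrm.example.net` above) is a candidate for removal.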
Account protection
- MFA enforced on every mailbox, starting with owners, admins, and finance
- Admin accounts separated from daily-use accounts
- Unique passwords via a password manager
- Recovery phone/email on each account verified and current
- Former staff accounts disabled, not just 'unused'
Quiet compromise indicators
- Review mailbox forwarding rules — hidden auto-forwards are a classic post-compromise move
- Review third-party app access granted to mailboxes
- Check sign-in activity for unfamiliar locations
- Confirm no unexpected mailbox delegates exist
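Reviewing forwarding rules by eye works for a handful of mailboxes; beyond that it helps to put the rule export through a small filter. The script below is an added example, not part of the original checklist, and it works on a constructed, simplified rule shape rather than any mail platform's real export format (you would map your platform's export into these fields first). It flags the patterns that matter most after a compromise: forwarding to an address outside your own domain, forwarding combined with deletion, rules with near-empty names, and keyword filters on payment-related subjects. The `example.com` domain and every address in the sample rules are placeholders.

```python
"""Flag mailbox rules worth a human look.

Added example. The rule dictionaries are a constructed, simplified shape,
not a vendor export format; domains and addresses are placeholders.
"""
INTERNAL_DOMAINS = {"example.com"}  # replace with your own sending domain(s)

# Subject keywords that diverting rules commonly filter on, so the mailbox
# owner never sees the conversation the attacker is running.
SENSITIVE_KEYWORDS = {"invoice", "payment", "bank", "password", "wire", "remittance"}

SAMPLE_RULES = [  # constructed sample export
    {"mailbox": "finance@example.com", "name": ".", "enabled": True,
     "forward_to": ["review@mail-example.net"], "delete_message": True,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "owner@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete_message": False,
     "subject_contains": ["newsletter"]},
    {"mailbox": "owner@example.com", "name": "Copy to assistant", "enabled": True,
     "forward_to": ["assistant@example.com"], "delete_message": False,
     "subject_contains": []},
]


def is_external(address):
    """True when the address is outside the domains you control."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def review_rule(rule):
    """Return the reasons a rule deserves review; an empty list means nothing was flagged."""
    if not rule["enabled"]:
        return []
    reasons = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append(f"forwards to external address(es): {', '.join(external)}")
    if rule["forward_to"] and rule["delete_message"]:
        reasons.append("forwards and then deletes, so the owner never sees the message")
    if not rule["name"].strip(" .,-_"):
        reasons.append(f"near-empty rule name {rule['name']!r}, often used to hide a rule")
    hits = [k for k in rule["subject_contains"] if k.lower() in SENSITIVE_KEYWORDS]
    if hits and (rule["forward_to"] or rule["delete_message"]):
        reasons.append(f"filters on sensitive keywords {hits} and diverts matching mail")
    return reasons


def review_rules(rules):
    """Map mailbox -> list of (rule name, reasons) for every flagged rule."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged.setdefault(rule["mailbox"], []).append((rule["name"], reasons))
    return flagged


if __name__ == "__main__":
    for mailbox, rules in review_rules(SAMPLE_RULES).items():
        for name, reasons in rules:
            print(f"{mailbox}: rule {name!r}")
            for reason in reasons:
                print(f"  - {reason}")
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise; the internal copy to an assistant in the sample passes precisely because legitimate forwarding inside your own domain is common.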
General guidance only, drawn from practical experience and aligned with public Australian guidance from the ASD's Australian Cyber Security Centre (cyber.gov.au) and ACCC Scamwatch (scamwatch.gov.au). Check those sources for current official advice. This guide is not legal advice.