Red Sift’s definitive guide to email security
How secure are your emails?
The truth? Not very, particularly with the rise of AI-enhanced phishing and spoofing attacks that continue to evolve in 2026, costing companies millions.
Email security technologies come in many forms. But ultimately, all have a common set of goals: keeping the volume of spam emails down, detecting threats, and stopping them from reaching your inbox.
More often than not, these technologies work by looking for the most common traits of a malicious email - like a blacklisted IP address or a suspicious domain - and then blocking it from reaching your inbox. That approach breaks down against exact domain impersonation: an attacker sending a fraudulent email that carries your own domain in the sender address.
Apart from DMARC (more on that later!), email security measures are largely ineffective at spotting a malicious email that appears to come from a legitimate domain. Nothing about the sender address looks wrong, and without a published policy the receiving server has no instruction to treat the message with suspicion.
This is because of a flaw in Simple Mail Transfer Protocol (SMTP) - the internet standard for transmission of electronic messaging. In October 2008, the Network Working Group's RFC 5321 officially labelled it 'inherently insecure': anyone can impersonate a domain and use it to send fraudulent emails pretending to be the domain owner, because nothing in SMTP checks that the sender address belongs to the party actually sending the message. This weakness remains unchanged in 2026, which is why domain authentication has become a requirement rather than a recommendation.
Can anyone pretend to be you in an email?
Yes. SMTP lets a sender put any address in both the envelope sender (MAIL FROM) and the visible From: header, and the protocol verifies neither. Anyone with a very basic knowledge of coding can learn the steps required to impersonate someone's email identity; all it takes is a quick Google search. The result is an email that looks legitimate and doesn't have the typical indicators of a phishing attack, such as a suspicious email address. A recipient email server will then allow this email into an individual's inbox (if the right security measures are not in place), and it's hard for the recipient to see that the email is, in fact, a phishing attack using a spoofed domain.
What’s a spoofed domain?
A spoofed domain is a deceptive website or email address created to resemble a legitimate domain. There are various types of spoofing techniques, such as:
- Exact domain impersonation - when an attacker spoofs your exact domain only. For example, yourcompany.com
- Lookalike domain - when an attacker registers a domain that is so similar to the original domain, it makes it difficult to spot. This is also referred to as typosquatting. For example, yourc0mpany.com
- Subdomain spoofing - when an attacker sends mail from, or hosts a credential-harvesting page on, a subdomain of a legitimate domain that the owner has left unprotected (for example a forgotten subdomain with no authentication policy, or a dangling DNS record pointing at infrastructure the attacker can claim). For example, login.yourcompany.com
What is email phishing?
Email phishing is when an attacker or ‘bad actor’ sends fraudulent emails pretending to be from a reputable organization, with the purpose of getting the recipient to reveal sensitive information like bank details or personal data. Sometimes, phishing emails are sent with the intention of deploying malicious software to the victim’s infrastructure.
Phishing attacks continue to increase year over year. APWG's latest data shows that organizations face more sophisticated and frequent attacks in 2026 than ever before, with attackers leveraging automation and social engineering at scale.
What is social engineering?
A traditional phishing attack usually involves one fraudulent email being sent to multiple recipients. However, phishing attacks are becoming increasingly personalized thanks to the rise in social engineering, the practice of using psychological tactics to get victims to divulge sensitive information. There’s much more information readily available online, and attackers can use this to craft more specific and targeted attacks.

What is business email compromise (BEC) and how do you combat it?
Business Email Compromise (BEC) is an umbrella term that describes phishing attacks that target an organization by impersonating a trusted identity - usually by spoofing or imitating its domain, or by using a compromised account within it. While some phishing attacks focus on the consumer, bad actors know that there is much more to be gained by targeting an organization. The attacker relies heavily on Social Engineering and crafts a phishing email designed to look like one from someone inside the business (usually the CEO). The main aim of this type of attack is to steal money or sensitive data.
BEC attacks remain one of the most costly threats facing organizations in 2026. According to recent industry analysis, BEC (a type of Social Engineering attack) remains remarkably efficient and lucrative for cybercriminals, and continues to account for a large share of all Social Engineering incidents.
The types of attacks that come under the umbrella term Business Email Compromise include:
Ransomware
Ransomware is malicious software that encrypts files or locks down computer systems, demanding payment (a ransom) for their release. It is not a form of BEC in itself, but the phishing email that delivers it frequently relies on the same domain impersonation and social engineering.
CEO Fraud
When the attacker poses as the CEO or another senior executive and targets employees.
Invoice or Vendor Fraud
When the attacker tries to trick the recipient into paying an invoice or multiple invoices.
Data Theft
An attack targeting those with access to Personally Identifiable Information (PII), such as HR managers.
Account Compromise
Account compromise refers to unauthorized access to a user's account by a third party, often resulting in the theft of sensitive information or misuse of the account for malicious purposes.
Phishing attacks have varying levels of sophistication
It’s not surprising that many users are deceived by phishing emails. When done well, they can be almost impossible to spot. Organizations that experience phishing attacks haven’t necessarily done anything wrong, and the attacker doesn’t even need access to their systems to carry one out. But regardless, many governments and regulators consider organizations to have a responsibility to safeguard their customers against phishing attacks. So organizations that haven’t taken appropriate measures to safeguard their customers may be liable for a data breach - and penalties.
Over the last two decades, a series of email authentication protocols - SPF, DKIM and DMARC - have been introduced by industry leaders to try and improve email security, but email impersonation bypasses many of these when they are deployed without an enforced policy. By 2026, proper implementation of DMARC enforcement has become the standard defense against domain impersonation, with major inbox providers requiring it for bulk email senders.
Dive into the next chapter to gain a quick understanding of these protocols and what they protect against.
Frequently asked questions: Email security guide
Why can't most email security tools spot a spoofed domain?
All email security measures (apart from DMARC) are largely ineffective at spotting a malicious email when it appears to come from a legitimate domain. This is because of a flaw in Simple Mail Transfer Protocol (SMTP). In October 2008, the Network Working Group's RFC 5321 officially labelled it 'inherently insecure', stating that anyone could impersonate a domain and use it to send fraudulent emails pretending to be the domain owner.
Can anyone pretend to be me in an email?
Anyone with a very basic knowledge of coding can learn the steps required to impersonate someone's email identity through a quick Google search. The result is an email that looks legitimate without typical phishing indicators. With 3.4 billion phishing emails sent every day, email systems remain the prime target for cybercriminals.
What are SPF and DKIM, and why aren't they enough on their own?
SPF (Sender Policy Framework) lets a domain publish, in a DNS TXT record, the list of mail servers authorised to send on its behalf. A receiving server checks the connecting IP address against the SPF record of the envelope sender domain (the MAIL FROM / Return-Path address), not the From: address the recipient sees.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to the message, validated via a public key published in DNS under the signing domain (the d= tag), to confirm that the signed headers and body haven't been altered in transit and that the signing domain vouches for the message. Both are essential to email security, but neither prevents exact impersonation: an attacker can pass SPF for their own envelope domain and sign with their own DKIM key while still putting yourcompany.com in the From: header.
While the protocols tell the recipient which domain authenticated the message, the recipient has no instruction to act on this knowledge, and no requirement that the authenticated domain match the visible From: address. Major inbox providers now require SPF and DKIM for bulk email senders in 2026.
What is DMARC and how does it work?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an outbound email security protocol that allows domain owners to tell receiving servers how to treat emails that fail authentication. DMARC works by combining the results of SPF and DKIM and, crucially, requiring that at least one of them passes for a domain aligned with the From: address - the domain the recipient actually sees.
The DMARC policy (defined by the "p=" tag in the DNS TXT record at _dmarc.yourdomain) then tells recipient servers what to do with messages that fail: p=none to monitor only, p=quarantine to send them to spam, or p=reject to refuse them outright. At p=reject, DMARC stops exact domain impersonation by instructing recipient servers not to accept any emails from your domain that aren't authenticated and aligned. In 2026, DMARC has become a standard requirement for organisations sending bulk email.
What is the SPF 10 DNS lookup limit?
The SPF specification (RFC 7208) limits the number of DNS-querying mechanisms evaluated per check to 10. If your SPF record exceeds this, receivers return a permerror, which DMARC treats as an SPF failure. The mechanisms that count are: a, mx, ptr, include, exists and the redirect modifier; ip4, ip6 and all cost nothing. Nested includes count too: each include costs one lookup plus every counted mechanism in the record it pulls in. In reality, 10 lookups aren't enough because most businesses use multiple email-sending tools.
G Suite (Google Workspace) alone takes up 4 DNS lookups; add in HubSpot for marketing, which uses 7, and you're already over the limit. As soon as you go over 10 SPF lookups, your email traffic will begin to fail validation, and because each receiver handles permerror differently the failures look random. This is why organisations in 2026 are shifting to dynamic SPF management rather than trying to manually maintain flattened records.
What is MTA-STS?
Mail Transfer Agent Strict Transport Security (MTA-STS, RFC 8461) is a standard that lets a domain declare that its mail servers support TLS and that sending servers must not deliver to it over an unencrypted or unauthenticated connection. The domain publishes a DNS TXT record at _mta-sts.yourdomain and a policy file, fetched over HTTPS from https://mta-sts.yourdomain/.well-known/mta-sts.txt, listing the permitted MX hosts and a mode (testing or enforce). SMTP alone does not provide security, making it vulnerable to man-in-the-middle attacks where communication is intercepted and possibly changed.
Additionally, encryption is optional in SMTP, meaning emails can be sent in plaintext: STARTTLS is opportunistic, so an attacker on the path can strip the STARTTLS offer or present a bogus certificate and force the message to be sent in the clear (a downgrade attack). With MTA-STS in enforce mode, the sending server refuses to deliver unless the connection uses valid TLS to an MX host named in the policy. In 2026, MTA-STS has become a standard security control for organisations handling sensitive communications.
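The policy mechanics, as an added example written for this guide (not code from Red Sift or from any MTA): it parses the DNS TXT record and the policy file and then makes the enforce-versus-testing decision for one MX candidate. The record, policy file, hostnames and policy id are constructed; whether TLS validated is passed in as a boolean, since the actual STARTTLS handshake and certificate check happen in the MTA.

```python
"""Added example (not code from the guide): parsing an MTA-STS DNS record and
policy file, and deciding whether a sender may deliver to a given MX host.
The record, policy, hostnames and policy id are constructed for illustration."""

# Constructed: what a sender would find at _mta-sts.yourcompany.com (TXT) ...
STS_TXT = "v=STSv1; id=20260101T000000Z"
# ... and at https://mta-sts.yourcompany.com/.well-known/mta-sts.txt
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.yourcompany.com
mx: *.mx.yourcompany.com
max_age: 604800
"""


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the DNS TXT record. Senders cache the HTTPS
    policy for max_age and refetch it when this id changes."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("v") != "STSv1" or "id" not in tags:
        raise ValueError("not an MTA-STS record: " + txt)
    return tags["id"]


def parse_policy(text: str) -> dict:
    """Parse the 'key: value' policy file into a dict with an 'mx' list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: a leading '*.' matches exactly one leftmost label."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. '.mx.yourcompany.com'
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern


def may_deliver(policy: dict, mx_host: str, tls_valid: bool):
    """(deliver?, reason) for one MX candidate. tls_valid means STARTTLS
    succeeded with a certificate that validates for mx_host."""
    in_policy = any(mx_matches(p, mx_host) for p in policy["mx"])
    if in_policy and tls_valid:
        return True, "deliver"
    reason = "tls failed" if in_policy else "no matching mx"
    if policy["mode"] == "enforce":
        return False, reason  # sender must try another MX or queue the mail
    return True, "deliver (" + policy["mode"] + " mode, failure recorded)"


if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    print(parse_sts_txt(STS_TXT), policy)
    # A downgrade: the MX name is right but the TLS handshake was stripped.
    print(may_deliver(policy, "mail.yourcompany.com", tls_valid=False))
    # A wrong MX injected via spoofed DNS, even with a valid certificate for it.
    print(may_deliver(policy, "mx.attacker.example", tls_valid=True))
```

Both failing cases are exactly what plain opportunistic STARTTLS lets through; in testing mode the same checks run but delivery proceeds, which is how you roll MTA-STS out without losing mail while you confirm every MX host presents a valid certificate.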
What are the benefits of implementing DMARC?
By implementing DMARC you benefit from stopping phishing attempts that appear to come from you, stronger customer trust, reduced cyber risk and compliance with bulk sender requirements from Google, Yahoo and Microsoft.
DMARC strengthens compliance with PCI DSS 4.0 and enhances overall organisational resilience against evolving cyber threats. Once at p=reject (enforcement), DMARC blocks vendor fraud, account takeovers, and email spoofing by stopping bad actors from using your domain to send phishing emails and carry out Business Email Compromise (BEC). According to Verizon's 2025 Data Breach Investigations Report, BEC attacks account for 17-22% of all Social Engineering incidents.
How does Red Sift OnDMARC help?
Red Sift OnDMARC accelerates the DMARC journey with automated sender discovery, prescriptive fixes, anomaly detection, and role-based access for global teams. By 2026, leading platforms enable enterprises to reach p=reject enforcement in 6-8 weeks rather than the six-month timelines once typical.
One of the most commonly reported benefits of OnDMARC is an average time of 6-8 weeks to reach full enforcement. The platform's automation continuously analyses what's going on across your domain, surfacing alerts for where and how to make necessary changes. Within 24 hours of adding your unique DMARC record to DNS, OnDMARC begins to analyse and display DMARC reports in clear dashboards.
Is DMARC mandatory?
Major email providers including Microsoft, Google, and Yahoo now mandate DMARC for bulk senders (organisations sending 5,000+ emails per day) as of 2024-2025, and these requirements have become standard in 2026.
Beyond inbox provider requirements, certain industries and government regulations are moving toward mandating DMARC. U.S. federal agencies are required to use DMARC, as are DORA-regulated payment processors. Additionally, DMARC implementation strengthens compliance with regulations including PCI DSS 4.0, GDPR, and NIS2. For cybersecurity, email security and IT teams, ensuring your organisation's email security aligns with international best practices and requirements is essential.