
Building an Email Security Stack for Small Businesses in 2026

Enterprise companies spend six figures on email security. Small businesses spend nothing and hope Gmail catches everything. The right answer is somewhere in between — and costs less than you think.

The five layers

Effective email security is not one product. It is layers that complement each other, so a threat has to evade every layer to reach a human.

Layer 1: DNS authentication (free)

Set up SPF, DKIM, and DMARC on your domain. This is free, takes 30 minutes, and stops the most common form of email fraud: domain spoofing. Without these, anyone can send email that appears to come from your domain.

Action items:

  • Publish an SPF record listing your authorized senders
  • Enable DKIM signing through your email provider
  • Publish a DMARC record starting with p=quarantine and moving to p=reject once you are confident
  • Monitor DMARC reports to catch misconfigured services

See The Complete Guide to Email Authentication for detailed instructions.
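
The checks behind the action items above, as an added example that is not part of the original article or Cleanbox's own code: it audits SPF and DMARC TXT records that have already been fetched from DNS and reports the weak settings the list warns about. The domain example.com and the records in SAMPLE_TXT are constructed, and DKIM is left out because checking it needs the provider-specific selector name.

```python
import re

# Constructed sample TXT records for the placeholder domain example.com.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; pct=50"],
}
# SPF terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"SPF: expected exactly 1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term, unlisted senders are not failed")
    elif alls and alls[0][0] in "+a":  # "+all" and bare "all" both mean pass
        findings.append("SPF: +all authorizes every sender")
    elif alls and alls[0][0] == "?":
        findings.append("SPF: ?all is neutral and gives no protection")
    # Top-level count only: nested includes add more, so this is a lower bound.
    lookups = sum(re.split(r"[:/=]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10")
    return findings


def audit_dmarc(txts):
    recs = [t for t in txts if t.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"DMARC: expected exactly 1 record, found {len(recs)}"]
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} leaves spoofed mail deliverable")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to monitor")
    return findings


def audit(domain, txt=SAMPLE_TXT):
    """Findings for a domain; txt maps DNS names to their TXT strings."""
    return audit_spf(txt.get(domain, [])) + audit_dmarc(txt.get(f"_dmarc.{domain}", []))
```

An empty list from `audit()` means none of these checks fired; it does not confirm that every legitimate sending service is listed, which is what the DMARC aggregate reports are for.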

Layer 2: Email provider security (included)

Google Workspace and Microsoft 365 include robust spam and phishing filters. Make sure the security features are actually enabled:

  • Google Workspace: Admin Console → Apps → Gmail → Safety. Enable all phishing and spoofing protections. Set the spam filter to "aggressive" for high-risk groups.
  • Microsoft 365: Security Center → Email & Collaboration → Policies. Enable anti-phishing, safe attachments, and safe links.

Layer 3: Pre-delivery filtering ($35/mo+)

An MX relay service adds a second set of eyes before email reaches your provider. This catches threats that your provider's filter misses because the two systems use different detection engines and different threat intelligence.

Cleanbox Relay provides:

  • Rspamd spam scoring with crowd-sourced sender reputation
  • ClamAV virus scanning
  • IP blacklist checking (Spamhaus, Barracuda, SpamCop)
  • Per-address spam thresholds and quarantine
  • Custom filter rules

The Advanced plan ($35/mo) includes 20 relay accounts. For a 10-person company, that is $3.50 per mailbox per month.

Layer 4: Account security (free - $3/mo)

Email security means nothing if account credentials are compromised:

  • Multi-factor authentication (MFA) on every account. Use authenticator apps (Google Authenticator, Authy), not SMS. This is the single most impactful security measure you can take.
  • Password manager for the team. Bitwarden Teams ($4/user/mo) or 1Password Business ($8/user/mo). Eliminates password reuse, the most common cause of account compromise.
  • SSO (Single Sign-On) if your provider supports it. Centralizes authentication and makes offboarding immediate.

Layer 5: Human awareness (ongoing)

Technology catches 99.9% of threats. The remaining 0.1% targets humans. Establish a security culture:

  • Share the phishing identification checklist with every team member
  • Create a reporting channel — "If you are not sure, forward it to security@" with no blame for false alarms
  • Review the quarterly DMARC reports for anomalies
  • Simulate phishing occasionally (services like KnowBe4 or Gophish)

The complete stack with costs

Layer                 Tool                       Monthly cost (10-person team)
DNS authentication    Your DNS provider          $0
Email provider        Google Workspace / M365    $60-120 (already paying this)
Pre-delivery relay    Cleanbox Advanced          $35
Password manager      Bitwarden Teams            $40
MFA                   Authenticator app          $0
Phishing simulation   Gophish (self-hosted)      $0
Total additional                                 $75/mo

$75/month for a 10-person team is $7.50 per employee. The average cost of a successful phishing attack on a small business is $25,000-100,000 (lost funds, remediation, downtime, reputation damage). This is not a cost question. It is a risk management question.

Quick wins (do these today)

  1. Check your SPF, DKIM, and DMARC records at learndmarc.com
  2. Enable MFA on every account that supports it
  3. Verify that your email provider's security settings are actually turned on
  4. Share the phishing checklist with your team

These four steps take less than an hour and eliminate the majority of email-based threats. Everything else is refinement.
