How to Protect Your Company Email from Phishing: A Practical Guide
Phishing is consistently reported as the leading initial attack vector against businesses: most breach studies trace the large majority of incidents back to a phishing email. The good news: effective defense does not require an enterprise-grade budget. Here is a practical, layered approach that works for businesses of any size.
Layer 1: DNS authentication (free, 30 minutes)
Before anything else, make sure your domain has proper email authentication. This stops attackers from sending mail that claims to come from your exact domain (lookalike domains such as yourdomain-billing.com are a separate problem, handled by the layers below).
SPF (Sender Policy Framework)
A DNS TXT record that lists which servers are allowed to send email for your domain. Receiving servers look up the record for the envelope sender domain (the Return-Path, not the visible From header) and check the connecting IP against it; any server not on the list fails the SPF check.
v=spf1 include:_spf.google.com include:_spf.cleanbox.to -all
The -all at the end means "reject everything not explicitly authorized." Use this instead of ~all (soft fail) for maximum protection, but only after every legitimate sender (CRM, ticketing system, newsletter tool, invoicing software) is in the record; otherwise you will block your own mail. Also keep the record within the limit of 10 DNS-querying terms (include, a, mx, and so on), or receivers treat it as a permanent error.
DKIM (DomainKeys Identified Mail)
A cryptographic signature added to outgoing emails with a private key held by your mail provider. Receiving servers fetch the matching public key from DNS (at selector._domainkey.yourdomain.com) and verify the signature, which confirms both that the signed headers and body were not modified in transit and that the signer controls the domain. Your email provider (Google Workspace, Microsoft 365, etc.) handles the signing; you add the public key record to DNS.
DMARC (Domain-based Message Authentication)
Tells receiving servers what to do when a message fails both SPF and DKIM, or passes them only for a domain that does not match the visible From header: none (deliver and report), quarantine (put in spam), or reject (bounce it). It is published as a TXT record at _dmarc.yourdomain.com. Start in monitoring mode so the aggregate reports (rua) reveal legitimate senders you forgot to authorize:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Once the reports show only authorized sources, move to reject:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
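To make the SPF and DMARC checks concrete, here is an added Python example (not code from this guide or from Cleanbox) that evaluates an SPF record for a given sending IP, resolving include chains and enforcing the 10-lookup limit, and reviews a DMARC policy the way an admin reading the record would. DNS is replaced by a constructed in-memory zone so it runs offline; the domain names, addresses and records are made up for the example, and only the ip4, ip6, include and all mechanisms are modelled.

```python
"""Offline SPF evaluation and DMARC policy review.

Added example, not Cleanbox code. Real DNS is replaced by the constructed
ZONE dict below; the domains, addresses and records are invented for the
demonstration. Only ip4, ip6, include and all are handled; any other
mechanism (a, mx, exists, ptr) is reported as permerror.
"""
import ipaddress

# Constructed sample records (not real DNS data).
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:_spf.cleanbox.to -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.cleanbox.to": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "_dmarc.soft.example": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_spf(ip, domain, _state=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    state = _state if _state is not None else {"lookups": 0}
    record = ZONE.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]  # -all => fail, ~all => softfail
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_spf(ip, arg, state)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("permerror", "none"):
                return "permerror"  # included domain has no usable record
            # fail/softfail/neutral inside an include: keep evaluating
        else:
            return "permerror"  # mechanism not modelled in this example
    return "neutral"  # record ended without an "all" term


def parse_dmarc(domain):
    """Return the DMARC tags for domain as a dict, or None if none is published."""
    record = ZONE.get("_dmarc." + domain)
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_findings(domain):
    """Plain-language review of the policy, as an admin would read it."""
    tags = parse_dmarc(domain)
    if tags is None:
        return ["no DMARC policy: receivers cannot be told to reject spoofed mail"]
    out = []
    if tags["p"] == "none":
        out.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        out.append("no rua: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        out.append("pct<100: policy applies to only part of the mail stream")
    return out or ["policy enforces " + tags["p"] + " with reporting enabled"]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example.com"))
    print(dmarc_findings("example.com"))
    print(dmarc_findings("soft.example"))
```

Run against the constructed zone, an address inside the Google range passes via the first include, the Cleanbox relay address passes via the second, and anything else hits -all and fails; the self-including loop.example record trips the lookup limit and returns permerror, which is the same outcome a real receiver reports for an overlong include chain. The DMARC review flags p=none and a missing rua, the two gaps most often left behind after a "monitor first" rollout.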
For a deep dive, see The Complete Guide to Email Authentication and our helpdesk article on SPF, DKIM, and DMARC.
Layer 2: Inbound email filtering
DNS authentication stops spoofing of your domain. But most phishing comes from other domains. You need inbound filtering to catch it.
Provider-level filtering
Google Workspace and Microsoft 365 include decent spam and phishing filters. Make sure they are enabled and configured:
- Google Workspace: Admin Console → Apps → Gmail → Safety → enable all phishing protections
- Microsoft 365: Security → Policies → Anti-phishing → enable impersonation protection
Pre-delivery relay filtering
For an additional layer, route your email through a filtering service before it reaches your mail server. Cleanbox Relay does this: change your MX records to point to Cleanbox, and every inbound email passes through spam scoring, virus scanning (ClamAV), IP blacklist checking, and your custom filter rules before delivery.
This catches threats that your email provider's filter misses, because the two systems use different detection methods. Layered filtering means a phishing email has to evade both systems to reach a user.
Layer 3: Employee training (ongoing)
Technology catches most phishing. Humans catch the rest. Train your team to recognize:
- Urgency and pressure — "Your account will be closed in 24 hours"
- Mismatched URLs — Hover over links before clicking. Does the domain match the claimed sender?
- Unexpected attachments — Especially archives (.zip, .iso), executables and shortcuts (.exe, .lnk), and macro-enabled Office files (.docm, .xlsm)
- Requests for credentials — No legitimate service asks for your password via email
- CEO fraud / BEC — "This is urgent, wire $50,000 to this account" from a spoofed executive address
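The "mismatched URLs" item above is the one check that can be automated for a whole message. Here is an added Python example (not from this guide or Cleanbox) that does what a careful reader does when hovering: for every link in a message body it compares the real destination with the claimed sender domain, with the link text when that text looks like a URL, and flags the common tricks (sender domain used as a subdomain or prefix, userinfo before @, bare IP addresses, punycode labels). The HTML snippet, sender domain and link targets are constructed for the example; the registrable-domain logic assumes a two-label suffix and would need a public-suffix list for real use (example.co.uk would be mis-grouped).

```python
"""Flag links whose real destination does not match the claimed sender.

Added example, not Cleanbox code. Implements the "hover over the link"
check from the training list for every link in a message body. The
registrable domain is approximated as the last two host labels, an
assumption that breaks for suffixes like co.uk without a public-suffix list.
"""
import re
from urllib.parse import urlsplit

# Anchor tags with an href attribute and their visible text (simple regex parser).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Approximate registrable domain: last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(url, claimed_sender_domain):
    """Return the reasons a link looks wrong for this sender; empty means it matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    claimed = claimed_sender_domain.lower()
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homograph of a real brand")
    if registrable_domain(host) != registrable_domain(claimed):
        reasons.append(f"link domain {registrable_domain(host)} != sender domain {claimed}")
    if claimed in host and registrable_domain(host) != claimed:
        reasons.append("sender domain appears only as a subdomain or prefix")
    return reasons


def scan_html(html, claimed_sender_domain):
    """Check every link in a message body; returns {href: [reasons]}."""
    results = {}
    for href, text in ANCHOR.findall(html):
        reasons = link_findings(href, claimed_sender_domain)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "://" in shown or shown.startswith("www."):
            # Link text looks like a URL: does it name the same host as the href?
            shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
            real_host = urlsplit(href).hostname or ""
            if shown_host.lower() != real_host.lower():
                reasons.append(f"link text shows {shown_host} but goes to {real_host}")
        results[href] = reasons
    return results


# Constructed sample message (not a real phishing email).
SAMPLE_HTML = """
<p>Your account will be closed in 24 hours.</p>
<a href="https://paypal.com.account-verify.example/login">Verify now</a>
<a href="https://evil.example/x">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML, "paypal.com").items():
        print(href, "->", reasons or ["ok"])
```

Of the three constructed links, the first is flagged because paypal.com is only a prefix of a different registrable domain, the second because the visible text names one host while the href goes to another, and the third (a real subdomain of the sender) passes. Link text that is not a URL ("Verify now") cannot be compared, which is exactly why the training advice is to hover and read the destination rather than trust the label.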
See The Anatomy of a Phishing Email for visual examples and a detailed checklist. Share it with your team.
Layer 4: Technical controls
- Multi-factor authentication (MFA) on all accounts — Even if credentials are phished, the attacker cannot log in without the second factor. Note that phishing kits which proxy the real login page can relay one-time codes and push approvals in real time, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) where the service supports them
- Separate aliases per department — Use sales@, support@, billing@ aliases rather than exposing personal addresses
- Limit who can receive external email — Internal-only accounts do not need to receive from outside the organization
- Disable auto-loading of remote images — Prevents tracking pixels and reduces phishing effectiveness
The stack in summary
| Layer | What it does | Cost |
|---|---|---|
| SPF + DKIM + DMARC | Prevents spoofing of your domain | Free |
| Provider spam filter | Catches most inbound phishing | Included in email plan |
| Pre-delivery relay filter | Additional detection layer | From $35/mo (Cleanbox Advanced) |
| Employee training | Catches what technology misses | Free (internal) or paid training tools |
| MFA everywhere | Limits damage when credentials are stolen | Free (authenticator apps) |
No single layer is sufficient. The combination is what makes your business resilient to phishing.