SecureMyEmails Check your domain →

Is Your Business Email Secure? Find Out With SecureMyEmails.com

Published April 1, 2026

What "Secure Email" Actually Means

When we say a business email isn't secure, we don't mean someone has broken into your inbox. We mean something quieter, and in some ways more dangerous. Your domain can be used to send email that looks exactly like it's from you, without anyone ever touching your password.

The technical term is email spoofing. The practical consequence is that your clients, suppliers, and prospects can receive convincing fraudulent emails purporting to come from your domain, asking them to update payment details, click a link, or confirm information, and there's nothing stopping it unless you've configured three specific DNS records: SPF, DKIM, and DMARC.

The uncomfortable truth: If you've never deliberately configured DMARC enforcement on your domain, your domain is almost certainly open to impersonation right now. This is true regardless of how good your Microsoft 365 subscription is, how strong your passwords are, or how recently you ran a security audit.

Why "IT Has Sorted It" Is Usually Wrong

The most common thing business owners tell us when we raise email security is: "Our IT team handles that." Often they're right, but right about a different problem. IT teams are typically focused on inbox security: spam filtering, MFA, endpoint protection. Email authentication is a separate configuration, done on your domain's DNS records, and it frequently gets missed.

The giveaway is DMARC. SPF is usually in place because many email platforms prompt you to add it during setup. DKIM is often configured too, for the same reason. But DMARC, the record that actually enforces what happens when an email fails authentication, is missing or set to monitoring-only (p=none) on the majority of small business domains we check.

A DMARC record set to p=none does nothing to stop spoofing. It's monitoring with no action. Your domain remains fully impersonatable.

The Three Things That Are Most Commonly Missing

When a business runs the SecureMyEmails check for the first time, the most frequent gaps we see, in order of severity:

  1. DMARC missing or set to p=none. Either no DMARC record at all, or a DMARC record that monitors without enforcing. This is the highest-impact gap: without DMARC enforcement, your domain can be spoofed regardless of SPF or DKIM.
  2. DKIM not configured. Emails from your domain aren't cryptographically signed. Receivers can't verify the message came from your systems or wasn't tampered with in transit.
  3. SPF too permissive or outdated. The SPF record exists, but it lists mail servers that are no longer in use, or uses +all which allows any server to send as your domain, the opposite of what you want.

What I See When Businesses First Check

The businesses that surprise me most are the ones with competent IT support and a fully-managed Microsoft 365 environment, and still no DMARC enforcement. They've done the sensible things: MFA is on, there's a helpdesk, they have an AV product. But email authentication is a DNS configuration that lives outside Microsoft 365 itself, and it often doesn't get touched unless someone specifically goes looking for it.

The 60-second check below shows you exactly where you stand. The result isn't a generic pass/fail. It's a score and a specific list of what's missing, in plain English, in the order it matters. That's the starting point for a sensible conversation with your IT team.

What You Can Do Right Now

Run the free check. It reads your domain's public DNS records, no access to your systems required, and gives you a score alongside a plain-English breakdown of what's in place and what's missing. It takes 60 seconds, and the result tells you whether there's a problem worth addressing.

If there is, you have two options: share the results with your IT team and ask them to action the specific fixes listed, or book a free 20-minute call to go through them together and build a prioritised action list.

Email security doesn't require a project or a budget. It requires someone to make three DNS record changes and confirm they're working. The check tells you whether that's happened.

Ready to Check Your Email Security?

Get your security score and action plan in 60 seconds. No credit card required.

Run the Security Check

Originally published on: Good Choice IT

This article is republished with permission from Good Choice IT, with a canonical link preserving SEO credit to the original source.