Email Security: Phishing, Spoofing, Encryption & TLS

Email security protects two things: your recipients from criminals impersonating you, and your messages from being read or tampered with in transit. Email was not designed with security built in, so it is bolted on through authentication, encryption and a set of defensive standards. This hub explains how email security works in practical, standards-based terms — no fear-mongering, just what to configure and why.

The core threats and defenses

  • Spoofing & phishing — attackers send mail that appears to come from your domain. The defense is authentication: SPF, DKIM and especially DMARC at enforcement (p=reject) stop spoofers from using your domain.
  • Email encryption in transitTLS encrypts the connection between mail servers; MTA-STS and TLS-RPT enforce and report on it so messages cannot be silently downgraded to plaintext.
  • End-to-end encryptionS/MIME and PGP encrypt message contents so only the intended recipient can read them, for sensitive correspondence.
  • Brand protectionBIMI displays your verified logo on authenticated mail, helping recipients distinguish real messages from imposters.

Security and deliverability are the same project

The measures that secure your domain are the same ones that get you into the inbox. DMARC at enforcement stops spoofing and signals trust to mailbox providers; TLS and proper authentication are increasingly required to deliver at all. Configure the standards once in our authentication hub and you improve both security and deliverability together.

Start here

Dig into the three threats every organisation needs to address — each guide pairs the standards above with a practical defence plan:

For end-to-end confidentiality, go deeper with our dedicated encryption guides: S/MIME email encryption (the certificate-based standard built into Outlook and Apple Mail), PGP email encryption (the free, decentralised web-of-trust alternative), and our head-to-head S/MIME vs PGP comparison to choose between them.

Browse all email security articles →

Continue across the platform

ToolTrusted covers the whole email stack. Wherever you go next, it connects back here:

  • The ToolTrusted Platform — continuous monitoring, incidents, analytics, recommendations, benchmarking and automation.
  • How It Works — the whole Email Health journey — check, report, save, track and monitor.
  • Email Health Check — score your domain out of 100 across authentication, infrastructure, security and reputation.
  • Research & Benchmarks — original data on SPF, DKIM and DMARC across 10,000 domains.
  • Email Deliverability — reputation, warm-up, blacklists and inbox placement.
  • Email Authentication — SPF, DKIM, DMARC, BIMI and the full DNS stack.
  • SMTP Services — SES, Mailgun, Postmark and more, ranked on deliverability.
  • Email Verification — list cleaning and inbox-placement testing tools.
  • Email APIs — transactional and marketing APIs for developers.
  • Email Marketing — hands-on platform reviews, comparisons and best-of roundups.

Frequently asked questions

How do I stop criminals from spoofing my domain?

Publish SPF and DKIM, then deploy DMARC and move it to p=reject once you have confirmed all your legitimate mail passes. A DMARC policy at enforcement tells mailbox providers to reject mail that fails authentication — which is exactly what a spoofed message does. This is the single most effective anti-spoofing measure available.

Is email encrypted by default?

Most mail today travels over TLS-encrypted connections between servers, but TLS is opportunistic — it can be downgraded to plaintext without warning. MTA-STS closes that gap by requiring encryption for your domain. For true end-to-end confidentiality of message contents, you need S/MIME or PGP, which encrypt the message itself rather than just the connection.