Email remains the number one attack route used by cyber criminals. According to the UK Government’s Cyber Security Breaches Survey 2024, 79 per cent of medium-sized businesses and 88 per cent of large businesses identified phishing attacks in the past year.  

The data clearly shows that email security isn’t simply an IT problem; it poses a serious business risk.  

As cyber attacks grow in sophistication, your team is on the front line of defence. It used to be enough to warn colleagues “don’t click that dodgy link”, but deception methods are now far more complex and the advice has to go much deeper.  

We have produced our 2025 update on email security best practices for UK SMEs looking to reduce risk, stay compliant and empower growth. 

1. Implement AI-Driven Email Filtering 

Traditional spam filters are no longer enough. Today’s threats are smart, targeted and often indistinguishable from legitimate communications.  

Modern email filtering tools use AI and machine learning and can detect:  

  • Business Email Compromise (BEC)  
  • Language anomalies in phishing attempts  
  • Brand impersonation and social engineering  

Look for a solution that can evolve with emerging threats and gives you clear visibility and control over every detail. Prioritise platforms that integrate well with your existing systems and offer real-time insights. 

2. Enforce Email Authentication Protocols (SPF, DKIM, DMARC) 

If you’re not enforcing email authentication, you are making it easy for attackers to send fake emails that appear to come from your domain. 

  • SPF (Sender Policy Framework) checks whether an email was sent from an IP address authorised for your domain.  
  • DKIM (DomainKeys Identified Mail) ensures the message content hasn’t been altered in transit.  
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) ties them together and provides insight into spoofing attempts.  

Don’t forget your Domain Name System (DNS).  

Your email authentication lives in your DNS records and, like any technical setup, it needs reviewing regularly. It’s not uncommon for a business to change providers, decommission websites or move to new marketing tools but forget to update its SPF or DKIM records.  

Review your DNS at least quarterly to:  

  • Remove obsolete mail servers or platforms  
  • Ensure only current services are authorised  
  • Validate that your DMARC policy is enforcing what you want it to  

If you’re not keeping your DNS clean, you are seriously undermining all your email security efforts. 
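As an added illustration of the quarterly DNS review above (example code written for this article, not an Edge IT tool), the following Python script audits a constructed SPF record and DMARC record for a placeholder domain: it flags include: entries for services you no longer use, records that exceed the 10-DNS-lookup limit, a permissive +all, and a DMARC policy still at p=none. The TXT records, domain names and the CURRENT_SERVICES set are all constructed assumptions; in practice you would populate them from a real DNS lookup and your current supplier list.

```python
import re

# Constructed sample TXT records standing in for a real DNS lookup (placeholder domain).
TXT_RECORDS = {
    "example.co.uk": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
                      "include:oldmarketingtool.example ip4:203.0.113.10 ~all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"],
}
# Services the business still sends through (assumed); any other include: is a removal candidate.
CURRENT_SERVICES = {"_spf.google.com", "spf.protection.outlook.com"}
# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.I)

def audit_spf(record, current_services):
    """Return a list of findings for one SPF record (record must start with v=spf1)."""
    mechs = record.split()
    findings = []
    for m in mechs[1:]:
        if m.lower().startswith("include:") and m.split(":", 1)[1] not in current_services:
            findings.append(f"SPF still authorises an unrecognised service: {m.split(':', 1)[1]}")
    lookups = sum(1 for m in mechs[1:] if LOOKUP_MECH.match(m))
    if lookups > 10:  # receivers return permerror above the limit, so SPF silently stops working
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10)")
    last = mechs[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all, which authorises any sender")
    elif not last.endswith("all"):
        findings.append("SPF has no 'all' mechanism to close the list")
    return findings

def audit_dmarc(record):
    """Return findings for one DMARC record; p=none only reports, it does not enforce."""
    tags = {k.strip().lower(): v.strip() for k, v in (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    if tags.get("v") != "DMARC1":
        return ["No valid DMARC record at _dmarc"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofing is reported but not quarantined or rejected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you receive no aggregate reports")
    return findings

def audit_domain(domain, txt_records=TXT_RECORDS, current_services=CURRENT_SERVICES):
    """Audit SPF (at the domain) and DMARC (at _dmarc.domain) and return all findings."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    findings = [] if len(spf) == 1 else [f"Expected one SPF record, found {len(spf)}"]
    for r in spf:
        findings += audit_spf(r, current_services)
    dmarc = txt_records.get("_dmarc." + domain, [])
    findings += audit_dmarc(dmarc[0]) if dmarc else ["No DMARC record published"]
    return findings
```

Run audit_domain("example.co.uk") against the constructed records and it reports the stale marketing include and the unenforced DMARC policy; swap in the output of a real TXT lookup to audit your own domain.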

3. Enable Multi-Factor Authentication (MFA) for Email Accounts 

Even the best email filtering can’t help you if your credentials are stolen. 

By combining something you know (like a password) with something you have (like a smartphone), MFA significantly reduces the risk of unauthorised access, even if a password is stolen. It’s one of the most effective ways to protect against phishing, credential theft and other common cyber threats. 

According to Microsoft, MFA stops over 99 per cent of credential-based attacks. It’s simple, effective and should be non-negotiable for all users, especially leadership and finance teams. 

4. Deploy Email Encryption 

When sensitive data is emailed, like client details, contracts, personal records and so on, encryption is essential.  

Using end-to-end encryption or tools like Microsoft Purview Message Encryption (formerly Azure Information Protection) will help secure the data. 

5. Regularly Train Your Team (And Make It Relevant) 

People remain the biggest risk to your business’s security, but also offer the biggest opportunity.  

Carrying out modern phishing simulations, combined with engaging, bite-sized training, can dramatically reduce the risks of someone clicking on something they shouldn’t.  

Focus on:  

  • Real-world scenarios tailored to job roles  
  • Training finance and HR departments more frequently  
  • Monthly or quarterly refreshers (not once-a-year tick-boxing) 

6. Implement Outbound Data Loss Prevention (DLP) 

Preventing outbound mistakes, like sending confidential data to the wrong client, should be a core part of your email security policy.  

DLP tools can:  

  • Block sensitive data from leaving your organisation  
  • Alert users in real time so they think twice  
  • Help meet GDPR and industry compliance 

7. Use Conditional Access Policies 

Not every email access request should be treated equally.  

Set conditional access rules that take into account:  

  • Location (e.g. only allow UK IPs)  
  • Device health (e.g. must be compliant)  
  • User risk level (flagged logins = blocked access)  

This will drastically reduce exposure to risks without limiting productivity. 

8. Review Email Logs and Alerts Weekly

Email security is not something you can just “set and forget”. Consider appointing someone to review:  

  • Blocked phishing attempts  
  • Unusual login locations  
  • Authentication failures  

Automation can help, but having someone take responsibility for looking over this is key. 
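The following Python script, added here as an example and not part of the article or Edge IT’s tooling, shows what a weekly review of the second and third items above can look like when partly automated: it reads a constructed sign-in log, flags successful sign-ins from countries outside each user’s baseline, and reports bursts of authentication failures, including a success from the same address after a burst. Users, IP addresses, the baseline and the threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample sign-in log (placeholder users, RFC 5737 documentation addresses).
# Columns: timestamp,user,source_ip,country,result
SIGNIN_LOG = """\
2025-03-03T08:02:11Z,amy@example.co.uk,198.51.100.20,GB,success
2025-03-03T08:05:40Z,ben@example.co.uk,198.51.100.21,GB,success
2025-03-04T22:15:03Z,ben@example.co.uk,203.0.113.77,US,failure
2025-03-04T22:15:09Z,ben@example.co.uk,203.0.113.77,US,failure
2025-03-04T22:15:16Z,ben@example.co.uk,203.0.113.77,US,failure
2025-03-04T22:15:22Z,ben@example.co.uk,203.0.113.77,US,failure
2025-03-04T22:15:30Z,ben@example.co.uk,203.0.113.77,US,failure
2025-03-04T22:17:03Z,ben@example.co.uk,203.0.113.77,US,success
2025-03-05T09:00:02Z,cat@example.co.uk,198.51.100.22,GB,success
"""
# Countries each user normally signs in from (constructed baseline; derive yours from earlier months).
BASELINE = {"amy@example.co.uk": {"GB"}, "ben@example.co.uk": {"GB"}, "cat@example.co.uk": {"GB"}}
FAILURE_THRESHOLD = 5  # assumed cut-off for "worth a human look"

def parse_log(text):
    """Turn the CSV-style lines into dicts keyed by the column names above."""
    keys = ("ts", "user", "ip", "country", "result")
    return [dict(zip(keys, line.split(","))) for line in text.splitlines() if line]

def weekly_review(rows, baseline, threshold=FAILURE_THRESHOLD):
    """Return the findings a weekly reviewer should look at, grouped by the article's categories."""
    findings = {"unusual_location": [], "auth_failures": []}
    failures = Counter()  # (user, ip) -> number of failed sign-ins
    for r in rows:
        if r["result"] == "failure":
            failures[(r["user"], r["ip"])] += 1
    for r in rows:
        if r["result"] != "success":
            continue
        # A successful sign-in from a country the user has never used before.
        if r["country"] not in baseline.get(r["user"], set()):
            findings["unusual_location"].append(
                f'{r["user"]} signed in from {r["country"]} ({r["ip"]}) at {r["ts"]}')
        # A success from an address that had just been failing repeatedly for the same user.
        if failures[(r["user"], r["ip"])] >= threshold:
            findings["auth_failures"].append(
                f'{r["user"]}: success from {r["ip"]} after {failures[(r["user"], r["ip"])]} failures')
    for (user, ip), n in failures.items():
        if n >= threshold:
            findings["auth_failures"].append(f"{n} failed sign-ins for {user} from {ip}")
    return findings
```

Calling weekly_review(parse_log(SIGNIN_LOG), BASELINE) on the constructed log surfaces ben’s US sign-in and the burst of failures that preceded it, which is exactly the kind of item the weekly reviewer should follow up with the user.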

Final Thoughts  

Don’t forget, email security is no longer just about spam filters; it’s about protecting your reputation, your data and your people. If you’re not confident that your current setup reflects 2025’s best practices, it’s time to take stock.  

The reality? Most SMEs don’t have the time, internal expertise or headspace to keep up with the pace of change in cyber security. 

If staying safe sounds like too much work for your team, partner with an IT MSP like Edge IT, and we’ll take care of it for you. From setting up best-in-class email protection to proactively managing threats, we help UK businesses stay secure, compliant and focused on what they do best.  

Edge IT Can Help

Technology should empower your business, not hold it back. We provide proactive IT support, robust cybersecurity, and seamless solutions to keep your organisation secure and running smoothly. Get in touch today and let’s strengthen your IT for a smarter, safer future.