For most technology teams, email is infrastructure. It is assumed to be working, assumed to be secure and largely ignored until something goes wrong. That assumption is understandable. It’s also where a significant number of serious security incidents begin.
The gap between “email is set up” and “email is set up well” is wider than most organisations realise, and the consequences of that gap have become increasingly costly.
The attack surface most teams underestimate
Email remains the primary vector for phishing, business email compromise and credential theft. This is not because attackers lack imagination; it is because email works. It reaches people directly, it carries authority and it is easy to spoof when the underlying configuration is weak.
This is especially true as social engineering and CEO scams become more sophisticated, often targeting organisations that haven’t prioritised digital security hygiene. Domain-based authentication protocols — SPF, DKIM and DMARC — exist specifically to address this. They allow receiving mail servers to verify that an email claiming to come from your domain was actually sent by you. Without them, your domain can be impersonated with relatively little effort. Customers, partners and suppliers can receive convincing emails purporting to be from your organisation, with no indication that anything is amiss.
NCSC email security guidance covers exactly this ground, with clear implementation guidance for each protocol. It is worth reading for any team that has not reviewed its domain authentication setup recently.
Where the configuration debt tends to accumulate
Growing teams move quickly. Email gets stood up early, often with default settings, and rarely revisited. By the time an organisation has thirty people, there may be multiple mail-sending services attached to the domain. You may be sending email from CRM platforms, marketing tools and transactional email providers that were never authorised in the domain’s DNS records. DMARC, if it exists at all, is frequently sitting in monitoring mode with no enforcement policy in place.
This is not an edge case. It’s the norm for teams that have been focused on product rather than security hygiene.
What a properly configured setup looks like
A well-configured business email environment covers a few core areas. Authentication records are correctly published and enforced. DMARC reporting is active, so the team has visibility into what is sending mail as their domain. Access is controlled through single sign-on or strong multi-factor authentication, and offboarding removes access promptly. And the email provider itself offers encryption and data residency options appropriate for the clients being served.
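As an added illustration (not part of the original article), the script below audits a domain’s SPF and DMARC TXT records for the weak settings described above: a DMARC policy left at p=none, an SPF record whose "all" mechanism permits any sender, and missing aggregate reporting. The domain names and records are constructed sample data; a real check would fetch the TXT records from DNS instead of a dictionary.

```python
import re

# Constructed sample TXT records for a fictional domain (not real DNS data).
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 include:_spf.example-crm.test ip4:203.0.113.10 ~all",
    ],
    "_dmarc.example.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    ],
}


def parse_spf(records):
    """Return the domain's SPF record, or None if absent or duplicated (RFC 7208 allows one)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, txt):
    """Return a list of findings describing weak or missing email authentication."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or multiple records")
    else:
        # Qualifier on the final 'all' mechanism: -all (fail), ~all (softfail), ?all / +all (pass).
        qualifier = re.search(r"(?:^|\s)([-~?+]?)all\b", spf)
        if qualifier is None or qualifier.group(1) in ("+", "?", ""):
            findings.append("SPF: 'all' mechanism permits any sender")
        elif qualifier.group(1) == "~":
            findings.append("SPF: softfail (~all) only; move to -all once all senders are listed")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record published")
        return findings
    tags = parse_dmarc(dmarc[0])
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings
```

Running `audit_domain("example.test", SAMPLE_TXT)` flags the softfail-only SPF and the monitoring-only DMARC policy, which is exactly the state the article describes as the norm for fast-growing teams.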
For agencies and product studios working with clients in regulated industries, that last point matters more than it might initially appear. Clients increasingly ask about security posture during procurement, and email infrastructure is part of that picture.
The business case beyond security
There is also a commercial dimension. A misconfigured email domain affects deliverability. Outbound emails land in spam. Proposals go unread. Follow-ups disappear. The damage is invisible until someone thinks to check.
Teams that treat email infrastructure with the same rigour applied to their application stack tend not to encounter these problems. Those that treat it as a commodity utility tend to discover the difference at an inconvenient moment.
Getting the setup right is not a large project. For most organisations, it is a focused half-day of work with lasting returns. The question is whether it gets scheduled before something forces the issue, or after.