GlobalSign Blog

How to Protect Against the 91% of Cyber-attacks Targeting Inboxes

Email, a business essential for communication, remains a stubborn and alarmingly vulnerable paradox. A staggering 91% of cyber-attacks start with a phishing email, often delivered with an air of legitimacy that can fool even seasoned professionals. Spoofed sender addresses, malicious attachments, and deceptive URLs are the launchpads for data breaches, reputational damage, and multimillion-dollar fraud.

On GlobalSign’s latest Trust.ID Talk podcast, host Michelle Davidson welcomed email security expert Stefan Cink, developer of NoSpamProxy and a longtime champion of smarter inbox protection. His message was clear:

“The problem isn’t just clever attackers, it’s avoidable mistakes made by organizations that overlook the finer details of email security.” 

The Illusion of Perfection - Mind the Gap

Stefan emphasized a truth that’s easy to forget in pursuit of airtight solutions: no security system is perfect. There will always be gaps, tiny detection blind spots or momentary delays that adversaries can exploit. That's why having a "Plan B" is essential. For example, if malware arrives via a Word document attachment, one strategy is to convert the file into a PDF before delivering it to the user. This gives the recipient a chance to preview the content safely while the email gateway runs deeper scans in the background. If a threat is detected shortly after, the email can be blocked before it reaches the user’s inbox.

Reputation is Everything - Use the Right Checks

One of the most overlooked aspects of email security is the ease of address forgery. Anyone can technically send an email that looks like it’s from your CEO. And without safeguards, recipients won’t know the difference.

Protocols like SPF, DKIM, and DMARC act as a reputation shield. They let recipients verify that your emails genuinely come from you, not someone impersonating you with malicious intent. These checks don’t just validate authenticity; they send a broader signal of accountability. And in a time when inboxes are flooded with noise, trust is the ultimate currency.

Firewalls for Files - Flip Your Attachment Logic

Here's a twist that many security teams haven’t considered: when it comes to email, most systems focus only on denying macros or executable files and blocking certain types of attachments. This is similar to the way traditional firewalls work, where rule sets block everything except specific allowed traffic. Why not flip the paradigm and by default permit only the attachment types that are essential for your business, and block everything else? It’s a small shift that can drastically reduce risk exposure.
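An added example (not code from the original post or from NoSpamProxy) of the flipped, default-deny attachment logic: only an allowlisted set of extensions gets through, and, going one step beyond the text, each file's leading bytes must match the type its name declares, so a renamed executable is caught as well. The allowlist and the sample message are constructed for illustration.

```python
import os
from email.message import EmailMessage

# Allowlist (constructed for this example): extensions the business actually needs,
# each mapped to the magic bytes a genuine file of that type must start with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

def attachment_verdict(filename: str, content: bytes) -> str:
    """Default-deny: 'allow' only if the extension is allowlisted AND the bytes match it."""
    ext = os.path.splitext(filename.lower())[1]
    magics = ALLOWED_TYPES.get(ext)
    if magics is None:
        return "block: extension not allowlisted"
    if not any(content.startswith(m) for m in magics):
        return "block: content does not match declared type"
    return "allow"

def filter_message(msg: EmailMessage) -> dict:
    """Walk the MIME parts of a message and return a verdict per attachment."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = attachment_verdict(name, part.get_payload(decode=True) or b"")
    return verdicts

def build_sample_message() -> EmailMessage:
    """Constructed sample: a real PDF, an executable renamed to .pdf, and a plain .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.7 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application", subtype="pdf", filename="invoice2.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg

if __name__ == "__main__":
    for name, verdict in filter_message(build_sample_message()).items():
        print(f"{name}: {verdict}")
```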

Security With Foresight

If you’re rethinking your email strategy, think in layers. Email security isn’t just about catching threats, it’s about thinking ahead. Whether it's inserting reputation protocols, converting risky file formats on the fly, or reimagining your attachment rules, the goal is clarity, consistency, and control. The adversaries may be persistent, but so is our capacity to evolve. 

Baseline Requirements are Now Mission-Critical

As email threats grow more persistent and accessible, failing to implement the fundamentals is like leaving your front door wide open and hoping no one walks in. Podcast guest Stefan Cink laid it out bluntly:

“Cybercriminals don't need to breach your firewall or hijack your VPN. They just need one email, with the right lure, to land in a target inbox.” 

That's the chilling efficiency of email-based attacks. It’s direct, deceptively simple, and extremely effective.

In Germany, for instance, national agencies have published minimum requirements for email security, readily accessible to businesses of all sizes. These guidelines help companies establish a clear baseline for authentication, encryption, and overall defensibility. But these standards are only as strong as their adoption rate. Too often, businesses treat them as suggestions rather than necessities.

Implementing baseline measures such as the SPF, DKIM, and DMARC protocols helps ensure trust in digital communication, satisfies compliance obligations, and denies adversaries their easiest entry point. In industries like finance and healthcare, where regulatory frameworks are increasingly strict, skipping these steps isn't just risky, it could be illegal.

Authentication and Encryption are More Than Buzzwords

These foundational measures create ripple effects across your entire email ecosystem. Proper authentication ensures that emails claiming to be from your organization can actually be verified. Encryption, meanwhile, shields sensitive content from interception or tampering. These are now mandatory cybersecurity capabilities.

If your organization hasn’t reviewed its email compliance requirements recently, now’s the time to do so. Regulations evolve, threat actors adapt, and yesterday’s safeguards can’t defend against tomorrow’s tactics.

The Three Pillars of Email Trust

Think of SPF, DKIM and DMARC as three pillars of email authenticity. Together, they act like a digital chain of custody, verifying where an email came from, what it says, and whether it's been tampered with en route. 

With no friction, a threat actor can send a convincing email that appears to come from your domain. That’s why domain owners must actively publish records that declare which servers are authorized to send emails on their behalf.

  • Sender Policy Framework - SPF is like a whitelist. It tells the receiving server which IP addresses are allowed to send email on behalf of your domain. If someone sends an email from an unlisted source, it’s flagged.
  • DomainKeys Identified Mail - DKIM puts a digital signature on the content of your email, locking in the integrity of the message body. This means if a threat actor tries to stealthily edit an invoice or insert malicious links, the tampering can be detected. For transactional emails—think invoices, purchase orders, and sensitive internal documents—DKIM is a must-have.
  • Domain-based Message Authentication, Reporting and Conformance - DMARC ties it all together. It lets domain owners dictate what should happen when SPF or DKIM checks fail: whether the email should be quarantined or rejected. If an email flunks both checks, it's likely forged and shouldn’t touch your network.

Adoption Is Climbing Thanks to Industry Giants

While these protocols have been around for years, their adoption has surged thanks to enforcement from major providers like Microsoft, Google and Yahoo. Today, sending mail to a Microsoft inbox without SPF and DKIM means your message may not even be delivered. These vendors are essentially nudging organizations to clean up their act, and it's working. 

For businesses, it’s not just about security; it’s about deliverability. Without SPF, DKIM, and DMARC, emails can land in spam folders—or not land at all. 

APIs and One Myth We Need to Bust

While these protocols provide the architectural backbone of email trust, emerging tools like API connectors are adding new layers of flexibility, responsiveness, and precision. Stefan Cink explains that, while NoSpamProxy relies heavily on established standards rather than API hooks into mailbox providers (which tend to change frequently), APIs still play a critical role in synchronous communication and real-time threat detection.

For example, APIs make it possible to receive digital certificates instantly from trusted authorities such as GlobalSign, helping email optimization solutions automate certificate provisioning without adding complexity for admins. And for organizations with cloud-based threat monitoring systems, APIs enable lightning-fast malware detection, scanning messages the moment they enter the email gateway. 

Encryption Doesn’t Have to be Intimidating

Encryption often gets treated like it’s reserved for cryptography specialists or compliance officers. But you don’t have to understand the math behind the algorithm, you just need to know which approach best suits your organization’s needs.

  • Gateway-based encryption is typically enough for everyday business communications; think sales, marketing and support. In this model, the gateway handles certificates centrally, applying S/MIME signatures to outgoing messages so recipients can verify sender authenticity. It’s simple, scalable, and well-suited for compliance-driven industries.
  • Client-based encryption requires storing certificates locally on every device from which a user might send email. That’s a heavier lift for IT teams, especially in Bring Your Own Device (BYOD) environments, where controlling endpoints becomes nearly impossible. This method might be necessary for high-sensitivity roles, say, a doctor handling personal health information, but for most organizations, gateway encryption strikes the right balance of security and manageability.

The biggest myth in email security is that encryption is too complicated to implement. In reality, with the right solution—like NoSpamProxy paired with automated certificate delivery via GlobalSign, encryption becomes nearly invisible to the end user and incredibly manageable for the administrator. Once configured, certificates flow into the gateway automatically, and protection becomes part of the system’s DNA.

Every Inbox Deserves Better

Email may never be bulletproof, but it can be far more trustworthy. By combining foundational protocols, real-time detection, flexible encryption, and smart vendor support, organizations can take back control of their inboxes—without burying users in complexity.
