The Very Good Email Guide to Email Security

Protecting yourself from phishing, spoofing, and scams

Email is one of the most important communication tools in our daily lives — but it’s also one of the most abused.

Every day, billions of fake and fraudulent emails are sent around the world. Some try to steal your passwords. Others impersonate your bank. Some look like they come from your own colleagues.

The good news? Understanding a few simple concepts can dramatically reduce your risk. This guide explains what to watch out for — and what good email security looks like behind the scenes.


1. The Three Big Threats

Phishing

Phishing emails try to trick you into doing something — clicking a link, entering your password, or handing over personal details. They often look very convincing, pretending to be from your bank, a delivery company, HMRC, or even a colleague.

Classic signs of a phishing email:

  • A sense of urgency: “Your account will be suspended in 24 hours!”
  • A link that doesn’t match the real company’s website
  • A request to “verify” your password or bank details
  • Poor spelling or slightly off branding
  • An email address that looks almost right, but not quite (e.g. support@amaz0n.com)

Spoofing

Here’s an uncomfortable truth about email: anyone can type any “From” address they like. It’s a bit like writing any return address on an envelope — nothing stops you writing “10 Downing Street” even if you live in a flat in Manchester.

Scammers exploit this to send fake emails appearing to come from your bank, a supplier, or even your own CEO asking for an urgent payment. This is why invisible security systems working behind the scenes are so important.

Scams and Fraud

Not all malicious emails are after your password. Some target money directly — fake invoices from suppliers you actually use, or “CEO fraud” where someone impersonates a senior person to authorise a payment.

These attacks are often carefully researched and can look surprisingly professional. Always verify unusual requests — especially financial ones — through a separate channel, like a phone call.


2. Practical Tips for Everyone

Stop and think before you click. If an email feels urgent or unusual, that’s a red flag. Scammers rely on panic.

Check the sender’s actual email address. The display name might say “HSBC” but the real address could be from a completely unrelated domain.

Hover before you click links. On a computer, hovering over a link shows where it actually leads. If it looks suspicious, don’t click.

Never give out your password via email. No legitimate company will ever ask for your password in an email.

Use strong, unique passwords. And enable two-factor authentication on your email account wherever possible.

Check your spam folder occasionally. Legitimate emails sometimes land there — especially booking confirmations and receipts.

Report suspicious emails. In the UK, you can forward them to report@phishing.gov.uk.


3. The Invisible Shields: How Email Security Works Behind the Scenes

Understanding how this works helps explain why some emails get blocked, and why companies with good email setups are safer to receive email from.

Three key technologies do the heavy lifting:

SPF: The Approved Sender List
Think of SPF (Sender Policy Framework) like a guest list at a club door. A company publishes a list of the mail servers that are allowed to send email on their behalf. When an email arrives, the receiving system checks: is this email coming from an approved server? If not, it’s treated with suspicion — and may be flagged or rejected.

DKIM: The Tamper-Proof Seal
DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email. Think of it like a wax seal on an old letter — if it’s intact when it arrives, you know the message is genuine and hasn’t been tampered with in transit. If a scammer tries to modify the email after sending, the signature breaks.

DMARC: The Enforcement Officer
DMARC is the glue that holds SPF and DKIM together. It lets a company say: “If an email claiming to be from us fails these checks, reject it outright.” Companies with strong DMARC policies are actively protecting their customers from impersonation.
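To show how DMARC actually ties SPF and DKIM to the visible “From” address (the alignment check that stops a scammer’s own passing SPF and DKIM from counting), here is an added Python example that is not part of this guide. It evaluates constructed Authentication-Results values; the sample domains and the two-label shortcut for the organisational domain are assumptions, not the real DMARC rules in full.

```python
import re
from email.utils import parseaddr

# Regex for the spf= and dkim= clauses of an Authentication-Results header value.
_AUTHRES = re.compile(
    r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)"
    r"(?:\s+(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?"
)

def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels. Real DMARC uses the
    # Public Suffix List; this shortcut is an assumption that suits the samples below.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_authres(value: str) -> dict:
    """Collect (result, domain) pairs for SPF and DKIM from a header value."""
    found = {"spf": [], "dkim": []}
    for method, result, ident in _AUTHRES.findall(value):
        domain = ident.rsplit("@", 1)[-1].lower()  # smtp.mailfrom may carry user@domain
        found[method].append((result, domain))
    return found

def dmarc_evaluate(from_header: str, authres: str, policy: str = "reject") -> tuple:
    """Return (dmarc_pass, action). DMARC passes only if SPF or DKIM passed AND the
    domain that passed aligns with the visible From domain (relaxed alignment)."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    results = parse_authres(authres)
    spf_ok = any(r == "pass" and org_domain(d) == org_domain(from_domain) for r, d in results["spf"])
    dkim_ok = any(r == "pass" and org_domain(d) == org_domain(from_domain) for r, d in results["dkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    # The domain owner's published policy (p=none/quarantine/reject) decides what happens on failure.
    return False, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed sample headers (not real messages): a genuine mail, a forwarded copy
# whose SPF broke in transit, and a spoof sent from the scammer's own infrastructure.
LEGIT = ("Your Bank <alerts@bank.example>",
         "mx.receiver.example; spf=pass smtp.mailfrom=bounce.bank.example; dkim=pass header.d=bank.example")
FORWARDED = ("Your Bank <alerts@bank.example>",
             "mx.receiver.example; spf=fail smtp.mailfrom=bank.example; dkim=pass header.d=bank.example")
SPOOFED = ("Your Bank <alerts@bank.example>",
           "mx.receiver.example; spf=pass smtp.mailfrom=attacker.example; dkim=pass header.d=attacker.example")

if __name__ == "__main__":
    for name, (frm, ar) in {"legit": LEGIT, "forwarded": FORWARDED, "spoofed": SPOOFED}.items():
        print(name, dmarc_evaluate(frm, ar))
```

The spoofed sample passes SPF and DKIM for the scammer’s own domain, yet DMARC still fails because neither aligns with bank.example, which is exactly the check the paragraph above describes.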

More information on these technologies can be found in our Email Authentication Explained article.


4. Quick Reference: Spot the Red Flags

The Bottom Line

Email fraud is real and growing — but it’s not something to be afraid of. A little awareness goes a long way. The most important things to remember:

  • Slow down when an email creates a sense of urgency
  • Check who the email is really from
  • Never click links or open attachments you weren’t expecting
  • When in doubt, go directly to the company’s website or call them

And if you’re responsible for sending emails on behalf of a business, make sure your email is properly set up with SPF, DKIM, and DMARC — not just for security, but to ensure your legitimate messages actually reach your customers.