Email Filtering and Security Tools
Email Filtering and Security Tools

Photo by cottonbro studio on Pexels
While human awareness is your primary defense, technical tools form a critical second layer. Email filtering and security tools reduce the volume of phishing emails that reach your team, catch known threats automatically, and provide forensic data when incidents occur. The goal is not to replace human vigilance but to reduce its burden.
How Email Filtering Works
Email filters analyze incoming messages against multiple criteria before delivering them to the inbox. Modern filters use a combination of techniques: sender authentication checks (SPF, DKIM, DMARC) verify that the email came from the domain it claims to be from; reputation systems check the sender's IP and domain against databases of known malicious sources; content analysis scans the email body and subject for phishing patterns, suspicious links, and malicious attachments; and machine learning models identify novel phishing patterns that have not been seen before.
No filter catches 100% of phishing emails. A well-configured filter typically blocks 90-95% of phishing attempts. The remaining 5-10% that reach the inbox are why human training matters. Your filter and your people work together.
Essential Email Security Protocols
Three DNS records form the foundation of email authentication. Every business should configure these on its domain:
SPF (Sender Policy Framework): A DNS record that lists which IP addresses are authorized to send email from your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record. If the sending IP is not listed, the email is flagged or rejected. Without SPF, attackers can freely spoof your domain.
DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to your outgoing emails. The receiving server verifies the signature against your public key in DNS. DKIM ensures the email content has not been tampered with in transit and that it genuinely came from your domain.
DMARC (Domain-based Message Authentication): Ties SPF and DKIM together and tells receiving servers what to do if authentication fails. DMARC has three policies: none (monitor only), quarantine (send to spam), and reject (block entirely). Start with none to monitor, then move to quarantine, and eventually to reject. DMARC also sends reports showing which emails are failing authentication — invaluable for detecting spoofing attempts.
Recommended Email Security Tools
- Google Workspace / Gmail: Built-in phishing detection is strong. Enable "Security sandbox" for attachments and "Warn external sender" warning tags.
- Microsoft 365 / Defender for Office 365: Enable Safe Links (rewrites URLs to scan on click) and Safe Attachments (detonates attachments in a sandbox before delivery). Even Business Premium includes basic anti-phishing.
- ProtonMail / ProtonMail for Business: Strong built-in encryption and phishing protection; free tier available.
- Mimecast or Barracuda — Dedicated email security gateways for businesses needing more control; both offer small business tiers.
- MailGuard (mailguard.com) — Cloud email filtering with a free trial for small businesses.
Configuring Your Filter for Maximum Effectiveness
Review your email filter settings quarterly. Key configurations: enable URL rewriting so links are scanned at click-time, not just at delivery time (attackers sometimes make a safe link malicious after the email passes the filter); quarantine emails from newly registered domains (attackers frequently register domains less than 30 days before using them); flag external emails with a visible banner ("[External] This message came from outside the organization") so employees can apply extra caution; and enable attachment sandboxing for all file types, not just executables.
Key Takeaways
- Email filters block 90-95% of phishing; trained employees catch the rest
- SPF, DKIM, and DMARC are essential DNS records every business must configure
- Choose tools based on your email platform — Gmail and Microsoft 365 both offer strong built-in protection
- Review filter settings quarterly and enable URL rewriting, attachment sandboxing, and external sender warnings
Common Questions: Email Filtering and Security Tools
Q: What free email filtering tools are available for small businesses?
Several free tiers exist: Cloudflare Email Routing offers basic filtering at no cost. SpamAssassin is a free, open-source spam filter that can be self-hosted. Apache James provides a free mail server with built-in filtering. Google Workspace and Microsoft 365 both include robust built-in filtering that, when properly configured, catches the majority of phishing emails. For DNS-level protection, Cloudflare DNS and Quad9 offer free malicious domain blocking.
Q: What happens if we only rely on email filters without user training?
Email filters typically catch 90-95% of phishing emails, but the 5-10% that get through are often the most sophisticated and dangerous. Without trained users as the last line of defense, those phishing emails have free access to your organization. Filters also generate false positives, which can cause employees to ignore warnings if they see too many legitimate emails flagged. A layered approach—filters plus trained users plus incident response—is essential for comprehensive protection.
Q: How do DMARC policies work and what should I set?
DMARC has three policies: p=none (monitor only, no action taken), p=quarantine (suspicious emails go to spam), and p=reject (suspicious emails are blocked entirely). Start with p=none to collect data on legitimate mail sources, then move to p=quarantine once you've identified all authorized senders, and finally p=reject for maximum protection. This phased approach prevents blocking legitimate emails while building toward full enforcement. Most providers offer free DMARC reporting through tools like dmarcian or Postmark's DMARC digest.
Q: How often should we update our email filtering rules?
Review filtering rules quarterly at minimum, and immediately after any successful phishing incident. Monitor filter reports weekly to identify new phishing patterns. Most modern email security platforms update their threat intelligence automatically, but custom rules—such as blocking specific sender domains or flagging keywords—need periodic review to ensure they remain effective and don't create excessive false positives that cause alert fatigue.
Email Filtering and Security Tools

Photo by cottonbro studio on Pexels
While human awareness is your primary defense, technical tools form a critical second layer. Email filtering and security tools reduce the volume of phishing emails that reach your team, catch known threats automatically, and provide forensic data when incidents occur. The goal is not to replace human vigilance but to reduce its burden.
How Email Filtering Works
Email filters analyze incoming messages against multiple criteria before delivering them to the inbox. Modern filters use a combination of techniques: sender authentication checks (SPF, DKIM, DMARC) verify that the email came from the domain it claims to be from; reputation systems check the sender's IP and domain against databases of known malicious sources; content analysis scans the email body and subject for phishing patterns, suspicious links, and malicious attachments; and machine learning models identify novel phishing patterns that have not been seen before.
No filter catches 100% of phishing emails. A well-configured filter typically blocks 90-95% of phishing attempts. The remaining 5-10% that reach the inbox are why human training matters. Your filter and your people work together.
Essential Email Security Protocols
Three DNS records form the foundation of email authentication. Every business should configure these on its domain:
SPF (Sender Policy Framework): A DNS record that lists which IP addresses are authorized to send email from your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record. If the sending IP is not listed, the email is flagged or rejected. Without SPF, attackers can freely spoof your domain.
DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to your outgoing emails. The receiving server verifies the signature against your public key in DNS. DKIM ensures the email content has not been tampered with in transit and that it genuinely came from your domain.
DMARC (Domain-based Message Authentication): Ties SPF and DKIM together and tells receiving servers what to do if authentication fails. DMARC has three policies: none (monitor only), quarantine (send to spam), and reject (block entirely). Start with none to monitor, then move to quarantine, and eventually to reject. DMARC also sends reports showing which emails are failing authentication — invaluable for detecting spoofing attempts.
Recommended Email Security Tools
- Google Workspace / Gmail: Built-in phishing detection is strong. Enable "Security sandbox" for attachments and "Warn external sender" warning tags.
- Microsoft 365 / Defender for Office 365: Enable Safe Links (rewrites URLs to scan on click) and Safe Attachments (detonates attachments in a sandbox before delivery). Even Business Premium includes basic anti-phishing.
- ProtonMail / ProtonMail for Business: Strong built-in encryption and phishing protection; free tier available.
- Mimecast or Barracuda — Dedicated email security gateways for businesses needing more control; both offer small business tiers.
- MailGuard (mailguard.com) — Cloud email filtering with a free trial for small businesses.
Configuring Your Filter for Maximum Effectiveness
Review your email filter settings quarterly. Key configurations: enable URL rewriting so links are scanned at click-time, not just at delivery time (attackers sometimes make a safe link malicious after the email passes the filter); quarantine emails from newly registered domains (attackers frequently register domains less than 30 days before using them); flag external emails with a visible banner ("[External] This message came from outside the organization") so employees can apply extra caution; and enable attachment sandboxing for all file types, not just executables.
Key Takeaways
- Email filters block 90-95% of phishing; trained employees catch the rest
- SPF, DKIM, and DMARC are essential DNS records every business must configure
- Choose tools based on your email platform — Gmail and Microsoft 365 both offer strong built-in protection
- Review filter settings quarterly and enable URL rewriting, attachment sandboxing, and external sender warnings
There are no comments for now.