Technopark SMEs: email security essentials (MFA + SPF/DKIM/DMARC) — POPIA-aware starter guide
Technopark SME email security: MFA plus SPF/DKIM/DMARC basics, quick checks, low-effort wins, and a POPIA-aware incident plan.
· Digissential Team · 2 min read
TL;DR: Turn on MFA for every mailbox/admin. Publish SPF, enable DKIM, and deploy DMARC (monitor → quarantine → reject). These cut spoofing, protect your brand and reduce risk under POPIA. We can set this up remotely for Technopark & CBD SMEs.
What these controls do (plain English)
- MFA (Multi-Factor Authentication) — Stops most password-only takeovers. Protect all users, especially admins and finance.
- SPF (Sender Policy Framework) — Tells the world which servers may send mail for your domain.
- DKIM (DomainKeys Identified Mail) — Cryptographic signature proving your mail wasn’t altered and really came from you.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Policy that says “if SPF/DKIM don’t align with my domain, quarantine/reject it,” and sends you reports.
Quick checks (5–10 minutes)
- MFA status
  - M365: Enforce Security Defaults or Conditional Access; ensure all users have MFA (incl. shared/mailbox users via app passwords where needed).
  - Google Workspace: Turn on 2-Step Verification and enforce for all.
- SPF record
  - Publish one SPF TXT record at root (e.g., v=spf1 include:spf.protection.outlook.com -all). Avoid multiple SPF records.
- DKIM
  - Enable in M365/Google admin; publish the two CNAME records the console gives you; switch DKIM to ON.
- DMARC
  - Start with monitoring: _dmarc.yourdomain.tld TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.tld; fo=1"
  - After fixing alignment, move to p=quarantine, then p=reject.
- Disable legacy auth
  - Block POP/IMAP/SMTP AUTH where possible; these bypass modern MFA.
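The SPF and DMARC quick checks above, as an added Python example that is not part of the original guide: it audits TXT record strings for a single SPF record, a "-all" ending, and the DMARC rollout stage. It goes slightly beyond the list by also checking SPF's limit of 10 DNS-querying terms (RFC 7208); the function names and the second sample record are constructed for illustration.

```python
# Added example (not from the original guide). Record strings passed in are
# constructed samples; in practice they come from TXT lookups on the domain.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}

def audit_spf(root_txt):
    """Findings for the TXT strings at the domain root (several SPF records = permerror)."""
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one record, found %d" % len(spf)]
    raw = spf[0].split()[1:]
    terms = [t.lstrip("+-~?").lower() for t in raw]
    quals = [t[0] if t[0] in "+-~?" else "+" for t in raw]
    # Mechanism/modifier name without its ':domain', '=domain' or '/cidr' part.
    heads = [t.replace("=", ":").replace("/", ":").split(":")[0] for t in terms]
    findings = []
    lookups = sum(h in LOOKUP_TERMS for h in heads)
    if lookups > 10:
        findings.append("SPF: %d DNS-querying terms, limit is 10" % lookups)
    if "all" not in terms:
        if "redirect" not in heads:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif quals[terms.index("all")] != "-":
        findings.append("SPF: 'all' is not '-all', unlisted senders are not hard-failed")
    return findings

def audit_dmarc(dmarc_txt):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(recs)]
    pairs = (t.split("=", 1) for t in recs[0].split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    next_step = {"none": "p=quarantine", "quarantine": "p=reject"}
    policy = tags.get("p", "").lower()
    findings = []
    if policy in next_step:  # still on the monitor -> quarantine -> reject path
        findings.append("DMARC: p=%s, next stage is %s" % (policy, next_step[policy]))
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not sent")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s, policy covers only part of the mail" % tags["pct"])
    return findings

if __name__ == "__main__":
    root = ["v=spf1 include:spf.protection.outlook.com -all",
            "v=spf1 include:_spf.mailer.example ~all"]  # constructed duplicate
    dmarc = ['v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.tld; fo=1']
    print("\n".join(audit_spf(root) + audit_dmarc(dmarc)))
```

An empty list from both functions means the records match the end state the checklist aims for: one SPF record ending in -all and DMARC at p=reject with reporting enabled.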
Need a hand? Book a Remote support session.
Low-effort wins with big impact
- MFA everywhere (admins first), plus a break-glass admin with strong MFA and documented recovery.
- Single outbound path: send all mail via your main provider; avoid random third-party senders unless included in SPF and DKIM-signed.
- User display-name warnings: show “External” banners to reduce impersonation clicks.
- Finance playbook: require a second channel (call/SMS) for bank detail changes and urgent payment requests.
- Backups: ensure mail/calendar/Drive/OneDrive are backed up—malware and deletions still happen. See Cloud backup setup.
POPIA-aware posture (why it matters)
Email often contains personal information. Under POPIA you must secure it: strong access controls (MFA), minimal retention, and auditable changes. We document what we touch, restrict technician access, and store any logs/artifacts securely. Read more: Privacy.
If something slips through (first-hour plan)
- Isolate the account: reset password, revoke sessions/tokens, and disable external forwarding.
- Preserve evidence: note timestamps, IPs, suspicious rules.
- Enable litigation hold/retention temporarily if available.
- Reset MFA and re-enrol the user.
- Notify affected parties where appropriate; restore from backup if mailbox tampering occurred.
→ Need help now? Remote support session
Ready to harden in under an hour?
- Baseline hardening (MFA, legacy auth off, SPF/DKIM/DMARC) → Cybersecurity hardening baseline
- 3-2-1 backups + test-restore → Cloud backup setup
- Quarterly check-ups → Quarterly Device Health Check
- Hands-on help → Remote support session