Email Security for SMB: What Brokers Ask For and What to Actually Buy
Email is still the #1 attack path for SMBs and the first thing cyber insurance brokers ask about. This is the practical buy list, written for owners who do not have an in-house security team.
The 5-step email security checklist
1. Turn on MFA for every email mailbox. Microsoft 365 and Google Workspace both enforce this for free. Most insurance applications now decline coverage without it.
2. Enable anti-phishing and impersonation protection. Look for vendors that score sender domains, sandbox attachments, and rewrite suspicious links at click time, not just on delivery.
3. Publish SPF, DKIM, and DMARC records. Brokers will ask. DMARC at p=quarantine or p=reject signals that you control your sending domain and proves it to underwriters.
4. Enable mailbox auditing and 90-day retention. If a mailbox is compromised, the auditor needs to know what was accessed. Free in M365 Business Premium and Google Workspace Business Standard.
5. Train every user on phishing, every quarter. A 10-minute interactive course beats a once-a-year PDF. Most insurance carriers want evidence of training cadence, not just a policy.
If you take wire transfers, do this first
Business Email Compromise (BEC) is the single most expensive SMB cyber loss class in 2026. Add an out-of-band verbal verification step for any wire transfer over $5,000 and require dual approval inside your accounting tool. Software alone will not catch it.
Frequently asked questions
Is built-in Microsoft 365 / Google Workspace email security enough for SMBs?
It is enough to pass most underwriting questions, but only if you actually turn the controls on. Defaults leave MFA optional, DMARC unset, and link rewriting off. Add a third-party anti-phishing layer if your business takes wire transfers or processes invoices.
Do brokers really check DMARC?
Yes. Most cyber insurance applications in 2026 either ask for the DMARC record directly or run an automated lookup before issuing a quote. A missing or p=none record will trigger a follow-up question and may delay the quote.
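Step 3 of the checklist and this answer both come down to what a broker's automated lookup sees in your DNS. The script below is an added example, not part of the original article or any vendor's tooling: it parses SPF and DMARC TXT records the way such a lookup would and flags the things underwriters react to (p=none or a missing DMARC policy, a permissive "+all" in SPF, more than 10 DNS-lookup mechanisms). The records for example.com are constructed so the script runs offline; the pass/fail rules are this example's own assumptions, not a specific carrier's checklist.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample DNS TXT answers for a hypothetical domain (example.com).
# A real check would fetch these from DNS; they are hard-coded so the example
# runs offline.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
    ],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class Finding:
    ok: bool  # True if the record would pass a broker-style check
    messages: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_lookup_term(term: str) -> bool:
    """True if an SPF term ('include:x', 'a', 'mx/24', 'redirect=y') needs a DNS lookup."""
    name = re.split(r"[:=/]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
    return name in LOOKUP_MECHS


def evaluate_spf(records: List[str]) -> Finding:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return Finding(False, ["no SPF record published"])
    if len(spf) > 1:
        return Finding(False, ["multiple SPF records: receivers treat this as a permanent error"])
    terms = spf[0].split()[1:]
    ok, msgs = True, []
    # The qualifier on the 'all' mechanism decides what happens to unlisted senders.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    qualifier = all_terms[-1][0] if all_terms and all_terms[-1][0] in "+-~?" else "+"
    if not all_terms:
        ok = False
        msgs.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier in "+?":
        ok = False
        msgs.append(f"'{qualifier}all' does not restrict unlisted senders; use '-all' or '~all'")
    lookups = sum(1 for t in terms if is_lookup_term(t))
    if lookups > 10:
        ok = False
        msgs.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return Finding(ok, msgs)


def evaluate_dmarc(records: List[str]) -> Finding:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return Finding(False, ["no DMARC record published"])
    if len(dmarc) > 1:
        return Finding(False, ["multiple DMARC records: receivers ignore all of them"])
    tags = parse_dmarc(dmarc[0])
    ok, msgs = True, []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        ok = False
        msgs.append(f"p={policy or '<missing>'}: brokers look for p=quarantine or p=reject")
    if tags.get("pct", "100") != "100":
        msgs.append(f"pct={tags['pct']}: the policy only applies to that share of failing mail")
    if "rua" not in tags:
        msgs.append("no rua= address: you will not receive aggregate reports")
    return Finding(ok, msgs)


def assess_domain(
    domain: str,
    lookup: Callable[[str], List[str]] = lambda name: SAMPLE_RECORDS.get(name, []),
) -> Dict[str, Finding]:
    """Run both checks for a domain. 'lookup' returns the TXT strings for a DNS
    name; the default reads the constructed table above instead of querying DNS."""
    return {
        "spf": evaluate_spf(lookup(domain)),
        "dmarc": evaluate_dmarc(lookup(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for check, finding in assess_domain("example.com").items():
        status = "PASS" if finding.ok else "FAIL"
        print(f"{check.upper():5} {status}  {'; '.join(finding.messages) or 'no findings'}")
```

To run it against a real domain, replace the default `lookup` with a function that queries the TXT records for the name (any DNS library will do); the evaluation logic stays the same. Note that a `pct` below 100 or a missing `rua` address is reported but does not fail the check, since underwriters key on the policy value itself.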
What is the cheapest credible email security upgrade?
Move every mailbox to Microsoft 365 Business Premium or Google Workspace Business Standard, enforce MFA, and publish DMARC at p=quarantine. That covers ~80% of broker checklists for under $25 per user per month.
Pick the next step
Value Aligners matches SMBs to vetted security vendors for free. Pick the path that fits where you are today.