Email security against phishing, spam, and abuse
Published on July 3, 2026
Email security in practice: spot phishing, keep spam out, and protect your domain with SPF, DKIM, and DMARC. A clear guide you can apply yourself.
Email security sounds technical, but at its heart it comes down to two things: keeping harmful messages out of your inbox, and stopping criminals from abusing your domain to deceive other people. This article explains how to recognise phishing, how to reduce spam, and how to make SPF, DKIM, and DMARC work together to protect your domain. You will also learn what the premium spam filter from LJPc hosting does and what steps you can take yourself today.
What is email security?
Email security is the set of measures that keep your email reliable and safe. It has two sides. The first is your own mailbox: you want to stop phishing, spam, and messages with harmful attachments before they cause damage. The second is your domain: you want to make sure nobody can send email in your domain's name without permission, because that leads to fraud and a damaged reputation.
No single measure covers everything. Good email security therefore works in layers: awareness among you and your colleagues, a strong spam filter that checks incoming mail, and DNS settings that prove an email really comes from you. In the rest of this article, we walk through those layers one by one.
How to recognise phishing
Phishing is an email that poses as a trusted sender to trick you into handing over a password or a payment, or into clicking a malicious link. Modern phishing looks professional and often no longer contains language mistakes, so do not rely on sloppy writing alone. Instead, watch for the following signs.
- A sender that is not quite right. The display address looks correct, but the domain name is spelled slightly differently (for example micros0ft.com with a zero), or the message comes from a free address when it should come from a company. Expand the sender's name to check the full email address before you do anything.
- Pressure and urgency. Phrases such as "act now", "your account will be suspended", or "pay within 24 hours" are designed to make you act without thinking.
- Links that lead somewhere else. Hover your mouse over a link without clicking and check the real destination. Be wary of shortened links, odd domains, and addresses made up only of numbers.
- Unexpected attachments. Do not open an attachment you did not ask for, especially unusual file types such as .html, .iso, .js, or .scr. If in doubt, ask the sender through another channel.
- A request for sensitive details. A trustworthy organisation will never ask you by email for your password or PIN, or ask you to buy gift cards.
- A generic greeting. "Dear customer" instead of your name can point to a message that was sent in bulk.
What to do with a suspicious email
- Do not click anything and do not open attachments.
- Do not reply and do not enter any details.
- When in doubt, verify through a known phone number or another route whether the message is genuine.
- Mark the message as phishing or spam, so your filter learns from it, and then delete it.
How to prevent and reduce spam
Spam is unsolicited bulk mail. You will never remove it completely, but you can cut the volume down considerably with a few habits.
- Use your hosting provider's spam filter. A filter on the server catches most of it before it reaches your mailbox.
- Do not publish your address in plain text. Spammers harvest addresses from websites automatically. Use a contact form instead, or write the address so bots cannot read it.
- Be careful with unsubscribing. For a newsletter you once signed up for, unsubscribing works fine. For obvious spam, clicking "unsubscribe" only confirms that your address is active. Mark those messages as spam instead.
- Use separate addresses or aliases. A separate address for sign-ups keeps your main address cleaner.
- Keep software up to date. Update your mail program and devices so known vulnerabilities are patched.
SPF, DKIM, and DMARC: three layers of defence
Recognising spam and phishing helps on the receiving side. But you also want to stop anyone from sending email that appears to come from your domain. Three DNS settings work together to do this: SPF, DKIM, and DMARC. They prove to receiving mail servers that a message really comes from you, and at the same time they improve the delivery of your own mail.
SPF: who may send on your behalf
With SPF, you set out which servers are allowed to send email on behalf of your domain. You publish this as a TXT record in your DNS. Receiving servers check whether the sending server is on that list. You can read more in our explanation of the SPF record. Note that SPF checks the envelope sender domain that mail servers exchange behind the scenes, not the From address you see, and that an SPF pass does not always survive when a message is forwarded.
DKIM: a digital signature
DKIM adds a digital signature to every outgoing message. The receiving server checks that signature against a key in your DNS and can be sure the message was not altered in transit and really comes from your domain. Unlike SPF, a DKIM signature stays valid even when a message is forwarded, provided the forwarding server leaves the signed content unchanged.
DMARC: policy and reporting
DMARC ties SPF and DKIM to the visible sender domain and tells receiving servers what to do with mail that fails the check: do nothing, move it to spam, or reject it. You usually start with a relaxed policy (p=none) and tighten it step by step, first to quarantine and then to reject. DMARC also sends you reports, so you can see who is sending mail in your domain's name.
| Layer | What it does | Where it lives |
|---|---|---|
| SPF | Sets which servers may send on behalf of your domain | TXT record in DNS |
| DKIM | Adds a digital signature to outgoing mail | TXT record with a key in DNS |
| DMARC | Ties SPF and DKIM to your domain and sets the policy | TXT record in DNS |
These settings live in your domain's DNS, just like the MX record that determines which server receives your incoming email. Large providers now often require all three records. Google and Yahoo have asked bulk senders for SPF, DKIM, and DMARC since 2024, and Microsoft has done the same since 2025. Even a domain you never send mail from can be protected against abuse with a DMARC record.
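How a receiving server combines the three checks, as an added example that is not part of the original article or LJPc hosting's own code. It is a simplified model of the DMARC decision: the `sp` and `pct` tags are ignored, the organisational domain is approximated by the last two labels, and all domains and messages are constructed.

```python
from dataclasses import dataclass

def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed (default)

@dataclass
class Message:
    from_domain: str   # domain in the visible From header
    spf_result: str    # SPF verdict for the envelope sender
    spf_domain: str    # envelope sender (Return-Path) domain
    dkim_result: str   # DKIM verdict for the signature
    dkim_domain: str   # d= domain in the DKIM signature

def dmarc_disposition(msg: Message, record: str) -> str:
    """Return 'pass', or the policy (none/quarantine/reject) that applies."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "no-policy"
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed messages, all claiming From: example.com
DIRECT = Message("example.com", "pass", "mail.example.com", "pass", "example.com")
FORWARDED = Message("example.com", "fail", "example.com", "pass", "example.com")
SPOOFED = Message("example.com", "pass", "bulk.example.net", "none", "")

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        record = f"v=DMARC1; p={policy}; rua=mailto:dmarc@example.com"
        print(policy, [dmarc_disposition(m, record) for m in (DIRECT, FORWARDED, SPOOFED)])
```

The forwarded message still passes because its DKIM signature is aligned, while the spoofed one passes SPF for its own envelope domain yet fails DMARC because that domain does not match the visible sender.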
The premium spam filter from LJPc hosting
LJPc hosting offers a premium spam filter that checks your incoming email before it reaches your mailbox. The filter assesses every message for suspicious characteristics, checks the sender with SPF, DKIM, and DMARC, and scans for viruses and known spam patterns. What happens next to a suspicious message depends on two parts: the quarantine and your allow and block lists.
What a quarantine is
A quarantine is a separate holding area for messages the filter finds suspicious. Such mail is not delivered to your inbox, but it is not deleted right away either. That keeps you protected from real spam, while a message that was held by mistake (a so-called false positive) is not lost. You can review the quarantine and still release a message to your inbox, or delete it for good. Many filters also send a periodic overview of what is being held in quarantine.
Allow lists and block lists
With an allow list (a list of trusted senders), you make sure messages from trusted addresses or domains always get through. With a block list (blocked senders), you always stop mail from certain addresses or domains. This lets you tune the filter to your situation: a supplier who keeps ending up in quarantine goes on the allow list, and a persistent spammer on the block list.
Secure your own email account
Abuse often starts with a hijacked account. As soon as someone can log in to your mailbox, they can send mail in your name and defraud your contacts. So protect your account properly.
- Use a strong, unique password. Do not reuse it anywhere else, and store it in a password manager.
- Turn on two-factor authentication (2FA). An extra code alongside your password keeps attackers out, even if your password leaks.
- Keep your devices and mail program up to date. Updates patch the vulnerabilities attackers use.
- Watch for suspicious sign-ins. If you get a notification about a sign-in you do not recognise, change your password straight away.
How to tackle email security yourself
If you want to start today, work through these steps:
- Teach yourself and your colleagues to recognise phishing by the signs above.
- Turn on the spam filter and set up your allow and block lists.
- Publish an SPF record, enable DKIM, and add a DMARC record.
- Secure every email account with a strong password and 2FA.
- Check your DMARC reports and tighten your policy step by step.
Can't work it out, or not sure about a message? Feel free to contact support, and we will take a look with you.
Frequently asked questions
What exactly is email security?
Email security is the set of measures that keep harmful messages such as phishing and spam out of your mailbox, while at the same time stopping criminals from abusing your domain to mislead others. It works best in layers: awareness, a spam filter, and the DNS settings SPF, DKIM, and DMARC.
How do I recognise a phishing email?
Watch for a sender address that is not quite right, for pressure and urgency, for links that point to a different destination, and for unexpected attachments. If you are asked for a password, a payment, or gift cards, that is a strong warning sign. Do not click anything, verify through another channel, and mark the message as phishing.
What is the difference between SPF, DKIM, and DMARC?
SPF sets which servers may send on behalf of your domain, DKIM adds a digital signature to your outgoing mail, and DMARC ties both to your visible sender domain and tells receiving servers what to do with mail that fails the check. Together they stop anyone from quietly sending email in your domain's name.
What happens to email in quarantine?
A message in quarantine has been held because the filter finds it suspicious. It is not in your inbox, but it has not been deleted either. You can review it and still release it if it turns out to be legitimate, or throw it away for good. That way you do not lose important mail to a false positive.
How do I stop my domain being used for spam?
Publish an SPF record, enable DKIM, and add a DMARC record so receiving servers can recognise forged mail sent in your domain's name and, once you tighten your DMARC policy, reject it. Also secure every email account with a strong password and two-factor authentication, because a hijacked account is a common route for abuse.
Is a spam filter enough to stop phishing?
A good spam filter stops a lot of phishing and spam, but no filter catches one hundred percent. So combine the filter with alert users and with SPF, DKIM, and DMARC on your domain. That combination of layers gives the best protection.