Simple, actionable steps to keep your email secure, your domain protected, and your team safe from evolving threats in 2026
At KartHost, we see small businesses hit hard by email-based attacks every quarter. A quick review of your settings can stop most problems before they start. Use this checklist as your routine quarterly audit for Microsoft 365 or Google Workspace. Spend an hour every three months, involve your admin or our support team, and mark each item as done.
Authentication and Access Controls
- Enforce Multi-Factor Authentication (MFA) everywhere: Require it for all users, with extra strict policies for admins and finance accounts. In Microsoft 365, use Conditional Access. In Google Workspace, enforce 2-Step Verification organization-wide. Test recovery methods and generate backup codes.
- Review and limit admin roles: Only a few people should have full super admin or global admin access. Use role-based permissions for daily tasks. Check the admin audit logs for any unexpected role changes in the last quarter.
- Device hygiene and access policies: Ensure company devices are enrolled and compliant. Require MFA on mobile apps and block sign-ins from unmanaged or risky devices. Review connected devices and revoke old sessions.
Domain and Email Authentication (SPF, DKIM, DMARC)
- Verify and update SPF records: Confirm your SPF record authorizes all legitimate senders and stays under the 10-lookup limit. Flatten if needed for multiple services. Test with online tools and review for failures.
- Enable and rotate DKIM: Make sure DKIM signing is active for your domain in both Microsoft 365 and Google Workspace. Rotate keys periodically and confirm all sending platforms use it.
- Set and monitor DMARC policy: Aim for at least p=quarantine with reporting enabled. Review aggregate reports weekly or quarterly for spoofing attempts. Progress toward p=reject once you have clean data.
- Check for proper alignment: Ensure your primary domain and any sending subdomains authenticate correctly to prevent spoofing of your brand.
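To make the SPF and DMARC items above concrete, here is an added example (not KartHost tooling) that counts the DNS lookups an SPF record consumes across nested includes and checks a DMARC record against the p=quarantine and reporting targets. The domains and records are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample records on reserved example domains (not real DNS data).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:send.crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "send.crm.example": "v=spf1 a exists:%{i}.bl.crm.example ip4:203.0.113.7 -all",
}
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Terms that cost one DNS lookup each toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Optional qualifier, term name, then an optional ":" or "=" target (CIDR cut off).
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")


def spf_lookups(domain, zone, path=()):
    """Count lookup-causing SPF terms for domain, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF loop through {domain}")
    total = 0
    for term in zone[domain].lower().split()[1:]:  # [1:] skips "v=spf1"
        name, target = TERM.match(term).groups()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            # Nested records spend from the same budget of 10.
            total += spf_lookups(target, zone, path + (domain,))
    return total


def dmarc_findings(record):
    """Return findings for a DMARC record against the checklist targets."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("policy below p=quarantine")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address")
    return findings


if __name__ == "__main__":
    print("SPF lookups:", spf_lookups("example.com", ZONE), "of 10 allowed")
    print("DMARC findings:", dmarc_findings(DMARC))
```

To audit a real domain, replace ZONE and DMARC with the TXT records you export from your DNS provider, including the records of every service you include.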
Monitoring, Alerts, and Backup Options
- Enable and review security alerts: Turn on notifications for suspicious logins, malware detections, unusual admin actions, and bulk changes. In Microsoft 365, check the Security Center and sign-in logs. In Google Workspace, use the Alert Center and Security Investigation Tool.
- Set up a backup MX record: Configure a secondary mail exchanger (often through your hosting provider) so email delivery continues if your primary service has temporary issues. Test failover quarterly.
- Scan for forwarding rules and risky permissions: Regularly audit inbox rules, auto-forwarding to external addresses, and third-party app consents (OAuth). Remove anything unfamiliar.
- Test backups and recovery: Confirm email archiving or backups are running. Verify you can restore messages or accounts quickly after an incident.
Ongoing Habits and Team Practices
- Train your team quarterly: Run a quick phishing simulation or review red flags together. Remind everyone never to click links for password resets or payment changes without verification.
- Keep software and filters updated: Ensure built-in spam, phishing, and malware protection is at the highest level (Defender for Office 365 or Google Advanced Protection where available).
- Document and test your incident response: Know who to contact and the first steps if something slips through.
How KartHost Helps You Stay Secure
Our KloudEmail solutions and Microsoft 365 management services include advanced threat protection, archiving, and expert guidance on these exact settings. Many clients on our VIP Care Plans let us run these quarterly reviews for them, handle DMARC monitoring, and keep everything optimized so they never have to worry about missing a step.
Whether you use our hosted email or manage Microsoft 365 and Google Workspace in-house, our Tomball, Texas team is ready to help with one ticket. We review logs, tighten configurations, and make sure your setup matches current best practices.
Download this checklist, schedule your next review today, and turn email security into a simple habit instead of a crisis. Questions or need help walking through any item? Log into the KartHost Customer Center and open a ticket. We are here to keep your business protected.
