Email Authentication: The Boring Stuff That Still Breaks Businesses

Why this matters: Email misconfiguration is one of the fastest ways SMBs experience fraud without realizing it.

Email is still the easiest way into most organizations. Not because attackers are brilliant, but because basic email protections are missing or incomplete.

When we review small businesses and nonprofits, the same three gaps show up over and over:

  • SPF
  • DKIM
  • DMARC

Most leaders have seen these acronyms on cyber insurance applications or heard them mentioned by IT. Very few know what they actually do or whether they’re configured correctly. That gap is why email fraud, impersonation, and phishing keep working.

What These Controls Actually Do

SPF: Who’s Allowed to Send Email as You

SPF (Sender Policy Framework) answers one basic question: which systems are allowed to send email using your domain name. If someone tries to send an email pretending to be you from an unauthorized system, SPF helps the receiving mail server recognize that it’s fake.

DKIM: Proving the Email Wasn’t Altered

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email. That signature tells the recipient the email actually came from your domain and the message wasn’t changed after it was sent.

DMARC: Seeing the Problem and Doing Something About It

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving systems what to do when checks fail. Just as important, DMARC gives you visibility. With DMARC reporting, you can see who is legitimately sending email on your behalf, who is trying to impersonate you, and which systems are misconfigured.

Why This Matters to the Business

When these controls are missing or misconfigured:

  • Customers or donors receive phishing emails that look like they came from you
  • Invoice scams and wire fraud attempts become harder to spot
  • Legitimate emails land in spam or never arrive
  • Cyber insurance applications flag weak email controls
  • Vendors question your security posture

This isn’t an IT inconvenience. It’s a trust, financial, and reputational risk.

Why Organizations Get Stuck

Most organizations don’t ignore this on purpose. It gets messy when you have multiple third-party platforms sending email (marketing tools, CRMs, ticketing systems), older configurations that were never revisited, and fear that enforcing DMARC will break legitimate delivery.

What we see most often isn’t neglect. It’s avoidance: DMARC stays in monitoring mode forever, SPF grows until it quietly stops working, and DKIM gets enabled for one system but ignored elsewhere. Microsoft 365 and Google Workspace provide the tools, but they don’t configure this for you across every platform that sends email.
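The two failure modes above (SPF that has quietly grown past its limits, and DMARC left in monitoring mode) are both visible in the DNS TXT records themselves. The script below is an added illustration, not PCTA's tooling: it applies a few offline sanity checks to constructed sample records, counting the SPF terms that cost a DNS lookup (the RFC 7208 limit is 10, beyond which receivers treat the record as a permanent error) and flagging a DMARC record that is still at `p=none` or has no aggregate-report address. The vendor hostnames and addresses are placeholders; against a real domain you would fetch the TXT records for `yourdomain.com` and `_dmarc.yourdomain.com` and feed them to the same functions.

```python
"""Offline sanity checks for SPF and DMARC TXT records (added example).

The records below are constructed samples. In practice, pull the TXT
record for yourdomain.com (SPF) and _dmarc.yourdomain.com (DMARC).
"""
import re

# SPF terms that each consume one of the 10 DNS lookups permitted by RFC 7208.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_lookup_count(record: str) -> int:
    """Count top-level SPF terms that trigger a DNS lookup.

    Nested include: records also count toward the limit, but this offline
    check only sees the record it is handed.
    """
    count = 0
    for term in record.split()[1:]:          # skip the leading "v=spf1"
        term = term.lstrip("+-~?")           # drop the qualifier, if any
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def check_spf(record: str) -> list[str]:
    """Return a list of findings; an empty list means no obvious problem."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(
            f"{lookups} DNS lookups (limit is 10): receivers return permerror, "
            "so the record is effectively broken"
        )
    last = record.split()[-1].lower()
    if last not in ("-all", "~all"):
        findings.append(
            f"record ends with '{last}', not '-all' or '~all': "
            "unauthorized senders are not rejected"
        )
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Flag a DMARC record stuck in monitoring mode or collecting no reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: monitoring only, mail that fails checks is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unrecognized or missing policy 'p={policy}'")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


# Constructed sample records (placeholder hostnames, not real vendors).
SPF_OK = "v=spf1 include:spf.vendor1.example include:spf.vendor2.example -all"
SPF_BLOATED = "v=spf1 " + " ".join(f"include:spf.vendor{i}.example" for i in range(11)) + " ~all"
SPF_NEUTRAL = "v=spf1 include:spf.vendor1.example ?all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
DMARC_NO_REPORTS = "v=DMARC1; p=quarantine"

if __name__ == "__main__":
    for label, rec in [("SPF ok", SPF_OK), ("SPF bloated", SPF_BLOATED),
                       ("SPF neutral", SPF_NEUTRAL)]:
        print(label, "->", check_spf(rec) or ["no findings"])
    for label, rec in [("DMARC monitor", DMARC_MONITOR), ("DMARC enforce", DMARC_ENFORCE),
                       ("DMARC no reports", DMARC_NO_REPORTS)]:
        print(label, "->", check_dmarc(rec) or ["no findings"])
```

The lookup count is the check that catches the "SPF grows until it quietly stops working" case: every marketing tool, CRM, or ticketing system added as an `include:` spends one of the ten lookups, and once the total passes the limit the whole record silently fails for every sender. The DMARC check is the one that surfaces "monitoring mode forever"; a record at `p=none` produces reports but tells no receiver to reject anything.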

How PCTA Helps

We don’t treat email authentication as a checkbox. We help SMBs and nonprofits reduce email fraud risk by aligning what your organization does with what it documents for stakeholders like insurers and vendors.

Learn more about our Cybersecurity Advisory Services, our approach to Cybersecurity Risk Assessments, and how we support healthcare organizations through documented, risk-based programs (see our HIPAA physician practice case study).

The Bottom Line

If you’re not confident that SPF, DKIM, and DMARC are properly configured for your domain, that uncertainty itself is a warning sign. This isn’t cutting-edge security. It’s table stakes.

Ready to reduce email fraud risk? Visit perspectivescybersecurity.com to schedule a conversation.

Executive note: This is written for independent physicians, office managers, and practice leaders who need plain-language clarity, not more compliance noise.

Why the rules are changing and why it matters

Healthcare has become the top target for cyberattacks because patient data is valuable and downtime is devastating. Ransomware and data theft are no longer problems reserved for large hospital systems. They are hitting local offices every day.

Regulators have noticed a pattern in many smaller practices: outdated risk analyses, missing documentation, and no tested plan for when something goes wrong. The proposed HIPAA Security Rule updates are aimed at closing that gap by requiring more accountability and proof.

What is likely to change in plain English

Risk analysis has to be a living document. Many practices do an assessment once, file it away, and never revisit it. The direction of travel is clear: you will be expected to maintain a comprehensive, current view of risk across your environment, including every vendor that touches your data.

You need a fire drill for cyberattacks. If systems go down tomorrow morning, who makes the first call? Who talks to the insurance carrier? Who communicates with patients? Regulators want to see a documented incident response plan because “call IT and hope” is not defensible.

“Addressable” does not mean “optional.” If you do not implement a safeguard, you will need to document why it was not reasonable for your practice and what you did instead. Without that paper trail, you are exposed during an audit.

The real impact on your practice and your insurance

HIPAA fines can be painful, but they are often not the biggest cost. Investigations can lead to multi-year corrective action plans, which create federal oversight and a long administrative burden that typically lands on the office manager.

Insurance is also getting tougher. Underwriters are increasingly requiring proof of controls like multi-factor authentication, documented risk assessments, and staff training before they will even offer a policy. If you cannot substantiate what you said on an application, coverage can be delayed, restricted, or denied at the worst possible time.

Between legal fees, forensic work, system recovery, and patient notifications, even a small incident can quickly become a six-figure event. For an independent practice, that can be an existential hit.

Why your IT provider is not a total solution

This is one of the most common misunderstandings. IT providers and MSPs are often strong at technical tasks like firewalls, patching, and backups. HIPAA, however, is not purely a technology problem.

HIPAA compliance relies heavily on administrative safeguards: policies, training, governance, and leadership decisions. Most IT agreements do not cover those areas, and regulators will not fine your IT provider. They will fine you.

What you can do today

  • Update your risk analysis so it reflects how your practice and vendors actually operate today, not how you wish it worked.
  • Write and test an incident response plan that covers who calls whom, what gets documented, and how patient care continues during disruption.
  • Document decisions, especially when a safeguard is not implemented. If it is not written down, it did not happen.
  • Train staff to recognize phishing and common scams, because that is still the easiest way in.
  • Make your IT provider prove recovery with a realistic restore test so you are not betting the practice on assumptions.

Final thoughts

These changes are a leadership challenge, not just a technical one. As a physician or office manager, you are a steward of extremely sensitive information. Protecting it is a matter of trust and business resilience.

Relying solely on an IT provider or a generic insurance policy is no longer enough. What you need is a plan you can defend.

Get clarity with a trusted advisor

If you are feeling overwhelmed by these changes or if your insurance renewal is getting harder each year, you do not have to figure it out alone.

Perspectives Cyber and Technology Advisors provides HIPAA security advisory for small medical practices. We work alongside your IT provider to handle the administrative and risk side of the house they typically do not cover. The goal is simple: a practical plan that reduces real exposure and stands up under scrutiny.

Schedule an Advisory Conversation
Official guidance and resources

If you want to review primary sources and official guidance, these are the references we track so you can validate expectations directly:

Disclaimer: The proposed HIPAA Security Rule updates discussed in this article are not yet finalized and remain subject to change. Final language, scope, and enforcement timelines may differ from what is currently proposed. Independent physician practices should monitor official guidance from the U.S. Department of Health and Human Services and consult qualified legal or compliance professionals before making decisions based solely on proposed regulatory changes.