
The SMB Domain Security Checklist: 5 Things to Do This Week

Domain security advice usually targets enterprises with full security teams. Here's the pragmatic version for small-to-mid-sized businesses: five things you can do this week, in order, that close 80% of the risk.

May 19, 2026 · 5 min read

TL;DR

  • Five controls cover most domain-security risk for an SMB: publish DMARC, verify SPF + DKIM on every sender, scan for lookalikes, defensively register the obvious typosquats, and turn on monitoring.
  • Most SMBs ship 0 of the 5 because each one looks like infrastructure work, but each is a 30-minute task.
  • A continuous monitoring tool keeps the checklist enforced after the initial setup, since DNS and senders drift over time.

What it does

Domain security for an SMB doesn't require an enterprise budget; it requires running through a short checklist of controls once and then keeping them up to date. The checklist is five controls, broken into eight concrete steps below, each a 30-60 minute task. Done, they cover most of the realistic domain risk a typical SMB faces. Skipped, each one is exactly the kind of gap a single phishing campaign exploits.

Most SMBs ship 0 of the 5 because each looks like infrastructure work, and there's no obvious moment to do it. The pattern: the team adopts Google Workspace or M365, ships email, never publishes DMARC, never registers defensive domains, never monitors for lookalikes. Six months later a phishing campaign uses their brand to harvest customer credentials, and the cleanup costs 100x what the prevention would have cost.

A continuous monitoring tool keeps the checklist enforced after the initial setup, since DNS records drift, ESPs change, and sender IPs rotate over time. The setup-once-then-forget model fails for any of these controls.

How it works

  1. <strong>Register the obvious defensive variants.</strong> Top 5-10 typos, the .co/.io/.net/.app forms of your .com, common combosquats. ~$200/year for 15-20 domains. See <a href="/learn/defensive-registration" class="text-brand-600 hover:underline">defensive registration playbook</a>.

  2. <strong>Publish SPF on the apex.</strong> One TXT record starting <code>v=spf1</code>, listing each ESP via <code>include:</code> and ending in <code>~all</code>. Publish exactly one SPF record and stay at or under 10 DNS lookups, counted across every nested <code>include:</code>; a second record or an 11th lookup gives receivers a permerror (RFC 7208), which counts as no SPF pass for DMARC. Use the <a href="/tools/spf-generator" class="text-brand-600 hover:underline">SPF generator</a>.

  3. <strong>Enable DKIM signing in each ESP.</strong> CNAME-delegated DKIM so each ESP signs with your domain in <code>d=</code>, which is what DMARC aligns against the visible From: domain. Most major ESPs make this a 3-record setup. Use the <a href="/tools/dkim-generator" class="text-brand-600 hover:underline">DKIM generator</a> per provider.

  4. <strong>Publish DMARC at <code>p=none</code> with reporting.</strong> Watch the aggregate (<code>rua=</code>) reports for 14+ days, fix every alignment failure that comes from a legitimate sender, then ramp through <code>p=quarantine</code> to <code>p=reject</code>, publishing each stricter policy with <code>t=y</code> first if you want a dry run before enforcing. Note that <code>t=y</code> is the DMARCbis test-mode tag; a receiver that implements only RFC 7489 ignores tags it does not recognise and applies the policy as written, so treat the dry run as advisory. The full ramp is its own playbook; see <a href="/learn/dmarc-rollout" class="text-brand-600 hover:underline">DMARC rollout</a>.

  5. <strong>Publish MTA-STS in enforce mode + TLS-RPT.</strong> MTA-STS tells sending servers to require TLS with a valid certificate when delivering to your MX hosts, which defeats STARTTLS-stripping downgrade attacks; TLS-RPT sends you reports when that negotiation fails. It needs a <code>_mta-sts</code> TXT record, a policy file served over HTTPS at <code>https://mta-sts.example.com/.well-known/mta-sts.txt</code> (substitute your domain), and MX hostnames in that policy that match the certificates the hosts present. Run <code>mode: testing</code> with TLS-RPT on until the reports are clean, then switch to <code>enforce</code>; a mismatch in enforce mode means senders hold or bounce your inbound mail. Cheap control with high prevention value.

  6. <strong>Start ongoing lookalike monitoring.</strong> Daily or hourly scans across hundreds of variants, signal-scored. PhishFence's free tier covers 1 domain, enough for most single-brand SMBs.

  7. <strong>Set up Slack / webhook alerts.</strong> Detections delivered where the team already works. Without routing, alerts sit in an email inbox no one checks.

  8. <strong>Document the takedown workflow.</strong> Who files which report, where the registrar abuse contacts live, where evidence gets stored. Five minutes to write down; saves hours during an actual incident.
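An offline audit of the DNS-side steps above (2, 4 and 5), as an added example that is not part of the original page or of the PhishFence product: it counts SPF lookups the way RFC 7208 charges them, walking nested <code>include:</code>s, checks the DMARC tags, and parses an MTA-STS policy file plus the TLS-RPT record. The <code>ZONE</code> dictionary and the policy text are constructed samples under the reserved <code>.example</code> TLD standing in for real DNS; the ESP names in them are made up. To run it against a live domain, replace <code>txt()</code> with a resolver call (for instance <code>dns.resolver.resolve(name, "TXT")</code> from dnspython) and fetch the policy file over HTTPS.

```python
"""Offline audit of the DNS-side checklist steps: SPF lookup budget and terminal
qualifier, DMARC tags, MTA-STS policy plus TLS-RPT. Added example, not code from the
original page; ZONE stands in for DNS and every name under .example is hypothetical."""
import re

ZONE = {  # constructed sample TXT records; the ESP names are made up
    "good.example": ["v=spf1 include:_spf.esp-one.example include:esp-two.example"
                     " include:esp-three.example ~all"],
    "_spf.esp-one.example": ["v=spf1 include:_nb1.esp-one.example"
                             " include:_nb2.esp-one.example ~all"],
    "_nb1.esp-one.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.esp-one.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "esp-two.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "esp-three.example": ["v=spf1 include:_a.esp-three.example include:_b.esp-three.example ~all"],
    "_a.esp-three.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
    "_b.esp-three.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    # same ESPs plus a/mx/ptr/exists and +all: a record that grew by accretion
    "bloated.example": ["v=spf1 a mx ptr include:_spf.esp-one.example include:esp-two.example"
                        " include:esp-three.example exists:%{i}.chk.bloated.example +all"],
    "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example; t=y"],
    "_dmarc.bloated.example": ["v=DMARC1; p=none"],
    "_mta-sts.good.example": ["v=STSv1; id=20260519120000"],
    "_smtp._tls.good.example": ["v=TLSRPTv1; rua=mailto:tlsrpt@good.example"],
}
# constructed policy file, as served at https://mta-sts.good.example/.well-known/mta-sts.txt
MTA_STS_POLICY = ("version: STSv1\nmode: enforce\nmx: mx1.good.example\n"
                  "mx: mx2.good.example\nmax_age: 604800\n")
# qualifier? name [:|= argument] [/cidr]   e.g. ~include:x   a/24   ip6:2001:db8::/32
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$")

def txt(name, prefix):
    """Single TXT record at name with prefix; None for 0 or >1 (both are SPF/DMARC errors)."""
    hits = [r for r in ZONE.get(name, []) if r.lower().startswith(prefix.lower())]
    return hits[0] if len(hits) == 1 else None

def spf_lookups(domain, path=()):
    """Lookups RFC 7208 s4.6.4 charges for domain's SPF record, recursing through
    include:/redirect= (worst case). Returns (count, qualifier of the top-level all)."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    rec = txt(domain, "v=spf1")
    if rec is None:
        raise ValueError(f"no single v=spf1 record at {domain}")
    count, terminal = 0, None
    for raw in rec.lower().split()[1:]:
        name, arg = TERM.match(raw).groups()  # AttributeError on a malformed term
        if name in ("include", "redirect"):
            count += 1 + spf_lookups(arg, path + (domain,))[0]
        elif name in ("a", "mx", "ptr", "exists"):
            count += 1  # costs a lookup even without an explicit domain
        elif name == "all":
            terminal = raw[0] if raw[0] in "+-~?" else "+"
        # ip4, ip6 and exp= cost nothing
    return count, terminal

def audit_spf(domain):
    """Step 2: at most 10 lookups, ending in ~all or -all."""
    count, terminal = spf_lookups(domain)
    problems = []
    if count > 10:
        problems.append(f"{count} DNS lookups; receivers return permerror above 10")
    if terminal not in ("~", "-"):
        problems.append(f"terminal qualifier is {terminal!r}; want ~all or -all")
    return {"lookups": count, "terminal": terminal, "problems": problems}

def parse_tags(record):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', 'rua': '...'}"""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit_dmarc(domain):
    """Step 4: a DMARC record with reporting (rua=) and an enforcing policy."""
    rec = txt(f"_dmarc.{domain}", "v=DMARC1")
    if rec is None:
        return {"policy": None, "testing": False, "problems": ["no single DMARC record"]}
    tags, problems = parse_tags(rec), []
    if "rua" not in tags:
        problems.append("no rua=; no aggregate reports to base the ramp on")
    if tags.get("p") == "none":
        problems.append("p=none: spoofed mail is still delivered")
    return {"policy": tags.get("p"), "testing": tags.get("t") == "y", "problems": problems}

def audit_mta_sts(domain, policy_text):
    """Step 5: _mta-sts and TLS-RPT TXT records plus an enforcing policy file."""
    problems = [f"no {p} record at {n}" for n, p in
                ((f"_mta-sts.{domain}", "v=STSv1"), (f"_smtp._tls.{domain}", "v=TLSRPTv1"))
                if txt(n, p) is None]
    policy = {}
    for key, sep, value in (line.partition(":") for line in policy_text.splitlines()):
        if sep:
            policy.setdefault(key.strip(), []).append(value.strip())
    mode = policy.get("mode", [""])[0]
    if mode != "enforce":
        problems.append(f"mode is {mode or 'missing'}, not enforce")
    if not policy.get("mx"):
        problems.append("policy lists no mx: hosts")
    return {"mode": mode, "mx": policy.get("mx", []), "problems": problems}
```

Call <code>audit_spf("good.example")</code> to see the clean case (7 lookups, ends in <code>~all</code>) and <code>audit_spf("bloated.example")</code> to see the failure the page warns about: the same three ESPs, plus <code>a mx ptr</code> and an <code>exists:</code> that cost a lookup each, reach 11 and the <code>+all</code> makes the record an open relay on paper. <code>audit_dmarc</code> and <code>audit_mta_sts</code> report the remaining gaps the same way, as a list of problems rather than a pass/fail, so the output maps directly onto the quarterly review.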

Common pitfalls

  • <strong>Doing 1-2 controls and stopping.</strong> The five work together. SPF + DMARC without DKIM means any legitimate mail that loses SPF alignment (forwarded mail, an ESP that bounces through its own return-path domain) fails DMARC outright. Monitoring without a takedown workflow means alerts you can't act on.

  • <strong>Setting up DMARC at <code>p=none</code> and never escalating.</strong> Monitoring without enforcement still lets attackers spoof your domain. Escalate or the control is decorative.

  • <strong>Registering defensive domains and letting them lapse.</strong> A dropped defensive registration is worse than no registration: drop-catch services grab it within minutes. Auto-renew + calendar reminders.

  • <strong>Buying enterprise tools for SMB threat models.</strong> $20K/year tooling for a 5-employee SMB is procurement theater. The middle of the market (PhishFence and equivalents) hits the same checklist for 1-2 orders of magnitude less.

  • <strong>No quarterly review.</strong> SPF includes change, new ESPs get added, DKIM keys rotate. Without a recurring review the configuration drifts.