The SMB Domain Security Checklist: 5 Things to Do This Week
Domain security advice usually targets enterprises with full security teams. Here's the pragmatic version for small-to-mid-sized businesses: five things you can do this week, in order, that close 80% of the risk.
TL;DR
1. Eight controls cover most domain-security risk for an SMB: register obvious variants, publish DMARC + SPF + DKIM, monitor lookalikes, enforce TLS via MTA-STS.
2. Most SMBs ship 0 of the 8 because each one looks like infrastructure work, but each is a 30-minute task.
3. A continuous monitoring tool keeps the checklist enforced after the initial setup, since DNS + senders drift over time.
What it does
Domain security for an SMB doesn't require an enterprise budget; it requires running through a short checklist of controls once and then keeping them up to date. The full checklist is eight items, each a 30-60 minute task. Done, they cover most realistic domain risk for a typical SMB. Skipped, each one is the kind of gap a single phishing campaign exploits.
Most SMBs ship 0 of the 8 because each looks like infrastructure work, and there's no obvious moment to do it. The pattern: the team adopts Google Workspace or M365, ships email, never publishes DMARC, never registers defensive domains, never monitors for lookalikes. Six months later a phishing campaign uses their brand to harvest customer credentials, and the cleanup costs 100x what the prevention would have cost.
A continuous monitoring tool keeps the checklist enforced after the initial setup, since DNS records drift, ESPs change, and sender IPs rotate over time. The setup-once-then-forget model fails for any of these controls.
How it works
1. Register the obvious defensive variants. Top 5-10 typos, your .com's .co/.io/.net/.app, common combosquats. ~$200/year for 15-20 domains. See the defensive registration playbook (/learn/defensive-registration).
2. Publish SPF on the apex. One TXT record listing each ESP via include:, ending in ~all. Stay under 10 DNS lookups. Use the SPF generator (/tools/spf-generator).
3. Enable DKIM signing in each ESP. CNAME-delegated DKIM so each ESP signs with your d=. Most major ESPs make this a 3-record setup. Use the DKIM generator (/tools/dkim-generator) per provider.
4. Publish DMARC at p=none with reporting. Watch reports for 14+ days, fix any alignment failures, then ramp through p=quarantine to p=reject pct=100. The full ramp is its own playbook; see DMARC rollout (/learn/dmarc-rollout).
5. Publish MTA-STS in enforce mode + TLS-RPT. Force TLS on inbound mail and get visibility into failures. A cheap control with high prevention value against downgrade attacks.
6. Start continuous lookalike monitoring. Daily or hourly scans across hundreds of variants, signal-scored. PhishFence's free tier covers 1 domain, enough for most single-brand SMBs.
7. Set up Slack / webhook alerts. Detections delivered where the team already works. Without routing, alerts sit in an email inbox no one checks.
8. Document the takedown workflow. Who files which report, where the registrar-abuse contacts live, where evidence gets stored. Five minutes to write down; saves hours during an actual incident.
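Items 1 and 6 both hinge on the same question: which names near your brand should you register, and which of the ones you did not register should raise an alert? Below is an added example of how a defender can generate the variant families named above (typos, homoglyphs, TLD swaps, combosquats) for their own domain and score observed registrations by simple signals. It is not PhishFence code; the variant lists, the signal weights and the observed-registration feed are constructed placeholders, and a real monitor would pull candidates from zone files, certificate-transparency logs or passive DNS.

```python
"""Lookalike-domain generation and signal scoring for one brand domain.

Added example, not PhishFence code. The variant lists, signal weights and
the OBSERVED feed are constructed for illustration.
"""

# Assumed lists for this example; extend them per brand.
TLD_SWAPS = ("com", "co", "io", "net", "app")
COMBO_WORDS = ("login", "secure", "support", "billing")
HOMOGLYPHS = (("l", "1"), ("o", "0"), ("i", "l"), ("m", "rn"))


def split_domain(domain):
    """'example.com' -> ('example', 'com'); second-level names only."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_variants(domain):
    """Return the set of typo, homoglyph, TLD-swap and combosquat variants."""
    label, tld = split_domain(domain)
    variants = set()
    for i in range(len(label)):
        # omission (exmple.com) and repetition (exammple.com)
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        variants.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):
        # adjacent transposition (exmaple.com)
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(f"{swapped}.{tld}")
    for a, b in HOMOGLYPHS:
        # single-character lookalike substitution (examp1e.com)
        if a in label:
            variants.add(f"{label.replace(a, b)}.{tld}")
    for alt in TLD_SWAPS:
        # same label on a neighbouring TLD (example.co)
        variants.add(f"{label}.{alt}")
    for word in COMBO_WORDS:
        # combosquats: the brand plus a trust word
        variants.add(f"{label}-{word}.{tld}")
        variants.add(f"{word}{label}.{tld}")
        variants.add(f"{label}{word}.{tld}")
    variants.discard(domain)
    return variants


def score_observed(domain, observed):
    """Score observed registrations against the variant set.

    Each entry is a dict with name, has_mx, has_tls, age_days. Returns
    (name, score) pairs, highest score first; names that are not variants
    of the brand are dropped.
    """
    variants = lookalike_variants(domain)
    hits = []
    for entry in observed:
        if entry["name"] not in variants:
            continue
        score = 1                       # it is a variant of the brand at all
        if entry.get("has_mx"):
            score += 2                  # can receive mail: credential-harvest ready
        if entry.get("has_tls"):
            score += 1                  # a certificate usually means a live page
        if entry.get("age_days", 10**6) < 30:
            score += 2                  # freshly registered
        hits.append((entry["name"], score))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed sample feed, as a monitor might see it on one scan.
OBSERVED = [
    {"name": "exmaple.com", "has_mx": True, "has_tls": True, "age_days": 3},
    {"name": "example.co", "has_mx": False, "has_tls": True, "age_days": 400},
    {"name": "unrelated.org", "has_mx": True, "has_tls": True, "age_days": 1},
]

if __name__ == "__main__":
    for name, score in score_observed("example.com", OBSERVED):
        print(f"{score:2d}  {name}")
```

The highest-scoring names from the generator are the ones worth registering defensively (item 1); whatever is left unregistered is the watch list the monitor (item 6) scores every scan, and a fresh registration that gains MX and a certificate is the signature of a phishing site being stood up rather than a parked domain.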
Common pitfalls
- Doing 1-2 controls and stopping. The 8 work together. SPF + DMARC without DKIM means most legitimate mail fails alignment. Monitoring without a takedown workflow means alerts you can't act on.
- Setting up DMARC at p=none and never escalating. Monitoring without enforcement still lets attackers spoof your domain. Escalate or the control is decorative.
- Registering defensive domains and letting them lapse. A dropped defensive registration is worse than no registration: drop-catch services grab it within minutes. Auto-renew + calendar reminders.
- Buying enterprise tools for SMB threat models. $20K/year tooling for a 5-employee SMB is procurement theater. The middle of the market (PhishFence and equivalents) hits the same checklist for 1-2 orders of magnitude less.
- No quarterly review. SPF includes change, new ESPs get added, DKIM keys rotate. Without a recurring review the configuration drifts.
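The quarterly review and the "p=none forever" pitfall are both checks you can script rather than eyeball. The added example below (not PhishFence code) validates the record shapes from items 2, 4 and 5 of the checklist: it counts the lookup-causing SPF terms against the RFC 7208 limit of 10 and checks the trailing qualifier, names which DMARC ramp stage a record is at, confirms an MTA-STS TXT record and policy file agree on enforce mode, and diffs a stored baseline against a later scan to flag drift. Every record, hostname and ESP include here is a constructed sample; the `.example` names are placeholders.

```python
"""SPF / DMARC / MTA-STS record checks plus baseline drift for one domain.

Added example, not PhishFence code. All records are constructed samples.
"""


def spf_lookup_count(record):
    """Count the terms that cost a DNS lookup (RFC 7208 limit: 10)."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in ("a", "mx", "ptr") or term.startswith(("include:", "exists:", "redirect=")):
            count += 1
    return count


def check_spf(record):
    """Return a list of problems; an empty list means the record passes."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    issues = []
    n = spf_lookup_count(record)
    if n > 10:
        issues.append(f"{n} DNS lookups, over the limit of 10 (receivers return permerror)")
    if terms[-1] not in ("~all", "-all"):
        issues.append(f"ends with {terms[-1]!r}; expected ~all or -all")
    return issues


def parse_tags(record):
    """Parse 'k=v; k=v' TXT records (DMARC, MTA-STS) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_stage(record):
    """Name the ramp stage: no-reporting, monitor, quarantine, reject(-partial) or invalid."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "invalid"
    if "rua" not in tags:
        return "no-reporting"           # a policy without reports is flying blind
    p, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    if p in ("none", "quarantine"):
        return "monitor" if p == "none" else "quarantine"
    if p == "reject":
        return "reject" if pct == 100 else f"reject-partial({pct}%)"
    return "invalid"


def mta_sts_mode(txt_record, policy_text):
    """Return the policy mode when the TXT record and policy file are well-formed, else 'invalid'."""
    tags = parse_tags(txt_record)
    if tags.get("v") != "STSv1" or "id" not in tags:
        return "invalid"
    policy = {}
    for line in policy_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            policy[k.strip()] = v.strip()
    if policy.get("version") != "STSv1" or "mx" not in policy or "max_age" not in policy:
        return "invalid"
    return policy.get("mode", "none")


def drift(baseline, current):
    """Return {record_name: (old, new)} for every record that differs."""
    names = set(baseline) | set(current)
    return {n: (baseline.get(n), current.get(n)) for n in names
            if baseline.get(n) != current.get(n)}


# Constructed snapshot from the last review, and a later scan that drifted:
# a third ESP include appeared and DMARC was rolled back to p=none.
BASELINE = {
    "example.com TXT": "v=spf1 include:_spf.esp-one.example include:spf.esp-two.example ~all",
    "_dmarc.example.com TXT": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "_mta-sts.example.com TXT": "v=STSv1; id=20240101T000000",
}
LATER = {
    "example.com TXT": "v=spf1 include:_spf.esp-one.example include:spf.esp-two.example include:spf.esp-three.example ~all",
    "_dmarc.example.com TXT": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_mta-sts.example.com TXT": "v=STSv1; id=20240101T000000",
}
POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"

if __name__ == "__main__":
    print("SPF issues:", check_spf(LATER["example.com TXT"]))
    print("DMARC stage:", dmarc_stage(LATER["_dmarc.example.com TXT"]))
    print("MTA-STS mode:", mta_sts_mode(LATER["_mta-sts.example.com TXT"], POLICY))
    for name, (old, new) in drift(BASELINE, LATER).items():
        print(f"DRIFT {name}\n  was: {old}\n  now: {new}")
```

Run it from a scheduled job with the live records substituted for the constructed dicts, and the review becomes a diff: a new include that pushes SPF toward the lookup limit, a DMARC policy quietly downgraded, or an MTA-STS policy whose id changed without a matching file update all surface as drift rather than waiting for the next quarter.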