From the first email sent in 1971 to today’s daily toll of 124 billion business emails and 111 billion consumer emails, the email has been a resounding success. But there’s been a downside to email as well: 85% of all email today is spam.

Whether you work for a venerable financial institution or a FinTech startup, you know that’s unacceptable. Receiving any spam at all that spoofs your company and annoys your customers is too much. Fraudulent email sent in your name can poison the customer experience and hurt your brand.

Email is still a vital tool in financial services. It’s used for two-factor authentication, transaction notifications, marketing, and other customer communications. So, getting email security right is vital. At stake are the loyalty of your customers and the credibility of your products and services.

Weeding Out Fake Addresses

The good news is that there are technology solutions to weed out spam before it reaches your customer’s inbox. Identifying fake email addresses is a common best practice.

In 2014, the Internet Engineering Taskforce (IETF) published an update to the original Sender Policy Framework (SPF) which was published in 2006, as a proposed open standard for email authentication. It’s been widely adopted ever since. The SPF standard enables the detection of blocking of fraudulent email addresses by verifying that incoming mail from a domain comes from an IP address that has been authorized by a domain’s administrators.

Spam problem solved? Many companies, financial institutions included, believe that it is, that having SPF in place is enough. But it isn’t.

However, unless you’re in the email business, chances are you might be unaware of what other solutions are available — and crucial — to prevent spam and email-based exploits today.

Verifying the Message Itself

SPF establishes a method for a receiving mail server to verify that an incoming email was sent from a host authorized by that domain’s administrators. But another technique, DomainKeys Identified Mail (DKIM), additionally verifies that the email came from an authorized mail server. DKIM lets you add a digital signature to the headers of every email message. This signature can then be validated against a public cryptographic key that is located in your organization’s Domain Name System (DNS) record. Before DKIM, mail systems had no way to verify the sending mail server; they had no choice but to deliver every message.

So, SPF ensures that “this domain is authorized to send from this host” and DKIM verifies that “this message wasn’t altered or had a virus attached to it” between sending and receipt. And now a more recent specification — Domain-based Message Authentication, Reporting and Conformance, (DMARC) — allows administrators to configure specific SPF and DKIM guidelines and generates a report that shows all sanctioned email and phishing attempts.

End-to-end Encryption

The third vital component of spam-proof email for the financial services industry is Transport Layer Security (TLS). TLS is a set of cryptographic protocols that provide further email security features such as private or secure connections for each session, authentication using public-key cryptography, and reliability through a message integrity check. A TLS feature called forward secrecy safeguards future use of the encryption keys.

Encryption is a must because some of your customers might be receiving and sending mail from channels with no security and no encryption. Providing encrypted channels for all of your company’s email is an extra safeguard against spam and cybercrime.

So, start using SPF records to identify authorized mail servers. Use DKIM to cryptographically sign email messages to ensure that they haven’t been changed en route. And provide TLS encryption to protect channels end-to-end.

Trust in financial services is table stakes. These three security measures will go a long way to helping you maintain that trust in all customer, partner, and inter-departmental email communications.