What to prioritize first

• Impersonation protection: detect look-alike domains and fake “CEO” emails.
• Safe links / attachment scanning: reduce risky clicks and malware delivery.
• DMARC/SPF/DKIM alignment: reduce spoofing of your domain (where applicable).
• MFA enforcement: phishing becomes less damaging when logins can’t be reused easily.

How to avoid user frustration

• Start with a baseline policy, then tune false positives over 2–4 weeks.
• Use clear quarantine workflows and fast release/allowlisting.
• Protect high-risk users (executives, finance, HR) with stronger policies.

A quick “health check” for your environment

• Do you have MFA enforced for all users?
• Can external forwarding rules be created freely?
• Do you have spoof/impersonation protection configured?
• Are risky sign-ins and alerts being monitored?

If you’re unsure, a quick baseline review usually finds fast wins.