SMB1001: A cyber defense standard for small and medium businesses

SMB1001 is a cybersecurity standard designed for small and medium organizations. It gives companies a clear, tiered path to stronger security without the complexity or cost of enterprise frameworks. The result is practical protection, delivered in a way that makes sense.

If you want help aligning your or your customers’ email security with SMB1001, book a demo with Sendmarc and talk to one of our specialists.

What is SMB1001?

SMB1001 is a multi-level cybersecurity framework designed specifically for small and medium-sized businesses. It gives growing organizations a practical, phased path to stronger security.

SMB1001 was developed in 2023 and updated in October 2025. It originated in Australia and became a global standard in January 2025. The framework is maintained by Dynamic Standards International (DSI), a company focused on designing accessible cybersecurity guidance for SMBs.

Instead of setting a single benchmark that every business must meet immediately, SMB1001 uses a tiered model. This approach lets you progress to higher tiers as your security posture improves. Each tier builds on the last, moving from essential controls to more advanced, resilient practices.

SMB1001 certification shows that an organization:

  • Follows a recognized cybersecurity framework tailored to SMBs.
  • Has implemented defined controls and repeatable processes.

For customers, cyber insurers, and regulators, SMB1001 certification signals that a company takes cybersecurity seriously and has clear controls in place to manage risks.

How email security fits into SMB1001

Part of SMB1001 compliance includes securing email communications to prevent impersonation. Modern email authentication supports this and relies on three protocols:

  • Sender Policy Framework (SPF) identifies which servers are permitted to send email on behalf of a domain. Receiving email systems can use this information to verify whether a message was sent from an authorized source.
  • DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing messages. Receiving servers validate the signature using a public key published in the signing domain’s DNS. This confirms that the signed parts of the message were not altered in transit and that the signing domain took responsibility for it.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM. DMARC lets domain owners publish a policy that instructs receivers how to handle messages that fail authentication checks and provides reports so they can see who’s sending email on their behalf.

With SMB1001:2026, email authentication requirements are explicitly included in the standard:

Level 2

  • Requires a valid SPF record that lists all authorized email-sending services.

Level 3

  • Requires DKIM signing on all outbound emails.
  • Requires a DMARC record with a reporting address.
  • Requires a DMARC policy set to p=quarantine or p=reject.
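As an added example (not Sendmarc’s code or tooling), the following Python checks a domain’s published SPF, DKIM and DMARC TXT records against the Level 2 and Level 3 requirements listed above. The records, selector name and domain names in it are constructed samples; fetching the real TXT records from DNS is left to the caller.

```python
# Check SPF, DKIM and DMARC TXT records against the SMB1001:2026 email items
# above: Level 2 needs SPF; Level 3 adds DKIM keys, a DMARC rua= address and
# a p=quarantine or p=reject policy. Records are passed in as strings.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(spf):
    """Level 2: an SPF record that lists senders and closes with -all/~all."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    findings = [] if len(terms) > 1 else ["SPF: no sending services listed"]
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append("SPF: must end with -all or ~all, else unlisted hosts pass")
    return findings

def check_dkim(selectors):
    """Level 3: each published selector carries a public key (p=). DNS alone
    cannot prove all outbound mail is signed; unsigned senders show up in
    DMARC aggregate reports, which is why the rua= address matters."""
    if not selectors:
        return ["DKIM: no selector records published"]
    return [f"DKIM: selector {s} has no valid public key" for s, rec in selectors.items()
            if (t := parse_tags(rec)).get("v", "DKIM1") != "DKIM1" or not t.get("p")]

def check_dmarc(dmarc):
    """Level 3: DMARC record with rua= and an enforcing policy."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = [] if tags.get("rua") else ["DMARC: no reporting address (rua=)"]
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: policy is not p=quarantine or p=reject")
    return findings

def assess(spf, selectors, dmarc):
    """Return findings per protocol and whether Level 2 / Level 3 are met."""
    f = {"spf": check_spf(spf), "dkim": check_dkim(selectors), "dmarc": check_dmarc(dmarc)}
    f["level_2_met"] = not f["spf"]
    f["level_3_met"] = f["level_2_met"] and not f["dkim"] and not f["dmarc"]
    return f

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE = {"spf": "v=spf1 include:_spf.mailer.example ip4:203.0.113.10 -all",
          "selectors": {"s1": "v=DKIM1; k=rsa; p=c2FtcGxlLWtleQ=="},
          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.test"}
RESULT = assess(**SAMPLE)  # p=none: Level 2 met, Level 3 not until policy is enforced
```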

This is where Sendmarc fits directly into your SMB1001 journey. To achieve and maintain compliance, you need to:

  • Know every service that sends email for a domain.
  • Configure SPF and DKIM correctly for each service.
  • Move DMARC from monitoring to enforcement without disrupting legitimate email.
  • Demonstrate that these controls are implemented, effective, and maintained over time.

Sendmarc helps you manage each of these steps with confidence, making the email-related requirements of SMB1001 far easier to meet.

How Sendmarc supports your SMB1001 journey

Sendmarc’s solution is designed to make email authentication practical for businesses of all sizes, as well as for the managed service providers (MSPs) that support them. Instead of manually interpreting DMARC XML reports or managing complex DNS updates, you get guided workflows and clear, ongoing visibility.

Sendmarc helps you:

Gain visibility into all sending services

DMARC reports are collected, interpreted, and displayed in a user-friendly way, so you can immediately see all sources sending on behalf of a domain.

Configure SPF, DKIM, and DMARC safely

  • Step-by-step guidance helps you update DNS records without disrupting important emails such as invoices, password resets, or support tickets.
  • You can move from monitoring to DMARC enforcement (p=quarantine or p=reject) with confidence, easily aligning with SMB1001 level 3 requirements.

Monitor continuously and resolve issues quickly

  • Alerts notify you when there are configuration changes or new senders on a domain, so you can review and address them before they affect deliverability or security.
  • Historical reporting helps you show auditors and insurers that controls are correctly configured and consistently maintained over time.

For MSPs, Sendmarc makes it easier to manage multiple client domains in one platform, apply a consistent approach to email security, and provide clear, customer-friendly reporting.

Talk to our team to see how Sendmarc can help you support your SMB1001 certification goals, whether you’re securing your own domain or an entire client portfolio.

SMB1001 FAQs

What is SMB1001?

SMB1001 is a multi-level cybersecurity certification framework designed specifically for small and medium-sized organizations. The SMB1001 framework provides a structured and affordable way for smaller companies to develop and demonstrate cybersecurity maturity over time, instead of trying to comply with resource-heavy standards in a single step.

What are the tiers of SMB1001?

The tiers of SMB1001 represent progressive levels of cybersecurity maturity for small and medium-sized businesses. The framework uses five tiers – Bronze, Silver, Gold, Platinum, and Diamond. Each tier builds on the one before it, providing a clear path from baseline protections to advanced cybersecurity.

What is the difference between ISO 27001 and SMB1001?

The difference between ISO 27001 and SMB1001 is that ISO 27001 is a comprehensive information security management standard that requires significant documentation, governance processes, and dedicated resources.

SMB1001 adapts similar principles into simpler and more practical controls for small and medium organizations. SMB1001 offers a tiered approach with achievable requirements that smaller teams can implement and improve over time.

What is the difference between SMB1001 and the Essential Eight?

The difference between SMB1001 and the Essential Eight is that the Essential Eight outlines eight technical mitigation strategies focused on reducing common cyber risks, while SMB1001 is a full cybersecurity framework.

Essential Eight covers areas such as patching, multi-factor authentication, and backups. SMB1001 takes a broader approach that includes processes and technical controls such as email authentication with SPF, DKIM, and DMARC. SMB1001 also provides a multi-level certification path designed to be practical for small and medium-sized companies.