
PII in email: What it is, why it matters, and how to protect it


Personally identifiable information (PII) is any data that can identify a person directly or indirectly. It includes obvious details such as names, ID numbers, and email addresses. It also includes less obvious data points like job titles, ZIP codes, and birth dates.

Email is still one of the most common places where businesses send, receive, and store PII. It is also one of the easiest places for that information to be exposed. Email was designed for open communication, and security controls were added later. That means the channel itself creates risk for organizations that handle sensitive customer or employee data.

For businesses, PII exposure in email isn’t only a technical problem. When attackers harvest PII through phishing, spoofed domains, or compromised mailboxes, the company whose brand is impersonated often carries the consequences.

These can include:

  • Compliance penalties
  • Loss of customer and employee trust
  • Financial damage

If you want a quick view of your domain’s exposure to cybercriminals, you can run a free scan with Sendmarc’s domain analyzer.

What is PII?

PII is information that can be used to identify, contact, or locate a specific person. Some data points reveal someone’s identity on their own. Others only identify when combined with additional information.

PII is separated into two groups:

1. Direct identifiers

Direct identifiers are data points that typically identify a person by themselves. Examples include:

  • Full name
  • Social Security number (SSN)
  • Phone number
  • Email address
  • Home address
  • Passport details
  • Bank account or card number

When several of these appear together in an email – for example, a salary slip that includes a full name, SSN, and bank details – the sensitivity increases.

2. Indirect identifiers

Indirect identifiers may not identify a person alone, but they can do so when combined with other information. These include:

  • ZIP code
  • Date of birth
  • Gender
  • Race or ethnicity
  • Job title and employer
  • IP addresses and device identifiers
  • Medical details

Because these identifiers appear in routine messages, people often underestimate how easily they can expose personal data without meaning to.
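The identifiers listed above are exactly what an outbound DLP rule looks for before a message leaves the organization. The following Python script is an added example, not code from the original article or from Sendmarc: it scans a constructed sample message for a handful of direct identifiers (US-style SSN and phone formats, ISO dates, card numbers filtered with the Luhn checksum so that random digit runs are not flagged) and redacts what it finds. The message body, the patterns and the function names are all assumptions made for this illustration.

```python
import re

# Constructed sample message body for this example (not from the article).
SAMPLE_EMAIL = """\
Hi Dana,

Attached is the salary slip for J. Smith, SSN 123-45-6789.
Please pay to card 4111 1111 1111 1111 (exp 09/27) and confirm
to j.smith@example.com or (555) 010-4242. DOB 1988-04-12.
Thanks
"""

# Patterns for a few direct identifiers. These are deliberately simple
# (US-style SSN and phone formats, ISO dates); production DLP rules need
# locale-specific variants and context checks to keep false positives down.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_value) pairs for every identifier found in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card":
                digits = re.sub(r"\D", "", value)
                # Only keep digit runs that are card-length and pass the Luhn check
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            hits.append((kind, value))
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with a labelled placeholder."""
    for kind, value in find_pii(text):
        text = text.replace(value, f"[REDACTED {kind.upper()}]")
    return text


if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_EMAIL):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE_EMAIL))
```

Run on the sample, the scanner reports one hit of each kind (SSN, card, email, phone, date of birth). The indirect identifiers from the second list (job title, gender, ZIP code) are deliberately not covered: they have no fixed shape, which is why a pattern-based scanner alone never catches everything and the workflow controls later in the article still matter.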

What PII doesn’t include

Anonymous or aggregated data that can’t be linked back to a specific person usually falls outside of PII. For example, “a male customer from Ohio” doesn’t contain PII on its own.

Business contact information, such as a work email address ([email protected]) or office phone number, often sits in a gray area. Many regulators won’t treat it as PII, as it technically relates to a person’s professional life rather than their personal life.

Where PII appears in business email

If you scan a typical corporate mailbox, you’ll find PII everywhere:

  • HR teams exchanging salary slips, contracts, and job applications
  • Finance sharing bank details, tax numbers, and customer invoices
  • Customer support processing home address or phone number updates
  • Healthcare and insurance exchanging highly sensitive medical information

This is why PII in email deserves specific attention in your security and compliance strategy. It directly affects your customers, employees, and company.

Why PII in email is so risky

To understand why sending PII via email is risky, it helps to remember how email was originally built.

Email was designed for open communication, not confidentiality. Encryption and authentication were added at a later stage. These controls aren’t always configured consistently across every system.

This creates several areas of risk.

Transmission risk

When an email is sent, it travels across several servers before it reaches the recipient. At any stage in that path, the message can be exposed if the connection isn’t secured, particularly on networks such as public Wi-Fi.

From a business perspective, this means that a message containing ID scans, bank details, or medical information could be sent in plain text, making it susceptible to interception and data tampering.

Storage and retention

Even when transmission is encrypted, long-term storage of PII in email is a major exposure point.

Emails and attachments remain in inboxes, sent items, and archives for years. They are also exported into offline files. Staff access them from laptops, mobile phones, and in some cases, personal devices. Each of these locations becomes an access point if an attacker can get into the device.

This can happen through:

  • Unattended or unlocked laptops
  • Phones without lock screens
  • Unencrypted devices

A single compromised mailbox can expose years of sensitive communication.

Human error

Email is a human-driven communication tool, so mistakes are unavoidable.

Common issues include sending an email to the wrong recipient, forwarding long threads without noticing that earlier messages contained PII, or accidentally attaching the wrong file. People often work quickly or switch between devices, which increases the chance of error.

Impersonation and phishing

If attackers can make an email appear as though it came from your domain, they can convince staff, customers, or partners to hand over PII willingly. Examples include:

  • HR impersonation emails asking employees to upload IDs to a fraudulent portal
  • Spoofed finance messages requesting updated bank details
  • Fake customer support emails directing clients to credential-harvesting login pages

Even if your infrastructure is secure, you still face a serious issue if someone can convincingly impersonate your domain and harvest PII in your name.

Assess how easily attackers can spoof your domain. Sendmarc’s free domain analyzer shows whether your current controls protect your organization against phishing.


Practical checklist: How to protect PII in email

You can’t remove PII from email entirely, but you can reduce the risk with a few focused changes. Think about limiting how often PII is sent, improving how it’s protected when it must be sent, and strengthening the accounts that handle it.

1. Reduce the amount of PII sent by email

Start by questioning whether email is the right channel for data sharing. For high-risk data, secure portals, forms, or document upload tools are usually safer because they’re designed for sensitive information.

Where email is unavoidable, send only what’s needed. If a team is tempted to attach a full export from a system, consider whether they can create a more targeted report or share a link to the system instead.

2. Strengthen encryption and configuration

Work with your IT or security team to ensure that Transport Layer Security (TLS) is enforced for email in transit. You can do this with Mail Transfer Agent Strict Transport Security (MTA-STS), which can tell receiving servers to only use encrypted connections.

Tip: For especially sensitive workflows, add extra layers such as message-level encryption tools.

3. Standardize safer workflows for sending PII

Define what “good” looks like. Document which processes can use email for PII and which must use alternative channels.

Teams can create safer templates, standardizing the wording they use for common processes (like requesting documents or confirming details). The template sets out both the structure of the message and the instructions it gives the recipient.

Clear examples also make it easier to spot unusual or malicious requests. When staff know what legitimate PII-related communication looks like, they’re more likely to question anything that seems out of place.

4. Train people to recognize PII and treat it carefully

Awareness training should go beyond general phishing examples.

It should help people:

  • Recognize what counts as PII
  • Understand your regulatory obligations
  • Know when they can and can’t send PII by email
  • Feel confident escalating unusual requests

Short, regular refreshers are often more effective than a single long training session each year.

5. Use strong technical controls around email access

Enforce multi-factor authentication for all users, but especially for administrators and executives. Set clear device security standards, such as full-disk encryption, strong screen locks, and remote wipe capabilities.

Finally, implement email authentication protocols so that receivers can verify that messages claiming to be from your domain are legitimate. This directly supports your efforts to prevent impersonation attacks that harvest PII.

How email authentication protects PII from impersonation

Many of the most damaging PII breaches begin with a simple tactic: a user receives an email that looks like it came from a trusted company and responds with sensitive information.

Email authentication protocols – Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) – are designed to make it much harder for attackers to use your domain in impersonation attempts.

  • SPF lets you define which servers are allowed to send email on behalf of your domain.
  • DKIM adds a digital signature to messages so recipients can verify that the content hasn’t been altered in transit.
  • DMARC lets you specify what should happen when a message fails authentication (neither SPF nor DKIM produces a pass that aligns with the From domain) and gives you visibility into all email sources.

When DMARC is properly enforced – with a policy of p=quarantine or p=reject – receiving systems can quarantine or block messages that claim to be from your domain but fail authentication. As a result, far fewer fraudulent “HR” or “support” emails make it into inboxes.
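The decision a receiving system makes in that paragraph can be written out in a few dozen lines. The Python below is an added example, not code from the article or from Sendmarc: it parses a constructed DMARC record, applies relaxed or strict alignment between the visible From domain and the domain that SPF or DKIM actually authenticated, and returns the disposition (`none`, `quarantine` or `reject`) for a message. The organizational-domain helper is a simplification (last two labels; real receivers use the Public Suffix List), and the record, domains and function names are assumptions made for this illustration.

```python
# Constructed sample DMARC record for this example (not from the article);
# in DNS it lives in a TXT record at _dmarc.example.com.
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                "adkim=r; aspf=r; pct=100")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification for this example: the last two
    labels. Real receivers consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record: dict, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str,
             sampled: bool = True) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    from_domain  domain in the visible From: header (what the recipient sees)
    spf_domain   envelope MAIL FROM domain that SPF was evaluated against
    dkim_domain  the d= tag of the DKIM signature that verified
    sampled      whether this message fell inside the pct= sample
    """
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    policy = record["p"]
    if not sampled:
        # Messages outside the pct sample get the next-weaker action (RFC 7489 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    record = parse_dmarc(DMARC_RECORD)
    # Legitimate HR mail: SPF passes for the bounce subdomain, relaxed alignment accepts it
    print(evaluate(record, "example.com", "pass", "bounce.example.com", "none", ""))
    # Spoofed "HR" mail: the sender's infrastructure only authenticates its own domain
    print(evaluate(record, "example.com", "pass", "attacker-mail.net", "pass", "attacker-mail.net"))
```

The second case is the one that protects PII: the spoofed message may pass SPF and DKIM for the domain the attacker controls, but neither result aligns with `example.com` in the From header, so with `p=reject` the receiver drops it before anyone is asked for an ID scan or bank details. The same message under `p=none` is still delivered and merely reported, which is why the monitoring stage is only a starting point.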

For PII protection, this matters. If attackers can’t convincingly impersonate your domain, it becomes much harder for them to:

  • Request identity documents from employees or customers
  • Collect bank and payment details through fake finance messages
  • Direct people to credential-harvesting pages that look like your login portal

How Sendmarc helps you protect PII by stopping domain abuse

Sendmarc helps businesses bridge the gap between theory and practice when it comes to email authentication and PII protection.

Sendmarc starts by giving you clear visibility into who’s sending emails on behalf of your domain. DMARC reports are collected and turned into simple, accurate views that separate legitimate senders – such as marketing platforms, CRMs, and ticketing systems – from unknown or unauthorized sources. This makes it easier to spot where impersonation or domain abuse may be coming from.

Sendmarc also helps you set up SPF and DKIM safely. Instead of trial and error in DNS, you get guided configuration, automated validation, and easier ongoing management. Misconfigurations that quietly cause messages to fail authentication are surfaced and resolved without guesswork.

With that foundation in place, Sendmarc supports a structured progression from monitoring to full protection. You begin with p=none to gather data, move to p=quarantine once your legitimate senders are properly authenticated, and eventually reach p=reject with confidence that your legitimate email will still be delivered. That final step is where spoofed messages are blocked outright, which directly reduces PII-harvesting phishing attempts.

Because email environments change constantly, Sendmarc also monitors for new or unusual activity. You are alerted when new services start sending from your domain or when DNS changes are made. This ongoing monitoring helps your defense keep pace with your updates.

All of this supports your broader privacy and compliance objectives. Regulators expect organizations to take reasonable technical measures to protect personal data. Reducing the risk of email impersonation and domain abuse is an essential part of meeting that expectation.

Book a demo to see how Sendmarc helps you stop spoofed emails that harvest PII — and safeguard your customers, employees, and brand.