Email Security 101

It doesn’t take an expert in cybersecurity to turn an email account into an impenetrable fortress. In fact, anyone can do it with a basic understanding of common email threats and techniques for stopping them in their tracks. This article will feature all of the information you need to strengthen the security of your mailbox.

1. Self-management

Using an email service offered by an unaffiliated company is an easy solution, but not necessarily one that gives you a lot of flexibility in setting up security mechanisms. On the other hand, a private email server is highly customizable and you can manage many more aspects of it, including access to logs, server rules and structure, and pathways for email delivery.

2. Encryption

The three standard protocols for sending/receiving mail are SMTP, POP3, and IMAP, but they do not have any encryption built in by default. Consequently, if you want the contents of your messages to be protected from unauthorized reading or modification, encryption is essential. The three most common email encryption standards today are:

– TLS: provides authentication with the help of SSL certificates

– S/MIME: relies on a hierarchical certificate issued by a certificate authority

– PGP: provides accessible encryption with a public/private key pair

3. Authentication policy

There is not much that can be done about a breach once a hacker gains access to a mailbox, so making authentication impossible for them is of utmost importance. If you are the administrator of an email server or account, you can set strict authentication requirements like a strong password and MFA.

The password should really be a passphrase (word combination/fragmented text), as a single word can be easily guessed through a dictionary attack. Further strengthening factors include greater length, use of uppercase/lowercase letters, numbers and special symbols, and unpredictable substitutions of some symbols for others.

MFA stands for multi-factor authentication, and means that a username and password alone are not sufficient for login. You also need to complete one, two, or more security challenges, such as entering a login code sent to a mobile device, a biometric scan, or voice analysis.

4. Spam filter

Most email services have a decent spam filter built in, but you can also customize the rules to designate which messages pass the test and have the privilege of making it into your mailbox.

Common filter triggers include:

  • Excessive volume of images in message
  • Message subject is fully uppercase
  • Message contains only plaintext/HTML, but not both
  • Text starts with “Dear..”

While the last trigger may be common in personal emails, it is important to understand that these factors are not necessarily disqualifying. Most filters will give a message points based on these factors, and if the total passes a certain cumulative limit, then the message goes to spam.
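The point-based scoring described above can be sketched in Python as follows. This is an added example, not the filter of any particular mail product; the weights, threshold and image limit are assumptions chosen for illustration, and both sample messages are constructed.

```python
import re
from email import message_from_string

# Weights, threshold and image limit are assumptions chosen for illustration.
WEIGHTS = {"many_images": 2.0, "upper_subject": 1.5,
           "single_format": 1.0, "dear_opening": 0.5}
THRESHOLD = 3.0
MAX_IMAGES = 3

# Constructed sample messages (not real mail).
PERSONAL = ("From: alice@example.com\nSubject: Lunch on Friday?\n"
            "Content-Type: text/plain\n\nDear Sam,\nAre we still on for lunch?\n")
BULK = ("From: promo@example.net\nSubject: WIN A FREE PRIZE NOW\n"
        "Content-Type: text/html\n\n<html><body><p>Dear customer,</p>"
        + '<img src="cid:banner">' * 5 + "</body></html>\n")

def body_parts(msg):
    """Collect the decoded text/plain and text/html bodies by content type."""
    parts = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts[ctype] = parts.get(ctype, "") + payload.decode(charset, "replace")
    return parts

def score(raw):
    """Return (total points, names of triggers hit, goes-to-spam verdict)."""
    msg = message_from_string(raw)
    parts = body_parts(msg)
    plain, html = parts.get("text/plain", ""), parts.get("text/html", "")
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    # Fall back to the HTML body with tags stripped when there is no plaintext.
    text = plain or re.sub(r"<[^>]+>", " ", html)
    hits = {
        "many_images": len(re.findall(r"<img\b", html, re.I)) > MAX_IMAGES,
        "upper_subject": bool(letters) and all(c.isupper() for c in letters),
        "single_format": bool(plain) != bool(html),  # one format, not both
        "dear_opening": text.lstrip().lower().startswith("dear"),
    }
    total = sum(WEIGHTS[name] for name, hit in hits.items() if hit)
    return total, sorted(n for n, hit in hits.items() if hit), total >= THRESHOLD

if __name__ == "__main__":
    for label, raw in (("personal", PERSONAL), ("bulk", BULK)):
        print(label, score(raw))
```

The personal message trips two triggers but stays under the limit, while the bulk message trips all four and is sent to spam.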

5. Anti-malware

If you are using a public service for email, it will usually include a free or partially free anti-malware scanner that analyzes files and links. However, if you are managing your own server, you can integrate anti-malware software of your choice to scan inbound and outbound messages.