Email Security Best Practices

55% of all email is spam. 76% of organizations fall prey to phishing. How will your organization avoid becoming the next statistic?

Email-based attacks are among the most prevalent cybersecurity risks faced by organizations of all types. Emails are used to deliver malware, steal passwords, initiate ransomware attacks, trick users into authorizing payments, and implement a variety of other nefarious schemes.

Protect Your Organization By Following These Email Security Best Practices

You can fight back against hackers and scammers by implementing a strong defense.

Start With A Great Email Spam Filter

One of the most important components in your email security plan is a proven email spam filter. A good filter can block 90%+ of malicious emails before they’re even delivered.

Enforce Password Standards

One simple way organizations fall prey to hackers is through hacked email addresses. If one of your employees sets their password as 12345, it’s trivially easy for a hacker to gain access to their email address. From there, they can cause all sorts of mayhem – from scamming other employees to attacking your website to gaining access to banking or other online accounts. Ensure that email passwords are chosen based of password best practices:

  • Minimum of 12 characters – longer is better
  • Mix of letters, cases, numbers, and characters
  • Avoid commonly used passwords
  • Avoid passwords compromised in other data breaches
  • Don’t re-use the same password for other accounts

Implement SPF & DKIM

Believe it or not, a semi-technical attacker can send an email that looks like it came from any email address they want. For example, I could send you an email that appears to have been sent by “[email protected]”.

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two different technical defenses against spoofed emails like that. SPF & DKIM records let specify who is allowed to send emails from If my email server isn’t on the list (hint: it’s not!) your email server would be able to identify my email as spoofed and reject it.

Get Visibility With DMARC

Domain Message Authentication Reporting & Conformance (DMARC) is a system that let’s email server admins see what servers are sending out emails from their domains. In other words, you can use DMARC to see if scammers are sending emails that look like they’re coming from your domain.

Train Employees In Email Security

When it comes to email security, people are the weakest link. Most email attacks are designed to trick the user into opening a file, taking an action, or clicking a link that is unsafe. So one of the best practices to increase email security is to provide regular training to your employees on topics such as:

  • How to determine the true sender of an email
  • Red flags to watch out for
  • When it’s OK to open an attachment
  • And more…

Email Signing Certificates

Email signing certificates are a great way to help users identify the true sender of an email. An email certificate offers several email security benefits:

  • Shows a verified symbol in the recipient’s inbox
  • Allows the recipient to verify the person who sent it
  • Optionally encrypts email contents to protect passwords and other data from interception
  • Helps fight CEO fraud, spearphishing, and other targeted email attacks