Cyber security best practices for managing email (ITSAP.60.002)

Whether you lead a small or medium business or are an employee, email configuration is a key component to ensuring that your organization is protected against various cyber threats. This publication aims to outline the basics of email configuration and to provide a broad understanding of the importance of safe email practices for your organization.

Reputable email service providers offer a range of security features, including automatic configuration with essential safety tools, activation options during setup and mitigation of common risks.

Keeping a corporate email inbox as clean and tidy as possible is important to avoid phishing and hacking. This means only conducting work-related correspondence on your organization’s domain and, when possible, using separate devices to keep your work and personal email accounts apart. Consider the following when setting up your organization’s email.

Threats to email applications

Threat actors do not discriminate between large or small businesses – they target organizations of all sizes. Threat actors may leverage misconfigurations or gaps in cyber security protocols to advance their goals. They often target email systems with the aim of gaining unauthorized access, stealing sensitive information, or disrupting communication channels. The most common types of threats are outlined below.

Impersonation threats

This is when an unauthorized entity gains access to an organization’s email system or spoofs their email to carry out attacks against clients, vendors, and staff. Impersonation can involve creating email addresses similar to the legitimate source, with the intention of deceiving recipients.

Threat actors can also configure an email server’s display names to establish trust with targets and request sensitive information. This is also called email spoofing and is a type of phishing attack. Your organization may receive spoofed emails from unauthorized users, so it is important to verify the address and content before clicking on any embedded links.

Confidentiality threats

This involves unauthorized access, interception or manipulation of emails containing sensitive information. Along with using impersonation to acquire information through deception, threat actors can intercept email in transit, alter the contents of emails or use specialized software to copy sensitive emails to unauthorized domains. The consequences of such threats can range from financial losses to damage to an organization’s reputation.

Integrity threats

This can occur when a threat actor does any of the following:

  • bypasses an intrusion detection system
  • changes file configurations to allow unauthorized access
  • alters system logs
  • injects malware into the system

The result could be that your data is no longer consistent, accurate or trustworthy, or that the completeness and reliability of your systems are compromised.

Availability threats

This occurs when a threat actor deliberately disrupts an organization’s domain, rendering it unavailable or unusable. This often involves overwhelming the email system infrastructure and is commonly referred to as a denial-of-service attack (DoS).

DoS can be mitigated by outsourcing your email to secure servers, particularly those of reputable providers, as they are less susceptible to attacks. On-premises email servers without the proper security configuration are more susceptible to vulnerabilities. Using a reverse-proxy as an intermediary can improve performance, resilience, and protection against DoS attacks.

Other availability attacks include:

  • domain name system (DNS) attacks which try to disrupt the DNS server to either redirect traffic or gain access
  • expired domain takeover in which a threat actor hijacks an organization’s redundant domains to carry out a variety of attacks

Pixel tracking

Any email containing a logo or an image may include a 1x1 pixel with embedded code that can track the location and behaviour of the recipient. A unique URL is created for each user that logs and reports every time the message is opened or downloaded. To mitigate this, configure your inbox to not load external images. Although this makes the inbox less pleasing to the eye, it is safer. To ensure that you are not contributing to the problem, avoid using pixel tracking in your own email correspondence with clients.

Tracking pixels may be able to collect the following information depending on how they are configured:

  • when the email was opened
  • whether any links in the email were clicked (if links are controlled by sender)
  • the recipient’s IP address
  • the recipient’s email client and device type
  • the recipient’s approximate location, which can be used for subsequent attacks

Email best practices to support security and privacy

The following are best practices and policies to implement in the workplace to complement email configuration controls.

Multi-factor authentication

Ensure employee and admin accounts have multi-factor authentication (MFA) activated. For more information, consult our steps for effectively deploying multi-factor authentication.

When possible, use phishing-resistant MFA, which mitigates risks such as push notification bombing. This is when a threat actor pushes multiple notifications to a device to overwhelm the user and force them to interact with a specific product, service, or website. Learn more about implementing phishing-resistant MFA from the Cybersecurity and Infrastructure Security Agency (CISA).

Account set up and authentication

Always change the default password and username on a new device. Ensure that users create and maintain strong passwords for their email accounts to prevent unauthorized access. Learn more about best practices for passphrases and passwords.

Domain name protection

Create a distinct domain for actions such as sending promotions and newsletters to a distribution list. This practice helps prevent important communications from being flagged as spam associated with the organization’s primary email domain.

Updates

Regularly check and install system updates to preserve security and activate auto-updating when possible. Keep email software and security applications up to date to address vulnerabilities and ensure the latest security features are in place. Learn how updates secure your device.

Virtual private network

Use a virtual private network (VPN). It acts as a tunnel that you can use to send and receive secure data on an existing physical network. A VPN can encrypt email traffic, including the IP address.

Encryption

Encrypt email content by applying 2 protocols: Transport Layer Security (TLS) and end-to-end encryption.

TLS is a protocol that encrypts messages between servers so that they do not get compromised in transit. TLS is a core email configuration used to ensure the privacy and integrity of an organization’s correspondence. However, while TLS can secure the initial transfer from the email client to the first server, there is no guarantee that subsequent transfers will employ TLS encryption.
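The hop-by-hop limitation described above can be checked on a message you have received: each mail server prepends a Received header, and the keyword it records (ESMTPS or ESMTPSA for a STARTTLS session, plain ESMTP otherwise) tells you whether that hop was encrypted. The script below is an added example, not part of ITSAP.60.002; the message and host names are constructed, and it assumes the servers follow the Received header conventions of RFC 3848 (Postfix-style "(using TLSv1.3 ...)" comments are also recognized).

```python
"""Report, hop by hop, whether a received message travelled over TLS.

Added example, not part of ITSAP.60.002. The message below is constructed;
the check relies on the ESMTPS/ESMTPSA keywords of RFC 3848 and on the
"(using TLS...)" comment some MTAs add to Received headers.
"""
import re
from email import message_from_string

# "with ESMTPS" / "with ESMTPSA" mark a STARTTLS session; "with ESMTP" does not.
_TLS_WITH = re.compile(r"\bwith\s+(ESMTPSA?|UTF8SMTPSA?|LMTPS)\b", re.IGNORECASE)
# Some MTAs record the TLS version in a comment instead.
_TLS_PAREN = re.compile(r"\(using\s+(TLS|SSL)v?[\d._]*", re.IGNORECASE)
_BY_SERVER = re.compile(r"\bby\s+(\S+)")


def hop_tls_report(raw_message):
    """Return [(receiving_server, encrypted), ...], oldest hop first."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    report = []
    # Received headers are prepended, so the last one is the hop nearest the sender.
    for received in reversed(hops):
        text = " ".join(received.split())  # unfold the header
        match = _BY_SERVER.search(text)
        server = match.group(1) if match else "?"
        encrypted = bool(_TLS_WITH.search(text) or _TLS_PAREN.search(text))
        report.append((server, encrypted))
    return report


def all_hops_encrypted(raw_message):
    """True only if every recorded hop used TLS (and there is at least one)."""
    report = hop_tls_report(raw_message)
    return bool(report) and all(encrypted for _, encrypted in report)


# Constructed message: the client's submission and the first relay used TLS,
# the final delivery to the recipient's server did not.
SAMPLE_MESSAGE = """\
Received: from relay.partner.example (relay.partner.example [192.0.2.10])
        by mx.example.com with ESMTP id abc123
        for <alice@example.com>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.partner.example (mail.partner.example [198.51.100.5])
        by relay.partner.example with ESMTPS id def456
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:01 +0000
Received: from client.partner.example ([192.0.2.7])
        by mail.partner.example with ESMTPSA id ghi789;
        Mon, 1 Jan 2024 10:00:00 +0000
From: bob@partner.example
To: alice@example.com
Subject: constructed sample

Hello Alice.
"""

if __name__ == "__main__":
    for server, encrypted in hop_tls_report(SAMPLE_MESSAGE):
        print(f"{server:28} {'TLS' if encrypted else 'PLAINTEXT'}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

On the constructed message the first two hops are marked TLS and the last is plaintext, which is precisely the case the paragraph warns about: the sender's client did everything right, and the message still crossed one link in the clear. Received headers are written by the servers themselves, so this is a diagnostic, not a guarantee; only end-to-end encryption removes the dependence on every intermediate server.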

End-to-end encryption is implemented between 2 users and ensures that the email is encrypted at the server level as well. It is encrypted at one end (by the sender) and decrypted only at the other end (by the recipient). For example, users need to obtain and install a digital certificate, which allows them to send and receive encrypted emails. Both the sender and the recipient must have Secure/Multipurpose Internet Mail Extensions (S/MIME) configured. This will need to be set up by your organization.

Software

Install preventative security tools such as anti-virus and anti-malware software on corporate devices. These types of software can defend devices against viruses, Trojans, worms, spyware, and other malware.

Strong passwords

Ensure that users create and maintain strong passwords for their email accounts to prevent unauthorized access. Multi-factor authentication should be implemented wherever possible.

Security awareness training

Provide regular and updated training to all personnel. Awareness is the first step to combatting cyber threats. Consult our top 10 IT security actions related to providing tailored cyber security training for more information.

Vendor security settings

If using a third-party email service provider, review and configure security settings offered by the vendor to align with your organization’s security requirements.

Email settings

Configure email settings to filter out spam.

Quarantine policy

Set up a quarantine policy for your organization. This includes what users are allowed to do with their quarantined messages, as well as periodic reports.

Clean email habits

Encourage clean email habits, like regularly emptying junk folders and creating categories and folders to easily navigate the inbox and reduce lost or missent messages. You can set up inbox rules to regularly empty junk.

Domain name system

Check your DNS records to ensure that email can be sent and received properly from your domain.
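The script below is an added example, not part of ITSAP.60.002. It audits the DNS records that decide whether mail for a domain can be delivered (the MX record) and whether other servers can send mail as that domain (the SPF record at the domain and the DMARC record at _dmarc.<domain>). It works on record values you supply, for instance copied from the output of dig, so it runs offline; the records in WEAK and STRONG are constructed, and the findings wording is this example's own.

```python
"""Audit the DNS records that govern a domain's mail delivery and spoofing
protection: MX, SPF and DMARC.

Added example, not part of ITSAP.60.002. Record values are passed in rather
than resolved, so this runs offline; WEAK and STRONG below are constructed.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10


def parse_spf(txt):
    """Split an SPF record into its terms; None if the TXT record is not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value; None if not DMARC."""
    if not txt.upper().startswith("V=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _term_name(term):
    """'include:_spf.x', '-a/24', 'redirect=y' -> 'include', 'a', 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_email_dns(domain, mx, txt, dmarc_txt):
    """Return a list of findings for the domain; an empty list means nothing to fix.

    mx        - MX record values for the domain
    txt       - TXT record values at the domain apex
    dmarc_txt - TXT record values at _dmarc.<domain>
    """
    findings = []
    if not mx:
        findings.append(f"{domain}: no MX record, inbound mail cannot be delivered")

    spf_records = [t for t in (parse_spf(r) for r in txt) if t is not None]
    if not spf_records:
        findings.append(f"{domain}: no SPF record, any server may send mail as this domain")
    elif len(spf_records) > 1:
        findings.append(f"{domain}: multiple SPF records, receivers treat this as a permanent error")
    else:
        terms = spf_records[0]
        terminal = terms[-1].lower() if terms else ""
        if terminal not in ("-all", "~all"):
            findings.append(
                f"{domain}: SPF ends with '{terminal or '(nothing)'}' instead of -all or ~all, "
                "so unlisted senders are not rejected"
            )
        lookups = sum(1 for t in terms if _term_name(t) in _LOOKUP_TERMS)
        if lookups > MAX_SPF_LOOKUPS:
            findings.append(f"{domain}: SPF needs {lookups} DNS lookups (limit {MAX_SPF_LOOKUPS}), evaluation fails")

    policies = [d for d in (parse_dmarc(r) for r in dmarc_txt) if d is not None]
    if not policies:
        findings.append(f"_dmarc.{domain}: no DMARC record, spoofed mail is neither blocked nor reported")
    else:
        policy = policies[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"_dmarc.{domain}: policy p={policy or 'missing'} only monitors, it does not block spoofed mail")
        if "rua" not in policies[0]:
            findings.append(f"_dmarc.{domain}: no rua= address, aggregate reports will not reach you")
    return findings


# Constructed records; a real audit takes them from the resolver or from dig output.
WEAK = dict(
    domain="example.com",
    mx=["10 mail.example.com."],
    txt=["v=spf1 include:_spf.mailhost.example a mx ?all", "verification=constructed-token"],
    dmarc_txt=["v=DMARC1; p=none"],
)
STRONG = dict(
    domain="example.com",
    mx=["10 mail.example.com."],
    txt=["v=spf1 include:_spf.mailhost.example mx -all"],
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
)

if __name__ == "__main__":
    for label, records in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(label, audit_email_dns(**records) or ["no findings"])
```

The WEAK set is typical of a domain that was set up to make mail flow and never revisited: SPF ends in ?all (neutral), so it names senders without rejecting anyone else, and DMARC is p=none with no reporting address. The STRONG set is what the impersonation and domain protection sections of this publication are aiming at. The same checks apply to the separate promotions domain recommended above; a redundant or expired domain with no such records is exactly what the expired domain takeover attack exploits.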

What to do if your email has been compromised

You may receive direct communication from vendors or clients notifying you of unusual email activity or you may notice slow or unusual device behaviour. These can all be signs that your devices and networks have been infected with malware and your email has been compromised.

Your organization should follow these steps after a suspected email compromise or information breach:

  1. Contact your IT personnel or IT help desk for direction on initial steps to take. This will likely include:
    • changing all passwords associated with the account(s)
    • reaching out to email contacts to inform people of the incident and the effect it may have on further correspondence
    • scanning your device for malware
    • considering stronger identification and authentication methods going forward
  2. Contact the corporate email platform. If your organization’s email was compromised, then it is likely that others within the same server are also compromised
  3. If you suspect money and/or financial information has been transferred, contact the financial institution and the corporate email platform immediately
  4. Report the incident to the Canadian Anti-Fraud Centre

For more information on business email scams and how to recognize them, consult the Royal Canadian Mounted Police’s publication on business email compromise.
