if you’re like most companies, it’s your main channel of communication with customers. here are some email server security best practices you can use right away to help create a secure email server for your organization
Imagine you’re preparing for an approaching hurricane (Floridians know this well). install straps to help make your roof more secure. carries all of your garden equipment, furniture, and other outside items into your garage or shed. you cover your windows and doors and buy plenty of food and water in case you’re stranded without power. But if you choose to leave the outside doors of your house open as the storm approaches, you can say goodbye to your house and everything in it. Similarly, this is what happens when companies don’t bother to implement a secure email server.
Radicati estimates that the total number of business and consumer emails sent and received per day will exceed 376 billion by the end of 2025. If you send email but don’t have a secure email server, it means that the data transmitted through them is at risk of compromise. (Data is the lifeblood of your business – you can’t risk your sensitive information falling into the wrong hands.)
but what does it mean to have a secure email server? Let’s discuss the 10 best email server security practices and remind you why you need to implement these measures to protect your business and your customers.
let’s figure it out.
what is a secure email server?
Just like the word secure, having a secure email server means you’re protecting your email domain and data from unauthorized use. this means:
- protect your email both in transit and in your employees’ inboxes
- prevent unauthorized users from sending email using your organization’s domain
- configure email filters and virus protection on your servers
- protect the network(s) that your employees and other authorized users use to access these email services
- ensuring your email servers are physically inaccessible to unauthorized third parties (if you run your own email server)
- understand what steps your business email service provider (amazon workmail , google workspace, rackspace, microsoft exchange, etc.) to protect the servers that will host your organization’s email-related data
But how can you achieve these results? Let’s dig into what you came to learn…
10 Email Server Security Best Practices You Implement Now
The following list of email server security best practices is not a comprehensive or complete guide. however, this list gives you a great starting point to help make your email server more secure.
1. change all default settings, usernames and passwords for your email server
A big mistake organizations make is not taking the time to change the configuration and default settings of their servers. This may be because they are in a hurry, or perhaps they don’t realize how risky it is to use the default settings. Regardless of the reason, be sure to go one step further and change this setting.
This also includes changing the default login information. account and password security are paramount in cybersecurity as a whole. if you use a default username and weak password combination to secure anything, it’s the equivalent of having the option to use a double deadbolt lock on your front door but opting to use a flimsy chain lock instead. Sure, it provides minimal security, but an attacker just needs to use a bit of “brute force” (get it?) to break in and gain access to your home.
Using the default credentials (username and password) that comes with your server or software is like this. it is not secure and leaves your email server and data at risk of theft and other compromises.
2. configure mail transfer agent strict transport security (mta-sts)
a mail transfer agent with strict transport security is a verification control of incoming emails. according to google, “smtp connections for email are more secure when the sending server supports mta-sts and the receiving server has a mandatory mode mta-sts policy.”
uh, sure. great. but what does this mean? Basically, this means in layman’s terms that if you have mts-sts enabled on your organization’s email server, it will only allow emails to be received over secure, authenticated connections (using tls 1.2 or 1.3).
This helps protect your recipients from receiving unauthenticated messages sent over unsecured connections (that is, connections where someone could insert malware or modify data in transit, or what’s known as an attack). man-in-the-middle [mitm]).
If the sender’s digital identity cannot be authenticated or did not have ssl/tls enabled, the message is rejected.
3. Select Secure Email Protocols to Protect Your Communications in Transit
Establishing a secure mta is only part of the equation; You should also take a few extra steps to help make your server, and incoming and outgoing communications to/from it, more secure.
install an ssl/tls certificate on your server to enable https
did you know that ssl/tls also applies to email? that’s right, you can use ssl/tls security to secure the communication channel of your messages. this allows you to encrypt the communications that occur between your email server and other email servers with which you communicate. this way, no one can intercept communications in transit.
Every time one of your employees sends or receives an email from someone, a connection to that person’s email server is created. if that connection is not secure, it means that anyone with the technical knowledge can intercept that message in transit and steal or modify the data without the original two parties knowing what happened.
Of course, if you’re using an email signing certificate to encrypt your email data directly (more on that later), then this serves as an additional layer of security for your communications.
use secure ports for your incoming and outgoing email services
traditionally, imap or pop3 are protocols used for incoming email (ie messages that email clients take from your mail server). smtp, on the other hand, is used for outgoing emails. make sure to configure your services below on the following secure tcp/ip ports for incoming and outgoing messages:
- outgoing: secure port 465 or 587 (with starttls enabled) for smtps
- incoming— with ssl/tls enabled, you you can use one of the following ports:
- port 993 for imap (with ssl enabled)
- port 995 for pop3 (with ssl enabled)
4. adopt dmarc to help prevent brand domain spoofing
Cybercriminals love to play dress-up with company brands and cash in on their reputation. It’s not uncommon for bad guys to impersonate organizations as a way to carry out phishing scams. Check Point reports that the most impersonated brand in Q1 2022 was LinkedIn, which was involved in more than half (52%) of all phishing attacks they analyzed globally. in Q4 2021, check point said dhl held that title, and prior to that, microsoft was the reigning champion of the title no company wants.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email protocol that helps protect your domain from inauthentic use by unauthorized persons. The Internet Engineering Task Force (IETF) introduced it as a way to help organizations protect their domains from these fraudulent uses. dmarc relies on two other authentication protocols to ensure that only authorized users send email on behalf of your domain:
- Sender Policy Framework (spf): An spf text is a record that you attach to your domain name system (dns). this helps validate messages sent by your domain.
- domain key identified mail (dkim): this protocol attaches your digital signature to the message of outgoing email headers this allows you to use public key cryptography to help prove the authenticity and integrity of emails coming from your domain.
but how popular is dmarc? mimecast reports in its 2022 State of Email Security report that nearly nine out of 10 businesses (89%) are using dmarc or plan to do so in the next 12 months. this is according to their global survey of 1,400 IT and cybersecurity professionals from 12 countries.
Of course, you can take dmarc one step further and take your organization’s digital identity to the next level. You can do this by integrating Mark Indicators for Message Identification (BIMI) and Verified Mark Certificates (VMCs) into your organization’s email digital identity. Doing this will allow you to embed your organization’s verified logo on all outgoing emails from legitimate senders in your organization.
5. keep your server software and firmware current with patches and updates
running an outdated or unpatched version of your server software is a sure recipe for disaster. Patches are a way for publishers or developers to fix bugs and other issues that leave their email servers vulnerable. If you don’t apply those patches in a timely manner, you risk cybercriminals exploiting these vulnerabilities to gain access to your email and data servers.
One thing you’ll need to choose is how you want to deploy the updates. do you want to handle them manually? Do you want to explore the option of automation? Each approach has its pros and cons, but the point is that you want to make sure that updates and patches don’t get left up in the air and you don’t find yourself facing another eternal blue situation.
(quick explanation: eternal blue was a vulnerability in legacy windows systems that microsoft issued a patch for, but organizations failed to deploy in a timely manner. the end result was hundreds of thousands of devices around the world being infected by ransomware in an attack that affected hundreds of millions of people [if not more].)
6. use email server firewalls to monitor incoming & outbound traffic
OK, we’re more than halfway through our list of secure email server best practices. Just like how network firewalls work, email server firewalls filter incoming and outgoing traffic based on the rules of your email server. what this does is help you monitor incoming and outgoing communications on your domain for suspicious activity.
An illustration of how an email server firewall helps to block suspicious traffic. Of course, we can’t give you any specific directions about setting up rules on your email server since every system is different. So, you’ll need to refer to your specific firewall manufacturer’s site for specifics on how to accomplish this goal.
set speed limits and size restrictions on outgoing traffic
While it’s important to monitor your traffic, you’ll also want to make sure you’re restricting both the number of emails that can originate from your domain and their size. a spike in outgoing messages could indicate that one or more of your authorized accounts may have been compromised and are being used to send spam or phishing messages. Setting rate limits can help protect your domain’s reputation.
7. be selective about who (or what) you give access to your mail server
We’ve said it before and we’ll keep saying that not everyone needs access to everything. This is true of everything from customer and employee database information to privileged access to your email servers. this is where access management best practices come into play.
You can set up employee profiles so that users have only the minimum level of access they need to do their jobs. If someone needs access to a sensitive system for a project, give them permission for the amount of time needed to complete it. be sure to remove those privileges once access is no longer needed (for example, when they complete the project).
Also, make sure you have a procedure in place to ensure access to accounts is revoked when employees leave your organization. Attackers or even disgruntled ex-employees love to use old logins to snoop into systems they should no longer have access to. you can prevent this from happening by deactivating your accounts immediately.
8. use secure ssh authentication without password as administrator to manage your server
As an administrator, you likely use secure shell (ssh) to manage the various servers in your organization. traditionally, this requires the use of a username and password combination for authentication. but there’s a better (and more secure) way to do this than relying on potentially weak login credentials: you can use public/private key pairs instead.
This authentication method involves the use of cryptographic keys to prove your digital identity as a legitimate authorized user. one of which is public and the other that your device keeps private that proves it’s you. this process allows you to easily and securely authenticate without having to remember a cumbersome password.
We’ve talked extensively about the importance of ssh key management best practices before. To quickly recap, ssh key management is all about securing your cryptographic keys as part of your ssh access management strategy and security practices. (Be sure to check out the article linked at the beginning of this paragraph for more detailed information.)
9. teach users how to keep their accounts secure
protecting account credentials is not optional; it is the responsibility of each individual employee and user of the network. why? because compromising user accounts is the easiest way for hackers to compromise your server. Part of this approach to strengthening your organization’s cyber defenses involves educating and training users on cybersecurity best practices.
Some of the aspects that effective cyber awareness trainings should cover include:
- how to recognize and avoid social engineering and common phishing threats (use real-world examples for this)
- what they should do when they receive suspicious emails or calls (provide specific guidance and contacts)
- how to create strong passwords (which you will need to apply)
- how to use single sign-on (sso) and password management tools
- by what shouldn’t install shadow it (unauthorized and potentially malicious software)
10. require your authorized users to digitally sign and/or encrypt their emails
To help prevent your employees, especially administrators and other privileged users, from falling for credential phishing scams, require everyone to digitally sign their emails. By adding a cryptographic digital signature (that is, a signature verified by a public CA) to your email, you are doing two important things:
- provide the recipient of the email with the assurance that the sender is legitimate, and
- ensure that the integrity of the message has not been compromised since it was signed.
You can also use these certificates to encrypt emails containing sensitive data for an added measure. this process requires that both parties (sender and recipient) have email signing certificates and that the sender of the email uses the public key of the recipient. then you use their public key to encrypt the email before pressing send and they use their corresponding private key to decrypt the message on their end.
If this sounds complicated, don’t worry: all you have to do is ask the recipient to send you a digitally signed email first. this way you have a copy of your public key readily available. it’s that easy.
final thoughts on why having a secure email server is a must for every organization
Frankly, there are many reasons why implementing these email server security best practices is crucial for businesses and other organizations globally. the main reason is that it is the correct and responsible thing to do. Your customers, users, and other stakeholders trust you to protect their data.
Second, it helps protect your interest by keeping your data safe from prying eyes. Cyber criminals or even your competitors would love to get their hands on the digital items you have stored on your email server.
here are some other quick reasons why having a secure email server is essential for your organization:
- keeps your data secure from unauthorized access
- prevents data leaks and compromises
- prevents brand and reputational damage that will result from security issues
- ensures compliance with security and data privacy regulations (gdpr, ccpa, pci dss, etc.)
- mitigates the risk of having to face the direct and indirect costs of having a insecure email server (think data breach mitigation, lawsuits, non-compliance penalties, etc.)
- #best practices
- #email security
- #secure email server