Some of the biggest scandals around celebrities, politicians, and corporations of the past decade have revolved around leaked emails and correspondence. Clearly, email is one form of communication whose security should not be taken lightly, as the implications of incidents can be disastrous both for individuals and organizations. If you’re looking for a set of good practices that ensure the safety of your emails, look no further.
1. Use encryption by default
Imagine if the text of every email you sent was written on a poster and carried through a busy street to its destination. Not very secure, is it? Sending emails with no encryption is very similar to this situation, because attackers can intercept and read plaintext emails with relative ease.
If you’ve already set up an email service, it is worth checking which encryption (if any) is in use, and if the results are disappointing, taking swift remedial action. Many popular mail providers offer encryption in transit, but the strongest option is end-to-end encryption, which keeps message contents unreadable to anyone but the recipient, including while the data is at rest.
2. Set up a strong password
Most email addresses can be discovered one way or another, so your password serves as the real key to the kingdom and deserves proper care. For one thing, it must be unique and not commonplace (such as letters in alphabetical order, your year of birth, etc.), and never reused for other accounts and services. If you reuse a password and one of those accounts is leaked, your mailbox is easily put at risk.
Another priority should be increasing complexity, through greater length, substitution of letters, special symbols, and mixed-case characters. If you also manage the email service on the server side, store passwords as salted hashes, so that attackers cannot simply read the passwords even if they obtain the stored credentials.
3. MFA
MFA stands for multi-factor authentication: an account setting that requires one or more additional proofs of identity at login. Your login details are something you know; additional factors are other things that point to your identity or control. For example, something you are could be a fingerprint or retinal scan, while something you have might be a physical piece of hardware, such as a USB security key.
By far the most popular form of MFA today is codes delivered via SMS or an authenticator app. In the former case, your identity is matched with a specific phone number, while authenticator apps typically match with one registered device, like a smartphone or tablet.
4. Anti-spoofing protection
Spoofing poses a danger to your email service in two possible ways: 1) you receive a spoofed email, treat it as legitimate, and act on it; 2) someone spoofs your email address, damaging its reputation and potentially creating problems for people associated with you.
You can tackle spoofing by publishing DKIM and DMARC records in the DNS zone of the domain associated with your email address. They typically supplement an existing SPF record, which lists the servers allowed to send mail for the domain and forms a core part of spam filtering. If you have no access to the DNS records, you can still set up custom filtering rules and enable whatever anti-spoofing measures your provider offers.
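As an added example (not part of the original article), here is a small Python audit of a domain's SPF and DMARC TXT records that flags the common weak settings: a missing record, an SPF `+all`/`?all` that lets anyone send, a DMARC policy of `none`, and no aggregate-report address. The DNS answers are constructed samples for the made-up domains `good.example` and `weak.example`; DKIM is not checked because its records live under per-selector names that a simple lookup cannot enumerate.

```python
import re

# Constructed sample DNS TXT answers (not real domains); in practice you
# would fetch these with a resolver such as dnspython's dns.resolver.
SAMPLE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 ip4:198.51.100.7 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_spf(record):
    """Split an SPF TXT record into its terms and return the 'all' qualifier."""
    terms = record.split()[1:]                      # drop the 'v=spf1' version tag
    qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            qualifier = m.group(1) or "+"           # bare 'all' means '+all'
    return terms, qualifier

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_domain(domain, txt_lookup):
    """Return a list of weaknesses found in a domain's SPF and DMARC records."""
    findings = []
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        _, qualifier = parse_spf(spf[0])
        if qualifier in (None, "+", "?"):           # permissive or missing 'all'
            findings.append(f"SPF does not restrict senders (all qualifier: {qualifier!r})")
    dmarc = [r for r in txt_lookup.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC policy is 'none': spoofed mail is only reported, not rejected")
        if "rua" not in tags:
            findings.append("no DMARC aggregate-report address (rua), so spoofing goes unnoticed")
    return findings
```

Running `audit_domain("weak.example", SAMPLE_TXT)` returns three findings, while `good.example` returns none.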