Email Security

Email security is a critical component in IT. With the ever-increasing volume of spoofing, phishing, and spamming emails hitting people’s mailboxes is very important to set clear policies and procedures on how to mitigate and deal with these security vulnerabilities. On this section, I will outline some email security policies you can implement on your email system to mitigate email threats.

Spam filtering software

The first line of defense in an email system is the spam filter. Spam filters scan incoming and outgoing emails for possible threats. Email spam filters are installed at the server level, but most desktop security suites also include email security components. Popular server and desktop email security suites are Symantec Endpoint Protection, Barracuda Security Gateway, Google

 Apps inbound mail gateway. Most spam

filtering software is cloud-based nowadays, and some of them employ a sort of machine learning algorithm to combat threats.

SPF record

SPF stands for Sender Policy Framework and it should be one of the first things you implement when designing a secure mail system. SPF is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving email servers to check that incoming mail from a domain comes from a server authorized by that domain’s administrators. SPF is implemented at the DNS level as a txt record. To create a SPF record, you will need the IP address or addresses of your mail server, and access to your DNS management console. Use an online tool like this http://www.spfwizard.net/ to create a valid SPF record. Your record should look like this “v=spf1 mx a ip4:10.10.10.10 -all”

DKIM record

DKIM stands for DomainKeys Identified Mail and is a cryptographic way of validating the authenticity of an email. DKIM employs a private and public key to make sure the original message is not altered in any way during transmission. DKIM is also a DNS TXT string based record, but creating the record is a little bit more involved than creating an SPF record. Most cloud-based spam filters provide DKIM support, and if you are using a connector with your internal mail server it should be a matter of just turning it on and set up the DNS record. If you are using an in-house mail server like Microsoft exchange, then creating the DKIM records is a little bit more difficult.Take a look at this tool to create the record https://github.com/Pro/dkim-exchange

DMARC record

DMARC stands for Domain-based Message Authentication Reporting and Conformance. DMARC needs an SPF and DKIM record in order to work. DMARC makes sure that legitimate emails are properly authenticated against DKIM and SPF records, and that spoof emails appearing to come from own domains are blocked. DMARC pretty much puts an end to spoof emails by making sure that the header of emails is not altered. Spoofing emails headers is a common way for hackers to trick people with fake emails, DMARC was set up to combat that problem. If you already have the SPF and DKIM records in place, then setting up the DMARC record should be straightforward. There are many tags that you can use to setup the DMARC record, I recommend you start with the reporting tag first. Read this guide on how to get started https://support.google.com/a/answer/2466563?hl=en

Email encryption

If you need an extra layer of security for your email communication then you can use email encryption.  Outlook for Exchange provides native support for email encryption ( check tutorials below on how to set it up ). You can also use third-party encryption software like http://openpgp.org/

Staff & user education

There is no software or security policy in the world that will protect you 100%, that’s why you need to train your IT staff and mail users in best practices on how to deal with fraudulent emails. Train your users how to spot “spoof” emails, and not clicking on attachments from unknown sources, etc.

In the section below you will find many tutorials on how to implement some of the things I mentioned above, and other email security tutorials I might post here.