Email Security Best Practice: The Definitive Guide (Updated for 2025)

Strong Passwords

Password strength and complexity can make all the difference when it comes to securing corporate email. Data from security.org shows that even a few characters can take your password from being instantly crackable, to taking thousands of years.

Microsoft’s password recommendations are pointed at one single goal: password diversity. This email security best practice encourages the creation of unique passwords that are hard to guess. Strong passwords are those that:

1. Use a minimum of 14 characters.
2. Don’t require special characters (e.g.: &%!*$).
3. Are not required to be reset.
4. Are uncommon, and use uncommon phrases.
5. Are not reused for multiple services.

Password Managers (such as Keeper) can also be implemented across your organisation to improve password (and email) security.

For your staff, these tools give them a way to create and store passwords without having to remember them. This means passwords can be far more complex, unique, and reduces the likelihood of the same password being used for more than one service.

For IT managers and executives, these tools give you a way to centralise the management of passwords across the organisation. Users can sign in to their Password Manager with SSO (which you manage) and only access the passwords that you’ve given them permissions to – often through role-based security groups.

Multi-factor Authentication (MFA)

Another email security best practice is to strengthen access controls by enforcing MFA for all email accounts.

With MFA, users must provide a second form of verification, such as a one-time code sent to their mobile device or a hardware token, to access their email.

This makes it more difficult for attackers to gain unauthorised access to a corporate email account, even if they have the user’s password.

A word to the wise, however: avoid using text messages and push notifications as forms of MFA. Text messages can be intercepted, and push notifications are often spammed by hackers until the user relents and allows them through.

Single Sign-On (SSO)

Today, the vast majority of corporate email services are held with Microsoft 365 or Google Workspace.

Both of these SaaS solutions have built-in SSO capabilities, which you can leverage as an best practice to significantly improve email security in your organisation.

SSO simplifies the user experience, reduces the number of passwords employees need to remember, and makes it easier to enforce strong access controls across multiple systems.

Account Lock-out Policies

Email accounts are often compromised through brute-force attacks. This is where a bad actor will repeatedly ‘guess’ the user’s password (usually with software) until they finally find the right combination of characters.

This approach usually means that the bad actor will incorrectly guess the password numerous times before they find the correct one.

Account lockout policies that temporarily lock accounts after a certain number of failed login attempts can be used as an email security best practice. This can help prevent brute-force attacks, where an attacker systematically attempts to guess a user’s password.

Role-based Access Control (RBAC)

RBAC is a way to grant email access permissions based on an individual’s role within your organisation.

Implementing RBAC as an email security best practice improves email security by ensuring that users only have access to the email resources necessary for their specific job functions, minimising the potential for unauthorised access or data leakage.

Create an Application Inventory

Maintain an inventory of all software, email clients, and servers used within your organisation. This email security best practice helps to identify which systems require updates and allows for better management of the patching process.

Establish a Patch Management Policy

Develop a patch management policy that outlines how updates should be prioritised, tested, and deployed. This policy should define the roles and responsibilities of those involved in the patching process and establish a schedule for regular updates.

Prioritise Patches

Not all updates are created equal. Prioritise patches based on the severity of the vulnerabilities they address, as well as the potential impact on your organisation.

As an email security best practice, critical security patches should be deployed as soon as possible, while less severe updates can be scheduled for routine maintenance windows.

Review and Audit

Periodically review the patch management process to ensure its effectiveness and make any necessary improvements.

Conduct security audits to confirm that all systems are up-to-date and compliant with the organisation’s patch management policy.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

S/MIME is an industry-standard protocol for encrypting email messages and digitally signing them to confirm the sender’s identity.

S/MIME uses public key infrastructure (PKI) to issue and manage digital certificates, ensuring the authenticity and privacy of email communications.

Both Microsoft Exchange Online and Google Workspace support S/MIME.

But if you want to use S/MIME in your organisation, you’ll also need to ensure that your email clients support it.

Email Clients that Support S/MIME

Pretty Good Privacy (PGP) / OpenPGP

PGP is another widely used email encryption standard that also relies on public key cryptography.

OpenPGP is an open-source implementation of the PGP standard, and it is compatible with various email clients and encryption tools.

PGP allows users to encrypt, decrypt, and digitally sign email messages, ensuring confidentiality, integrity, and authenticity.

Transport Layer Security (TLS)

TLS is a protocol that encrypts data transmitted over a network, such as emails sent between email servers.

Enforcing TLS for all email communications helps secure email data in transit and prevents unauthorised access to sensitive information.

Most email providers support TLS by default, but TLS can only work when both the sender’s and recipient’s email servers have TLS enabled.

Standard Email Filtering

Today, the vast majority of email service providers perform inbound and outbound email filtering out of the box. The catch however, is that no email filter is perfect. Even the best in the market, Microsoft and Google, allow some malicious emails to find their way to your staff.

And it only takes one to cause a serious problem.

In fact, a recent study of more than 300 million emails showed that between 20,000 and 40,000 emails are sent to each staff member every year. Of this email volume, Google and Microsoft failed to catch 150 to 300, and 200 to 400 malicious emails respectively.

So if staff are receiving between 150 and 400 malicious emails every year, what can you do about it? Let’s read on.

Secure Email Gateways (SEG)

Secure Email Gateways (SEGs) have been used by organisations around the globe since well before cloud email existed. Even today, many organisations still have SEGs in place.

SEGs work by adding a layer of email security outside of Microsoft or Google (or your chosen email service provider). Emails flow through and are filtered by the SEG, then sent on to the end user.

However, while some SEGs perform better than Microsoft or Google, many do not.

In fact, because of the way SEGs are designed, they are completely blind to what’s happening within the cloud environment. They can’t scan internal emails, activity in collaboration apps (such as Teams or Slack), they can’t see suspicious lateral movement or user behaviour.

What’s worse is that they often harm or completely disable Microsoft and Google’s native email filtering capabilities.

How? Let’s find out.

Sometimes, emails that come through the SEG are passed to the cloud email service for additional scanning. In these instances, the emails are stripped of critical meta data (such as the sender’s IP address) that helps Microsoft or Google determine whether the emails are malicious.

You’d be forgiven for thinking that this is of no consequence, since the email has already been scanned by the SEG. But remember, no email filter is perfect.

Other times, SEGs are configured to filter and send emails directly to the user – completely bypassing Microsoft or Google.

API-Based Email Security

API-Based Email Security products completely do away with Secure Email Gateways.

Instead of adding an external layer of email security, API Email Security products are cloud-native SaaS products that integrate directly into Microsoft or Google.

This deep integration means that – unlike SEGs – API-based Email Security products have complete visibility of the cloud environment. Many of these products can scan internal emails, and even product your collaboration apps (such as Teams, Slack, OneDrive, SharePoint, Google Drive and more).

As such, API Email Security products are incredibly effective at protecting your organisation against email security threats, and make them a top email security best practice this year.

But there’s more than one way to build an API Email Security product (two ways, to be precise).

Standard API Email Security

This is where emails are filtered by Microsoft or Google, then delivered to the user. After delivery, the email security product scans the email and removes it from the user’s inbox.

The problem with this approach is that research shows that on average, it takes approximately 180 seconds for API email security solutions to scan and remove malicious emails from user inboxes, but only 82 seconds before a user clicks a phishing link.

This is where Inline API Email Security plays a crucial role.

Inline (’Next Generation’) API Email Security

Inline API Email Security works just like Standard API Email Security in that emails are filtered by Microsoft or Google.

But they aren’t delivered straight to the user.

Instead, emails are first filtered by the Inline API Email Security product with AI that is trained on Microsoft and Google’s weaknesses – making it the last defense before the inbox.

This ability to scan emails after Microsoft or google, but before the user is what makes it “in-line”.

It’s also what makes it patented. Only Avanan (acquired by Check Point in 2021) has this capability.

Continuous Program Delivery

In 2022, the Australian Government reported that 68% of organisations had Security Awareness Training in place. But in reality, most organisations were only delivering training once annually.

However, research shows that high performing Security Awareness Training programs are made up of continuous phishing simulations and training.

As German psychologist Hermann Ebbinghaus has shown, our memories weaken over time, and information is forgotten without re-enforcement.

This doesn’t mean that staff should be constantly inundated with simulations or training material, but there should be a steady stream of both.

In our experience, the ideal time between simulations is 10 to 15 days, and the ideal time between training sessions is 14 days. Further, training sessions should require no more than 10 minutes to complete.

AI-Powered Phishing Simulations

A challenge faced by most education systems is that they take a one-sized-fits-all approach to phishing simulations.

As such, all staff receive the same phishing simulations at the same time.

In part, this is because these solutions rely on you, the operator, to select and schedule the simulations that are sent to end users.

But this approach fails to recognise that human beings are unique, and your staff are at different places in their learning journeys.

Industry leading security awareness training solutions like Phished build an algorithmic model for each person, which is used to determine the difficulty level of the phishing simulations that they receive.

This model is based on situational and behavioural factors such as:

1. The role of the user in your organisation.
2. The types of emails the user typically engages with.
3. How long they have the email open before they realise it’s a simulation.
4. The time of day they read their emails, and
5. The device the use.

Not only is this approach more effective in driving a phishing-aware email security culture, but it also means that management of the solution can be far more hands off, and less time consuming for the operator.

Email Security Risk Analysis

Most Security Awareness Training solutions will present a litany of reports and figures.

But most of these are vanity metrics that, while tactical, don’t give business leaders any insight as to the effectiveness of the program in reducing email risk.

Leading solutions will measure email security risk at the individual level, then expand to show how this risk is distributed across departments and the broader organisation.

Risk analysis figures should be derived from concrete user interaction parameters, including data captured from phishing simulations, training sessions and the way users respond to threats as they arise.

Email Monitoring Tools

Today, email monitoring tools (especially those with AI-powered detection capabilities) do most of the heavy lifting. But those with experience in email security best practice will know that ultimately, these tools play a supporting role for the humans that keep your organisation secure.

Advanced email monitoring solutions – such as Security Information Event Management (SIEM) systems, or email security tools such as API Email Security – have built in email monitoring features.

Through these tools, you can perform proactive threat hunting by analysing your organisation’s email traffic for anomalous activity or behaviour. These activities might include unusual spikes in email volume, an increased number of failed login attempts, or activity from unusual countries.

Beyond proactive threat hunting, several of these tools will surface suspicious events for you, allowing you to take action against one or even an entire campaign of malicious activity across multiple mailboxes with only a few clicks of the mouse.

Alerts and Notifications

Importantly, you can also configure these tools to send alerts or notifications when malicious activities or anomalies are detected.

Ideally, these notifications are delivered into a SIEM for processing by your IT or cyber security team, who have documented processes for how to evaluate email threats as they arise.

Acting on Suspicious Activities

When malicious campaigns are identified, your technical team will need a documented and practiced way to respond and minimise the risk to your organisation.

The tools you use to monitor email traffic should also give these operators the ability to see if users have engaged with the malicious content and determine the scope of the threat. Further, there should be simple methods for IT teams to quickly and effortlessly remove emails from user inboxes.

Identify and Locate Sensitive Data

Whether you plan on implementing DLP as a process, a technology or both, the first step is to identify the types of sensitive information your organisation handles.

This might be Personally Identifiable Information (PII), financial data, critical intellectual property, or confidential documentation.

Part of this identification process is understanding the location of this data within your organisation – not only in your file system (such as SharePoint, OneDrive, Dropbox or Google Drive), but also in email services or SaaS products (such as CRMs and ERPs).

Only when these data types are identified and located can you correctly configure your DLP solution.

Develop Data Protection Policies

With your sensitive data identified, you can now create specific policies that define the rules and actions that should be taken when sensitive information is identified in email communications. Well crafted data protection policies should consider:

1. Relevant regulations and compliance requirements. Understand the regulatory landscape as it relates to your industry and region. This includes legislation like the Australian Privacy Act (1988) and General Data Protection Regulation (GDPR), and compliance standards such as the ACSC’s Information Security Manual (ISM) and Essential Eight or APRA’s Prudential Standard CPS 234.
2. Data classification levels. Categorise information based on sensitivity and the potential impact of unauthorised disclosure. For instance, the disclosure of a standardised contract (whilst uncomfortable) might not be as serious as the disclosure of client medical records. Common data classification levels include ‘public’, ‘internal’, ‘confidential’ and ‘highly confidential’.
3. Data handling guidelines. Provide guidelines on how data within each classification level should be handled, stored and transmitted. This includes any data or email encryption requirements, access controls and the use of secure communication channels.
4. Data retention policies. Determine how long sensitive data should be retained, including when and how it should be disposed of. Data retention policies should consider legal, regulatory and commercial requirements.
5. Incident response procedures. Develop clear procedures for employees to follow in the event of a data breach. This should include reporting the incident to the appropriate internal team, the preservation of any evidence and the steps staff should take to contain and mitigate damage.

Deploy and Configure DLP Solutions

There are numerous data loss prevention solutions in the market that have excellent data loss prevention capabilities. But there are a few features that are absolutely critical for email security:

1. Wide selection of data types. Top DLP solutions have dozens of data types to monitor for.
2. Customisable data types. Your DLP solution should have the ability to define custom data types (i.e.: using Regular Expressions).
3. Collaboration app support. DLP capabilities should expand beyond email security to apps such as Teams, Slack, SharePoint, Dropbox and Google Drive.
4. Automatic email blocking: Emails containing sensitive data (such as Medicare or credit card numbers) should be automatically prevented from leaving the organisation.
5. Automatic file encryption. DLP solutions should automatically encrypt sensitive information as it leaves the organisation, based on the data handling policies you’ve created for your organisation.

DomainKeys Identified Mail (DKIM)

DKIM helps protect your email from being tampered with or impersonated, building trust and enhancing security.

DKIM is like a digital wax seal that helps verify the authenticity and integrity of email messages. It’s an email security best practice that ensures the email has not been tampered with while being delivered.

When someone from your organisation sends an email, your email server stamps the message with a unique DKIM signature, similar to a wax seal on a letter. The recipient’s email server then checks the signature using a digital key found in your public records (similar to a key that fits the wax seal).

If the key matches the signature, the email is considered authentic and is delivered.

Sender Policy Framework (SPF)

Implementing SPF helps ensure that only authorised servers can send emails on your behalf, enhancing email security and reducing the risk of phishing and spam attacks.

Imagine SPF as a list of approved mail carriers that your organisation allows to deliver its mail. When an email arrives at the recipient’s email server, the server checks the SPF record to see if the email came from an approved mail carrier (email server).

If the mail carrier is on the list, the email is considered legitimate and is delivered. If not, the email might be marked as spam or rejected.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is an email security best practice that helps protect your email domain from phishing and spam attacks by ensuring the emails you receive are genuine and not from an impersonator trying to trick you.

Think of DMARC as a security guard that checks the identification of visitors at the front desk. In this case, the visitors are email messages.

It works by checking SPF and DKIM records, which are like the visitor’s ID cards. If the email passes both checks, DMARC allows it through. If not, it can report the problem, send the email to the spam folder, or reject it entirely (depending on your organisation’s rules).

DMARC has wide adoption, but most email domains are yet to implement the protocol. In fact, as of June 2022, approximately 43% of all email domains were verified as using DMARC.