Top 15 email security best practices for 2024 security awareness training

What are the most important email security protocols?

Email was designed without security considerations. Email security protocols, including SMPTS, SPF and S/MIME, add mechanisms to keep messaging safe from threats.

Not long after the first internet email protocols were developed, computer scientist Andrew S. Tanenbaum wrote, "The nice thing about standards is that you have so many to choose from."

He wasn't wrong. Although the original internet application protocols rarely addressed security, many email security protocol choices now exist. The reason for this is that there are many aspects of email security, from encrypting data in motion to preventing domain spoofing to authenticating that messages have been sent from valid domains and more.

Let's explore the following email security protocols and the role they play in keeping email safe:

  • SSL/TLS for HTTPS.
  • SMTPS.
  • StartTLS.
  • SPF.
  • DKIM.
  • DMARC.
  • S/MIME.
  • OpenPGP.
  • Digital certificates.

    1. SSL/TLS for HTTPS

    Secure Sockets Layer (SSL) was introduced in 1995. After experiencing vulnerabilities, SSLv3 was succeeded by the Transport Layer Security (TLS) protocol in 1999 and eventually deprecated in 2015. Many still refer to TLS as its predecessor, SSL.

    While SSL/TLS does not play an inherent role in email security, it is used for HTTP Secure (HTTPS), which is used for almost all email exchanges between servers and users.

    HTTPS uses TLS to encrypt streams of network traffic between clients and servers. It is not invoked directly in email, but is used for web traffic and thus is used to encrypt webmail messages.

    2. SMTPS

    SMTP Secure (SMTPS) works like HTTPS for SMTP. It uses TLS to encrypt message exchanges between clients and servers. Encrypted TLS traffic is decrypted at its destination, however, so cleartext messages may be accessible on email servers as messages are routed unless another encryption protocol, such as StartTLS, is in use.

    3. StartTLS

    StartTLS is a service extension for SMTP that supports opportunistic encryption between mail servers and clients. When the StartTLS extension is in use, communicating mail systems negotiate the use of encryption and authentication algorithms to protect exchanges. All message content and message metadata can be encrypted. Once the transmissions are received, the data is decrypted.


    The SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) protocol helps secure emails by enabling SMTP servers to add encryption via TLS. It also gives enterprises a mechanism to enable servers to refuse to connect with servers that do not offer TLS connections with a trusted certificate. By requiring a trusted certificate and rejecting connections from unauthenticated servers, email providers can prevent attackers from using fraudulent domains to send phishing or spam email.

    Graphic of an email spoofing threat
    Worried about email spoofing? There are email security protocols for that.

    5. SPF

    Sender Policy Framework (SPF) provides a protocol that enables domain owners to identify which hosts are authorized to use their domain names when sending email and defines how that authorization can be verified. It provides a way for domain owners to announce which IP addresses are authorized to send email on behalf of the domain. It also reduces the likelihood that spam or phishing emails can be sent with that domain spoofed as the source of the messages, even though SPF is usually enabled with additional email security protocols that provide stronger assurances that email originated from the proper domain.

    6. DKIM

    DomainKeys Identified Mail (DKIM) builds on SPF and enables the entity that owns the signing domain to link itself with a digital signature that authenticates that entity.

    7. DMARC

    Domain-based Message Authentication, Reporting and Conformance (DMARC) provides mechanisms for notification and mandating actions when messages fail authentication under SPF and DKIM. While SPF and DKIM can flag messages as being spoofed, DMARC enables domain owners to advertise what actions should be taken when spoofed addresses are detected and for recipients to determine the appropriate response action.

    8. S/MIME

    Secure/MIME (S/MIME) is the standard that defines how to encrypt and authenticate MIME-formatted data. While S/MIME content can be encrypted, the email headers are not, so an attacker would be able to see who is sending the message and who the intended recipient is.

    9. OpenPGP

    OpenPGP is a standard for encryption and authentication of data, including email messages, based on the Pretty Good Privacy (PGP) framework. OpenPGP is interoperable with S/MIME, and while data can be protected, the metadata around encrypted messages is not.

    10. Digital certificates

    Digital certificates are electronic documents that prove public key ownership, verifying senders are who they claim to be. A digital certificate can also be used to sign and encrypt emails. While they are not protocols per se, there are protocols that define how digital certificates can be created and shared.

    Email -- but not email security -- protocols

    Basic, insecure email depends on just a handful of protocols. It is important to note that these are not email security protocols. The following control how email is transmitted, formatted and retrieved:

    • Simple Mail Transfer Protocol (SMTP) specifies how messages are transmitted.
    • Internet Message Format, or RFC 5322, and Multipurpose Internet Mail Extensions (MIME) determine how messages are formatted.
    • Internet Message Access Protocol 4 and Post Office Protocol 3 specify how email clients retrieve messages from SMTP servers.

    Editor's note: This article was written by Peter Loshin. TechTarget editors revised it in 2023 to improve the reader experience.

    Next Steps

    Browse 9 email security gateway options for your enterprise

    Top 15 email security best practices

    Use these 6 user authentication types to secure networks

    How to create a company password policy, with template

    Build a strong cyber-resilience strategy with existing tools

    Dig Deeper on Data security and privacy

    Enterprise Desktop
    • Understanding how GPOs and Intune interact

      Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

    • Comparing MSI vs. MSIX

      While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

    • How to install MSIX and msixbundle

      IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

    Cloud Computing