Security awareness training quiz: Insider threat prevention What are the most important email security protocols?

Top 11 email security best practices for 2022

Attackers exploit email every day to break into corporate networks, but the risk can be reduced by promoting 11 email security best practices.

In the past, email security best practices could be summarized quickly: Don't trust email because email is an unauthenticated, unreliable messaging service. This is still mostly true, and the same best practices for email security for employees from 1989 still hold: Use strong passwords, block spammers, don't trust offers that are too good to be true and verify requests even from trusted entities.

As email becomes increasingly critical to business success, however, a stronger set of email security best practices is recommended. They can be summarized as follows:

  1. Train employees on email security best practices.
  2. Create strong passwords.
  3. Don't reuse passwords across accounts.
  4. Consider not changing passwords regularly.
  5. Use multifactor authentication (MFA).
  6. Take phishing seriously.
  7. Be wary of email attachments.
  8. Don't click email links.
  9. Don't use business email for personal use and vice versa.
  10. Avoid public Wi-Fi.
  11. Use email security protocols and tools.

Let's explore each best practice in further detail.

1. Train employees on email security best practices

Regular security awareness training informs users about security best practices and keeps users up to date with not only corporate security policies and their role in keeping their organizations secure, but also threats they may encounter.

Be sure to include email security training and best practices in an enterprise security awareness program.

2. Create strong passwords

One of the most important email security best practices is to use strong passwords. Previous thinking was that complex equaled strong. Forcing employees to create complex passwords, however, such as }m}{4p#[email protected], will likely end up with the password being written on a sticky note on a user's desk or saved in an insecure file on a user's desktop.

Current NIST recommendations maintain that password length, not complexity, is key to password strength. Passphrases -- the stringing together of a few words, such as kittEnsarEadorablE -- are one method to make longer, easy-to-remember yet difficult-to-guess passwords that help defend against attackers using dictionary attacks to target weak passwords.

Plug these two examples into's How Secure Is My Password?, and you find that }m}{4p#[email protected] would take 400,000 years for a computer to crack, while kittEnsarEadorablE would take 6 trillion years. Stronger passphrases should string together unrelated words. Per's calculator, kittEnsmErryvisitortrEE would take 2 sextillion years for a computer to guess.

NIST further recommends companies not require special characters in passwords -- unlike the often required addition of !, # or $, for example -- and not prohibit consecutively repeated characters.

3. Don't reuse passwords across accounts

Password reuse is another email security threat. If one account using the same credentials as other accounts is compromised, attackers can easily gain access to those other accounts as well. Attackers know that trying a reused password associated with a person's account on a breached system often unlocks other accounts. Password reuse is especially dangerous when employees use the same passwords for corporate and personal accounts.

Encourage employees to use strong, unique passwords for each account. This is a pain point for many users, especially those with dozens or hundreds of passwords to remember. Using single sign-on or a password manager can help alleviate the challenge.

4. Consider changing passwords regularly

Guidance around the frequency of password changes has been hotly debated in recent years. Changing passwords every 90 days used to be the norm. The assumption was that frequent password changes help keep systems secure, but it often leads to user frustration and the use of less secure passwords as a result. More often than not, Password1 will turn into Password2 after 90 days.

NIST recommends against forcing periodic password changes. Forced password changes must be required following a suspected compromise, however.

Note that some compliance regulations, such as PCI DSS, require frequent password changes.

Companies must weigh the benefits of regular password changes with users' tendency to use weaker passwords that are easier to remember and thus easier for attackers to exploit.

5. Use multifactor authentication

MFA involves using more than one method to authenticate a user's identity. This could include, for example, a username and password in combination with a one-time password or fingerprint biometric. Adding a second -- or third or more -- method to the authentication process adds an additional layer of defense and defends against common email security issues, such as brute-force attacks and password cracking. Microsoft has predicted locking down accounts with MFA can block 99.9% of account compromise attacks.

Companies should mandate the use of MFA. Employees should also protect themselves by using MFA wherever available.

Image of different authentication factors in multifactor authentication
Multifactor authentication adds an extra layer of security to email and can prevent account compromise attacks.

6. Take phishing seriously

While email security products prevent many spam emails from reaching a user's inbox, a good number of them still get through and contain phishing schemes that are becoming increasingly sophisticated and realistic. These can include standard phishing scams, along with spear phishing or whaling attacks. Users should be on the lookout for phishing scams and use caution when opening any potentially malicious emails. Don't respond to, click links or open attachments in emails that appear suspicious.

More and more enterprises are including phishing awareness training in their security awareness training programs to help employees identify problematic messages and teach them how to avoid clicking on the wrong links or opening the wrong attachments.

Graphic explaining phishing vs. spear phishing vs. whaling
One of the best ways for employees to keep their email secure is to understand how phishing scams work.

7. Be wary of email attachments

Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Malicious attachments can be blocked by antimalware software that detects the malicious source. Malicious attachments, however, can also be sent by trusted sources that have been exploited by attackers.

Whatever the source, employees should take care with attachments even when the organization uses email scanning and malware blocking software. If an attachment has an extension associated with an executable program, such as .exe (executable program), .jar (Java application program) or .msi (Windows Installer), extra caution should be taken before opening it. Files such as Word documents, spreadsheets and PDF files can also carry malicious code, so be careful handling any type of attached file. Scan files with an antimalware program, or avoid opening them altogether.

8. Don't click email links

Hyperlinks in email can often connect to a web domain different from what they appear to represent. Some links may display a recognizable domain name, such as, but, in fact, direct the user to a different, malicious domain. Attackers also use international character sets or misspellings to create malicious domains that appear to be those of well-known brands.

Always review link contents by hovering the mouse pointer over the link to see if the actual link is different from the displayed link. When in doubt, type domains directly into browsers to avoid clicking links in emails at all.

9. Don't use business email for personal use and vice versa

While it may be tempting and convenient for employees to use a corporate email account for personal matters, an enterprise email security best practice is to prohibit this. Likewise, work-related emails should never be sent from personal accounts. Mixing business and personal can result in threats such as spear phishing.

Outline acceptable email use policies and any restrictions in a corporate email policy.

10. Avoid public Wi-Fi

Employees may see public Wi-Fi as a blessing, but remind them that these connections are ripe for attacks. If employees log in to corporate email on public Wi-Fi, anyone on that network could access their email as well. Malicious actors can use open source packet sniffers, such as Wireshark, to monitor and gain access to personal information via email. Even if users don't actively check email on public Wi-Fi, almost every system is set to automatically update inboxes when a device connects to a network. If users are on Wi-Fi, so is their email, putting account credentials at risk.

Only use secure, known Wi-Fi networks to check email.

11. Use email security protocols and tools

Three standards are key to filtering spam messages: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

  • DKIM uses asymmetric cryptography to prevent email spoofing. A digital signature is added to an email to verify the message was not altered after it was sent. If the signature doesn't match the email domain's public key, it is blocked. If it does match, it is delivered.
  • SPF verifies an email came from its source and is authorized to send an email from that domain. If verified, the email gets delivered. If not, the email is blocked.
  • DMARC extends DKIM and SPF. Using DMARC, domain owners can publish their DKIM and SPF requirements, as well as specify what happens when an email fails to meet those requirements, such as reporting back to the sending domain.

These technical controls prevent spoofed emails but do not stop all unwanted messages. Additional email security tools, such as antimalware, antispam, email filtering, email security gateways and email monitoring systems, should be considered.

Next Steps

Browse 9 email security gateway options for your enterprise

Best practices to conduct a user access review

Allowlisting vs. blocklisting: Benefits and challenges

Enterprise cybersecurity hygiene checklist for 2022

This was last published in December 2021

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing