Check email security - tips not only for Gmail

Email security is a buzzword that makes the headlines time and again. After all, even today, classic email is often the first link in a chain of attacks that criminals use to try to capture access data and trade secrets - or, in the worst case, encrypt data to extort a ransom. To prevent this from happening, you should check your email security. As part of a new blog series, we'll give you tips on suitable security measures.

In the first part, you will learn important things about the basics and how you can check the status of your email security. You'll also get tips on what measures you can take to secure an email address.

From the perspective of an end user, the first thing that comes to mind is certainly the ostensible tool, the e-mail program. Many users are used to working with locally installed applications. Here, security stands and falls with the fact that these applications are always up to date. Secure e-mail programs must be continuously supplied with all updates published by their manufacturers, as the National Cyber Security Center (NCSC) of the Swiss Confederation also recommends.

Gmail saves update hassle

Usually, the programs do this automatically, but in the corporate environment, administrators may have to take action, first check updates for incompatibilities, package them, and then distribute them - a never-ending Sisyphean task. Our recommendation: rely on Gmail instead and do away with the tedious maintenance of locally installed email programs! Gmail shifts the work with e-mails completely to the browser and offers a modern graphical interface that is always up-to-date, just like its technical underpinnings. Maintenance and further development of the cloud offering is completely taken over by Google and thus helps to secure e-mails.

Which email providers are secure?

But when it comes to email security, there are many other aspects to consider besides the email program. Even those who have not yet thought about migrating to Gmail should be attentive when selecting a suitable e-mail provider. Questions such as "Which email providers are secure?" and "Are there secure email providers in Switzerland?" cannot be answered across the board. Rather, it makes sense to pay attention to important e-mail security features that a provider should definitely support.

SMTP and its weaknesses

A look at the technical underpinnings of e-mail communication can help. The Simple Mail Transfer Protocol (SMTP) has been responsible for sending e-mails since the 1980s - much longer than the Internet has existed in its current form. SMTP started out as a purely text-based protocol based on the ASCII standard, but it was only with the Multipurpose Internet Mail Extensions (MIME) that it learned to transmit binary files, such as images, as attachments.

From today's perspective, SMTP has conceptual weaknesses with regard to security. For example, the Internet and its predecessors initially comprised only a few servers, via which mainly scientific institutions and only later also companies and private individuals communicated with each other, and the standard behind SMTP did not provide for any deeper security measures. Sender and recipient addresses are still freely selectable today. What was not a problem in the infancy of the Internet opened the door to online criminals after its exponential growth to billions of clients and servers, allowing them to forge identities at will and use supposedly legitimate addresses when sending e-mails, commonly referred to as spoofing. SMTP alone can do nothing to counter this activity, since such a development was not yet foreseeable for the creators of the protocol in the early 1980s.

Pay attention to authentication and encryption

However, a number of extensions ensure security. It starts with access control, i.e. authentication via SMTP-Auth or SMTPS, so that only legitimate users can deliver e-mails to a server.

Furthermore, Transport Layer Security (TLS) via SMPTS or STARTTLS ensures encrypted transmission of e-mails from the client to the server as well as on their further way from the server to subsequent servers. The first piece of good news is that these measures have now become established as standard, and e-mail providers usually offer them out of the box.

Three building blocks for more e-mail security

However, authentication and transport encryption are not enough to put a stop to online crooks. For comprehensive protection of e-mail communication and true e-mail security, three additional building blocks are needed:

• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM) and
• Domain-based Message Authentication, Reporting and Conformance (DMARC)

In the following posts in this blog series, you will learn more about these building blocks and their configuration. Optimally, the three technologies work in combination to prevent criminals from misusing email addresses. A security-conscious email provider should offer SPF, DKIM, and DMARC and help you set them up so that you can secure your email address without any problems.

The second piece of good news: Google integrates all three components with Gmail and makes the setup as easy as possible. However, a few steps are required to activate the functions. Would you like support in securing your e-mail communication? We'll be happy to help you and work with you to ensure email security.