Email Server Security

Run this email server security process when you need to set up a new secure email server.
1. Introduction to Email Server Security
2. Record checklist details
3. Enable SPF to prevent forgery
4. Make emails trustworthy by enabling DKIM
5. Enable DMARC
6. Set up a spam filter
7. Create and implement a throttling policy
8. Implement local email domain restrictions
9. Provide visible and trackable logs
10. Enable DNSSEC
11. Create an effective staff training policy
12. Establish a process for continual testing
13. Sources
14. Related Checklists

Introduction to Email Server Security:

Email Server Security – Process Street

This Process Street email server security checklist is engineered to help you set up an email server and to do so with the highest levels of security.

An email server is a vital part of any company’s infrastructure, and it would be very difficult to run a successful business without one. However, because of phishing attacks and a range of other dangerous practices, emails and the networks they operate on present a potential point of entry to crackers looking to exploit the vulnerabilities of your system.

In this checklist, we try to cover as many security steps as we can in order to give you as many defensive options as possible. Some of these steps are technical in nature, such as enabling DKIM or DMARC. However, human error is one of the greatest threats to any network.

Each employee is a trojan horse waiting to happen. As a result, we have also included steps for you to make sure that employees throughout the company are trained in basic security practices. At the very least, we hope to see them use strong passwords. 

This Process Street template is fully editable and you can adapt it to suit your personal needs. There may be steps you feel are overkill and want to remove, or you may have further steps you want to add in which you feel we’ve missed. You can edit the template to change tasks or the content of tasks as you wish.

Throughout this checklist, you will find opportunities to add information into form fields. The information entered here is stored within the template overview tab each time a checklist is run. This allows you to review what occurred in each process over time. You can export this data to a CSV file if you wish to keep your own copy.

If you want to know more about email server security check out the video below:

Email Security: How Secure Email Works in the Cloud – BlazeVideo

Record checklist details

Use the form fields below to record information relevant to the process.



Enable SPF to prevent forgery

SPF, or Sender Policy Framework, is a security mechanism created to prevent other people from sending emails on your behalf.

SPF works through DNS: you publish a TXT record listing the IP addresses and hosts authorized to send mail for your domain, and a receiving server looks that record up and compares it against the IP the message actually arrived from. This stops someone else sending mail that claims to be from your domain from an IP you have not authorized.

If you are using Google to send your mail, you can find their recommended setup steps here.
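The following is an added example, not part of the original checklist: a small SPF evaluator in Python that shows what the receiving side does with your record. The two TXT records in FAKE_DNS_TXT are constructed example data standing in for real DNS lookups, and only the ip4, ip6, include and all mechanisms are implemented (a and mx would need live DNS).

```python
import ipaddress

# Constructed DNS table standing in for real TXT lookups (example data, not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record published for a domain, or None if it has none."""
    record = dns.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the IP the connection came from.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return result  # catch-all: what happens to every IP not matched above
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return result
        elif mechanism == "include":
            # include: matches only if the referenced domain's record yields "pass"
            if check_spf(client_ip, argument, dns, depth + 1) == "pass":
                return result
        else:
            return "permerror"  # mechanism not supported by this example
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8:1::1", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The example.com record above ends in -all, so any IP not listed (directly or via the include) gets a hard fail; a record ending in ~all would only soft-fail, which is the usual choice while you are still discovering every legitimate sender.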

Make emails trustworthy by enabling DKIM

DKIM, or DomainKeys Identified Mail, is similar to SPF.

It works with a pair of keys, a public one and a private one. The private key is used to add a cryptographic signature to the header of each email, which demonstrates that the sender really is you and that the message was not altered in transit.

The receiver fetches the public key from your DNS records and uses it to verify that signature. This is how they know whether it is a legitimate email or not.

You can normally enable the public key from your email provider’s admin console. For Google users, there’s this set of instructions for reference.

Once you have the public key, you can add the generated TXT record to your DNS records and then turn on email signing within your provider.
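As an added example (not from the original checklist or from any provider's tooling), the Python below shows two pieces of the DKIM verification a receiver performs that need no key material at all: computing the body hash (the bh= tag) with the "simple" body canonicalization from RFC 6376, and deriving the DNS name at which the public key record is looked up. The message body, the domain example.com and the selector mail2024 are constructed sample values; the b= value is a labelled placeholder because producing it requires the private key.

```python
import base64
import hashlib

# Constructed sample message body (not from the original page).
BODY = "Quarterly invoice attached.\nPlease pay within 30 days.\n\n\n"


def parse_tags(value):
    """Parse a DKIM tag=value list; the same syntax is used by the
    DKIM-Signature header and by the public-key TXT record in DNS."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # folding whitespace is not significant
    return tags


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line endings,
    all trailing empty lines removed, and exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """Compute the base64 bh= value for a=rsa-sha256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_signature_header(domain, selector, body, signed_headers="from:to:subject:date"):
    """Build the DKIM-Signature value the way a signer would, except for b=, which
    is the RSA signature made with the private key and is only a placeholder here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={signed_headers}; bh={body_hash(body)}; b=PRIVATE-KEY-SIGNATURE-PLACEHOLDER")


def dkim_key_record_name(signature_header):
    """Where the verifier fetches the public key: <selector>._domainkey.<domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_hash_matches(signature_header, body):
    """First stage of verification: the bh= the signer committed to must equal
    the hash of the body as received. A mismatch means the body was altered."""
    return parse_tags(signature_header).get("bh") == body_hash(body)


if __name__ == "__main__":
    header = make_signature_header("example.com", "mail2024", BODY)
    print("lookup key at:", dkim_key_record_name(header))
    print("body intact:", body_hash_matches(header, BODY))
    print("body tampered:", body_hash_matches(header, BODY.replace("30 days", "3 days")))
```

Because trailing blank lines are stripped before hashing, a relay that appends an empty line does not break the signature, while any change to the actual text does; the second stage, checking b= with the public key from DNS, is what then ties the message to your domain.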

Enable DMARC

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a further level of security which requires that you already have SPF and DKIM enabled.

You can find a 15-minute DMARC setup process to follow here.

Use the form field below to leave any notes on your DMARC creation process.


Set up a spam filter

Most email providers have an easy way of setting up spam filters within their admin dashboard. 

Check out this process here to see how easy these steps can be. 

Spam filters are effective at stopping clutter in inboxes as well as fighting back against security threats. 

Create and implement a throttling policy

When establishing a throttling policy, there are three main areas to consider. 

Use the form fields below to record the parameters you set for each variable.




Setting these figures will help make sure that even if one of your accounts is compromised, it cannot be used to send enough mail to cause lasting damage to your domain's sending reputation.
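The checklist leaves the three throttling variables for you to record in the form fields. As an added example (not from the original page), the Python below implements an outbound throttle for one plausible set of three: recipients per message, messages per hour per account and messages per day per account. Those three parameters and their default values are assumptions for the example, not a recommendation from the checklist. The clock is passed in so the policy can be exercised without waiting.

```python
from collections import deque

HOUR = 3600
DAY = 86400


class SendThrottle:
    """Per-account outbound sending limits (the three variables are assumed for this example):
    max recipients on one message, max messages per rolling hour, max messages per rolling day."""

    def __init__(self, max_recipients=50, per_hour=100, per_day=500):
        self.max_recipients = max_recipients
        self.per_hour = per_hour
        self.per_day = per_day
        self.history = {}  # account -> deque of send timestamps (seconds) within the last day

    def check(self, account, recipient_count, now):
        """Decide whether `account` may send a message with `recipient_count` recipients at time `now`.

        Returns (allowed, reason). Only an allowed send is recorded in the history.
        """
        if recipient_count > self.max_recipients:
            return False, f"too many recipients ({recipient_count} > {self.max_recipients})"
        sent = self.history.setdefault(account, deque())
        while sent and now - sent[0] >= DAY:  # drop timestamps that fell out of the day window
            sent.popleft()
        last_hour = sum(1 for t in sent if now - t < HOUR)
        if last_hour >= self.per_hour:
            return False, f"hourly limit of {self.per_hour} messages reached"
        if len(sent) >= self.per_day:
            return False, f"daily limit of {self.per_day} messages reached"
        sent.append(now)
        return True, "ok"


if __name__ == "__main__":
    # Tiny limits so the behaviour is visible in a few calls.
    throttle = SendThrottle(max_recipients=5, per_hour=3, per_day=4)
    for t in (0, 1, 2, 3, 3700, 3701, 90000):
        print(t, throttle.check("alice", 1, t))
    print("bulk recipients:", throttle.check("alice", 10, 90001))
```

A compromised account under these limits is capped at per_day messages before anyone has to notice, and a rejection reason like "hourly limit reached" is itself a useful signal to log and alert on.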

Implement local email domain restrictions

To stop internal phishing emails, you can restrict messages whose sender address is in your domain so that they are only accepted when they come from your own email system.

However, this comes with some considerations. There may be legitimate emails coming from your domain but not your system. These might be:

  1. Using a remailer service (mail goes from your users to the third party internet remailer, then back to your organization) 
  2. Cloud services set to send as domain users 
  3. Web application forms that trigger emails sent from an internet web server with a domain email address
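As an added example (not the checklist's own code), here is one way to express that restriction together with the three exceptions above as a gateway rule in Python: a message claiming a sender in the local domain is accepted if it arrives from your own mail system, from an allowlisted source (the remailer and the web server), or with a verified DKIM signature for your domain (which is how a cloud service sending as your users proves itself). The domain, networks and labels are constructed sample values.

```python
import ipaddress

# Constructed sample configuration (not real addresses or services).
LOCAL_DOMAIN = "example.com"
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # your own email system
TRUSTED_SOURCES = {
    ipaddress.ip_network("198.51.100.0/24"): "third-party remailer",
    ipaddress.ip_network("203.0.113.5/32"): "web application server (contact form)",
}


def sender_domain(address):
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def gateway_decision(sender_address, client_ip, dkim_pass_domains=()):
    """Decide whether to accept an inbound message based on who claims to have sent it
    and where it actually came from. Returns (action, reason)."""
    if sender_domain(sender_address) != LOCAL_DOMAIN:
        return "accept", "sender is not in the local domain; normal spam and DMARC checks apply"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "accept", "from the organization's own email system"
    for net, label in TRUSTED_SOURCES.items():
        if ip in net:
            return "accept", f"allowlisted external source: {label}"
    if LOCAL_DOMAIN in {d.lower() for d in dkim_pass_domains}:
        return "accept", "external source, but carries a verified DKIM signature for the local domain"
    return "reject", "local sender address from an unauthorized external source (possible internal phishing)"


if __name__ == "__main__":
    print(gateway_decision("ceo@example.com", "10.2.3.4"))
    print(gateway_decision("ceo@example.com", "192.0.2.99"))
    print(gateway_decision("ceo@example.com", "192.0.2.99", dkim_pass_domains=["example.com"]))
```

The reject reason is worth logging as its own category: a steady trickle of such rejections is normal, but a burst from one source usually means either a forgotten legitimate sender or a phishing run aimed at your staff.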

Provide visible and trackable logs

To help yourself maintain effective logs, consider these three approaches:

  1. Create a policy for how long you retain logs.
  2. Make sure you always have enough disk space for your logs.
  3. Explore log visualization tools to make your records easier to interpret.

Use the form field to leave notes on how you have adapted your approach to logging. 


Enable DNSSEC

Your DNS records have so far been the cornerstone of your email defense strategy.

However, you must make sure you keep your DNS records themselves secure.

DNSSEC works by signing DNS responses with public key cryptography, so a resolver can verify that the answers it receives for your domain really came from you. This prevents people from posing as your DNS and intercepting information.

Create an effective staff training policy

As we mentioned in the introduction, human error is one of the biggest challenges to overcome when designing security systems. 

The best chance you have of making sure your systems are secure is by providing sufficient training to staff members within the company. 

Here are the basics which should be covered by this training:

  • How to identify and avoid phishing scams and similar threats
  • Alternatives to email for transferring files
  • How to avoid malware and malicious links
  • What social engineering is and how to judge what information is appropriate to give out.

You could use Process Street to build the outline of this course. Link to the template for the training process in the form field below:

Establish a process for continual testing

The final step to securing your email is to construct a process to regularly test and assess your system against your specific requirements. 

You can use Process Street for regularly occurring checklists to make sure this assessment isn’t overlooked. 
