Skip to main content
Request a demo
Person using a tablet to browse a website while sitting at a table with a cup of coffee and an open magazine.
🠘 Back to all blog posts

Email security best practices

Sound governance practices can prevent mistakes that could cost your company millions.

- By Dennis Hammer - Apr 21, 2025

Person using a tablet to browse a website while sitting at a table with a cup of coffee and an open magazine.

An employee of Fischer Advanced Composite Components AG (FACC) thought he was following orders when he sent $47 million to a special account. An email from the CEO gave him clear instructions to fund a new acquisition project.

But that email turned out to be fake in a classic example of a Business Email Compromise (BEC) scheme. It seemed to originate from CEO Walter Stephan, but it was actually an impersonation from outside the company. The money disappeared into Asia. That was in 2016.

Then in 2019, there was a phishing attack on Toyota Boshoku Corporation, when an employee was tricked by email into transferring the equivalent of $37 million to a fraudulent account. Media giant Nikkei was defrauded of $29 million in a similar attack.

Sadly, cases like this are too common.

Email security attacks, particularly phishing, have seen a significant rise in recent years. In 2022, approximately 4.7 million phishing attacks were recorded. In 2023, the figure climbed to nearly 5 million.

Phishing attacks don’t come out of nowhere. Rather, weak email governance from marketing teams is often the chink in the armor: Bad actors exploit insecurities in email marketing campaigns and use what they find to take advantage of companies and their customers. 

And phishing is just one of the many ways in which poor email governance can come back to haunt you.

How secure is email?

It’s not. In fact, it’s not designed to be.

Email was originally made to be open and accessible, similar to old-fashioned snail mail. If you have an address, anyone can reach you, even if you don’t know the sender.

This open format is partially why email is such an effective marketing tool.

But accessibility is also a vulnerability. With the right tools, a person can intercept and view your emails. Strangers can send seemingly legitimate messages that entice you to click links, download attachments, or reply with sensitive information.

Today, email attacks are more sophisticated than ever. Scammers spoof FROM addresses, draft professional HTML content, and even link you to duplicitous websites that mirror the sites of trusted brands. They can pretend to be your customers or pretend to be you when speaking with your customers.

Why email security matters

Scammers and abusers wouldn’t bother attacking your emails if it didn’t work. According to the 2025 Data Breach Investigations Report by Verizon, emails are a top threat vector.

In fact, malicious parties don’t have to do anything fancy to gain access. The right phishing email message is all they need to waltz into your private systems.

So email security matters for three equally important reasons.

First, there’s the potential financial loss. According to the FBI, in 2023 business email compromise scams cost US companies $2.9 billion. And, according to NetDiligence, a company with expertise in cybersecurity, the average cost of an incident rose from $84,000 in 2022 to $183,000 in 2023 — an increase of 118 percent.

These costs can spiral out of control quickly. Suppose a hacker intercepts a message between you and a customer that includes sensitive information. Now you and the customer are both targets.

Second, there’s your reputation to consider. Customers trust you with their personal details, like names, emails, and payment info. When emails aren’t secure, this data can fall into the wrong hands.

People lose trust in brands that don't protect their privacy. It can take years to earn trust, but just one email security mistake can ruin it. You can lose customers even if they aren’t personally affected.

Third, regulatory agencies require security. If you’re subject to the restrictions in various data protection laws — and most of us are — you have to take email security seriously. GDPR (General Data Protection Regulation) HIPAA (Health Insurance Portability and Accountability Act), or New York or California’s data privacy laws all set requirements for safe email handling.

How email threats work

Email attacks generally start with a probe. A malicious party (which could be someone posing as a customer) gathers information about their targets through social engineering and public information. Then they launch technical exploits or write convincing emails to gather the pieces they still need to gain access to your email system.

In some cases, they use custom domains that look like yours but aren’t legitimate. The sender often insists on urgent action, designed to fluster you. They usually threaten a negative consequence for nonaction.

Once the hacker gains access, they use a compromised account to steal more confidential information or access other systems. In some cases, they impersonate the account owner to exfiltrate data from other users.

This means that it’s important to scrutinize every email you receive, even the ones from your coworkers, supervisors, and stakeholders. Everything can be an email threat.

Common email security threats

Cybercriminals love to use email to attack businesses. At-Bay, a cybersecurity insurance company, shares that more than 50 percent of all cyberattacks start with an email, but they often occur in different ways. Keeping your emails secure means knowing the threats you might face.

Outbound email threats

Outbound threats occur when you send an email. They fall into two categories: human error and interception.

Human error is when you or someone on your team is the cause of the breach. You might accidentally include some sensitive information in a mass email or send private information to the wrong recipient.

In some cases, breaches occur when someone uses the BCC or CC fields incorrectly, which can expose recipients’ email addresses to each other. This is a big confidentiality breach in some industries.

Accidental attachments are another common error, especially if they contain sensitive personal or financial data.

Interception is the unauthorized access to emails at various stages in their journey. It typically occurs when the sender’s device is compromised with malware or using an unsecured network.

If the right email is intercepted, it can lead some hackers into your email server, which gives them the power to intercept, read, or manipulate future emails.

Reviewing your outgoing emails is easy with our Email Governance tool. It helps marketing teams scan for errors in emails and fix them before sending. It also streamlines your checks for accessibility, quality, and brand consistency.

Inbound email threats

Inbound email threats are dangerous as well. Scammers may try to fool you into giving up information that they can use to infiltrate your email account or other systems.

Phishing - This refers to attacks where a scammer sends fake emails pretending to be from a customer or someone you trust. Their goal is to trick you into giving away personal information or clicking dangerous links. They often use social engineering tactics to manipulate you into disclosing information or performing specific actions.

According to a 2024 survey of cybersecurity leaders, 94 percent of organizations experienced phishing attacks in the past year. Ninety-six percent of those were negatively impacted by it.

Malware and viruses - Harmful software hidden in emails can infect your computer. It’s often delivered when you click a link or download an attachment. Once inside, this software can send emails on your behalf, steal your data, or damage your system.

Business email compromise - Similar to phishing, BEC scams pretend to be trusted leaders, like your boss or someone from accounting. Scammers trick people into sending money or sensitive data.

Account takeovers/spoofing - Once a malicious party has access to your account, they impersonate you and send dangerous messages to your contacts or steal sensitive information. This can confuse or trick your customers into sharing personal details or sending money.

If you have an account with special privileges, they could do real damage.

Email security protocols

Email security protocols are a key part of email governance. They help your outgoing messages reach customer inboxes safely. These industry-standard tools quietly protect your brand behind the scenes.

For marketers, these tools ensure your recipients’ inboxes trust your emails. They can improve your email deliverability and campaign reach.

Sender Policy Framework (SPF) checks that emails claiming to be from your brand really came from you. It confirms that your email server is trusted. This stops scammers from pretending to send emails on your behalf.

DomainKeys Identified Mail (DKIM) adds a hidden signature to your emails. This signature proves the email message hasn’t changed since you sent it. Email providers see this signature and know your email is safe to deliver.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) combines SPF and DKIM. It tells inboxes exactly how to handle emails that fail these checks. With DMARC in place, fake emails pretending to be from your company get blocked or marked as spam.

When these protocols work together, your emails are perceived as trusted by email clients, email service providers, and ISPs. Ultimately, your marketing campaigns reach more people.

Getting started with these protocols is simpler than it sounds. Your IT or operations team can quickly set them up by taking a few easy steps:

  1. Check your current email setup to see which security measures you already have.
  2. Add SPF records to your domain. Your IT team can usually do this in under an hour.
  3. Set up DKIM signatures through your email provider.
  4. Turn on DMARC to combine these tools and specify rules for inboxes.
  5. Regularly test your email security to make sure everything works smoothly.

Email security best practices

Most email service providers and clients offer security tools that deter nefarious parties, but talented criminals know how to bypass them. Beyond implementing those security protocols, it’s important to take some additional steps.

1. Develop an email security policy

A solid security policy is the backbone of any outbound email protection strategy. It should clearly lay out what kind of information counts as sensitive, explain how email should (and shouldn’t) be used, and provide steps for handling any data that leaves the organization.

With Siteimprove’s Email Governance tool, you can set company-specific standards for the kind of information your team is allowed to send. The filter scans outgoing emails for sensitive information based on rules you set and alerts you before sending. This prevents inappropriate data from leaking to customers, whether the content is sent from you accidentally or a hacker puppeting your account.

2. Educate and train your team

Your security policies are useful, but the best defense is a team that knows how to guard itself. Hold regular security awareness training. Teach your team on the types of errors that can compromise your brand’s reputation or compliance.

Test your team’s resilience to phishing by running simulations. When they experience a simulated attack, they’ll be more likely to recognize real ones in the future.

Most importantly, show them what safe and legal emails look like. Show them what information they can share and what won't compromise your systems or users.

Employee training should also include a “think before you click” mandate. Since clicking the wrong link can give hackers access to your inbox or device, you should only click links that you recognize and expect. Some legitimate businesses use link shorteners and UTM codes, so spotting a bad link is harder than you might expect.

It’s best to err on the side of caution. If you don’t recognize a link, don’t click it. If you don’t recognize the sender, don’t respond. (This tip would have saved FACC a lot of money.)

3. Update software and devices

Hackers like to target known vulnerabilities, which means any outdated software leaves your devices open to ransomware, malware, or zero-day exploits. Your IT team should enable automatic updates for operating systems, email clients, and antivirus software.

4. Disable automatic email forwarding

Forwarding lets you automatically send new emails to another email address. It’s a handy tool, but this feature might send some emails outside your secure environment.

If hackers gain access to an account, they might forward all incoming mail to themselves. It’s best to turn this feature off.

5. Use a secure email gateway

A gateway also uses email encryption to hide data in transit and prevent exposure of personally identifiable information, which is a feature your customers expect.

Powerful email gateways bring several other benefits to the table.

  • They identify whether the destinations of URLs are safe.
  • They run suspicious files in an isolated environment.
  • They prevent the impersonation of key stakeholders, like your CEO or CFO.
  • They move suspicious messages to a quarantined space for monitoring.
  • They scan files with multiple antivirus scanners.

6. Require multi-factor authentication (MFA)

MFA is a system that requires users to confirm their login. Combine something the user knows (such as a password) with something they have (like a smartphone app) or something they are (like biometric data). Hackers struggle to get their hands on this additional verification information.

7. Require strong passwords

MFA is valuable, but not fool-proof, so it’s important that every email user on your team has a strong password. You’ll have to set requirements in your email system.

  • Good passwords are long, but they don’t have to be complex. A 25-character song lyric is stronger than “Gw}{4p#Q*R4w.”
  • Good passwords are unpredictable. Your birthdate or children’s names are bad choices.
  • Good passwords are unique. Never reuse passwords for different accounts.
  • Good passwords are changed often. Don’t use variations of previous passwords.

8. Close and forward accounts of ex-employees

If someone leaves your organization, close their account immediately so they can’t access your sensitive information. If you expect that account to receive important messages, forward those emails to another employee.

9. Practice auditing

Keeping a clear record of your digital communications helps you avoid and respond to threats. Audit trails contain lots of information that give you a full picture of every email sent and received so you can identify if something goes wrong.

  • Who sent it and who received it
  • Timestamps for when it was sent and opened
  • The email’s content, including attachments and links
  • Who interacted with it
  • Any metadata, such as headers, IP addresses, and server logs
  • Any changes to it in the case of email threads

Most secure email platforms include a dashboard to help you stay on top of this data and stay in line with regulations.

10. Implement email revoke

Revoking an email isn’t the same as recalling one, though they’re often mixed up. While recall just sends a request asking the recipient to delete the message, revoke actually cuts off access to the email after it’s been sent.

This feature is especially useful if sensitive information ends up in the wrong inbox. Instead of hoping the recipient ignores it or deletes it, revoke lets you block access remotely, reducing the risk and containing the situation before it gets worse.

Some platforms, like Microsoft Outlook, offer basic recall options, but they’re often unreliable, especially when dealing with private business or customer data. Use an outbound email security tool with one-sided revoke controls.

11. Implement a spam filter

A spam filter prevents phishing emails or messages with dangerous links and attachments from ever hitting your inbox. Depending on how your email is configured, your IT team may be able to implement spam filters at the server and email client level.

Filters on your outgoing marketing messages can also tell you if your content will trip your recipients’ spam filters.

12. No public Wi-Fi networks

Hackers love to use public Wi-Fi networks to target new victims. A hacker might use a public network to access your device and grab your login credentials, download your customer email list, or send emails on your behalf.

Your team should only connect to the internet through a safe network that has WPA protection, firewalls, and an administrator who controls everything.

Email security requires vigilance

Email security protects your business from outgoing threats like human error and incoming threats like phishing. Without strong security, your brand reputation and customer trust are at risk.

But email safety isn't just about avoiding disasters. It also boosts your campaign reach by making sure your emails arrive safely in inboxes. And when customers trust your emails, they’re more likely to open them.

Good email security can feel tricky, but it doesn’t have to be. You just need the right governance tool.