Despite the rise of instant messaging apps, email is still at the center of business communication. 87% of all marketers say they rely on email marketing for content dissemination. This form of marketing is the primary client acquisition tool for 81% of all small businesses, with 80% relying solely on email for customer retention.

One reason people trust email more is that new messaging apps are less proven and still face big security issues. Users of Slack, for instance, have had many security concerns with the platform. These include data leakage, malware, and impersonation.


That is not to say that email is immune to cyberattacks. Email servers are still by far the industry’s most commonly breached asset.

To help keep your business email safe, we have compiled a list of email security best practices. By following these tips, you can reduce the risk of email-based attacks and keep your business running smoothly.

What Security Threats Face Email?

The first step to email security is understanding the types of threats that exist. Here are some of the most common email-based security threats:

Phishing
Phishing is a type of email-based attack that involves fraudulent emails appearing to be from a legitimate source. These emails often contain links or attachments that download malware onto the victim’s computer.

Be especially on the lookout for spear phishing attacks. Spear phishing is a type of email attack targeting a specific individual or organization. These attacks are usually more sophisticated than regular phishing attacks, and they often contain personal information about the victim that makes the email seem more credible. A regular and ongoing phishing test for employees significantly lowers the risk of a phishing attack succeeding.

Malware
Malware is a type of software designed to damage or disable computers. Email attachments are a common way for malware to spread. Once opened, the malware can infect the victim’s computer and give the attacker access to sensitive data.

Common types of email-borne malware include viruses, ransomware, and spyware. Each type of malware has different effects, but all of them can be devastating to businesses. For instance, manufacturing companies that suffered ransomware attacks in 2021 paid an average of $2.04 million.

Beware, it's Everywhere: Ransomware is Malware

Spoofing
Spoofing is a type of email attack where the attacker impersonates another person or business to gain access to sensitive information. This is done by using a fake email address or website that looks identical to the real thing. An example of spoofing would be an email that appears to be from your bank but is actually from a scammer.

Social Engineering

Social engineering is a type of attack where the attacker uses psychological manipulation to trick people into revealing sensitive information or taking an action that they would not normally do. This can be done through email, phone, or in person.

For instance, an attacker might call someone pretending to be from IT and ask for their password. These attacks are also quite common, with the average company experiencing 700 cases annually. Social engineering scenarios like these should be incorporated into any ongoing phishing test for employees.
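The phishing and spoofing indicators described above (a display name that claims one domain while the address is another, a Reply-To that diverts replies elsewhere, and a link whose visible text differs from its real destination) can be checked mechanically. The following is an added example, not code from ThriveDX or from the original article; the message it parses is constructed, and the domains in it (bank.example, bank-example-verify.example, mailbox-collector.example, corp.example) are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). It carries three indicators:
# a display name naming a domain other than the sender's, a Reply-To on a third
# domain, and a link whose anchor text differs from its href (a raw IP address).
SAMPLE_RAW = """\
From: "Example Bank - bank.example" <alerts@bank-example-verify.example>
Reply-To: replies@mailbox-collector.example
To: employee@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://198.51.100.7/login">https://www.bank.example/login</a> today.</p>
</body></html>
"""

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Return human-readable indicators found in one raw RFC 5322 message (empty list = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Display name mentions a domain that is not the real sender domain.
    for token in DOMAIN_RE.findall(name):
        token = token.lower()
        if token != from_domain and not from_domain.endswith("." + token):
            findings.append(f"display name mentions {token} but sender domain is {from_domain}")
            break

    # 2. Reply-To on a different domain: replies leave the organisation the mail claims to be from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Links: anchor text that shows one host while the href goes to another, and raw-IP targets.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if IPV4_RE.match(host):
                findings.append(f"link points at a raw IP address: {host}")
            shown = DOMAIN_RE.search(text)
            if shown and shown.group(0).lower() != host:
                findings.append(f"link text shows {shown.group(0)} but goes to {host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_RAW):
        print("-", finding)
```

These checks are heuristics: a legitimate newsletter may set Reply-To to a ticketing domain, so a finding is a reason to pause and verify through a known-good channel, which is exactly the behaviour a phishing test for employees is meant to train.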

What Are Email Security Best Practices?

Now that you know the types of email-based attacks that exist, you can start to implement email security best practices to protect your business. Here are eight email security tips to keep in mind:

1. Train Your Employees

About 95% of all cyberattacks are the result of human error. In other words, humans are the problem…so they must also be the solution. This means that the best way to prevent email-based attacks is to train your employees on email security best practices. Make sure they know how to spot phishing emails and teach them what to do if they receive one. You should also consider running regular phishing simulations to assess their email security knowledge.

Run a Phishing Test for Employees – Constantly

Security Awareness Training without a regular and ongoing phishing test for employees is no training at all. Since phishing is the #1 attack and email is the #1 attack vector, best practices for email security must by definition include phishing simulations, and ideally a phishing-report button employees can click to automate the forwarding of suspicious email.

Make sure your employees know not to open email attachments from unknown senders and teach them how to spot fake links. If they are ever unsure about an email, they should contact the IT department for assistance.

Is that really Wells Fargo? It might be spoofed. When in doubt, type it in directly.

2. Use Multi-Factor Authentication (MFA)

MFA is a security validation measure requiring users to provide at least three pieces of information to access the network. This can be something like a password and a one-time code or token (token preferred) sent to a mobile device.

Compared with two-factor authentication (2FA), MFA makes it much more difficult for attackers to gain access to email accounts and should be used whenever possible. MFA reduces cyberattack chances by 99%. 

From the National Institute of Standards and Technology (NIST), MFA can include three elements:

  • Things you know – such as a password or other personally known information, such as the answers to security questions

  • Things you have – such as an ID badge with an embedded chip, or a digital code generator

  • Things you are – such as physical traits like your fingerprints or voice

3. Follow DMARC Protocols

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email validation protocol designed to protect domain names from being misused (spoofed) by threat actors; it authenticates the sender’s domain before allowing the message to reach its intended destination.

Whenever email security best practices are mentioned, DMARC is never far behind. DMARC verifies that the purported domain of the sender has not been impersonated and relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.
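To make the DKIM/SPF/DMARC relationship concrete, the following added example (not code from the article or from ThriveDX) implements the receiving side's decision: evaluate SPF for the envelope sender, take the DKIM signing domains that verified, check whether either one aligns with the visible From: domain under the record's adkim/aspf modes, and apply the published policy if neither does. The DNS records are constructed and held in a dict standing in for real TXT lookups; bank.example, mailer.example and attacker.example are placeholders, and the organizational-domain helper is deliberately simplified (real receivers use the Public Suffix List).

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (assumption: none of
# these names exist; a real receiver queries DNS instead of this dict).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.bank.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-reports@bank.example",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower())


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_check(client_ip, domain, depth=0):
    """Minimal SPF evaluator supporting ip4/ip6, include and all mechanisms."""
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return SPF_RESULT[qualifier]
        elif term.startswith("include:"):
            if spf_check(client_ip, term[8:], depth + 1) == "pass":
                return SPF_RESULT[qualifier]
        elif term == "all":
            return SPF_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain under the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def dmarc_evaluate(header_from_domain, client_ip, mail_from_domain, dkim_pass_domains):
    """Decide what a DMARC-enforcing receiver does with one inbound message.

    header_from_domain: domain of the RFC 5322 From: header the user sees
    mail_from_domain:   domain of the SMTP envelope sender (what SPF checks)
    dkim_pass_domains:  d= domains of DKIM signatures that verified
    """
    record = lookup_txt("_dmarc." + header_from_domain)
    is_subdomain = record is None
    if record is None:
        record = lookup_txt("_dmarc." + org_domain(header_from_domain))
    if record is None or not record.startswith("v=DMARC1"):
        return {"policy": "none", "spf_aligned": False, "dkim_aligned": False,
                "disposition": "none"}
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    if is_subdomain:
        policy = tags.get("sp", policy)
    spf_aligned = (spf_check(client_ip, mail_from_domain) == "pass"
                   and aligned(header_from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_aligned = any(aligned(header_from_domain, d, tags.get("adkim", "r"))
                       for d in dkim_pass_domains)
    # DMARC passes when either authenticated identifier aligns with the visible From:.
    # The pct= sampling tag is ignored here so results are deterministic.
    disposition = "pass" if (spf_aligned or dkim_aligned) else policy
    return {"policy": policy, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


if __name__ == "__main__":
    print(dmarc_evaluate("bank.example", "203.0.113.10", "bank.example", ["bank.example"]))
    print(dmarc_evaluate("bank.example", "192.0.2.50", "attacker.example", []))
```

The third-party-mailer case is the one that surprises people: a bulk sender can pass SPF for its own domain and still be rejected, because DMARC requires the authenticated domain to align with the From: domain the recipient actually sees. Publishing p=none first and reading the rua reports shows which legitimate senders need a DKIM signature before the policy is tightened to quarantine or reject.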

4. Use Encryption

Email encryption is a process of encoding email messages so that only the intended recipient can read them. This is done with public-key cryptography, typically managed through a public key infrastructure (PKI). PKI uses two types of keys, a public key and a private key, to encrypt and decrypt email messages.

When email is encrypted, even if an attacker manages to intercept a message, they will not be able to read it. This makes email encryption an essential part of email security. This technology is so popular that the global industry size for encryption software is expected to surpass $42 billion by 2030.

5. Create Strong Passwords

Poor password security accounts for 81% of data breaches. This means it is critical to have strong passwords for all email accounts. Passwords should be at least eight characters long and contain a mix of uppercase and lowercase letters, numbers, and symbols. They should also change on a regular basis.

Easier said than done, but it is crucial to never use the same password for multiple email accounts. If one account is compromised, the others aren’t far behind.

6. Email Security Best Practices: Use a Password Manager

A password manager is a type of software that helps you create and store strong passwords. This is a big help for employees who have trouble creating strong passwords on their own. Given that 81% of all breaches related to hacking are due to weak or stolen passwords, a password manager is the lowest of low-hanging fruit to improve your security posture.
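The password rules from tip 5 and the two things a password manager does for you in tip 6 (generate compliant passwords from a proper random source, and warn when one password is reused across accounts) fit in a short script. This is an added example, not code from the article or from ThriveDX; the rule thresholds are the article's, the common-password denylist is a tiny constructed stand-in for a real breached-password list, and the vault contents in the usage are made up.

```python
import hashlib
import secrets
import string

MIN_LENGTH = 8  # the article's stated minimum length
# Tiny constructed denylist; a real checker would use a large breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def check_password(password):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name}" for name, present in required.items() if not present)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def generate_password(length=16):
    """Generate a policy-compliant password from the OS CSPRNG, as a password manager does.
    `secrets` is used rather than `random`, which is not suitable for credentials."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reuse(vault):
    """Group account names that share a password (a vault-audit feature).
    Grouping is done on SHA-256 digests so the plaintext is not used as a dict key."""
    by_digest = {}
    for account, password in vault.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(account)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed vault contents for illustration only.
    vault = {"mail": "Same1!pw", "crm": "Same1!pw", "vpn": "Other2@pw"}
    for account, pw in vault.items():
        print(account, check_password(pw) or "ok")
    print("reused across:", find_reuse(vault))
    print("suggested replacement:", generate_password(20))
```

Running the check against a whole vault turns "never reuse passwords" from advice into something measurable: the reuse report tells you which accounts to rotate first if any one of them is ever exposed.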

Social Engineering: Highly Effective at Separating People from Common Sense - and Their Private Data

7. Use Spam Filters

Spam filters can be very effective at reducing the amount of junk email that your employees have to deal with, which is up to 85% of all emails sent. They can also help to block email attacks, like phishing attempts.

8. Back Up Your Emails

76% of people back up data, including important emails. Back up everything on a daily basis in case of a security incident; this way you can restore any lost or deleted email messages. There are several different methods you can use to back up email data, including email archiving software or backing up email to the cloud. Whichever method you choose, make sure that your backup solution is dependable and secure.

9. Invest in a Secure Email Gateway

Unless you believe employees do the right thing 100% of the time, give serious thought to adding a secure email gateway to your network. Secure email gateways are a multi-layered framework of hardware and software products dedicated to securing the email channel within organizations.

Over 90% of cyberattacks arrive via email. 95% of successful cyberattacks require humans to do something stupid. To avoid costly attacks like ransomware, business email compromise (BEC) and spoofing, secure email gateways provide another critical layer of protection. 

10. Patch Your Software, Hardware, Firmware and Peripherals

Even though this seems obvious, you’d be surprised. Did you know that you stand to lose 47% more money in case of a data breach if your technology is outdated? One of the best ways to improve email security is to make sure that all email software is always up to date. This includes email servers, email clients, and email security software.

Outdated software is one of the most common causes of email security breaches. Software updates often include security fixes for known vulnerabilities. By keeping your software up to date, you can help to protect your email system from attacks.

A Final Thought on Email Security Best Practices

Email security is important for all organizations because email remains the de facto communication standard. Cybercriminals follow the money, so they will keep inventing new ways to exploit email systems, and these days those new ways almost always involve people.

Therefore it’s important to stay one step ahead by conducting regular security awareness training, email security training and administering a regular phishing test for employees. By following the email security best practices listed above, you can do your part to keep your business safe.

To learn more about how ThriveDX protects organizations with email security best practices, please check out our Security Awareness Training here.


Christopher Dale is the content marketing manager for ThriveDX’s Enterprise Division. He has worked in the cybersecurity field for almost 14 years in PR, social media and content development roles for a range of companies including ESET, Forcepoint, Cylance (Blackberry) and Proofpoint. He holds Bachelor of Arts degrees in Political Science and Rhetoric & Communication from the University of California, Davis. 
