Email Security Best Practices


We all have multiple email accounts, and many of us do not always have the best plan in place to secure and recover those accounts. Let’s cover some basics and tips that I use to maintain my email infrastructure. The tips will vary depending on your email provider, but they can be adapted to your unique situation.

I like to start from the end and work my way backwards when it comes to security. What I mean is that the recovery account gets configured first, and then I move back to my normal mail accounts.

My recovery email is with a provider such as Tutanota because I can recover that account with a “key”. When creating this account, try to create an address that is random and cannot be traced back to you (not your name, nickname, pet’s name, etc.). You will only use this account as a recovery address, and it will only be used as a recovery address in one place. Protect this account with a hardware security token such as a YubiKey. Use a long password from your password manager (I use LastPass). After creating and securing the account, save your recovery key in two places: a paper copy in your safe and an electronic copy in an encrypted container on a flash drive.

My next step back is to create an account with Protonmail (I like the Plus plan so I can create alias addresses) again using a unique username and strong password. The recovery for this account will be Tutanota. Secure Protonmail with Authy or something similar. Export your PGP key and store it in your encrypted container. Enable two-password mode.

Once I have my recovery pieces in place, I can then move to my daily use mailbox. I will assume your normal mail is with one of the major providers (Google, Yahoo, Microsoft), but if you are using something different you may not have all of the options.

Find your security and recovery settings and start by updating your recovery address to be your Protonmail account (use an alias for this). Verify your recovery phone number, and add one if you have not already. If your account has security questions, pick any of the options, make up the answers, and store those answers in your password manager. Do not answer them truthfully, as that information can be gathered easily (you have not been doing those Facebook quizzes, have you?).

Once you have your recovery information in place, update your password to something long and secure (generated by your password manager). Then enable and configure your 2FA/MFA options. I suggest using the YubiKey as your primary and Authy as your secondary option. This allows you to log in on any mobile or desktop device with ease while still providing a high level of security. Make sure you are not using SMS as an option unless that is the only option your provider offers.

If your provider does not support secure passwords, recovery options, and 2FA/MFA then you should look for a different email provider.
