Cyber security best practices for managing email (ITSAP.60.002) – Canadian Centre for Cyber Security
Summary
This guidance from the Canadian Centre for Cyber Security explains core email security risks and practical steps organisations and employees should take to reduce those risks. It covers common threats — impersonation and spoofing, confidentiality and integrity compromises, availability/DoS attacks and tracking pixels — and provides a set of accessible controls and behaviours to improve email security and privacy.
Key technical and policy recommendations include enabling multi-factor authentication (preferably phishing-resistant), using TLS and end-to-end encryption where appropriate, enforcing strong passwords, keeping software updated, segregating promotional and corporate domains, configuring spam filters and quarantine policies, and training staff in safe email habits. The guidance also sets out what to do if an account is compromised.
Source
Source: https://cyber.gc.ca/en/guidance/cyber-security-best-practices-managing-email-itsap60002
Key Points
- Email is a prime attack vector for organisations of every size; breaches can be impersonation, interception, alteration or service disruption.
- Impersonation and spoofing are common — verify senders before clicking links or sharing sensitive data.
- Use multi-factor authentication (MFA), ideally phishing-resistant methods, to protect accounts.
- Enable TLS for server-to-server transport and adopt end-to-end encryption (S/MIME) where message confidentiality is required.
- Keep devices, email clients and security software updated; enable auto-updates where possible.
- Segregate domains (e.g. newsletters/promotions vs corporate) to protect the primary domain reputation.
- Disable automatic loading of remote images in mail clients to blunt tracking pixels, and avoid pixel tracking in your own outbound email.
- Implement spam filtering, quarantine policies and regular inbox hygiene (empty junk, use folders/rules).
- Outsource email to a reputable provider or put a reverse proxy in front of self-hosted mail to reduce exposure to denial-of-service attacks; review your domain's DNS records regularly.
- If compromised: contact IT, change passwords, scan devices, notify contacts and vendors, contact financial institutions if needed, and report to the Canadian Anti-Fraud Centre.
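Two of the points above (verify senders, and watch for tracking pixels) can be checked mechanically before a message is trusted. The script below is an added example, not code from the Cyber Centre page: it parses a constructed message, flags a display name that embeds an address from a different domain than the real From address, flags a Reply-To routed to another domain, and lists remote images sized or styled as tracking pixels. All domains, addresses and the message itself are made up for the example.

```python
"""Inspect a raw email for sender impersonation cues and remote tracking
pixels.  Added example for ITSAP.60.002; the sample message is constructed
and every domain in it is fictitious."""

import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed sample: the display name shows the corporate domain, the real
# From address and the Reply-To sit on lookalike domains, and the HTML body
# carries a 1x1 remote image alongside a legitimate inline (cid:) logo.
SAMPLE_EMAIL = b"""\
From: "finance@example-corp.com" <billing@example-corp.co>
Reply-To: payments@mail-example-corp.com
To: employee@example-corp.com
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the <a href="https://example-corp.co/invoice">invoice</a>.</p>
<img src="https://track.mail-example-corp.com/open?id=123" width="1" height="1">
<img src="cid:logo" width="120" height="40" alt="logo">
</body></html>
"""

_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(addr_spec):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def check_sender(msg):
    """Return a list of human-readable impersonation findings for the headers."""
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = _domain(sender.addr_spec)

    # A display name that contains an address is a classic spoofing trick:
    # the client shows the friendly name, not the address in angle brackets.
    for embedded in _ADDR_RE.findall(sender.display_name):
        if _domain(embedded) != from_domain:
            findings.append(
                f"display name shows {embedded} but the From address is {sender.addr_spec}")

    # Replies silently redirected to another domain point at an attacker mailbox.
    if msg["Reply-To"]:
        reply_domain = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain != from_domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px' into an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def find_tracking_pixels(html):
    """Return the URLs of remote images that are tiny or hidden (tracking pixels)."""
    collector = _ImgCollector()
    collector.feed(html)
    pixels = []
    for img in collector.images:
        src = img.get("src") or ""
        if not re.match(r"https?://", src, re.IGNORECASE):
            continue  # cid: and data: images do not contact a remote server
        width, height = _dim(img.get("width")), _dim(img.get("height"))
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if (width is not None and width <= 1) or (height is not None and height <= 1) or hidden:
            pixels.append(src)
    return pixels


def inspect_email(raw_bytes):
    """Parse a raw RFC 5322 message and run both checks on it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender": check_sender(msg), "tracking_pixels": find_tracking_pixels(html)}


if __name__ == "__main__":
    report = inspect_email(SAMPLE_EMAIL)
    for finding in report["sender"]:
        print("SENDER:", finding)
    for url in report["tracking_pixels"]:
        print("PIXEL:", url)
```

Running the script against the constructed message reports the display-name mismatch, the Reply-To mismatch and the single remote 1x1 image; the inline cid: logo is ignored because it never leaves the client. The same heuristics are what a mail client's "block remote content" setting and a gateway's anti-spoofing rules apply for you, which is why the guidance recommends enabling them rather than relying on users to notice.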
Context and relevance
Email remains one of the most widely used business communication channels and therefore a persistent target for phishing, business email compromise and other attacks. This guidance is a practical checklist that lets small and medium businesses and their employees harden email quickly, align basic technical settings with good practice, and reduce organisational risk without large resource demands.
What to do if your email has been compromised
- Contact your IT help desk immediately for remediation steps (expect to change passwords and scan devices for malware).
- Inform your email platform provider — compromises can affect other accounts on the same server.
- If financial data or transfers are involved, contact your bank and the platform provider at once.
- Report fraud to the Canadian Anti-Fraud Centre and consult RCMP guidance for business email compromise.
Why should I read this?
Short version: if you use email for work, this is worth five minutes of your time. It’s a no-nonsense checklist that tells you what to switch on, what to lock down and how to act if things go wrong — so you don’t get caught out by phishing, spoofing or a messy breach. We’ve saved you the slog of trawling through technical manuals.
Further reading
See the original guidance for links to related documents on phishing, passphrase best practice, MFA deployment, DoS protection and quick email configuration tips.