Email security best practices (ITSM.60.002) – Canadian Centre for Cyber Security

Summary

This Cyber Centre guidance (effective 12 August 2025) summarises practical, organisation-level email security measures to protect confidentiality, integrity and availability of communications and data.

It explains common threats (phishing, spoofing, malware, business email compromise, impersonation, data exfiltration and spam), details key protocols (TLS, S/MIME, PGP/OpenPGP, SPF, DKIM, DMARC) and sets out operational recommendations: encrypt email where appropriate, validate sender and server identity, secure email gateways, create policies, monitor activity, audit regularly, separate personal and business emails, verify links before clicking, and block spam.
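As an added example of the sender-authentication protocols listed above (this is illustrative code, not part of the Cyber Centre guidance), the following Python implements the core of SPF evaluation (RFC 7208): the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers, the include loop guard, and the permerror that an include of a missing record must produce. The DNS_TXT table and the sender addresses are constructed for the example; real code would resolve TXT records and also handle a, mx, exists, redirect= and the 10-lookup limit. The example.org and strict.example records differ only in their final term, which is exactly the softfail (~all) versus hardfail (-all) choice made while rolling SPF out.

```python
"""Minimal SPF evaluator against a constructed DNS table (illustrative, not from ITSM.60.002)."""
import ipaddress

# Constructed zone data: domain -> SPF TXT record (assumption, not real DNS).
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail-relay.example ~all",
    "mail-relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",
    "broken-include.example": "v=spf1 include:missing.example -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=DNS_TXT, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sender_ip claiming the given RFC5321.MailFrom domain."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:
        # include: recursion guard; RFC 7208 caps DNS-querying terms at 10.
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            # "all" always matches: its qualifier is the final result.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv4 address is never contained in an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner in ("permerror", "none"):
                # A missing or broken included record is a permanent error (RFC 7208 5.2).
                return "permerror"
            if inner == "pass":
                # include: matches only when the included record yields "pass".
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, ptr, redirect= are not implemented in this example.
            return "permerror"
    # Record ended without an "all" term: default result is neutral.
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.org"), ("192.0.2.1", "example.org"),
                    ("192.0.2.1", "strict.example"), ("2001:db8::1", "example.org")]:
        print(f"{ip:>14} from {dom:<16} -> {check_spf(ip, dom)}")
```

The same unauthorised source (192.0.2.1) gets softfail from example.org and fail from strict.example; a receiver that honours SPF alone will typically accept the first and reject the second, which is why the guidance suggests publishing ~all until you are confident the record lists every legitimate sender.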

The guidance also covers infrastructure controls for servers, storage, physical access and cloud deployments, plus complementary practices such as strong unique passwords, multi-factor authentication (including phishing‑resistant MFA), regular updates, incident response planning and backups. It recommends engaging trusted third‑party email security experts or services where needed and lists advanced services (sandboxing, content control, continuous monitoring and analytics).

Source

Source: https://cyber.gc.ca/en/guidance/email-security-best-practices-itsm60002

Key Points

  • Email is a prime attack vector; adopt layered defences to protect sensitive data and meet compliance obligations.
  • Use encryption: TLS for transport, and S/MIME or PGP/OpenPGP for end-to-end confidentiality and digital signatures.
  • Deploy SPF, DKIM and DMARC to reduce spoofing and strengthen sender authentication; while testing SPF, publish a softfail record (~all) and move to hardfail (-all) only once every legitimate sending source is listed.
  • Secure the email gateway (on‑premises, hybrid or cloud) to filter malware, phishing and spam and to apply content controls.
  • Implement strong infrastructure controls: patched, hardened email servers, encrypted storage, access controls and MFA for admins.
  • Train staff regularly on phishing, BEC and social engineering; keep work and personal email separate.
  • Monitor email activity (SIEM, DMARC reports), run audits and tabletop exercises, and maintain an incident response plan and secure backups.
  • Consider third‑party services for sandboxing, advanced threat intelligence, continuous monitoring and analytics where in‑house capability is limited.
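The DMARC step in the Summary and the SPF/DKIM/DMARC and DMARC-report points above come together in the identifier-alignment check that decides a message's disposition. The following Python is an added illustration (not code from the Cyber Centre guidance): it takes the SPF and DKIM results a gateway has already computed, parses the From domain's DMARC record (RFC 7489), applies strict or relaxed alignment, falls back to the organizational domain's record with its sp= policy for subdomains, and returns pass/fail plus the disposition. The DMARC_TXT table, the AuthResults inputs and the two-label organizational_domain() helper are assumptions for the example; production code uses the Public Suffix List and also applies the pct= sampling tag, which is ignored here.

```python
"""DMARC alignment and disposition (illustrative example, not from ITSM.60.002)."""
from dataclasses import dataclass

# Constructed _dmarc TXT records keyed by domain (assumption, not real DNS).
DMARC_TXT = {
    "example.org": "v=DMARC1; p=quarantine; sp=none; adkim=r; aspf=s; rua=mailto:dmarc@example.org",
    "strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


@dataclass
class AuthResults:
    """What the gateway's own SPF and DKIM checks produced for one message."""
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults.
    Returns None if the record is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Crude organizational domain: last two labels (assumption; real code
    consults the Public Suffix List so that e.g. co.uk is handled)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(msg, dns=DMARC_TXT):
    """Return {'dmarc': pass|fail|none, 'disposition': none|quarantine|reject}."""
    # Look up the From domain first; if it has no record, use the organizational
    # domain's record, in which case the subdomain policy sp= (default p=) applies.
    record, policy_tag = dns.get(msg.from_domain), "p"
    if record is None:
        record, policy_tag = dns.get(organizational_domain(msg.from_domain)), "sp"
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    # DMARC passes if EITHER SPF or DKIM passed AND that identifier is aligned
    # with the From domain; an unaligned pass (e.g. a third party's own domain)
    # counts for nothing, which is what stops header spoofing.
    spf_ok = msg.spf_result == "pass" and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    return {"dmarc": "fail", "disposition": policy.get(policy_tag, policy["p"])}


if __name__ == "__main__":
    spoof = AuthResults("strict.example", "pass", "attacker.example", "pass", "attacker.example")
    print("spoofed From with attacker's own SPF/DKIM pass:", evaluate_dmarc(spoof))
    legit = AuthResults("example.org", "fail", "bulk.example.net", "pass", "example.org")
    print("outsourced bulk mail, DKIM-signed by example.org:", evaluate_dmarc(legit))
```

Note that with aspf=s a message from mail.example.org that passes SPF but carries no aligned DKIM signature is quarantined by example.org's policy, and that news.example.org inherits sp=none rather than p=quarantine; both are the kind of surprise that shows up first in DMARC aggregate reports, which is why the monitoring point above pairs them with the SIEM.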

Why should I read this?

Quick and useful — this guidance tells you what actually matters for keeping email secure. If you run or help run email for an organisation, it’s a tidy checklist of what to do now (encryption, SPF/DKIM/DMARC, gateways, MFA, training and backups) and where to look next. Saves you time and helps avoid the basic mistakes that lead to costly breaches.

Context and relevance

As email threats grow more sophisticated (AI‑generated phishing, targeted BEC and homograph attacks), this document sets out current, practical controls and protocols that align with industry expectations. It is particularly relevant for organisations moving services to the cloud, those subject to regulatory obligations, or any team wanting a structured programme for reducing email‑based risk.

Adopting these practices improves resilience, reduces fraud and data loss risk, and supports forensic and compliance needs through better logging, authentication and policy enforcement.