Best Practices: Protecting Your Email Accounts from Compromise
You’ve read about securing your computer, protecting your website from compromise and how to create a secure password. Now, let’s take a look at your email accounts and how to protect them from compromise. Below is a listing of email best practice guidelines for making sure your email is secure.
Note: Liquid Web support covers configuration of your email server, but not configuration of your personal devices or troubleshooting of connectivity issues.
- Use strong, unique passwords between accounts and update them every six months, if not every 90 days.
Our article Best Practice: Creating a Secure Password walks you through the best practices of password creation. A strong password is the number one way to keep yourself safe from malicious activity in email, on your server and on your computer.

- Follow CAN-SPAM and the Liquid Web Terms of Service if you are doing bulk emailing of any kind.
Following these guidelines will help keep your email from being blacklisted and let you continue to send legitimate email to your customers, potential customers and employees.

- Enforce double opt-in, include a physical address in your mailings, and put an unsubscribe link in every bulk email.
Part of the CAN-SPAM compliance requirements is to provide a valid physical postal address so that recipients know where you are located. This helps keep recipients from assuming that your email is spam. An unsubscribe link should always be included in any bulk email, and you should honor unsubscribe requests immediately.

- Never allow your server to be an open relay.
Most Liquid Web servers are pre-configured to avoid being an open relay, but make sure that SMTP is configured to authenticate the user, requiring a username and password to send email. You can learn more about SMTP in our article Turning on SMTP Authentication.

- Use encrypted IMAP on port 993 and SMTP with TLS.
You can learn more about IMAP and SMTP in our article What Is a Mailserver (SMTP, POP3, IMAP)? TLS (Transport Layer Security, also known as SSL) encrypts your email in transit, making it harder for attackers to intercept it and obtain sensitive information. See our article What Is an SSL Certificate? for information on SSL certificates and installing them.

- If you use a contact form or tell-a-friend type function on your site, use reCAPTCHA or require login for use.
Use reCAPTCHA to verify that visitors submitting your contact form are human and to keep automated programs from abusing your email or website. In addition to reCAPTCHA, you can also require users to register an account in order to send information via a contact form or tell-a-friend function.

- Add a Sender Policy Framework (SPF) record, enable DomainKeys Identified Mail (DKIM), and add a DMARC record to prevent email spoofing and spamming.
A Sender Policy Framework (SPF) record is a DNS record that lists the servers allowed to send email for your domain. Find out how to add an SPF record in our article Adding a Sender Policy Framework (SPF) Record. DomainKeys Identified Mail (DKIM) attaches a cryptographic digital signature to your email. See how to use DKIM in our article Enabling DomainKeys Identified Mail (DKIM). DMARC is another DNS record that tells other email servers that your domain publishes SPF and DKIM and what to do with mail that fails those checks, which prevents email spoofing; see how to use it in our article Enabling DMARC.

- Use an antivirus scanner like ClamAV to scan incoming email for viruses.
ClamAV is a powerful antivirus program that can scan your email and server for malicious files. See our instructions on installing and using ClamAV in our article Using ClamAV for Virus Protection.

- If scripts send email, force the use of credentials instead of sending as the “nobody” user.
You can use WHM Tweak Settings to prevent “nobody” from sending mail. Do not save your script in a publicly accessible folder; this keeps it hidden from public view and discourages abuse.
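The SPF and DMARC records recommended above are only as good as their settings, so here is an added example (not from the original article) that checks a record's text for the weak choices most often seen: a "+all" or "?all" terminal mechanism in SPF, and a "p=none" policy or missing "rua" reporting address in DMARC. The record strings, domain names and mailbox in the sample run are constructed placeholders; in practice you would paste in the TXT records published for your own domain.

```python
# Added example (not from the original article): offline sanity checks for the
# SPF and DMARC TXT records the article recommends. Sample records are constructed.

WEAK_ALL = {"+all": "lets any host send as your domain (no protection)",
            "?all": "is neutral, so receivers gain nothing from the record"}

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means no issues."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no terminal 'all' mechanism; end the record with -all or ~all"]
    term = all_terms[-1].lower()
    qualified = term if term[0] in "+-~?" else "+" + term  # bare 'all' means +all
    findings = []
    if qualified in WEAK_ALL:
        findings.append(f"'{term}' {WEAK_ALL[qualified]}")
    if terms[-1].lower() != term:
        findings.append("terms after 'all' are never evaluated; move 'all' last")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you will receive no aggregate reports")
    return findings

if __name__ == "__main__":  # constructed sample records: weak first, then hardened
    for rec in ("v=spf1 ip4:203.0.113.10 include:_spf.example.net +all",
                "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"):
        print(rec, "->", check_spf(rec) or "ok")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", check_dmarc(rec) or "ok")
```

Run it against the TXT records returned by a DNS lookup of your domain and of _dmarc.<your domain>; an empty finding list means the record has none of the weak settings the checker looks for.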