email
This shows you the differences between two versions of the page.
email [2019/08/05 17:29] – neil | email [2021/07/06 09:26] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
=====Securing your email ===== | =====Securing your email ===== | ||
+ | |||
+ | If you use email — and, let's face it, how many lawyers do not? — it is vital that you secure it. | ||
+ | |||
+ | You are probably communicating a lot of sensitive information by email, and email is likely to be the system used to reset passwords on other accounts. At the very least, secure your email. However, you should also consider if email is the right tool at all – there are [[email_alternatives|alternatives]] which may offer security more appropriate to the risk. | ||
+ | |||
+ | If your email account gets compromised, | ||
+ | |||
+ | If you have used your personal email account to sign up any accounts for work (e.g. social media accounts), follow this guidance for your personal email account too. | ||
+ | |||
====Key points: ==== | ====Key points: ==== | ||
- | * [[#Secure your DNS: it's critical|Secure your DNS: it's critical]] | + | * [[email#Use a unique password|Use a unique password]] |
- | * [[# | + | * [[email#Secure your DNS: it's critical|Secure your DNS: it's critical]] |
- | * [[#Secure the connection between your mail client and your email server|Secure the connection between your mail client and your email server]] | + | * [[email#Host your server |
- | * [[#Consider PGP/GPG for email encryption|Consider PGP/GPG for email encryption]] | + | * [[email#Secure the connection between your mail client and your email server|Secure the connection between your mail client and your email server]] |
- | * [[#If you cannot encrypt your email, consider encrypted attachments|If you cannot encrypt your email, consider encrypted attachments]] | + | * [[email# |
- | * [[#Do not trust that the sender is who they say they are|Do not trust that the sender is who they say they are]] | + | * [[email# |
- | * [[#Do not trust unexpected attachments|Do not trust unexpected attachments]] | + | * [[email# |
- | * [[#Disable automatic loading of remote content|Disable automatic loading of remote content]] | + | * [[email#Consider PGP/GPG for email encryption|Consider PGP/GPG for email encryption]] |
- | * [[# | + | * [[email#If you cannot encrypt your email, consider encrypted attachments|If you cannot encrypt your email, consider encrypted attachments]] |
- | * [[#Be aware of phishing email |Be aware of phishing email ]] | + | * [[email#Do not trust that the sender is who they say they are|Do not trust that the sender is who they say they are]] |
+ | * [[email#Do not trust unexpected attachments|Do not trust unexpected attachments]] | ||
+ | * [[email#Disable automatic loading of remote content|Disable automatic loading of remote content]] | ||
+ | * [[email#Don't use tracking pixels or remotely-hosted content|Don' | ||
+ | * [[email#Be aware of phishing email |Be aware of phishing email ]] | ||
+ | | ||
+ | ====Use a unique password ==== | ||
+ | | ||
+ | You should use a [[passwords|unique password]] for every account you have, but this is especially true for your email account. | ||
====Secure your DNS: it's critical==== | ====Secure your DNS: it's critical==== | ||
- | [[firm_website# | + | If you have your own domain name, make sure you [[firm_website# |
+ | | ||
+ | | ||
+ | ====Host your server (physically) in a suitable country==== | ||
+ | | ||
+ | [[firm_website# | ||
- | ====Host it (physically) in a suitable country==== | + | ====Keep your software up to date==== |
- | [[firm_website# | + | [[firm_website# |
====Secure the connection between your mail client and your email server==== | ====Secure the connection between your mail client and your email server==== | ||
Line 34: | Line 57: | ||
====Secure the connection between your mail server and the mail server of your recipient==== | ====Secure the connection between your mail server and the mail server of your recipient==== | ||
- | Ask whoever administers your mail server to configure what is known as " | + | Ask whoever administers your mail server to configure what is known as " |
- | If it can't, it will still transmit your email anyway, and, in doing so, it will pass unencrypted over the Internet. Because of this, if you are sending anything sensitive, encrypt it before | + | When it is correctly configured, when you attempt to send an email to a third party, or someone tries to email you, your server and theirs will have an initial chat, to see if they can make an encrypted |
+ | You can test if you already have it working for your mail server [[https:// | ||
+ | |||
+ | If it can't, it will still transmit your email anyway, and, in doing so, it will pass unencrypted over the Internet. | ||
+ | |||
+ | Because of this, if you are sending anything sensitive, encrypt it before you send it by email (e.g. by using [[#Consider PGP/GPG for email encryption|PGP/ | ||
+ | |||
+ | ====Minimise a fraudster' | ||
+ | |||
+ | A common fraud ([[https:// | ||
+ | |||
+ | Spoofing an email — making it look like it has come from your email address — is trivial. You cannot stop someone attempting to spoof an email from your address, but there are some things you can do to lessen the likelihood of it succeeding. | ||
+ | |||
+ | ===SPF === | ||
+ | |||
+ | SPF — sender policy framework — involves setting a text record in your domain' | ||
+ | |||
+ | When someone receives an email, their server will hopefully check your domain' | ||
+ | |||
+ | An example of an SPF record, for domain example.com, | ||
+ | |||
+ | example.com. | ||
+ | | ||
+ | There are a number of tools to help you generate your domain' | ||
+ | |||
+ | ===DKIM === | ||
+ | |||
+ | DKIM — DomainKeys Identified Mail — is a mechanism for signing and verifying messages. | ||
+ | |||
+ | As with [[# | ||
+ | |||
+ | What you will need to do will depend on your email server or service provider, so either check the manual or help pages, or get someone who knows what they are doing to help. | ||
+ | |||
+ | ===DMARC === | ||
+ | |||
+ | DMARC — Domain-based Message Authentication, | ||
+ | |||
+ | Because it builds on SPF and DKIM, get those in place first, before you look at implementing DMARC. | ||
+ | |||
+ | As with [[# | ||
+ | |||
+ | From a security point of view, setting your DMARC reject to suggest to recipients that they should reject messages from your domain which fail SPF and/or DKIM checks offers the best security. It requires you to make sure that your SPF and DKIM records are correct and up to date as, otherwise, " | ||
+ | |||
+ | |||
+ | ====Enable two-factor authentication if you use webmail ==== | ||
+ | |||
+ | If you use webmail — where you can access your email through a web browser — enable [[two-factor_authentication|two-factor authentication]] on your login. | ||
+ | |||
+ | If you can only access the webmail interface via a VPN (i.e. it is not exposed to the public), the risk of not having two-factor authentication is reduced. | ||
====Consider PGP/GPG for email encryption==== | ====Consider PGP/GPG for email encryption==== | ||
Line 50: | Line 121: | ||
PGP/GPG is not perfect, but it is better than not encrypting your email. Depending on your needs, you might want to look at [[email_alternatives|alternatives to email]], which offer better security. | PGP/GPG is not perfect, but it is better than not encrypting your email. Depending on your needs, you might want to look at [[email_alternatives|alternatives to email]], which offer better security. | ||
+ | |||
+ | ===Warnings: | ||
+ | |||
+ | * PGP/GPG does not hide the existence of a communication, | ||
+ | * If you lose your private key, or forget your passphrase, you cannot access your email. | ||
+ | * If someone gets hold of your private key and your passphrase, they can access all encrypted email sent to you with the corresponding public key, and they can send email pretending to be you, signed with your own private key. | ||
+ | |||
macOS: [[https:// | macOS: [[https:// | ||
Line 61: | Line 139: | ||
[[#Consider PGP/GPG for email encryption|PGP/ | [[#Consider PGP/GPG for email encryption|PGP/ | ||
- | If you need to transfer something sensitive as a once-off by email, put your message, or the files you want to send, into a directory, and then encrypt the directory. Send that encrypted directory to your recipient, via email, and give them the password by a separate, secure channel. Do not email the password, as otherwise you have sent both the thing you are protecting, and the password to access it, by the same means: someone monitoring their email would get both elements. | + | If you need to transfer something sensitive as a once-off by email, put your message, or the files you want to send, into a directory, and then encrypt the directory. Send that encrypted directory to your recipient, via email, and give them the password by a separate, secure channel. |
+ | | ||
+ | Do not email the password, as otherwise you have sent both the thing you are protecting, and the password to access it, by the same means: someone monitoring their email would get both elements. Send it some other way, such as by text message, or give it out over the phone. | ||
As with PGP/GPG, this would still leave the subject line and content of the email, along with sender and recipient information, | As with PGP/GPG, this would still leave the subject line and content of the email, along with sender and recipient information, | ||
Line 98: | Line 178: | ||
{{:: | {{:: | ||
+ | |||
+ | In iOS, it's in Settings / Mail: | ||
+ | |||
+ | {{:: | ||
==== Don't use tracking pixels or remotely-hosted content ===== | ==== Don't use tracking pixels or remotely-hosted content ===== |
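The SPF, DKIM and DMARC mechanisms described under "Minimise a fraudster's..." above, worked through from the receiving server's side as an added example (this code is not from the original wiki page). It evaluates a domain's SPF record for the connecting IP address, parses the domain's DMARC policy, applies DMARC identifier alignment and returns the disposition a receiver would apply, so you can see why a spoof that passes SPF for the attacker's own domain still fails DMARC for yours. Everything in it is constructed: the DNS zone stands in for real TXT lookups, the IP addresses and messages are made up, the two-label organisational-domain rule is an approximation of the Public Suffix List, and DKIM is represented only by the d= domain of a signature assumed to have already verified (checking the signature itself needs the message and the signer's public key).

```python
"""Added example (not from the original wiki page): how a receiving mail server
applies SPF and DMARC to a message whose From: header claims example.com.
The DNS zone is constructed and stands in for real TXT lookups; DKIM is
represented by the d= domain of a signature assumed already verified."""
import ipaddress

# Constructed zone data (name -> TXT records); not the real records of any domain.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"],
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],  # the attacker's own domain
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(name):
    """Stand-in for a DNS TXT lookup against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), [])


def check_spf(domain, client_ip, depth=0):
    """Evaluate `domain`'s SPF record for a connection from `client_ip` (RFC 7208 result names).
    Handles ip4, ip6, include and all; a, mx, ptr and exists need live DNS and never match here."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in txt(domain) if r.split() and r.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)  # False across v4/v6
            elif mech == "include":
                matched = check_spf(arg, client_ip, depth + 1) == "pass"
            else:
                matched = False
        except ValueError:               # malformed address in the record
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def dmarc_policy(from_domain):
    """Parse the DMARC record at _dmarc.<from_domain>; None if the domain publishes none."""
    for rec in txt("_dmarc." + from_domain):
        tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
        if tags.get("v") == "DMARC1" and "p" in tags:
            tags.setdefault("adkim", "r")   # relaxed alignment is the default
            tags.setdefault("aspf", "r")
            return tags
    return None


def org_domain(domain):
    # Assumption: the last two labels approximate the organisational domain.
    # Real receivers use the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """DMARC alignment: strict ("s") requires equality, relaxed ("r") the same organisational domain."""
    a, f = authenticated_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(msg):
    """Apply SPF and DMARC to one message and return what the receiver should do with it."""
    spf = check_spf(msg["mail_from_domain"], msg["client_ip"])
    policy = dmarc_policy(msg["from_domain"])
    if policy is None:                   # no DMARC record: spoofing of this domain goes unpoliced
        return {"spf": spf, "dmarc": "none", "disposition": "accept"}
    spf_ok = spf == "pass" and aligned(msg["mail_from_domain"], msg["from_domain"], policy["aspf"])
    dkim_ok = msg["dkim_domain"] is not None and aligned(msg["dkim_domain"], msg["from_domain"], policy["adkim"])
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "accept"}
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return {"spf": spf, "dmarc": "fail", "disposition": disposition}


# Constructed messages: From: domain, envelope MAIL FROM domain, connecting IP, verified DKIM d= (or None).
MESSAGES = [
    {"from_domain": "example.com", "mail_from_domain": "example.com", "client_ip": "192.0.2.25", "dkim_domain": "example.com"},  # genuine: own server, signed
    {"from_domain": "example.com", "mail_from_domain": "example.com", "client_ip": "198.51.100.10", "dkim_domain": None},  # genuine: included relay, unsigned
    {"from_domain": "example.com", "mail_from_domain": "example.com", "client_ip": "203.0.113.7", "dkim_domain": None},  # spoof: attacker's server claims example.com
    {"from_domain": "example.com", "mail_from_domain": "attacker.example", "client_ip": "203.0.113.7", "dkim_domain": "attacker.example"},  # spoof: authenticates attacker.example, unaligned
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["client_ip"], m["mail_from_domain"], "->", evaluate(m))
```

Running it shows the two genuine messages accepted and both spoofs rejected, because example.com publishes p=reject and neither spoof can produce an SPF pass or a DKIM signature for a domain aligned with the From: header. The same logic is why a missing or permerror SPF record, or a DMARC policy of p=none, leaves your domain open to the invoice fraud the page describes: with p=none the fourth message would be accepted even though DMARC fails.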