email [2019/08/17 05:45] – neil | email [2021/07/06 09:26] (current) – external edit 127.0.0.1
Line 1: Line 1:
 =====Securing your email ===== =====Securing your email =====
  
-It is vital to secure your email+If you use email — and, let's face it, how many lawyers do not? — it is vital that you secure it
  
-You are probably communicating a lot of sensitive information by email, and email is likely to be the system used to reset passwords on other accounts. +You are probably communicating a lot of sensitive information by email, and email is likely to be the system used to reset passwords on other accounts. At the very least, secure your email. However, you should also consider if email is the right tool at all – there are [[email_alternatives|alternatives]] which may offer security more appropriate to the risk.
  
 If your email account gets compromised, it could be very difficult to unpick it. If your email account gets compromised, it could be very difficult to unpick it.
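Review bot: the rewritten opening sentence on the right-hand side of this hunk ("If you use email — and, let's face it, how many lawyers do not? — it is vital that you secure it") has lost its full stop; add one. The paragraph that follows then repeats the instruction ("At the very least, secure your email") one sentence after the opening has just said so; consider dropping one of the two, or attaching the "secure it" clause directly to the new pointer to [[email_alternatives|alternatives]] so each paragraph makes a single point.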
Line 15: Line 15:
   * [[email#Secure the connection between your mail client and your email server|Secure the connection between your mail client and your email server]]   * [[email#Secure the connection between your mail client and your email server|Secure the connection between your mail client and your email server]]
   * [[email#Secure the connection between your mail server and the mail server of your recipient|Secure the connection between your mail server and the mail server of your recipient]]   * [[email#Secure the connection between your mail server and the mail server of your recipient|Secure the connection between your mail server and the mail server of your recipient]]
 +  * [[email#Minimise a fraudster's ability to spoof email from you|Minimise a fraudster's ability to spoof email from you]]
   * [[email#Enable two-factor authentication if you use webmail|Enable two-factor authentication if you use webmail]]   * [[email#Enable two-factor authentication if you use webmail|Enable two-factor authentication if you use webmail]]
   * [[email#Consider PGP/GPG for email encryption|Consider PGP/GPG for email encryption]]   * [[email#Consider PGP/GPG for email encryption|Consider PGP/GPG for email encryption]]
Line 56: Line 57:
 ====Secure the connection between your mail server and the mail server of your recipient==== ====Secure the connection between your mail server and the mail server of your recipient====
  
-Ask whoever administers your mail server to configure what is known as "opportunistic TLS". When you attempt to send an email to a third party, your server will try to see if can make an encrypted connection to their mail server+Ask whoever administers your mail server to configure what is known as "opportunistic TLS" 
 + 
 +When it is correctly configured, when you attempt to send an email to a third party, or someone tries to email you, your server and theirs will have an initial chat, to see if they can make an encrypted connection before transferring the actual email
  
 You can test if you already have it working for your mail server [[https://www.checktls.com/TestReceiver|here]]. You can test if you already have it working for your mail server [[https://www.checktls.com/TestReceiver|here]].
  
-If it can't, it will still transmit your email anyway, and, in doing so, it will pass unencrypted over the Internet. Because of this, if you are sending anything sensitive, encrypt it before you send it by email (e.g. by using [[#Consider PGP/GPG for email encryption|PGP/GPG]], or an [[#If you cannot encrypt your email, consider encrypted attachments|encrypted .zip folder]], or use [[email_alternatives|something other than email]].+If it can't, it will still transmit your email anyway, and, in doing so, it will pass unencrypted over the Internet. Â 
 + 
 +Because of this, if you are sending anything sensitive, encrypt it before you send it by email (e.g. by using [[#Consider PGP/GPG for email encryption|PGP/GPG]], or an [[#If you cannot encrypt your email, consider encrypted attachments|encrypted .zip folder]], or use [[email_alternatives|something other than email]]. 
 + 
 +====Minimise a fraudster's ability to spoof email from you==== 
 + 
 +A common fraud ([[https://www.theguardian.com/money/2019/aug/24/the-45000-deposit-for-our-first-home-was-stolen-and-the-banks-did-nothing|example]] is where a fraudster sends an email pretending to be from a lawyer, asking the recipient to do something expected and reasonable, but in favour of the fraudster rather than the solicitor — for example, getting a house buyer to transfer their deposit to a fraudster's email account, rather than the lawyer's client / trust account. 
 + 
 +Spoofing an email — making it look like it has come from your email address — is trivial. You cannot stop someone attempting to spoof an email from your address, but there are some things you can do to lessen the likelihood of it succeeding. 
 + 
 +===SPF === 
 + 
 +SPF — sender policy framework — involves setting a text record in your domain's DNS, which says which IP addresses are permitted to send mail for your domain. This is another reason why [[email#Secure your DNS: it's critical|securing your DNS is critical]]. 
 + 
 +When someone receives an email, their server will hopefully check your domain's SPF record, and determine if the email has come from one of the authorised IP addresses. If not, it might be marked as spam / junk, or else rejected. 
 + 
 +An example of an SPF record, for domain example.com, is: 
 + 
 +  example.com.  IN TXT "v=spf1 mx ip4:203.0.113.7/32 ip6:2001:db8::/32" 
 +   
 +There are a number of tools to help you generate your domain's SPF record. For example, [[https://mxtoolbox.com/SPFRecordGenerator.aspx?|here]]. 
 + 
 +===DKIM === 
 + 
 +DKIM — DomainKeys Identified Mail — is a mechanism for signing and verifying messages. 
 + 
 +As with [[#spf|SPF]], you need to add a text record to your domain's DNS, but, for DKIM, you also need to make changes to your mail server's configuration.  
 + 
 +What you will need to do will depend on your email server or service provider, so either check the manual or help pages, or get someone who knows what they are doing to help. 
 + 
 +===DMARC === 
 + 
 +DMARC — Domain-based Message Authentication, Reporting & Conformance — is an authentication and reporting mechanism. It builds on [[#spf|SPF]] and [[#DKIM|DKIM]], and lets a sender state whether their email are protected by either or both of these things, and what a recipient should do if those tests fail. 
 + 
 +Because it builds on SPF and DKIM, get those in place first, before you look at implementing DMARC. 
 + 
 +As with [[#spf|SPF]] and [[#DKIM|DKIM]], this is another text record for your domain's DNS. 
 + 
 +From a security point of view, setting your DMARC reject to suggest to recipients that they should reject messages from your domain which fail SPF and/or DKIM checks offers the best security. It requires you to make sure that your SPF and DKIM records are correct and up to date as, otherwise, "genuine" email might be rejected. 
  
 ====Enable two-factor authentication if you use webmail ==== ====Enable two-factor authentication if you use webmail ====
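Review bot: the SPF example in the new ===SPF === subsection, "example.com.  IN TXT "v=spf1 mx ip4:203.0.113.7/32 ip6:2001:db8::/32"", has no terminating "all" mechanism, so under RFC 7208 a message from any address not listed evaluates to neutral rather than fail, and the receiving server has no grounds to junk or reject it; that contradicts the paragraph just above, which says unauthorised senders "might be marked as spam / junk, or else rejected". End the record with "-all" (or "~all" while you are still confirming that every legitimate sending host is listed), e.g. "v=spf1 mx ip4:203.0.113.7 ip6:2001:db8::/32 -all"; the "/32" on a single IPv4 address is the default and can be dropped. In the ===DMARC === subsection, "setting your DMARC reject" should read "setting your DMARC policy to reject (p=reject)", and the condition "fail SPF and/or DKIM checks" is not quite right: DMARC passes when either aligned SPF or aligned DKIM passes, so a reject policy only applies when both fail, which is also why the preceding advice to get SPF and DKIM right first matters. Smaller points in the same hunk: "their email are protected" should be "their emails are protected"; the opportunistic-TLS sentence ends in a stray "Â" (a mis-encoded non-breaking space) that should be removed; "When it is correctly configured, when you attempt to send an email" doubles "when"; and the Guardian link "([[https://www.theguardian.com/...|example]] is where" is missing its closing parenthesis, as is the "(e.g. by using ... [[email_alternatives|something other than email]]." sentence carried over from the old text.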
email.1566020710.txt.gz · Last modified: 2021/07/06 09:26 (external edit)