Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don't shoot yourself in the foot.
In February this year, I listed five basic email security tips that everyone should employ. The following is a list of five more good pieces of email security advice:
- Turn off automated addressing features. As communication software accumulates more and more automated convenience features, we'll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook's "dreaded auto-fill feature", where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list. This can be particularly problematic when discussing private matters such as business secrets.
- Use BCC when sending to multiple recipients. It's a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone's email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients' names in the
CC:fields, you're sharing all those email addresses with all the recipients. Email addresses that are not explicitly meant to be shared with the entire world should, in emails addressed to multiple recipients, be specified in the
BCC:field — because each person will then be able to see that he or she is a recipient, but will not be able to see the email addresses of anyone else in the
- Save emails only in a safe place. No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don't do as good a job of ensuring stored email privacy as we might like, and many users' personal computers are not exactly set up with security in mind, as in the case of someone whose MS Windows home directory is set up as a CIFS share with a weak password.
- Only use private accounts for private emails. Any email you share with the world is likely to get targeted by spammers — both for purposes of sending mail to it and spoofing that email address in the
From:field of the email headers. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on spam blocker blacklists used by ISPs and lazy mail server sysadmins, and the more likely you are to have problems with your emails not getting to their intended recipients.
- Double-check the recipient, every time — especially on mailing lists. Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn't a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn't actually get to the mailing list. The converse, however, can be a real problem: if you accidentally send something to the list that was intended strictly for a specific individual, you may end up publicly saying something embarrassing or, worse, accidentally divulging secrets to hundreds of people you don't even know.
These tips are more related to the ways that users break their own security, rather than protecting oneself against the predations of malicious security crackers. Security can be violated through careless acts more easily than by outside forces. Don't be your own biggest security concern.