s

ie
og
Email Security Checklist and

ol
c hn
Guide
Te
By Chinmay Kulkarni | Vardhishnu Technologies

Helping businesses stay secure, compliant, and audit-ready.

u
hn
is
dh
r
Va
 Email Security Checklist
-​ Chinmay Kulkarni

Here’s a comprehensive, detailed Email Security Checklist you can use for
internal audits, awareness campaigns, or client-facing materials. It is structured
into Technical Controls, Process & Policy, and User Awareness for clarity.

s
ie
og
Email Security Checklist

ol
1. Technical Controls

A. Email Authentication & Anti-Spoofing

c hn
Te
​Implement SPF (Sender Policy Framework) to validate legitimate sending
servers.​
u

​Configure DKIM (DomainKeys Identified Mail) to sign outgoing emails and

hn

prevent tampering.​
is

​Enable DMARC (Domain-based Message Authentication, Reporting &

Conformance) with strict policy (reject/quarantine).​
dh

​Regularly monitor DMARC reports for spoofing attempts.​

r
Va

B. Email Encryption

​Use TLS (Transport Layer Security) for email transmission between

servers.​
 Email Security Checklist
-​ Chinmay Kulkarni

​Deploy end-to-end encryption (PGP or S/MIME) for sensitive

communication.​

​Enforce encryption for attachments containing personal or confidential

data.​

s
ie
C. Spam & Malware Filtering

og
​Enable advanced spam filters to block phishing emails.​

ol
​Configure sandboxing for email attachments to detect malicious payloads.​

c hn
​Block executable file types (.exe, .js, .vbs) at the gateway.​

​Use reputation-based filtering to block suspicious domains.​

Te

D. Access Security
u
hn

​Enforce Multi-Factor Authentication (MFA) for email accounts.​

​Require strong passwords with rotation policy.​

is
dh

​Restrict IMAP/POP3 access unless business-critical.​

​Apply geolocation and device-based restrictions where possible.​

r
Va

E. Email Archiving & Backup

​Enable email retention & archiving for compliance.​

 Email Security Checklist
-​ Chinmay Kulkarni

​Ensure regular backups of email servers.​

​Test restore procedures periodically.​

s
ie
2. Process & Policy Controls

og
A. Governance & Monitoring

ol
​Define a clear Email Security Policy covering do’s and don’ts.​

c hn
​Monitor for suspicious logins, forwarding rules, or bulk email sending.​

​Enable alerting for anomalous email behavior (logins from unknown

Te
devices, high-volume sending, etc.).​

​Review and revoke access for former employees immediately.​

u
hn

B. Vendor & Third-Party Security

is

​Verify that email service providers comply with ISO 27001, SOC 2, or
dh

GDPR.​

​Review third-party email integrations (CRMs, marketing tools) for security

r
Va

gaps.​

​Ensure vendors also implement SPF/DKIM/DMARC.​

C. Incident Response
 Email Security Checklist
-​ Chinmay Kulkarni

​Define a playbook for phishing incidents (report → isolate → investigate

→ remediate).​

​Set up reporting channels for suspicious emails.​

​Conduct forensic analysis of compromised accounts.​

s
ie
​Notify impacted users/customers in case of breach.​

og
ol
3. User Awareness & Training

A. Security Awareness Training

c hn
Te
​Conduct regular phishing simulation campaigns.​

​Train users to identify:​

u
hn

​Suspicious sender addresses​

is

​Mismatched URLs​
dh

​Unexpected attachments​
r

​Urgent/fear-based language​
Va

​Teach employees how to report phishing attempts.​

B. Best Practices for Users

 Email Security Checklist
-​ Chinmay Kulkarni

​Never reuse corporate email passwords on personal sites.​

​Do not click unknown links; verify by hovering before clicking.​

​Avoid downloading attachments from unsolicited senders.​

s
​Do not auto-forward company emails to personal accounts.​

ie
​Be cautious with out-of-office replies (avoid oversharing details).​

og
ol
C. Executive & VIP Protection

c hn
​Apply extra monitoring & filtering for high-risk executives.​

​Train executive assistants on BEC (Business Email Compromise) scams.​

Te
​Protect domain with look-alike domain monitoring.
u
hn

Detailed Email Security Guide

is
dh

1. Technical Controls
r
Va

A. Email Authentication & Anti-Spoofing

●​ SPF (Sender Policy Framework):​

Defines which mail servers are allowed to send emails on behalf of your
domain. Without SPF, attackers can easily impersonate your domain for
phishing. Configure DNS TXT records to specify legitimate sending
 Email Security Checklist
-​ Chinmay Kulkarni

servers.​

●​ DKIM (DomainKeys Identified Mail):​

Adds a digital signature to outgoing emails, allowing the recipient’s server
to verify the email hasn’t been altered in transit. This prevents attackers
from tampering with your message or inserting malicious content.​

s
ie
●​ DMARC (Domain-based Message Authentication, Reporting &
Conformance):​

og
Builds on SPF and DKIM. It tells receiving servers how to handle emails
that fail authentication (reject, quarantine, or none). Also provides DMARC

ol
reports that help track spoofing attempts and unauthorized senders.​

c hn
🔑 Together, SPF + DKIM + DMARC create a strong first line of defense against
email impersonation (Business Email Compromise, CEO Fraud, and Phishing).
Te

B. Email Encryption
u
hn

●​ TLS (Transport Layer Security):​

Ensures that emails are encrypted during transmission between mail
is

servers. Without TLS, attackers could intercept plain-text messages

(“man-in-the-middle attacks”).​
dh

●​ End-to-End Encryption (PGP or S/MIME):​

r

Protects the message from sender to recipient so that even if intercepted,

Va

it cannot be read without the private key. Useful for sensitive

communications like financial records, contracts, or medical data.​

●​ Attachment Encryption:​
If sensitive data is shared, enforce password-protected attachments or
file-sharing alternatives. For compliance-driven industries (finance,
 Email Security Checklist
-​ Chinmay Kulkarni

healthcare, legal), this is critical.​

C. Spam & Malware Filtering

s
●​ Advanced Spam Filters:​

ie
Blocks bulk emails, phishing campaigns, and malicious advertising.

og
Modern filters use AI/ML to detect evolving threats.​

●​ Sandboxing for Attachments:​

ol
Suspicious files are executed in a safe “sandbox” environment to analyze

hn
behavior before reaching the end user. This prevents ransomware and
trojans.​ c
●​ Blocking High-Risk File Types:​
Te
Executable files (.exe, .js, .vbs, .bat) are often carriers of malware. These
should be blocked at the gateway.​
u

●​ Reputation-Based Filtering:​
hn

Automatically blocks emails from domains/IPs with poor reputation

scores or blacklisted sources.​
is
dh

D. Access Security
r
Va

●​ Multi-Factor Authentication (MFA):​

Even if a password is compromised, MFA (OTP, push notification,
hardware token) adds an additional layer of protection.​

●​ Strong Password Policies:​

Require complex passwords (length + special characters) and enforce
 Email Security Checklist
-​ Chinmay Kulkarni

periodic rotation. Password managers can reduce user fatigue.​

●​ Restrict IMAP/POP3 Access:​

These legacy protocols bypass advanced security controls. Disable them
unless strictly necessary.​

s
●​ Geo & Device Restrictions:​

ie
Only allow login from specific geographies or corporate devices. Prevents
unauthorized access from unknown locations.​

og
ol
hn
E. Email Archiving & Backup

●​ Retention Policies:​
c
Automatically store emails for compliance (ISO 27001, GDPR, HIPAA).
Te
Prevents accidental deletion of critical communication.​

●​ Backups:​
u

In case of ransomware or accidental deletion, backups ensure business

hn

continuity.​
is

●​ Restore Testing:​
Backups are useless unless tested. Periodically simulate recovery to verify
dh

reliability.​
r
Va

2. Process & Policy Controls

A. Governance & Monitoring
 Email Security Checklist
-​ Chinmay Kulkarni

●​ Email Security Policy:​

Defines acceptable use (e.g., no forwarding to personal accounts,
restrictions on attachments). Reduces insider risk.​

●​ Suspicious Activity Monitoring:​

Watch for mass forwarding, login attempts from unknown regions, and

s
sudden spikes in outgoing traffic. These are signs of compromised

ie
accounts.​

og
●​ Alerts & Automated Responses:​
Immediate alerting helps IT act before damage spreads. Example: unusual

ol
mailbox rules or external auto-forwarding should trigger alerts.​

●​ De-provisioning Former Employees:​

hn
Immediately revoke access for employees leaving the organization.
c
Dormant accounts are easy targets.​
Te
u

B. Vendor & Third-Party Security

hn

●​ Email Service Providers:​

is

Ensure providers like Microsoft 365 or Google Workspace are configured

with all available security features. Validate certifications (ISO 27001, SOC
dh

2).​
r

●​ Third-Party Integrations:​
Va

CRMs, marketing platforms, and automation tools often have access to

corporate mailboxes. Regularly review permissions and revoke
unnecessary access.​

●​ Domain Monitoring:​
Attackers often register lookalike domains (e.g., “[Link]”) for
 Email Security Checklist
-​ Chinmay Kulkarni

phishing. Monitor and take down such domains proactively.​

C. Incident Response

s
●​ Phishing Playbook:​

ie
Standard procedure: User reports suspicious email → IT isolates

og
account/device → Forensics investigates → Block sender domain →
Notify impacted users.​

ol
●​ Reporting Channels:​

hn
Provide employees with a “Report Phishing” button in Outlook/Gmail.
Quick reporting is key.​ c
●​ Forensic Analysis:​
Te
Check email headers, logs, and login trails to understand compromise
scope.​
u

●​ Customer/User Notifications:​
hn

Transparency is vital. If data is compromised, notify stakeholders in line

with regulatory obligations.​
is
r dh

3. User Awareness & Training

Va

A. Security Awareness Training

●​ Run regular phishing simulation exercises to test real-world readiness.​

●​ Train employees to detect red flags:​

 Email Security Checklist
-​ Chinmay Kulkarni

○​ Spoofed domains (e.g., “[Link]”)​

○​ Suspicious URLs (hover before clicking)​

○​ Unexpected urgent requests (“CEO needs this wire transfer now”)​

s
○​ Attachments with unusual file types.​

ie
og
B. Best Practices for Users

ol
hn
●​ Never reuse corporate credentials on personal websites.​

●​ Always verify links before clicking.​

c
Te
●​ Avoid downloading attachments unless from verified sources.​

●​ Do not configure auto-forward rules to personal accounts.​

u
hn

●​ Be cautious with auto-replies when on vacation—avoid oversharing internal

details.​
is
dh

C. Executive & VIP Protection

r
Va

●​ Executives are prime targets for Business Email Compromise (BEC).​

●​ Apply stricter filtering, monitoring, and dedicated security controls for VIP
accounts.​
 Email Security Checklist
-​ Chinmay Kulkarni

●​ Executive assistants should undergo specialized training to detect wire

fraud attempts.​

●​ Monitor for lookalike domains that specifically target C-level staff.​

s
ie
Key Takeaway

og
Email security is not just technology-driven; it’s a combination of:

ol
1.​ Authentication & Encryption (technical baseline)​

c
3.​ User Awareness (human firewall)​
hn
2.​ Policies & Monitoring (governance framework)​
Te
u

A single weak link—whether a misconfigured server, outdated policy, or an

untrained employee—can result in data breaches, financial fraud, or compliance
hn

violations.
is
r dh
Va