Most businesses, even the smallest, have more than one email address, even if you are a one-man band. And if you don’t, perhaps you should think about it.
Types of address include:
- your.name@ – every person in your organisation probably has one of these, for that personal touch. This type of email address is assigned to one individual.
- sales@, info@, jobs@, contact@, support@ – these are typically outward facing touchpoints, so that your customers (or potential customers) can get in touch with you even if they don’t know an individual’s name in your business. These generic email addresses are usually shared accounts used by multiple people (if your organisation is big enough) but even if your organisation is just you, it can help to separate enquiries in this way.
- it@, marketing@, legal@, finance@, catering@, hr@ – while these can be used externally, they are often also inward-facing role-related email addresses, so that anyone in the company can ask for help or share information without needing to recreate a long list of individual names each time. These are typically used by multiple people working in that role.
Depending on your organisation’s size, you might also have specific security-role-related email addresses such as dpo@, compliance@ or security@.
Generic email addresses and security
These generic or role-based email addresses, like personalised ones, can affect the security of your business. They should be protected in the same way, using strong passwords, encryption, MFA, backups and so on. However:
- Accountability: if more than one person uses an email address, you may find it more difficult to establish who carried out which action. Remember to regularly review who has access to these shared email accounts, and update permissions where needed.
- Generic and role-based email addresses can also be targeted by spam and phishing, so employees should be just as careful when reading and responding to messages sent to these addresses as when responding to those addressed to themselves.
- Role-based email addresses may be more likely to be flagged as spam. This can lead to deliverability issues—or even having your emails blocked entirely. This can be damaging to your company’s reputation and can lead to lost business.
Supporting email security through deliverability
There are three anti-spoofing controls available to help validate and authenticate your email so that it reaches the intended destination, and to reduce the risk that your domain could be used to spread malicious emails.
- SPF: publishes which mail servers have permission to send email from your domain. Servers receiving your email will consult your SPF record to verify that messages appearing to come from you were sent by servers you have authorised.
- DKIM: digitally signs your email to prove it comes from you, and that your email address has not been forged.
- DMARC: builds on SPF and DKIM and provides instructions on how to handle messages that are not validated or authenticated but appear to come from you. It also provides feedback reports so you can resolve any issues.
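To make the three controls concrete, here is an added example (not from the original post or the NCSC service) that evaluates a constructed SPF record against a connecting server's IP address, parses a constructed DMARC record, and applies its p= policy to a message whose SPF and DKIM results are already known. The records, the example.com domain and the IP addresses are all constructed for illustration; only ip4/ip6 mechanisms are handled, since include/a/mx need live DNS lookups.

```python
import ipaddress

# Constructed sample DNS TXT records for a placeholder domain (not real data).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF record for the IP that delivered the message.
    Supports ip4/ip6 mechanisms and the 'all' term only (include/a/mx need DNS).
    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                       # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                # catch-all: usually '-all' or '~all'
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # ip_network accepts a bare address (treated as /32 or /128) or a CIDR range;
            # membership is False when address and network versions differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' term


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags; None if it is not a valid
    v=DMARC1 record with a p= policy (the action for unauthenticated mail)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_disposition(tags, spf_result, dkim_pass):
    """DMARC passes if aligned SPF or aligned DKIM passed (identifier alignment is
    assumed checked already); otherwise the domain owner's p= policy applies."""
    if spf_result == "pass" or dkim_pass:
        return "pass"
    return tags["p"].lower()             # 'none', 'quarantine' or 'reject'
```

A receiver following this logic would quarantine a message from 203.0.113.9 claiming to be from the domain above, because it matches no ip4 mechanism, hits -all, and carries no valid DKIM signature.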
The NCSC offers a service to check your email security and help you identify any issues with these settings.
It is very straightforward to check your own settings, though you might need some technical support from your email service provider to fix them. Just enter your domain name, and the NCSC service will check the settings and advise on how to resolve any issues found.
Need some support in handling security issues in your business? Contact the Click and Protect team on 0113 733 6230, or use our contact form.