| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 12.7 - Manage Email Security
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series secures the most exposed service on the Internet within Domain 4. It covers how email moves, the goals you pursue when protecting it, its baked-in weaknesses, the standards that harden it, and how to tame attachments, spam, and lingering fax.
What this episode covers
- How email moves — SMTP relays messages while POP3 and IMAP retrieve them, and an unauthenticated server becomes an open relay.
- Security goals and policy — confidentiality, integrity, sender authentication, and nonrepudiation, all anchored in a management policy.
- Baked-in weaknesses — plaintext transit, malware delivery, trivial spoofing, and weaponization through mail-bombing and mail storms.
- Message protection — Secure MIME with certificates and Pretty Good Privacy for peer-to-peer encryption.
- Sender authentication — DKIM, the Sender Policy Framework, and DMARC work together to fight spoofing.
- Transport encryption — STARTTLS upgrades a session while implicit SMTPS assumes encryption from the start.
- Attachment, spam, and fax defenses — gateway blocking, block lists, challenge-response, reputation filtering, and locked-down fax.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does email actually move?
Servers use the Simple Mail Transfer Protocol, or SMTP, to accept messages and relay them onward, and clients pull mail using either the Post Office Protocol version three or the Internet Message Access Protocol. When you run an SMTP server, configure strong authentication for both inbound and outbound mail, or you risk becoming an open relay that accepts and forwards mail without authenticating the sender, which spammers exploit to piggyback on your infrastructure.
What weaknesses come baked into email?
The core protocols carry no native encryption, so messages usually travel as plaintext, wide open to interception and eavesdropping. Email is a favorite carrier for viruses, worms, and malicious code, and source verification is almost nonexistent, so spoofing a sender address is trivial. Email can even be weaponized through mail-bombing, a denial of service that floods an inbox or server, alongside mail storms and unwanted bulk spam.
Which protocols and standards add protection?
There are two groups. For message-level protection, Secure MIME uses digital certificates and public key encryption to sign and encrypt, while Pretty Good Privacy is a peer-to-peer key system that encrypts mail. For sender and domain authentication that fights spoofing, DKIM confirms a message was authorized by the claimed domain, the Sender Policy Framework checks the sending host, and DMARC sets policy for failures. Transport encryption adds STARTTLS and implicit SMTPS.
How do you tame attachments and spam?
Layer practical defenses on top of the protocols. At the gateway, block attachments entirely or block only the risky executable and scripting types, paired with user training and antimalware, remembering that antimalware catches known threats far better than new ones. For unwanted mail, block list services drop known abuse sources on arrival, challenge-response filters ask an unknown sender to prove they are human, and reputation filtering grades sending services.
Why does fax still deserve a mention?
Faxes linger and are as exposed as any phone call, open to interception and eavesdropping. You can harden them with fax encrypters that scramble the outgoing signal and link encryption that carries the fax over a protected path like a VPN, while activity logs and exception reports help spot anomalies. Received faxes matter too, so disable automatic printing, avoid machines that store copies in memory, and route faxes to email instead of paper.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 12.7 - Manage Email Security.