Email security is a key factor in application development and system configuration. Vulnerabilities in this environment can lead to data leaks and facilitate phishing attacks. For both individuals and businesses, the consequences range from short-term financial damage to long-term reputational and security risks. Our security analysts at usd HeroLab regularly identify such vulnerabilities in applications and systems during their pentests. This shows that, despite the known risks, email security is often neglected in practice.
To raise awareness of this issue, the German Federal Office for Information Security (BSI), eco – Association of the Internet Industry, and Bitkom e. V. have launched the initiative "E-Mail-Sicherheitsjahr 2025" (Email Security Year 2025).
To mark the occasion, our security analysts are sharing their experiences from everyday pentesting with you in this blog post. They provide practical tips on what you should pay particular attention to when developing and operating systems that process emails.
Email security: Tips for application development
Applications often send transactional emails in various situations. These include, for example, notifications about new messages or reminders about pending actions in the application. They also include security-critical emails, such as those sent during onboarding or when resetting a password. The danger is that attackers who can influence the content of such emails obtain a vector for highly effective phishing: the message arrives from the application's legitimate, trusted sender address, so recipients have little reason to doubt it. The following tips can help you reduce this risk.
Proper encoding of user content
Many messages contain content that users can influence and that attackers can therefore control. A prime example is the text of an in-application message that is quoted in the notification email about it. Subtler values, such as the name in a personal salutation, count as well.
Such values must be encoded so that HTML metacharacters (<, >, &, and quotes) within the email are rendered literally rather than interpreted as markup. The same rules apply as for web applications: encode for the context in which the value is inserted (element content, attribute value, or URL), and use the same libraries, e.g., the OWASP Java Encoder. It is important to apply this encoding to every affected value in the email body, not only to the obvious free-text fields.
If a value is not properly encoded, attackers can alter the content and appearance of the email. This can go so far that the entire visible content of the email is replaced, allowing recipients to be deceived very credibly, because the sender address remains the application's own and therefore trustworthy.
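The following is an added example (not code from the original post or from usd HeroLab) showing the vulnerable and the hardened way of rendering a "new message" notification, plus a check that counts the HTML elements in the rendered output: with proper encoding the count never changes, whatever the user supplies. The templates, the field names, the addresses and the attacker-controlled display name are all constructed for illustration; Python's `html.escape` stands in for the OWASP Java Encoder mentioned above.

```python
import html
from html.parser import HTMLParser
from string import Template
from email.message import EmailMessage

# Constructed templates for the HTML and plain-text parts of a notification.
# $-placeholders are filled via string.Template; the HTML one is the risky one.
HTML_TEMPLATE = Template(
    "<p>Hello $name,</p>"
    "<p>You have a new message from $sender:</p>"
    "<blockquote>$snippet</blockquote>"
)
TEXT_TEMPLATE = Template(
    "Hello $name,\n\nYou have a new message from $sender:\n\n$snippet\n"
)

# Constructed attacker-controlled input: a display name that closes the
# salutation paragraph and injects its own heading and link.
EVIL_NAME = (
    "</p><h1>Your account has been locked</h1>"
    '<a href="https://evil.example/unlock">Unlock it now</a><p>'
)
BENIGN_VALUES = {"name": "Alice", "sender": "Bob", "snippet": "See you at 10 & bring the docs"}
EVIL_VALUES = {"name": EVIL_NAME, "sender": "Bob", "snippet": "hi"}


def render_html_vulnerable(values):
    """The 'before': user values are pasted into the HTML template as-is."""
    return HTML_TEMPLATE.substitute(values)


def render_html_safe(values):
    """The 'after': every value is HTML-entity encoded before substitution.

    The placeholders here sit in element content, so entity encoding is the
    right transform. A value placed inside an attribute would additionally
    need quoting, and a URL needs URL-specific validation instead.
    """
    escaped = {key: html.escape(str(value), quote=True) for key, value in values.items()}
    return HTML_TEMPLATE.substitute(escaped)


class _TagCollector(HTMLParser):
    """Records every start tag so we can count the elements in a rendering."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(markup):
    """Return the start tags found in markup, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# The elements the template itself contains. A rendering with more elements
# than this has had markup injected through a placeholder.
TEMPLATE_TAGS = element_tags(HTML_TEMPLATE.template)


def build_notification(values, recipient="alice@app.example"):
    """Build the multipart/alternative message with the safe HTML rendering.

    The text/plain part is NOT entity-encoded: mail clients show it literally,
    so '&amp;' would appear verbatim there. Encoding belongs to the HTML part.
    """
    msg = EmailMessage()
    msg["From"] = "noreply@app.example"
    msg["To"] = recipient
    msg["Subject"] = "You have a new message"
    msg.set_content(TEXT_TEMPLATE.substitute(values))
    msg.add_alternative(render_html_safe(values), subtype="html")
    return msg


if __name__ == "__main__":
    print("vulnerable:", element_tags(render_html_vulnerable(EVIL_VALUES)))
    print("safe:      ", element_tags(render_html_safe(EVIL_VALUES)))
```

The `element_tags` comparison is the kind of check worth keeping as a unit test in the project that owns the template: for any input, the safe renderer must produce exactly the template's own elements and nothing more.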
Immutable Link Target Domains
Automatically generated emails can also contain sensitive data. For example, a password-reset link contains a random, single-use token. If attackers obtain this token, they can set a new password themselves and take over the account.
For such emails, it is therefore important that the target of the link cannot be manipulated. This covers both the target domain and the target path. It can be achieved in two ways: either through a setting in a configuration file that the application cannot modify at runtime and that is read when the link is created, or through a strict allow-list of permitted values for the target domain.
Avoid building the link from dynamic values, such as the host name of the request that triggered the email, without first validating them strictly. That host name in particular, taken from the HTTP Host header, can be set at will by attackers when they trigger a password reset for the victim's address. If no check is performed, the link in the resulting email points to a domain controlled by the attackers. If the victim then clicks on it, the secret token in the link is sent to the attackers' server. Since the rest of the message and the sender remain unchanged in such an attack, these phishing emails are difficult to detect.
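As an added example (not code from the original post or from usd HeroLab), here are the three variants side by side: the vulnerable link built from the request's Host header, the link built from a fixed configured base URL, and the allow-list variant for deployments that legitimately serve several domains. The base URL, the allowed hosts, the reset path and the attacker hosts are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed configuration. In a real deployment these values come from a
# configuration file read at start-up that the application cannot modify at
# runtime, so nothing in a request can change them.
PUBLIC_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = frozenset({"app.example.com", "app.example.de"})
RESET_PATH = "/account/reset"


class UntrustedHostError(ValueError):
    """Raised when a request-supplied host is not on the allow-list."""


def new_reset_token():
    """Generate the single-use secret that goes into the link."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(request_host, token):
    """The 'before': the host is copied straight from the HTTP Host header.

    An attacker who requests a reset for the victim's address while sending
    'Host: evil.example' makes the victim's email link to evil.example, and
    the victim's click hands the token to the attacker.
    """
    return f"https://{request_host}{RESET_PATH}?token={token}"


def reset_link_from_config(token):
    """Option 1: fixed base URL from configuration; the request is not consulted."""
    return f"{PUBLIC_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def reset_link_allowlisted(request_host, token):
    """Option 2: several legitimate domains, so the host from the request is
    used only if it matches an allow-list entry exactly.

    The comparison is on the normalised, whole host name, so neither
    'app.example.com.evil.example' (suffix trick) nor
    'app.example.com@evil.example' (userinfo trick) can pass.
    """
    host = request_host.strip().lower()
    if host not in ALLOWED_HOSTS:
        raise UntrustedHostError(f"refusing to build a reset link for host {request_host!r}")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def is_rejected(request_host):
    """True if the allow-list check refuses this host (used for the checks below)."""
    try:
        reset_link_allowlisted(request_host, "dummy-token")
    except UntrustedHostError:
        return True
    return False


def link_host(link):
    """The host a link actually points at, as a mail client would resolve it."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    token = new_reset_token()
    print("vulnerable ->", link_host(reset_link_vulnerable("evil.example", token)))
    print("config     ->", link_host(reset_link_from_config(token)))
    print("allow-list ->", is_rejected("app.example.com.evil.example"))
```

If a reverse proxy sits in front of the application, the same rule applies to `X-Forwarded-Host` and similar headers: anything that arrives with the request is attacker-influenced until it has been checked against the allow-list.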
Email security: Tips for system operation
At the system level, there is direct access to the mail server used for sending or receiving email. Here, authentication and transport encryption are particularly relevant in order to prevent unauthorized use of the server and to keep email transmission confidential.
Authenticated Email Sending Only
Mail servers are also used in purely internal, isolated networks, for example to send monitoring alerts. Because such alerts deliver important, time-critical information straight from the internal network, recipients tend to act on them quickly and possibly carelessly. In addition, email sent via internal mail servers is often not subject to additional protective measures such as spam filters, which makes internal mail servers an attractive target for attackers.
Although all systems in an internal network are often treated as completely trustworthy, we recommend accepting mail for sending only after prior authentication, i.e., not relaying purely on the basis of the client's internal IP address. As with systems accessible from the Internet, unique and strong passwords should be used. We also recommend giving each sending system its own account rather than sharing one set of credentials across several systems, so that a compromised credential can be traced to one system and revoked without affecting the others.
This prevents attackers who have gained a foothold in the internal network from using the mail server to send emails containing malware or phishing content themselves and thereby extending their access to further systems.
Always encrypted communication
Encryption during email transport plays a key role in ensuring the confidentiality and integrity of messages. In addition, if you follow the tip above, credentials are transmitted alongside the actual message, and they too must be protected by encryption in transit.
There are several hops to consider: the sender's mail client submits the email to its outgoing mail server via SMTP. That server then delivers the email to the recipient's mail server, possibly via intermediate relays. Finally, the recipient retrieves the email from their mail server via IMAP or POP3.
Encrypted transport must be ensured along this entire chain, using STARTTLS or implicit TLS on each hop, and unencrypted connections must be consistently rejected. In particular, a server should offer authentication only after TLS has been negotiated, and a client should refuse to authenticate if TLS is not available, so that credentials can never be sent in the clear. If all administrators along the delivery chain implement this, the email and the credentials used will be transmitted exclusively in encrypted form.
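The following added example (not code from the original post or from usd HeroLab) shows the client side of the two preceding tips for the first hop: a submission routine that authenticates, but only after STARTTLS has been negotiated on a certificate-verified connection, and that disconnects without ever sending AUTH if the server does not offer STARTTLS. To make the refusal observable offline, the block also contains a constructed, plaintext-only SMTP test double that records the commands it receives; the host names, addresses and password are invented.

```python
import smtplib
import socket
import ssl
import threading
from email.message import EmailMessage


class PlaintextSubmissionError(RuntimeError):
    """The server did not offer STARTTLS, so authenticating would leak credentials."""


def send_authenticated(host, port, username, password, msg, timeout=5):
    """Submit msg over SMTP, but only once the session is TLS-protected.

    Order: EHLO, STARTTLS, EHLO again, AUTH, then the message. If STARTTLS is
    not advertised we disconnect without ever sending AUTH. For a server that
    speaks implicit TLS (port 465) use smtplib.SMTP_SSL with the same context.
    """
    # The default context verifies the server certificate chain and host name.
    tls_context = ssl.create_default_context()
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise PlaintextSubmissionError(
                f"{host}:{port} does not offer STARTTLS; refusing to send credentials in the clear"
            )
        smtp.starttls(context=tls_context)
        smtp.ehlo()  # capabilities may differ once the channel is encrypted
        smtp.login(username, password)  # AUTH happens only inside TLS
        smtp.send_message(msg)
    return True


class PlaintextOnlySmtpServer(threading.Thread):
    """Constructed test double: an SMTP server that offers AUTH but not STARTTLS.

    It logs every command verb it receives, which lets us prove that the
    client above never sent AUTH (and so never sent the password) to it.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.commands = []

    def run(self):
        conn, _ = self.listener.accept()
        reader = conn.makefile("rb")
        conn.sendall(b"220 mail.internal.example ESMTP (plaintext only)\r\n")
        while True:
            line = reader.readline()
            if not line:
                break
            parts = line.decode("ascii", "replace").split()
            verb = parts[0].upper() if parts else ""
            self.commands.append(verb)
            if verb == "EHLO":
                # Advertises AUTH without STARTTLS: the insecure configuration.
                conn.sendall(b"250-mail.internal.example\r\n250 AUTH PLAIN LOGIN\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 command not implemented\r\n")
        reader.close()
        conn.close()
        self.listener.close()


def demonstrate_refusal():
    """Run the client against the plaintext-only server.

    Returns (client_refused, server_saw_auth); a correct client yields (True, False).
    """
    server = PlaintextOnlySmtpServer()
    server.start()
    msg = EmailMessage()
    msg["From"] = "monitoring@internal.example"
    msg["To"] = "ops@internal.example"
    msg["Subject"] = "disk usage warning (constructed sample)"
    msg.set_content("/var is at 93 %")
    refused = False
    try:
        send_authenticated("127.0.0.1", server.port, "monitoring", "constructed-password", msg)
    except PlaintextSubmissionError:
        refused = True
    server.join(timeout=5)
    return refused, "AUTH" in server.commands


if __name__ == "__main__":
    print(demonstrate_refusal())
```

The server-side counterpart is the mirror image of this check: the mail server should announce AUTH only on connections that have already negotiated TLS, and should relay mail only for authenticated clients, so that a client that skips either step is rejected rather than accommodated.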
Email security: Follow the BSI's advice on domain configuration
The BSI provides further relevant tips in its technical guidelines BSI TR-03108 for secure email transport and BSI TR-03182 for email authentication. While BSI TR-03108 deals with recommended encryption methods for communication with and between mail servers, BSI TR-03182 provides more information on authenticating the sender of an email.
The BSI TR-03182 guideline recommends using additional protection mechanisms such as SPF, DKIM, and DMARC to ensure that only authorized mail servers can send emails for a protected sender domain: SPF publishes which servers may send for the domain, DKIM lets the sending domain sign its messages, and DMARC ties both to the visible From domain and tells receiving servers how to treat messages that fail. If a domain implements these mechanisms, spam and phishing using this domain as the sender become significantly more difficult.
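To make the "only authorized servers" effect concrete, here is an added example (not code from the original post, from usd HeroLab or from the BSI guideline) of the core DMARC decision: a message passes only if SPF or DKIM passed for a domain that is aligned with the From header domain, otherwise the record's `p=` policy applies. It is deliberately simplified: the DMARC record is passed in as a string instead of being looked up at `_dmarc.<domain>`, the organisational domain is approximated by the last two labels instead of consulting the Public Suffix List, and tags such as `sp=` and `pct=` are ignored. The record and the domains are constructed.

```python
# Simplified DMARC evaluation. Real implementations fetch the record from DNS
# (TXT at _dmarc.<domain>), use the Public Suffix List for organisational
# domains, and honour further tags (sp=, pct=, rua=). This covers only the
# pass/fail core, which is enough to show why a spoofed From domain fails.


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a dict of tag -> value."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organisational_domain(domain):
    """Simplification: the last two labels. Real code consults the Public
    Suffix List (this helper would get 'example.co.uk' wrong)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """Alignment check: 's' (strict) needs an exact match, 'r' (relaxed) needs
    the same organisational domain. No authenticated domain means no alignment."""
    if not authenticated_domain:
        return False
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    return organisational_domain(a) == organisational_domain(b)


def dmarc_evaluate(record, header_from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (result, disposition) for one message.

    spf_pass_domain:  the MAIL FROM domain if SPF returned 'pass', else None.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, else None.
    DMARC passes when at least one of the two is both passing and aligned;
    on failure the disposition is the record's p= value.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(header_from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(header_from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"].lower()


# Constructed record for the protected domain example.com (not real DNS data):
# strict DKIM alignment, relaxed SPF alignment, reject on failure.
PROTECTED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


if __name__ == "__main__":
    # Legitimate: bounces go to a subdomain, relaxed SPF alignment accepts it.
    print(dmarc_evaluate(PROTECTED_RECORD, "example.com", spf_pass_domain="bounces.example.com"))
    # Phishing: the attacker's own domain passes SPF and DKIM, but is not aligned.
    print(dmarc_evaluate(PROTECTED_RECORD, "example.com",
                         spf_pass_domain="evil.example", dkim_pass_domain="evil.example"))
```

The second case is the important one: attackers can always make SPF and DKIM pass for a domain they control, which is why DMARC insists that the authenticated domain be aligned with the From domain the recipient actually sees.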
Final Thoughts
The proclamation of 2025 as Email Security Year highlights the importance of effectively securing email traffic in companies. We also know from our daily penetration tests that vulnerabilities in sending and receiving emails provide opportunities for phishing, data theft, and other cyber threats. We therefore recommend that you consistently implement basic security measures and the above tips in your company.
Keep your systems and mail servers up to date and perform regular security checks. This is the only way to ensure that email communication remains a secure and reliable tool in everyday business. Contact us, we will be happy to help you.