Professional email is the nervous system of a business. Orders, contracts, financial information, and client communications all pass through it. It is also attackers' preferred entry point. A regular security audit of your email system helps identify vulnerabilities before they are exploited.
Why Audit Your Email?
Email security is not a state—it's a process. Threats evolve, configurations degrade, best practices are forgotten. A periodic audit allows you to:
- Identify technical vulnerabilities
- Verify compliance with best practices
- Detect obsolete or unauthorized access
- Assess risks in case of an incident
- Prioritize corrective actions
An audit should not be seen as a bureaucratic burden but as an investment in business protection. The cost of an audit is negligible compared to the consequences of a breach: data loss, reputational damage, GDPR sanctions, business interruption.
What to Audit
A comprehensive email audit covers several dimensions: technical, organizational, and human. Here are the main points to check.
1. Authentication Protocol Configuration
SPF, DKIM, and DMARC are the three protocols that protect against email spoofing. Their correct configuration is essential.
SPF (Sender Policy Framework)
Verify that your SPF record lists all servers authorized to send emails for your domain. A misconfigured SPF can block your own emails or allow spoofing through.
To test your SPF, send an email to a verification service like mail-tester.com or use online DNS diagnostic tools.
DKIM (DomainKeys Identified Mail)
Verify that DKIM is enabled and the signature is valid. An email without a DKIM signature or with an invalid signature will be treated with suspicion by recipients.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC tells recipient servers what to do with emails that fail SPF/DKIM checks. Verify that you have a DMARC policy and that it is progressively strengthened (none → quarantine → reject).
Recommended Configuration
Infomaniak automatically configures SPF and DKIM for your domains. For DMARC, you need to manually add a DNS record. Start with a "none" policy with reporting to analyze results, then gradually move to "quarantine" and "reject".
2. Access and Account Management
User accounts are potential entry points. Audit them regularly.
Active Accounts
List all email accounts in your organization. Identify unused accounts (former employees, test accounts, obsolete aliases). Disable or delete those that are no longer needed.
Access Rights
Verify who has access to what. Are shared mailboxes accessible only to relevant people? Do administrators have justified access? Apply the principle of least privilege.
Passwords
Evaluate the password policy in place: minimum length, complexity, rotation, prohibition of common passwords. Are users using unique passwords for their email?
Two-Factor Authentication
Is 2FA enabled on all accounts? Is it mandatory for high-risk accounts (administrators, executives)? If not, why?
3. Transport Security
Emails must be encrypted in transit to prevent interception.
TLS on Client Connections
Verify that IMAP, POP3, and SMTP connections use TLS. Non-secure ports (143, 110, 25) should be disabled in favor of secure ports (993, 995, 465/587).
TLS Between Servers
Opportunistic TLS between SMTP servers should be enabled. Emails to domains that don't support TLS will continue in plain text, but it's a default protection for others.
4. Anti-Spam and Antivirus Filtering
Filters are your first line of defense against phishing and malware.
Anti-Spam Effectiveness
Analyze the spam folder of a few representative users. Do you find false positives (legitimate emails marked as spam) or false negatives (spam that made it to the inbox)? Adjust settings if necessary.
Attachment Antivirus
Are attachments scanned by antivirus? Are dangerous files (.exe, .js, .vbs) blocked or quarantined?
5. Backups and Recovery
In case of an incident (ransomware, accidental deletion, corruption), can you restore your emails?
Backup Policy
What is the backup frequency? What is the retention period (how long are backups kept)? Are backups tested regularly?
Recovery Procedure
Have you documented the recovery procedure? How long does it take to restore a mailbox? Have you tested it recently?
Infomaniak Backups
Infomaniak performs automatic backups of your mailboxes. If needed, support can restore deleted emails within a certain timeframe. For maximum protection, consider an additional backup with Swiss Backup.
6. Logging and Monitoring
Logs enable detection and analysis of security incidents.
Connection Logs
Are mailbox connections recorded (date, time, IP, success/failure)? How long are logs retained?
Anomaly Monitoring
Do you monitor repeated failed login attempts? Connections from unusual locations? Mass email sending?
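The three monitoring questions above, turned into detection logic as an added example (not code from the original article or any Infomaniak tooling): it reads constructed IMAP login lines in a simplified `user= ip= result=` format, which is an assumption rather than any real server's exact output, and flags one source IP failing against many accounts, a successful login right after a burst of failures, and successful logins from outside an assumed office/VPN range.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (simplified format, assumed for this example; 203.0.113.0/24 is documentation space).
SAMPLE_LOG = """\
2024-05-02T08:12:01Z imap-login user=alice ip=198.51.100.10 result=ok
2024-05-02T08:12:30Z imap-login user=bob ip=203.0.113.5 result=fail
2024-05-02T08:12:31Z imap-login user=carol ip=203.0.113.5 result=fail
2024-05-02T08:12:32Z imap-login user=dave ip=203.0.113.5 result=fail
2024-05-02T08:12:33Z imap-login user=erin ip=203.0.113.5 result=fail
2024-05-02T08:12:34Z imap-login user=frank ip=203.0.113.5 result=fail
2024-05-02T09:00:00Z imap-login user=alice ip=203.0.113.77 result=fail
2024-05-02T09:00:02Z imap-login user=alice ip=203.0.113.77 result=fail
2024-05-02T09:00:04Z imap-login user=alice ip=203.0.113.77 result=fail
2024-05-02T09:00:06Z imap-login user=alice ip=203.0.113.77 result=ok
"""
# Assumed office/VPN range; logins from elsewhere are reviewed rather than blocked.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def parse_line(line: str) -> dict:
    ts, _service, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def detect(log_text: str, window=timedelta(minutes=10), spray_users=5, burst_fails=3) -> list:
    """Return (alert_type, subject, detail) tuples for the anomalies the audit asks about."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    fails_by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails_by_ip[ev["ip"]].append(ev)
            continue
        # A success preceded by repeated failures for the same account from the same IP.
        recent = [f for f in fails_by_ip[ev["ip"]]
                  if f["user"] == ev["user"] and ev["ts"] - f["ts"] <= window]
        if len(recent) >= burst_fails:
            alerts.append(("success-after-failures", ev["user"], ev["ip"]))
        # A success from a network the organization does not recognise.
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in KNOWN_NETWORKS):
            alerts.append(("login-from-unknown-network", ev["user"], ev["ip"]))
    # One IP trying many distinct accounts inside the window: password spraying.
    for ip, fails in fails_by_ip.items():
        users = {f["user"] for f in fails}
        if len(users) >= spray_users and fails[-1]["ts"] - fails[0]["ts"] <= window:
            alerts.append(("password-spray", ip, f"{len(users)} accounts"))
    return alerts
```

Each alert names the account or IP to review; the thresholds are starting points to tune against your own false-positive rate.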
7. Compliance and Legal Aspects
Email handles sensitive personal and professional data. Regulatory compliance must be verified.
Data Hosting
Where are your emails physically hosted? If you process data of European citizens, hosting with an American provider subject to the Cloud Act raises questions.
Email Retention
Some industries require specific retention periods (10 years for accounting documents, for example). Is your retention policy compliant?
Employee Email Access
Do you have an IT charter that specifies conditions for accessing professional emails? Do you comply with the legal framework (employee notification, proportionality)?
Audit Checklist
To structure your audit, here are the key points to check as a checklist.
| Area | Checkpoint | Status |
|---|---|---|
| Authentication | SPF configured and valid | ☐ |
| | DKIM active and signature valid | ☐ |
| | DMARC configured (policy ≥ quarantine) | ☐ |
| Access | No orphaned accounts | ☐ |
| | 2FA enabled on all accounts | ☐ |
| | Strong password policy | ☐ |
| | Least privilege principle applied | ☐ |
| Transport | TLS mandatory on client connections | ☐ |
| | Opportunistic TLS between servers | ☐ |
| Filtering | Effective anti-spam | ☐ |
| | Antivirus on attachments | ☐ |
| Continuity | Regular and tested backups | ☐ |
| | Documented recovery procedure | ☐ |
| Compliance | GDPR-compliant hosting | ☐ |
| | Up-to-date IT charter | ☐ |
Priority Corrective Actions
If your audit reveals gaps, prioritize corrective actions based on their impact and ease of implementation.
Immediate Priority (Critical Risk)
- Disable former employees' accounts
- Enable 2FA on administrator accounts
- Configure DMARC if missing
- Enforce TLS on client connections
High Priority (Elevated Risk)
- Roll out 2FA to all users
- Strengthen DMARC policy (move from none to quarantine)
- Implement monitoring for suspicious connections
- Test recovery procedures
Medium Priority (Continuous Improvement)
- Train users on phishing detection
- Fine-tune anti-spam rules
- Document procedures
- Consider migration to a sovereign host
Audit Frequency
A comprehensive annual audit is the minimum. Certain points can be checked more frequently:
- Monthly: Active account review, incident analysis
- Quarterly: Anti-spam testing, log verification
- Annual: Full audit, recovery test, security policy review
Trigger events (security incident, organizational change, new regulation) justify an extraordinary audit.
Calling in an Expert
An external perspective brings an objectivity that the internal team can hardly achieve. An audit by a specialized provider allows you to:
- Benefit from specialized expertise
- Identify blind spots invisible internally
- Obtain a formal report (for insurers, clients, regulators)
- Benchmark against industry best practices
InfoSwitch Support
InfoSwitch offers email security audits tailored to SMBs. We verify technical configuration, analyze organizational risks, and propose a prioritized action plan. Contact us for a personalized quote.
Conclusion
Email security is not decreed—it is built and maintained. A regular audit is the best way to ensure your protections remain effective against constantly evolving threats.
Don't assume everything is fine just because there hasn't been an incident. Attackers know how to be discreet. Verify, document, improve: it's the only way to stay one step ahead.
Ready to migrate to Infomaniak?
Contact us for a free 15-minute audit. We will analyze your situation and provide you with a personalized quote.