Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-4-3 – The cybersecurity requirements for protecting the email service must include at least the following:
Understanding the Requirement
This control requires that an organization's email service be protected by a defined set of technical and administrative measures that meet the listed objectives (2-4-3-1 through 2-4-3-5). In practice that means enforcing authenticated and encrypted delivery, preventing malware and phishing, controlling account and administrative access, monitoring and logging email activity, and ensuring continuity and recoverability. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to help SMBs implement the minimum practical protections for email, which is a high-risk attack vector.
Technical Implementation
- Authenticate and encrypt email delivery: Publish and enforce SPF, DKIM, and DMARC for your domain to prevent spoofing; require TLS (opportunistic or mandatory where supported) for SMTP connections. For on-premises mail servers, enable and maintain valid certificates; for cloud providers, verify tenant-level TLS enforcement.
- Deploy layered filtering and malware protection: Use an inbound email filtering service (gateway or cloud provider features) that performs real-time URL and attachment scanning, sandboxing for suspicious attachments, and reputation checks. Configure quarantine and automated actions for high-risk messages and tune false-positive thresholds periodically.
- Restrict and protect accounts: Enforce multi-factor authentication for all email accounts and require strong password policies. Apply least privilege to admin accounts (separate admin identities, use role-based access), and disable legacy/weak authentication protocols (e.g., basic auth) where feasible.
- Logging, monitoring and alerting: Centralize email logs (transport, authentication, quarantine actions) and retain them for a defined period. Configure alerts for DMARC reports showing spikes in spoofing, sudden outbound volume, or mass quarantine events. Consider a lightweight SIEM or cloud logging plus scheduled review processes for SMB scale.
- Continuity, backup and retention: Implement mailbox archiving and retention policies to meet business needs and support recovery after compromise or deletion. For on-prem systems, ensure regular backups of mail stores; for cloud, enable provider-native retention/archiving and export capabilities for eDiscovery and recovery.
- Patch, harden and test: Keep mail server software, connectors, and any plugins/antivirus engines up to date. Regularly test filtering and incident response with phishing simulations and table-top exercises to validate detection and user reporting paths.
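The "Logging, monitoring and alerting" item above calls for alerting on DMARC reports that show spikes in spoofing. The script below is an added example, not part of the ECC document or any vendor product: it parses one DMARC aggregate (RUA) report in the standard XML format, totals messages per sending IP that failed both SPF and DKIM, and returns the sources that exceed a threshold. The report, domain and IP addresses are constructed sample data.

```python
# Added example: parse a DMARC aggregate (RUA) report and flag sending
# sources whose mail fails both SPF and DKIM evaluation. Not ECC code.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report in the DMARC aggregate XML format (RFC 7489);
# the domain and IP addresses are documentation placeholders, not indicators.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Return (domain, policy, {source_ip: (aligned, failed)}) for one report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: [0, 0])
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # A message passes DMARC if either the DKIM or the SPF result is aligned.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        per_ip[ip][0 if aligned else 1] += count
    return domain, policy, {ip: tuple(v) for ip, v in per_ip.items()}


def spoofing_alerts(per_ip, threshold=50):
    """Source IPs whose fully failing message count exceeds the alert threshold."""
    return sorted(ip for ip, (_, failed) in per_ip.items() if failed > threshold)


if __name__ == "__main__":
    domain, policy, per_ip = summarize_report(SAMPLE_REPORT)
    print(f"{domain} (p={policy}):", per_ip)
    print("alert on:", spoofing_alerts(per_ip))
```

In practice the threshold would be set from a baseline of several weeks of reports, and a flagged IP that belongs to a legitimate sender (a newsletter or CRM tool) points to a missing SPF include or DKIM key rather than spoofing.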
Example in a Small or Medium Business
Acme Design, a 45-person firm, moved its email to a cloud provider and implemented a short list of controls to meet 2-4-3. They published SPF and DKIM records and deployed a strict DMARC policy with reporting to see attempted spoofing; after two weeks they moved from p=none to p=quarantine for untrusted senders, so that messages failing DMARC checks are quarantined rather than only reported. The IT manager enforced MFA for all accounts and disabled legacy IMAP/POP access for users who did not require it. An inbound email gateway was configured to block known-malicious attachments, sandbox suspicious documents, and quarantine messages with phishing indicators; the gateway forwards daily summary reports to the IT team. Mailbox archiving was enabled for 3 years and weekly exports were scheduled to a secure backup location to support recovery. Finally, the company ran quarterly phishing exercises, maintained a log retention policy, and created a simple incident playbook instructing staff how to report suspected compromises and how IT will respond. This reduced detection and recovery time when a staff member clicked a malicious link.
Summary
Combining clear policy (account controls, retention and incident procedures) with technical measures (SPF/DKIM/DMARC, TLS, filtering, MFA, logging, backups and patching) meets the minimum requirements of Control 2-4-3. For SMBs this layered approach reduces spoofing and malware risk, limits attacker access, improves detection and speeds recovery — all while keeping implementation and ongoing operations manageable and cost-effective.