Email Security (CIS)

CIS Control 9 — Email and Web Browser Protections — covers technical and organisational measures to protect the organisation against threats delivered via email and web browsers. Email is the primary attack vector for phishing and malware — up to 90% of all cyberattacks begin with a malicious email.

    Why is email security critical?

    Email remains the most commonly used attack vector in cybercrime. Phishing attacks, business email compromise (BEC), malware attachments and malicious links are primarily delivered via email. For most organisations, an effective email security configuration is one of the most impactful security investments available.

    CIS Control 9 addresses both inbound threats (malicious emails targeting users) and the organisation's own email authentication posture (preventing attackers from spoofing the organisation's domain).

    SPF, DKIM and DMARC

    Three DNS-based email authentication mechanisms form the foundation for preventing email spoofing:

    • SPF (Sender Policy Framework): Specifies which servers are authorised to send email on behalf of the domain.
    • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to outgoing messages so that receivers can verify the message was sent by the signing domain and was not altered in transit.
    • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving mail servers what to do with messages that fail SPF and DKIM checks.

    CIS recommends implementing all three mechanisms as part of IG1.

    Anti-phishing controls

    Technical anti-phishing controls include email filtering and anti-spam, URL scanning and blocking, sandboxing of attachments, and warnings on emails from external senders. These should be supplemented by regular security awareness training to help users recognise phishing attempts.

    DMARC reporting

    DMARC provides the ability to receive reports on who is sending email using your domain. This helps detect spoofing attempts and ensures that all legitimate senders are correctly configured.
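    To make the three records and the reporting loop described above concrete, the following added example (not part of the original page and not code from CIS or .legal) parses a constructed SPF record, a constructed DMARC record and a constructed DMARC aggregate (RUA) report for the hypothetical domain example.com. It checks whether the DMARC policy is actually enforcing (p=quarantine or p=reject at pct=100) and lists the sending IPs in the report that passed neither aligned DKIM nor aligned SPF, which is exactly the list an administrator uses to tell spoofing attempts apart from legitimate senders that still need SPF or DKIM set up. All IP addresses, domains and report values are constructed sample data; only the standard library is used.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample DNS TXT records for the hypothetical domain example.com
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=r"

# Constructed DMARC aggregate (RUA) report, trimmed to the elements used below.
# policy_evaluated/dkim and /spf hold the DMARC-aligned results per source IP.
SAMPLE_RUA_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

ALL_TERM = re.compile(r"^[+\-~?]?all$")


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its mechanisms and the final 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = [t for t in terms[1:] if not ALL_TERM.match(t)]
    all_terms = [t for t in terms[1:] if ALL_TERM.match(t)]
    # '-all' = hard fail, '~all' = soft fail, '?all' = neutral, '+all'/'all' = allow anyone
    return {"mechanisms": mechanisms, "all": all_terms[-1] if all_terms else None}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_is_enforcing(tags: dict) -> bool:
    """True only when the policy affects delivery: quarantine/reject applied to 100% of mail.
    p=none still yields reports but tells receivers to deliver failing mail normally."""
    return tags.get("p") in ("quarantine", "reject") and tags.get("pct", "100") == "100"


def summarise_rua_report(xml_text: str) -> list:
    """Return one summary dict per <record> element of an aggregate report."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pol.findtext("dkim"),
            "spf": pol.findtext("spf"),
            "disposition": pol.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows


def unauthenticated_sources(rows: list) -> list:
    """Sources that passed neither aligned DKIM nor aligned SPF: these are either spoofing
    attempts or legitimate senders that are not yet covered by SPF/DKIM."""
    return [(r["source_ip"], r["count"]) for r in rows
            if r["dkim"] != "pass" and r["spf"] != "pass"]


if __name__ == "__main__":
    print("SPF:", parse_spf(SPF_RECORD))
    policy = parse_dmarc(DMARC_RECORD)
    print("DMARC enforcing:", dmarc_is_enforcing(policy))
    for ip, count in unauthenticated_sources(summarise_rua_report(SAMPLE_RUA_REPORT)):
        print(f"review source {ip}: {count} messages failed both aligned DKIM and SPF")
```

    In a real deployment the two TXT records would be fetched from DNS (example.com and _dmarc.example.com) and the XML would come from the compressed reports receivers send to the rua address; the logic above is unchanged. Note that a record with p=none passes parse_dmarc but fails dmarc_is_enforcing: it is the usual monitoring-only starting point, and the report loop is what lets an organisation move to quarantine and then reject without cutting off legitimate senders.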

    Secure browser management

    Web browsers are a primary attack path for drive-by downloads and malvertising. CIS Control 9 includes safeguards on secure browser configuration, restriction of browser plugins and extensions, URL filtering, and blocking of malicious websites.

    Frequently Asked Questions about Email Security (CIS)

    What is CIS Control 9?

    CIS Control 9 — Email and Web Browser Protections — covers technical and organisational measures to protect against threats delivered via email and web browsers, including phishing, malware and email spoofing.

    What are SPF, DKIM and DMARC?

    SPF, DKIM and DMARC are DNS-based email authentication mechanisms. SPF specifies authorised sending servers, DKIM adds a cryptographic signature to verify the sender, and DMARC tells receivers what to do with emails that fail these checks.

    Why is email the primary attack vector?

    Email is the most common delivery mechanism for phishing, malware and social engineering attacks because it reaches users directly, is difficult to fully filter, and exploits human trust. Up to 90% of cyberattacks start with a malicious email.

    What anti-phishing controls does CIS recommend?

    CIS recommends email filtering, URL scanning and blocking, sandboxing of attachments, external sender warnings and regular security awareness training to help users recognise phishing attempts.

    Does CIS Control 9 cover web browser security?

    Yes. CIS Control 9 includes safeguards for secure browser configuration, restriction of plugins and extensions, URL filtering and blocking of malicious websites to protect against drive-by downloads and malvertising.
