Email Client Settings

https://go.tugraz.at/en_esec

Besides the browser, the email client is another gateway for malware, especially if it automatically renders HTML and/or automatically loads images and other remote content.
The most important points about email security:

  1. Always (automatically) keep the client (and the operating system) up to date.
  2. Configure the client as securely as possible, e.g. disable the automatic display of HTML and the automatic execution of dynamic content.
    All good email clients offer an option to enable HTML rendering either automatically or with one click for senders you trust (make sure the email is signed!). A well-written email is just as readable in "plain text mode" (text-only), so unless there is a real reason, you should not send HTML emails yourself either.
    In the case of HTML emails with external images, you cannot be sure that you are seeing what the sender wanted to send you, even if you see a valid electronic signature: the signature covers only the message body, not an image that is fetched from a remote server at display time, and that image could have been changed in the meantime.
    If you allow the reloading (or automatic loading) of external images in HTML emails, the sender can also track when and from where you opened the message, because every image is requested from the sender's server the moment the message is displayed.
  3. Furthermore, configure the client to display the sender's email address and not only the name, if possible not only in the opened email but also in the message list; the display name is free text chosen by the sender and is trivially faked.
  4. Also sign your own emails with an email certificate, and always send emails from a TU Graz address via the SMTP server of TU Graz (see also SPF); mail from a TU Graz address that is sent through another provider's server may be rejected or flagged by the recipient's SPF check.
    Outlook on the web (formerly called OWA) can only handle email certificates properly with Windows and Internet Explorer; as an alternative, start RDS and use your usual email client there.
  5. Do not open attachments from unknown senders, or when you are not actually expecting an attachment!
    If it is part of your job at TU Graz to receive such data (applications etc.), then do not open the attachment from the email program. Save the attachment to disk, calculate its hash value (Windows: PowerShell command Get-FileHash ATTACHMENT, Linux: sha256sum ATTACHMENT, macOS: shasum -a 256 ATTACHMENT) and look this hash up on VirusTotal. If the hash is already known there and reported as harmless, the attachment is probably harmless too. Note that an unknown hash is not evidence of anything: a freshly built malicious file has simply never been seen there. Looking up the hash discloses nothing about the file's content, which matters when the attachment (an application, for example) contains personal data that must not be uploaded to a third party.
  6. For suspicious emails that are not marked as SPAM or as SUSPICIOUS, check whether we already warn about them.
    Consider deleting marked (or "tagged") emails automatically.
  7. Only store passwords in encrypted form!
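The following script is an added example for points 3 and 5 above; it is not part of the TU Graz page. It reads the real sender address out of a saved raw message (.eml) and flags a display name that carries a different address than the one actually used, and it hashes a saved attachment without opening it and builds the VirusTotal hash-lookup URL. Assumptions not stated on the page: sha256sum, shasum or openssl is installed; the lookup URL has the form https://www.virustotal.com/gui/file/<sha256>; only the first, unfolded From: header line is parsed; the function names and the sample messages are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the TU Graz page): email triage helpers.
# Assumptions: sha256sum, shasum or openssl present; VirusTotal lookup URL
# form https://www.virustotal.com/gui/file/<sha256>; From: header unfolded.

# from_parts RAW_MAIL -> two lines: display name, then the actual address
from_parts() {
    awk '
        $0 == "" || $0 == "\r" { exit }              # blank line ends headers
        tolower($0) ~ /^from:/ {
            v = $0
            sub(/^[Ff][Rr][Oo][Mm]:[ \t]*/, "", v)
            sub(/\r$/, "", v)                        # tolerate CRLF endings
            if (match(v, /<[^>]*>/)) {               # "Name <addr>" form
                addr = substr(v, RSTART + 1, RLENGTH - 2)
                name = substr(v, 1, RSTART - 1)
            } else {                                 # bare "addr" form
                addr = v; name = ""
            }
            gsub(/^[ \t"]+|[ \t"]+$/, "", name)      # strip quotes and blanks
            print name; print addr
            exit
        }' "$1"
}

# from_name RAW_MAIL -> the display name (may be empty)
from_name() { from_parts "$1" | sed -n 1p; }

# from_addr RAW_MAIL -> the address the client should show instead of the name
from_addr() { from_parts "$1" | sed -n 2p; }

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sender_check RAW_MAIL EXPECTED_DOMAIN -> 0 if the real address is in
# EXPECTED_DOMAIN and the display name does not impersonate another address;
# otherwise prints the reason and returns 1.
sender_check() {
    name=$(from_name "$1"); addr=$(from_addr "$1"); rc=0
    dom=$(lower "${addr##*@}")
    if [ "$dom" != "$(lower "$2")" ]; then
        printf 'warn: sender %s is not in %s\n' "$addr" "$2"; rc=1
    fi
    case "$name" in
        *@*)    # display name looks like an address: classic display-name spoof
            if [ "$(lower "${name##*@}")" != "$dom" ]; then
                printf 'warn: display name "%s" hides real sender %s\n' "$name" "$addr"
                rc=1
            fi ;;
    esac
    return $rc
}

# sha256_of FILE -> lowercase hex SHA-256 of a saved attachment; the file is
# only read, never executed or rendered.
sha256_of() {
    f="$1"
    case "$f" in -*) f="./$f" ;; esac           # names starting with '-'
    [ -f "$f" ] || { printf 'not a regular file: %s\n' "$f" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'           # Linux
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'       # macOS
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$f" | awk '{print $1}'
    else
        printf 'no SHA-256 tool found\n' >&2; return 1
    fi
}

# vt_lookup_url SHA256 -> VirusTotal page for that hash (hash lookup only,
# nothing about the file's content leaves the machine)
vt_lookup_url() { printf 'https://www.virustotal.com/gui/file/%s\n' "$1"; }

# attachment_report FILE -> hash, lookup URL and the caveat from point 5
attachment_report() {
    h=$(sha256_of "$1") || return 1
    printf '%s  %s\n' "$h" "$1"
    printf 'lookup: %s\n' "$(vt_lookup_url "$h")"
    printf 'note: an unknown hash is not evidence that the file is clean\n'
}

# Usage: sh mail_triage.sh MESSAGE.eml EXPECTED_DOMAIN [ATTACHMENT...]
if [ "$#" -ge 2 ]; then
    msg=$1; dom=$2; shift 2
    sender_check "$msg" "$dom" && printf 'sender ok: %s\n' "$(from_addr "$msg")"
    for a in "$@"; do attachment_report "$a"; done
fi
```

Save the message as a raw .eml file and the attachment to disk from the client first; the script only reads both. Open the printed URL in a browser instead of uploading the file itself when the attachment contains personal data.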

Even though secure settings protect you better: technology alone will never protect you 100 percent; how you handle email is up to you!

And if, after checking these points, you find that the email client on your mobile phone cannot implement all of them, then your phone is probably not suitable for business email either!

Examples