If a hacker gains access to your inbox, it provides a gateway for your other accounts to be compromised through password resets, and for your information to leak (think about how much bank, travel, and medical data has been sent to you over the years). Therefore, email security is paramount for your digital safety.
Level | Details |
---|---|
Essential | The companies providing "free" email service do not have a good record of respecting users' privacy: Gmail was caught tracking all of your purchases; any US provider will hand over your data on request from US government agencies; advertisers were granted access to Yahoo and AOL users' messages to "identify and segment potential customers by picking up on contextual buying signals, and past purchases." Start by registering a new mailbox and move your most important communications to it one by one. Secure and reputable providers such as Tuta Mail, Proton Mail, Posteo, Mailbox.org and Disroot encrypt the mailbox at rest, are privacy-focused, and offer more security-oriented features. |
Essential | Use a long, unique password, enable 2FA (preferably with a hardware security key), disable account recovery via phone number (SMS recovery is exposed to SIM swapping) and follow every item in the Authentication Checklist. Your email account is the easiest entry point to all your other online accounts for an attacker. |
Essential | Use a different email address for security-critical communications (banking, account recovery) than for trivial mail such as newsletters or shopping. This compartmentalization limits the damage a data breach can do and makes it easier to recover a compromised account. Email aliases and email forwarding are your friends on this path. |
Essential | Do not share your primary email address publicly: a known address is the usual starting point for a phishing attack. Use separate aliases for different activities and set up mail filters that label incoming messages according to the alias they were sent to. |
Essential | Email can be intercepted and recorded in transit (encryption between mail servers is opportunistic and a message passes through several of them), and you cannot verify the security of your recipient's mail provider. Treat email as unsafe for confidential information unless it is end-to-end encrypted, for example with PGP. If your recipient does not support encryption, do not attach a sensitive file; send a private link to it instead, so that access through the link can be revoked later. |
Optional | If you grant a third-party app access to your inbox, it effectively gets full, unhindered access to every message and its contents, which is a significant security and privacy risk. Review and revoke connected apps regularly. For Google accounts, enabling the Advanced Protection Program restricts which applications can be connected and what they are allowed to do with your account. |
Optional | Registering a custom domain lets you switch email providers without losing your address, so you are not tied to a single provider and are not disrupted if a service is discontinued. You can get a domain from registrars like Namecheap for under $15/year and use it for both a website and email. Keep it renewed: if the domain lapses, whoever registers it next receives your mail, including password resets. |
Optional | Email aliasing allows messages to be sent to |
Optional | If you don't own a custom domain, an alternative to aliasing is subaddressing, where anything after the |
Optional | To avoid losing access to your mail during an outage or account lock, Thunderbird can sync messages from multiple accounts via IMAP and keep a local copy on your computer. For Gmail, the got-your-back tool does the same. |
Advanced | Do not put your phone number or social network handles in your email signature. Several marketing extensions automatically crawl messages and build a detailed contact database from email signatures for sale; sooner or later one of your recipients will have such an extension installed. |
Advanced | Out-of-office auto-replies are useful for warning others of a delay, but people often reveal too much (where they are, for how long, who covers for them), which feeds social engineering and targeted attacks at exactly the moment they cannot keep an eye on the account. Keep the message to a return date at most, and, where your provider allows it, restrict who receives the auto-reply, for example only people already in your contacts. |
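The following Sieve filter (RFC 5228) is an added example and is not part of the original checklist or any provider's own configuration. It puts two of the items above into practice: routing mail by the subaddress it was sent to and quarantining mail to aliases you never handed out, and an auto-reply that only known correspondents receive. It assumes a provider whose Sieve implementation supports the `fileinto`, `envelope`, `subaddress`, `imap4flags` and `vacation` extensions (Dovecot Pigeonhole does), a `+` subaddress separator, and the folder names and correspondent addresses shown, all of which are illustrative.

```sieve
# Added example, not from the original page: Sieve rules for a mailbox
# that uses subaddressing (me+shopping@example.org). Folder names,
# the "+" separator and the addresses below are assumptions.
require ["fileinto", "envelope", "subaddress", "imap4flags", "vacation"];

# 1. Label mail by the alias it was sent to. ":detail" is the part of the
#    envelope recipient after the separator, so each alias you handed out
#    lands in its own folder instead of the inbox.
if envelope :detail :is "to" "shopping" {
    fileinto "Aliases/Shopping";
}
elsif envelope :detail :is "to" "newsletters" {
    fileinto "Aliases/Newsletters";
}
# 2. Any other non-empty subaddress is one you never gave out, or one that
#    leaked and is now being guessed or sold: flag it and keep it out of
#    the inbox, so the folder itself tells you which alias is burned.
elsif envelope :detail :matches "to" "?*" {
    addflag "\\Flagged";
    fileinto "Aliases/Unknown";
}

# 3. Out-of-office reply that only known correspondents receive, with
#    nothing in it beyond a return date. Everyone else gets no reply and
#    learns nothing about your absence.
if address :is "from" ["alice@example.net", "bob@example.com"] {
    vacation :days 7
             :subject "Out of office"
             "I am away and will reply after my return on 15 June.";
}
```

Two notes on the design. On a custom domain with a catch-all address there is no separator, so replace `envelope :detail` with `envelope :localpart` and match the whole alias (`"shopping"`) instead. The `From` header is trivially forged, so gating the auto-reply on it only stops the opportunistic harvesting described above; it is not a security boundary, and the real protection remains saying as little as possible in the reply.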