Email Security

A practical guide for protecting email accounts.

Email is one of the most important accounts to secure because it is often used to reset passwords for other accounts.

If someone controls your email, they may be able to reset many other accounts.


Why email is important

Email is often the recovery door for:

  • password manager
  • banking
  • social media
  • cloud storage
  • shopping accounts
  • server accounts
  • domain accounts

This means email security should be treated as a priority.


Main goal

The goals are:

  • Protect the main email account.
  • Reduce spam and tracking.
  • Use aliases where possible.
  • Check recovery and forwarding settings.

Strong password

The main email account should have a strong unique password.

Do not reuse this password anywhere else.

Good:

  • one strong password only for email

Bad:

  • same password used on email and other websites

Enable 2FA

Enable two-factor authentication on the main email account.

Best options:

  • security key
  • passkey
  • authenticator app

Less ideal but better than nothing:

  • SMS code
  • email code

Save recovery codes safely after enabling 2FA.


Recovery options

Check account recovery settings.

Review:

  • Recovery email
  • Recovery phone number
  • Backup codes
  • Trusted devices
  • Security questions, if used
  • Account recovery contacts, if supported

Remove old recovery options you no longer control.

Example problems:

  • Old phone number still connected to email recovery.
  • Old recovery email no longer used.
  • Unknown device listed as trusted.

Forwarding rules

Email forwarding can silently send your mail somewhere else.

Check forwarding settings.

Look for:

  • unknown forwarding addresses
  • strange filters
  • rules that delete messages
  • rules that archive security alerts
  • rules that mark messages as read

This matters because attackers sometimes create rules to hide their activity.
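One way to check an exported rule list for the warning signs above, as an added example that is not part of the original guide. The rule dictionaries use a constructed, provider-neutral shape (name, conditions, actions); real providers expose rules through their own settings export or API, so the loader is the part you would adapt. The trusted forwarding address and the sample rules are constructed.

```python
"""Audit mailbox rules for unknown forwarding, deletion and hidden alerts."""

# Constructed: forwarding targets the account owner knows and controls.
TRUSTED_FORWARD_TARGETS = {"me@example.com"}

# Constructed hint lists: a rule matching these probably touches security mail.
SECURITY_SENDER_HINTS = ("security", "noreply", "no-reply", "alert", "account")
SECURITY_SUBJECT_HINTS = ("password", "sign-in", "login", "security", "verification", "2fa")


def audit_rule(rule):
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    hides_mail = bool(actions.get("delete") or actions.get("archive") or actions.get("mark_read"))

    forward_to = (actions.get("forward_to") or "").lower()
    if forward_to and forward_to not in TRUSTED_FORWARD_TARGETS:
        findings.append(f"forwards to unknown address {forward_to}")

    if actions.get("delete"):
        findings.append("deletes messages")

    sender = (conditions.get("from_contains") or "").lower()
    subject = (conditions.get("subject_contains") or "").lower()
    security_related = any(h in sender for h in SECURITY_SENDER_HINTS) or any(
        h in subject for h in SECURITY_SUBJECT_HINTS
    )
    if security_related and hides_mail:
        findings.append("hides security-related mail (archive, mark read or delete)")
    elif actions.get("mark_read"):
        findings.append("marks matching mail as read before you see it")

    # A rule with no conditions matches everything; combined with a hiding
    # action that is the classic pattern for covering up account takeover.
    if not conditions and hides_mail:
        findings.append("matches all mail and hides it")

    return findings


def audit_rules(rules):
    """Map rule name -> findings for every rule that raised at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


# Constructed sample export: two harmless rules and two that should alarm you.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": "newsletter"},
     "actions": {"move_to": "Newsletters"}},
    {"name": "Copy to backup", "conditions": {"subject_contains": "invoice"},
     "actions": {"forward_to": "me@example.com"}},
    {"name": "Cleanup", "conditions": {},
     "actions": {"forward_to": "drop.4412@mail.example.net", "delete": True}},
    {"name": "Tidy", "conditions": {"subject_contains": "Security alert"},
     "actions": {"archive": True, "mark_read": True}},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run it against your own export after replacing TRUSTED_FORWARD_TARGETS; anything it prints is a rule you should be able to explain, and a rule you cannot explain is one to delete before changing the password.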


Login history

Check recent login activity.

Look for:

  • unknown locations
  • unknown devices
  • old devices
  • failed login attempts
  • strange browser sessions

If something looks wrong:

  • change password
  • remove unknown sessions
  • review 2FA
  • check forwarding rules
  • check recovery options
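The same review applied to a login-activity export, as an added example that is not from the original guide. The event shape (time, device, country, IP, result) is constructed and provider-neutral; the known-device set, known-country set, thresholds and sample events are assumptions chosen for the demonstration.

```python
"""Flag unknown devices, unexpected locations, failed attempts and stale devices."""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)   # a device unused this long counts as an "old device"
FAILED_THRESHOLD = 3               # failed attempts from one IP worth mentioning


def review_logins(events, known_devices, known_countries, now):
    """Return findings as strings; an empty list means the history looks as expected."""
    findings = []
    failed_by_ip = {}
    last_success = {}

    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["result"] != "success":
            failed_by_ip[ev["ip"]] = failed_by_ip.get(ev["ip"], 0) + 1
            continue
        if ev["device"] not in known_devices:
            findings.append(f"{ev['time']}: login from unknown device {ev['device']!r} ({ev['ip']})")
        if ev["country"] not in known_countries:
            findings.append(f"{ev['time']}: login from unexpected country {ev['country']} ({ev['ip']})")
        last_success[ev["device"]] = max(when, last_success.get(ev["device"], when))

    for ip, count in failed_by_ip.items():
        if count >= FAILED_THRESHOLD:
            findings.append(f"{count} failed attempts from {ip}")

    for device, when in last_success.items():
        if device in known_devices and now - when > STALE_AFTER:
            findings.append(f"device {device!r} not used since {when.date()}; consider removing it")

    return findings


# Constructed sample: the owner's devices, the country they live in, and an export.
KNOWN_DEVICES = {"laptop-home", "phone", "old-tablet"}
KNOWN_COUNTRIES = {"NL"}
NOW = datetime(2024, 5, 3)
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "device": "laptop-home", "country": "NL",
     "ip": "203.0.113.10", "result": "success"},
    {"time": "2024-01-15T19:30:00", "device": "old-tablet", "country": "NL",
     "ip": "203.0.113.10", "result": "success"},
    {"time": "2024-05-02T03:05:00", "device": "Windows PC", "country": "BR",
     "ip": "198.51.100.7", "result": "failed"},
    {"time": "2024-05-02T03:06:00", "device": "Windows PC", "country": "BR",
     "ip": "198.51.100.7", "result": "failed"},
    {"time": "2024-05-02T03:08:00", "device": "Windows PC", "country": "BR",
     "ip": "198.51.100.7", "result": "failed"},
    {"time": "2024-05-02T03:12:00", "device": "Windows PC", "country": "BR",
     "ip": "198.51.100.7", "result": "success"},
]

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS, KNOWN_DEVICES, KNOWN_COUNTRIES, NOW):
        print("-", finding)
```

A successful login that follows a run of failures from the same IP, as in the sample, is the case that should trigger the full list above (change password, remove sessions, review 2FA, forwarding and recovery), not just a session removal.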

Email aliases

An email alias is an address that forwards to your real inbox.

Example idea:

Aliases help because you do not give your main email to every website.


Why aliases help

Aliases can reduce:

  • spam
  • tracking
  • account linking
  • data broker exposure
  • phishing risk

If one alias receives spam, you know which service leaked it or sold it.

You can disable that alias without changing your main email account.
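A small alias registry that shows the pattern in the two sections above (one alias per service, attributing unwanted mail to the service that received the alias, and switching an alias off without touching the main address). This is an added example, not part of the original guide; the address format <category>-<service>@<alias domain> is an assumption, since alias providers and catch-all setups generate addresses their own way, and the domain, inbox and service names are constructed.

```python
"""Alias registry: route alias mail to the real inbox, attribute leaks, disable aliases."""
from dataclasses import dataclass


@dataclass
class Alias:
    address: str
    service: str
    category: str
    active: bool = True


class AliasBook:
    """Maps aliases to the real inbox and remembers which service got which alias."""

    def __init__(self, alias_domain, real_inbox):
        self.alias_domain = alias_domain
        self.real_inbox = real_inbox
        self._by_address = {}

    def create(self, service, category):
        """Create a dedicated alias for one service; one service, one alias."""
        address = f"{category}-{service}@{self.alias_domain}".lower()
        if address in self._by_address:
            raise ValueError(f"alias already exists for {service}")
        alias = Alias(address, service, category)
        self._by_address[address] = alias
        return alias

    def route(self, to_address):
        """Where mail sent to `to_address` should go: the real inbox, or None
        when the alias is unknown or disabled (the message is dropped)."""
        alias = self._by_address.get(to_address.lower())
        if alias is None or not alias.active:
            return None
        return self.real_inbox

    def leaked_by(self, to_address):
        """Which service received this alias; unwanted mail here means that
        service leaked, sold or exposed the address."""
        alias = self._by_address.get(to_address.lower())
        return alias.service if alias else None

    def disable(self, to_address):
        """Switch one alias off; every other alias and the main inbox are untouched."""
        alias = self._by_address[to_address.lower()]
        alias.active = False
        return alias

    def active_aliases(self):
        return sorted(a.address for a in self._by_address.values() if a.active)


if __name__ == "__main__":
    book = AliasBook("alias.example", "me@example.com")          # constructed
    book.create("shopco", "shopping")
    book.create("bank", "banking")
    spam_target = "shopping-shopco@alias.example"
    print("spam came via the alias given to:", book.leaked_by(spam_target))
    book.disable(spam_target)
    print("still delivered:", book.route(spam_target))             # None
    print("active aliases:", book.active_aliases())
```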


Alias categories

Useful categories:

  • shopping
  • newsletters
  • social media
  • forums
  • self-hosting
  • banking
  • government
  • temporary signups

For very important accounts, use a dedicated alias.

Example:

  • one alias for banking
  • one alias for password manager
  • one alias for domain registrar

What not to do

Avoid using the main email everywhere.

Avoid using one alias for everything.

Avoid publishing your main email publicly.

Avoid using work email for personal accounts.

Avoid using personal email for server admin alerts that should go to a separate address.


Phishing

Phishing is when someone tries to trick you into giving away login details.

Common tricks:

  • fake password reset email
  • fake delivery email
  • fake bank alert
  • fake account locked warning
  • fake invoice
  • fake security warning

Slow down before clicking.

Check:

  • sender address
  • link target
  • spelling
  • urgency
  • attachments
  • whether you expected the email

Do not log in through suspicious links.

Go to the website manually instead.
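The "Check:" list above turned into a read-only triage script, as an added example that is not part of the original guide. It inspects the sender domain, the Reply-To header, where each link actually points versus what its visible text claims, urgency wording and attachments; it never follows a link. The two sample messages, the expected domain and the urgency word list are constructed for the demonstration.

```python
"""Read-only triage of a suspicious message: sender, links, urgency, attachments."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list; extend with the phrases you see in your own mail.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "verify now", "locked")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def _in_domain(host, expected):
    return bool(host) and (host == expected or host.endswith("." + expected))


def _host_of_text(text):
    """Hostname if the link's visible text looks like a URL or domain, else None."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname


def triage(raw, expected_domain):
    """Return warning strings for the message; an empty list means no red flags found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not _in_domain(from_domain, expected_domain):
        findings.append(f"sender domain {from_domain!r} is not {expected_domain!r}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to!r} goes to a different domain than From")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")

    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = _host_of_text(text)
        if text_host and text_host.lower() != href_host:
            findings.append(f"link shows {text_host!r} but points to {href_host!r}")
        if not _in_domain(href_host, expected_domain):
            findings.append(f"link leads to {href_host!r}, outside {expected_domain!r}")

    haystack = (msg.get("Subject", "") + " " + "".join(collector.text)).lower()
    urgent = [w for w in URGENCY_WORDS if w in haystack]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("message carries an attachment")

    return findings


# Constructed samples: a lookalike "your account will be locked" message and a plain one.
SAMPLE_PHISH = b"""From: "Example Bank Security" <alerts@bank-example-secure.net>
Reply-To: support@bank-example-secure.net
To: me@example.com
Subject: Your account will be locked within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify now or your account will be suspended.</p>
<p><a href="https://login.bank-example-secure.net/reset">https://www.example-bank.com/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = b"""From: Example Bank <alerts@example-bank.com>
To: me@example.com
Subject: Monthly statement available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">Open account</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH, "example-bank.com"):
        print("-", finding)
```

The script answers the checklist questions mechanically; whatever it reports, the action is the same as the guide says: do not log in through the link, open the service yourself.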


Security alerts

Do not ignore real security alerts.

Check alerts for:

  • new login
  • password changed
  • 2FA changed
  • new recovery email
  • new forwarding rule
  • new device
  • account export requested

If unsure, open the service directly in the browser instead of clicking the email link.


Email cleanup checklist

  • Strong unique password
  • 2FA enabled
  • Recovery email checked
  • Recovery phone checked
  • Backup codes saved
  • Forwarding rules checked
  • Filters checked
  • Login history checked
  • Unknown devices removed
  • Aliases created for important services
  • Main email no longer used everywhere

Simple rule

Treat email like the master key to your digital life.

  • Secure email first.
  • Then secure the accounts connected to it.