Email Security Checklist

Intro

Nearly 50 years after the first email was sent, email is still very much a big part of our day-to-day life. If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised through password resets. Email security is therefore paramount for your digital safety.

Checklist

Critical or Essential Activities

  • Have More Than One Email Address
    Priority: Essential
    Use different addresses for newsletters versus security-critical personal communications. This kind of compartmentalization could reduce the amount of damage caused by a data breach, and also make it easier to recover a compromised account.

  • Keep your Account Secure
    Priority: Essential
    Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker.

  • Disable Automatic Loading of Remote Content
    Priority: Essential
    Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see this article.
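
What a mail client would fetch automatically can be listed from the raw message before it is rendered. The following is an added example, not part of the original checklist: it parses a constructed sample message with Python's standard library and reports the http(s) resources that would load on open. All addresses and hosts are placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the page); all hosts are placeholders.
SAMPLE = """\
From: news@example.net
To: me@example.org
Subject: Weekly update
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://cdn.example.net/mail.css"></head>
<body><p>Hello</p>
<img src="https://track.example.net/open.gif?uid=12345" width="1" height="1">
<img src="cid:logo@example.net">
<a href="https://example.net/offer">Offer</a>
</body></html>
"""

# Tags whose src is fetched on render, without any click from the reader.
AUTO_SRC = {"img", "iframe", "script", "video", "audio", "source"}

class RemoteContentFinder(HTMLParser):
    """Collect URLs a mail client would fetch automatically when rendering."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in AUTO_SRC else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        # cid: and data: content travels inside the message, so only http(s) counts.
        if url and urlsplit(url).scheme in ("http", "https"):
            self.remote.append((tag, url))

def remote_resources(raw_message):
    """Return (tag, url) pairs for remote content in every text/html part."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteContentFinder()
            finder.feed(part.get_content())
            found.extend(finder.remote)
    return found

print(remote_resources(SAMPLE))
```

The ordinary `<a>` link is not reported because it is only requested when clicked, and the `cid:` image is an attachment inside the message itself.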

Optional Activities

  • Use Plaintext
    Priority: Optional
    Prefer plaintext over HTML email to avoid tracking pixels and tracked links. HTML messages often include identifiers in links and inline images, which can collect usage and personal data. For more info, see UsePlaintext.email.
  • Don't Connect Third-Party Apps to your Email Account
    Priority: Optional
    If you give a third-party app or plug-in full access to your inbox, it effectively has full, unhindered access to all your emails and their contents, which poses significant security and privacy risks.
  • Don't Share Sensitive Data via Email
    Priority: Optional
    Avoid sharing confidential information via unencrypted email. Emails are very easily intercepted and you can't be sure of how secure your recipient's environment is. Use a tool like Bitwarden Send or OneTimeSecret.com to safely send encrypted information.

Advanced Activities

  • Use Aliasing / Anonymous Forwarding
    Priority: Advanced
    Email aliasing allows messages to be sent to <anything>@my-domain.com and still land in your primary inbox, effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address.
  • Subaddressing
    Priority: Advanced
    An alternative to aliasing is subaddressing, where anything after the + symbol is omitted during mail delivery. This enables you to keep track of who shared or leaked your email address, but unlike aliasing, it will not protect against your real address being revealed.