How to Secure Your Email Account
Your email account is the single most important account you own. It is the recovery address for your bank, social media, cloud storage, and dozens of other services. If an attacker compromises your email, they can reset passwords across your entire digital life. This guide walks you through every layer of protection you should have in place — whether you have already been hacked or want to prevent it from ever happening.
🎯 Goal: By the end of this guide, your email account will have strong authentication, verified recovery options, clean third-party access, and active monitoring — making it extremely difficult for attackers to compromise.
1. Use a Strong, Unique Password
Your email password should be completely unique — never reused from any other account. If any other service you use suffers a data breach and you share the same password, your email is immediately at risk.
What makes a strong password?
- Length over complexity — Aim for 16+ characters. A long passphrase like `correct-horse-battery-staple` is stronger than `P@ssw0rd!`
- No personal information — Avoid names, birthdays, pet names, or anything findable on social media
- No dictionary words on their own — Combine random words or use a generated password
- Never reused — Every account should have a different password
💡 Use a password manager. Tools like Proton Pass generate and store unique passwords for every account. You only need to remember one master password. See our password manager guide.
2. Enable Two-Factor Authentication (2FA)
Two-factor authentication is the single most effective security measure you can enable. Even if an attacker steals your password, they cannot access your account without the second factor.
Types of 2FA (from strongest to weakest)
- Hardware security keys (FIDO2/WebAuthn) — Physical USB or NFC keys like YubiKey. Phishing-proof and the gold standard for security. Required for Google Advanced Protection.
- Authenticator apps (TOTP) — Apps like Google Authenticator, Authy, or Ente Auth generate time-based codes. Much stronger than SMS and work offline.
- SMS codes — Better than nothing, but vulnerable to SIM swapping attacks where an attacker convinces your carrier to transfer your number to their SIM card.
- Email codes — The weakest form. If your email is compromised, the attacker receives the codes too.
⚠️ Avoid SMS if possible. SIM swapping attacks are increasingly common. If your provider only offers SMS-based 2FA, it is still better than no 2FA at all — but consider switching to a provider that supports authenticator apps or hardware keys.
3. Verify and Secure Recovery Options
Recovery options are your lifeline if you get locked out — but they are also a target for attackers. An attacker who controls your recovery phone or email can reset your password and take over your account.
Checklist
- Recovery phone number — Make sure it is your current number. Remove old numbers you no longer control.
- Backup email address — Use a separate, secure email (not the one you are securing). Ideally one with its own 2FA enabled.
- Security questions — If your provider still uses these, treat the answers like passwords. Do not use real answers that could be found on social media. Store fake answers in your password manager.
- Recovery codes — Most providers generate one-time backup codes when you enable 2FA. Download and store these securely (password manager or printed in a safe).
- Recovery contacts/keys — Apple and some providers offer recovery contacts or recovery keys. Set these up if available.
🔐 Store recovery codes offline. Print them or save them in your password manager. Never store them in the email account they are meant to recover — if you lose access, you lose the codes too.
4. Audit Third-Party App Access
Over time, you grant various apps and services access to your email via OAuth or app-specific passwords. Each connected app is a potential entry point. Regularly review and revoke access for apps you no longer use or do not recognise.
What to look for
- Apps you do not recognise or remember authorising
- Apps you no longer use
- Apps with broad permissions ("read, send, and delete email" when they only need to read)
- App-specific passwords you created for old devices
5. Check Forwarding Rules and Filters
Email forwarding is one of the most dangerous persistence mechanisms attackers use. Even after you change your password and enable 2FA, a forwarding rule silently sends copies of every email to the attacker. This is the number one thing people forget to check after a breach.
What to check
- Forwarding addresses — Remove any you did not set up
- Filter rules — Look for rules that auto-delete, auto-archive, or redirect emails (especially ones targeting security alerts, bank notifications, or password resets)
- POP/IMAP access — Disable if you do not use a desktop email client. Attackers can use IMAP to sync your entire mailbox.
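To make the forwarding-rule and filter review concrete, the following is an added example (not code from the original guide) that audits an exported filter list and ranks the rules an attacker would plant. It assumes the shape of Gmail's filter export (mailFilters.xml: an Atom feed whose entries carry apps:property name/value pairs); the sample rules and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Gmail's filter export (mailFilters.xml): an Atom feed whose
# <entry> elements carry <apps:property name="..." value="..."/> pairs. Addresses are made up.
SAMPLE_FILTERS_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <apps:property name="hasTheWord" value="password reset OR security alert"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
  <entry>
    <apps:property name="from" value="*@bank.example"/>
    <apps:property name="forwardTo" value="unknown-mailbox@example.net"/>
  </entry>
</feed>
"""

NS = {"atom": "http://www.w3.org/2005/Atom", "apps": "http://schemas.google.com/apps/2006"}
MATCH_KEYS = ("from", "to", "subject", "hasTheWord")
# Words suggesting a rule targets the mail you most need to see after a compromise.
SENSITIVE_WORDS = ("security", "password", "verification", "sign-in", "login", "bank", "alert")


def parse_filters(xml_text: str) -> list:
    """Return one {property-name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.findall("apps:property", NS)}
            for e in root.findall("atom:entry", NS)]


def audit_filters(xml_text: str) -> list:
    """Flag rules that forward mail elsewhere or hide it (trash/archive); rules aimed at
    security-related mail rank HIGH. Returns (rule_number, severity, description) tuples."""
    findings = []
    for number, rule in enumerate(parse_filters(xml_text), start=1):
        criteria = " ".join(rule[k] for k in MATCH_KEYS if k in rule)
        hides = rule.get("shouldTrash") == "true" or rule.get("shouldArchive") == "true"
        sensitive = any(word in criteria.lower() for word in SENSITIVE_WORDS)
        if "forwardTo" in rule:
            findings.append((number, "HIGH", f"forwards mail matching '{criteria}' to {rule['forwardTo']}"))
        elif hides and sensitive:
            findings.append((number, "HIGH", f"hides security-related mail matching '{criteria}'"))
        elif hides:
            findings.append((number, "INFO", f"hides mail matching '{criteria}'"))
    return findings
```

Every HIGH finding is a rule to delete unless you created it yourself; INFO findings are normal housekeeping filters that are still worth a glance.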
6. Review Active Sessions and Devices
Check which devices and sessions are currently signed into your email account. Remove any you do not recognise. After changing your password, sign out of all sessions to force re-authentication everywhere.
💡 Tip: After a security incident, always use the "Sign out of all other sessions" option. This immediately revokes any attacker access, even if they have saved cookies or tokens.
7. Protect Yourself from Phishing
Phishing is the most common way email accounts get compromised. No amount of technical security can protect you if you hand your credentials to an attacker on a fake login page.
Golden rules
- Never click login links in emails — Always navigate directly to the website by typing the URL or using a bookmark
- Check the sender address carefully — Phishing emails often use look-alike domains (e.g., `support@g00gle.com` instead of `support@google.com`)
- Be suspicious of urgency — "Your account will be suspended in 24 hours" is a classic phishing tactic
- Hover before clicking — On desktop, hover over links to see the actual URL before clicking
- Use hardware security keys — FIDO2 keys are phishing-proof because they verify the domain cryptographically. Even if you enter your password on a fake site, the key will not authenticate.
8. Set Up Ongoing Monitoring
Security is not a one-time task. Set up ongoing monitoring so you are alerted immediately if something suspicious happens.
- Enable login alerts — Most providers can notify you of sign-ins from new devices or locations
- Monitor haveibeenpwned.com — Sign up for breach notifications to be alerted if your email appears in a data breach
- Review account activity monthly — Schedule a quick monthly check of login history, connected apps, and forwarding rules
- Keep your devices updated — Enable automatic updates on your phone, computer, and browser. Unpatched software is a common attack vector.
- Use a secure DNS provider — Services like Quad9 (9.9.9.9) or Cloudflare (1.1.1.1 for Families) can block known malicious domains before you even reach them
Quick Security Checklist
Use this checklist to verify you have covered all the essentials:
- ☐ Strong, unique password (16+ characters, not reused)
- ☐ Two-factor authentication enabled (preferably authenticator app or hardware key)
- ☐ Recovery phone and backup email verified and current
- ☐ Recovery/backup codes saved securely offline
- ☐ Unfamiliar third-party apps revoked
- ☐ No unexpected forwarding rules or filters
- ☐ POP/IMAP disabled if not in use
- ☐ All unrecognised devices/sessions removed
- ☐ Login alerts enabled
- ☐ Signed up for breach notifications at haveibeenpwned.com