Email Security Checklist: 15 Steps to Protect Your Inbox
A prioritized, actionable checklist to secure your email accounts. From basic hygiene to advanced protection, with verification steps to confirm you're protected.
Your email account is the master key to your digital life. With it, attackers can reset passwords to your bank accounts, access your social media, and impersonate you to colleagues. According to the FBI, email compromise attacks caused over $2.9 billion in losses in 2023 alone.
This checklist provides 15 prioritized steps with verification methods to confirm each protection is working. Start with Critical items and work your way down.
Critical Priority: Do These First
These five steps provide the most significant security improvement and should be completed immediately.
1. Enable Two-Factor Authentication (2FA)
Priority: Critical | Time: 5-10 minutes. Two-factor authentication ensures that even if someone steals your password, they cannot access your account without a second verification method. Setup in Gmail at myaccount.google.com > Security > 2-Step Verification. For the second factor, use an authenticator app: Authy, Google Authenticator, or Microsoft Authenticator. Verification: Log out completely, then log back in. You should be prompted for a code from your authenticator app.
2. Create a Strong, Unique Password
Priority: Critical | Time: 5 minutes. Your email password must be unique and never reused. Requirements: Minimum 16 characters, mix of uppercase, lowercase, numbers, and symbols, never used for any other account. Generate and store it with a password manager (1Password, Bitwarden (free), or Dashlane), or use a passphrase. Verification: Check your password at haveibeenpwned.com/Passwords.
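The breach check in the verification step can also be scripted against the Pwned Passwords range API (api.pwnedpasswords.com/range/<prefix>), which receives only the first five hex characters of the password's SHA-1 hash. The following is an added example, not code from this page or from Have I Been Pwned; it goes beyond the web form the step names, and the function names and the sample response are constructed for illustration.

```python
import hashlib

# Constructed sample of a range response body for prefix 5BAA6: one
# "SUFFIX:COUNT" pair per line. The counts are made up, and the last
# line has count 0 to model a padding entry that is not a real hit.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"
)


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the service; the 35-character
    suffix and the password itself never leave the machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_body):
    """Look up the local suffix in a range response body.

    Returns the number of times the password appears in known breaches,
    or 0 when the suffix is absent or only present as a padding entry.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix sent to the service:", prefix)
    print("times seen in breaches:", breach_count("password", SAMPLE_RANGE_BODY))
```

Any count above zero means the password appears in a known breach and should be replaced.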
3. Review Connected Apps and Third-Party Access
Priority: Critical | Time: 10 minutes. Each connected app is a potential vulnerability. Audit in Gmail at myaccount.google.com/permissions. Red Flags: Apps you don't recognize, apps requesting excessive permissions, services you signed up for once but never used. Verification: After revoking access, check your email activity log.
4. Check for Account Compromises
Priority: Critical | Time: 5 minutes. Determine if your account has already been compromised. Tools: Have I Been Pwned (haveibeenpwned.com), Firefox Monitor (monitor.firefox.com), Google Password Checkup (passwords.google.com). If Breached: Change password immediately, enable 2FA, review account activity, check sent folder for unauthorized messages.
5. Verify Recovery Options Are Secure
Priority: Critical | Time: 5 minutes. Outdated recovery options let attackers hijack your account through password resets. Review in Gmail at myaccount.google.com/security > Ways we can verify it's you. Best Practices: Remove outdated phone numbers and emails. For security questions, use fictional answers stored in your password manager.
High Priority: Complete Within a Week
These five steps significantly enhance your security and should be completed soon.
6. Enable Login Alerts
Priority: High | Time: 5 minutes. Configure notifications for new logins to detect unauthorized access early. Enable in Gmail at myaccount.google.com/notifications (security alerts are enabled by default). Verification: Log in from an incognito window or different device. You should receive a notification within minutes.
7. Use Temporary Email for Signups
Priority: High | Time: Ongoing practice. Every website with your primary email becomes a potential source of spam, phishing, or data breaches. When to Use: Free trials, resource downloads, forum registrations, one-time verifications, newsletters. Services: TempMailSpot (tempmailspot.com) for quick disposable addresses, Firefox Relay, SimpleLogin, Apple Hide My Email.
8. Configure Spam and Phishing Filters
Priority: High | Time: 10 minutes. Fine-tune settings to catch more threats beyond default filtering. Training: Always mark spam as spam (don't just delete). Mark legitimate emails incorrectly filtered as "Not spam." Never unsubscribe from obvious spam (confirms your address is active).
9. Disable Automatic Image Loading
Priority: High | Time: 2 minutes. Invisible tracking pixels notify senders when you open emails, revealing your location and activity patterns. Disable in Gmail at Settings > General > Images > "Ask before displaying external images." Verification: Open a marketing email. You should see a prompt to load images rather than seeing them automatically.
10. Review Forwarding Rules
Priority: High | Time: 5 minutes. Attackers who briefly access your account often set up forwarding rules to maintain surveillance after you change your password. Check in Gmail at Settings > Forwarding and POP/IMAP; also check Filters for suspicious rules. Red Flags: Unknown forwarding addresses, filters that delete or archive automatically, rules that mark emails as read.
Medium Priority: Complete Within a Month
These four steps provide additional security layers.
11. Encrypt Sensitive Emails
Priority: Medium | Time: 30-60 minutes. Standard email offers no protection if intercepted. Easy Options: ProtonMail (proton.me) for end-to-end encrypted messages, Tutanota (tutanota.com), or Outlook 365 (Options > Encrypt when composing). Advanced (PGP): Mailvelope browser extension, GPG4Win (Windows), GPG Suite (macOS).
12. Secure Your Devices
Priority: Medium | Time: 15-30 minutes. Your email is only as secure as the devices accessing it. Checklist: Enable full-disk encryption (BitLocker for Windows, FileVault for Mac), set strong device passwords with biometric locks, enable automatic software updates, install reputable antivirus software, enable remote wipe capability. Mobile: Use official email apps, disable email preview on lock screen, enable remote wipe.
13. Create Email Backups
Priority: Medium | Time: 30 minutes. If you lose account access, years of correspondence could vanish. Backup Methods: Gmail at takeout.google.com > Select Mail > Export. Outlook at File > Import/Export > Export to Outlook Data File (.pst). Best Practices: Store on encrypted external drive and secure cloud storage. Test restoration periodically.
14. Implement Email Aliasing
Priority: Medium | Time: 15 minutes. Create unique addresses for different purposes. When one alias is compromised, disable it without affecting others. Services: SimpleLogin (simplelogin.io) for unlimited aliases, AnonAddy (addy.io) with free tier, Firefox Relay (relay.firefox.com), iCloud+/Hide My Email. Strategy: shopping@yourdomain.com for stores, social@yourdomain.com for social media.
Optional: Advanced Protection
For users requiring maximum security.
15. Use Hardware Security Keys
Priority: Optional | Time: 30 minutes + purchase. Hardware keys provide the strongest 2FA, immune to phishing attacks that bypass SMS or authenticator codes. Essential for journalists, activists, and executives. Recommended Keys: YubiKey 5 (yubico.com) at $45-70, Google Titan (store.google.com) at $30-35, Feitian (ftsafe.com) at $20-40. Setup in Gmail at myaccount.google.com/signinoptions/two-step-verification > Add security key. Advanced: Google Advanced Protection (landing.google.com/advancedprotection) enables maximum security.
Quick Reference Checklist
Critical (Today): Enable Two-Factor Authentication, Create Strong Unique Password, Review Third-Party App Access, Check for Account Compromises, Verify Recovery Options.
High (This Week): Enable Login Alerts, Use Temporary Email for Signups, Configure Spam Filters, Disable Automatic Image Loading, Review Forwarding Rules.
Medium (This Month): Encrypt Sensitive Emails, Secure All Devices, Create Email Backups, Implement Email Aliasing.
Optional: Hardware Security Keys.
Ongoing Security Habits
Weekly: Review spam folder; check for login alerts.
Monthly: Audit connected apps; check forwarding rules; update flagged passwords.
Quarterly: Run breach check; update recovery options; create fresh backup.
Annually: Evaluate email provider; update security questions; audit alias usage.
If Your Email Is Compromised
Follow these steps immediately:
1. Change password immediately from a trusted device
2. Enable or reset 2FA
3. Remove unauthorized forwarding rules
4. Review sent messages for unauthorized emails
5. Revoke all third-party app access
6. Check other accounts using this email for password resets
7. Notify contacts if attacker sent messages as you
Email security is about building layers of protection. Start with the critical items today; they take less than an hour and provide the most significant improvement. The goal isn't perfect security but making your account harder to compromise than the next target.
Revisit this checklist after major life changes that affect your recovery options or devices. Email security is an ongoing practice.
Need to sign up for a service without exposing your real email? Try TempMailSpot for instant, disposable email addresses that protect your primary inbox from spam and data breaches.
Affiliate Disclosure
This page contains affiliate links. We may earn a commission if you make a purchase through these links, at no extra cost to you.