Email Security Checklist: 15 Steps to Protect Your Inbox
A prioritized, actionable checklist to secure your email accounts. From basic hygiene to advanced protection, with verification steps to confirm you're protected.
Start with two-factor authentication, a unique password, and a check of who already has access to your account. Those three steps, done today, defeat the large majority of email attacks. Everything else on this list is a layer on top.
Your email is the recovery address for your bank, your social accounts, and your work tools, which makes it the single most valuable thing to protect. The FBI's Internet Crime Complaint Center reported $2.9 billion in losses to business email compromise in 2023, and Proofpoint estimates 91% of cyberattacks begin with a phishing email. The point is not to scare you; it is to explain why a few minutes of setup is worth it.
The 15 steps below are ordered by impact. Each one notes roughly how long it takes and how to confirm it actually worked. Do the five Critical items now (they take under an hour), then work down from there. We run a disposable-email service (TempMailSpot), so a few of these steps reflect what we see spammers and attackers actually do, not just theory.
Key takeaways
- Two-factor authentication is the highest-value step: it blocks an attacker who already has your password.
- Your email is the recovery point for every other account, so it deserves your longest, most unique password.
- Forwarding rules and connected apps are the quiet backdoors attackers leave behind, so audit them, not just your password.
- Use a disposable or aliased address for one-off signups so a breached site never exposes your real inbox.
- For the highest-risk accounts, a FIDO hardware key is the only widely available 2FA that phishing cannot defeat.
Critical priority: do these five today
These five steps account for most of the protection on this page. Together they take under an hour, and they are the difference between an account a stranger can open with a leaked password and one they cannot.
1. Turn on two-factor authentication
About 5-10 minutes. This is the single highest-value step. With 2FA on, a stolen password is no longer enough; an attacker also needs the code on your phone. It is the cheapest defense against the credential leaks that feed most account takeovers.
Turn it on in your account security settings. Gmail keeps it under Security > 2-Step Verification, Outlook under Advanced security options, Yahoo under Account security. Prefer an authenticator app (Authy, Google Authenticator, Microsoft Authenticator, or your password manager) over SMS, because text messages can be intercepted or SIM-swapped.
Confirm it worked: sign out completely, then sign back in. You should be asked for a code from your app before you reach the inbox.
2. Set a long, unique password
About 5 minutes. Your email password should be the one you reuse nowhere else, because email is the reset point for everything else you own. Reuse is what turns one site's breach into a chain of compromised accounts.
Aim for 16 characters or more, or a four-to-five-word passphrase. Let a password manager generate and remember it so length costs you nothing.
Confirm it worked: check the password against Have I Been Pwned's Pwned Passwords, which has indexed billions of credentials exposed in breaches. If it appears, change it.
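An added example (not from the original page) of how that Pwned Passwords check works under the hood: only the first five hex characters of the password's SHA-1 hash are sent to the real HIBP range API, and the match is done locally against the returned "SUFFIX:COUNT" lines. The sample range body below is constructed, with made-up counts, so the script runs offline.

```python
import hashlib
import urllib.request

# Real HIBP endpoint: GET /range/<first 5 hex chars of the SHA-1 hash>.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return the 5-char prefix and 35-char suffix of the uppercase SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Match our suffix against a range body of "SUFFIX:COUNT" lines.
    Padded responses add decoy suffixes with count 0; harmless, since only
    an exact suffix match is returned."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range; only the 5-char prefix leaves your machine."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach appearances for the password (0 means not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample body for the 5BAA6 range (not real API output). The
# middle line is the suffix of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_BODY = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4F1B2C6F3C58A2B7B2E0D2C0F1A2B3C4D:0
"""

if __name__ == "__main__":
    offline = lambda _prefix: SAMPLE_RANGE_BODY  # use fetch_range to go live
    print(pwned_count("password", offline))      # 3861493 in the sample: change it
    print(pwned_count("correct horse battery staple", offline))  # 0: not in sample
```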
3. Review connected apps and third-party access
About 10 minutes. Over the years you have likely granted dozens of apps access to your mailbox. Each one is a key someone else holds, and an abandoned or breached app is a path straight in.
Audit the list in Gmail > Security > Third-party apps with account access, Microsoft account > Privacy > App access, or your provider's equivalent. Revoke anything you do not recognize, anything asking for more than it needs, and anything you used once and forgot.
Confirm it worked: after revoking, the app should disappear from the list and from your account activity log.
4. Check whether you have already been breached
About 5 minutes. Before adding locks, find out if the house is already open. Searching breach databases tells you which of your accounts have leaked and whether a password change is overdue.
Check your address on Have I Been Pwned and on Mozilla Monitor (formerly Firefox Monitor). If you use Chrome or Google's password manager, its built-in Password Checkup flags reused and breached passwords.
If you appear in a breach: change that account's password immediately, turn on 2FA, and check your sent folder and login history for activity you did not initiate.
5. Lock down recovery options
About 5 minutes. Recovery settings are a side door. An old phone number you no longer control, or a guessable security answer, lets an attacker reset your password and walk past your other defenses.
Review your recovery phone and email under your provider's security page and remove anything outdated. Where security questions are still required, treat the answers as passwords: invent them and store them in your password manager rather than using your real mother's maiden name.
Confirm it worked: every recovery phone and address listed should be one you currently control.
High priority: finish these within a week
With the critical layer in place, these five steps close the gaps attackers use to get in quietly or stay in after you have changed your password.
6. Turn on login alerts
About 5 minutes. Alerts turn a silent break-in into something you find out about in minutes. Most providers can email or push a notification whenever a new device or location signs in.
Gmail and Microsoft enable security alerts by default; confirm they are on under your notification settings rather than assuming.
Confirm it worked: sign in from a private window or a second device. A heads-up should arrive shortly after.
7. Use a disposable address for one-off signups
Ongoing habit. Every site that holds your real email is one more place it can leak, and breached signup lists are exactly what spam and phishing campaigns are built from. The fix is to stop giving low-stakes sites your real address at all.
For a free trial, a gated download, a forum, a one-time code, or a newsletter you are not sure about, use a temporary email address instead. A disposable inbox receives the confirmation, then deletes itself, so when that site is breached two years later, the address that leaks is one you already threw away. In our experience running TempMailSpot, new mail lands in the inbox within seconds, which is usually faster than switching back to the signup tab. Keep your real address, or a permanent alias (Step 14), for accounts you actually need to sign back into.
The rule of thumb: will you ever need to log in again? If no, it is a job for a disposable address.
8. Train your spam and phishing filters
About 10 minutes. Provider filters learn from you. A few deliberate habits make them noticeably better at catching what slips through, which matters given that phishing was involved in a large share of breaches.
Always mark spam as spam rather than just deleting it, and rescue any real message that was wrongly filtered by marking it "not spam." One counterintuitive rule: do not click unsubscribe on obvious spam. With a genuine spammer it merely confirms a live human reads the address, which invites more.
9. Stop images from loading automatically
About 2 minutes. Many marketing and phishing emails embed an invisible tracking pixel that reports back the moment you open the message, leaking your rough location and the fact that the address is active. Blocking automatic images shuts that off.
Switch to "ask before displaying external images" in your mail settings (Gmail keeps it under Settings > Images).
Confirm it worked: open a marketing email. You should see a prompt to load images instead of them appearing on their own.
10. Check for forwarding rules you did not create
About 5 minutes. This is the step most people skip, and it is the one attackers count on. After brief access to an inbox, a common move is to add a hidden forwarding rule or filter so they keep receiving copies of your mail long after you reset the password.
Open Forwarding and POP/IMAP and Filters in Gmail, or Rules in Outlook, and look for anything you did not set up: an unfamiliar forwarding address, a filter that auto-deletes or archives, or one that marks messages as read so you never see them. Delete anything suspicious.
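For a mailbox with many filters, the manual review above is easier against Gmail's filter export (Settings > Filters > Export), which is an Atom feed of entries with `apps:property` elements. The script below is an added example, not from the page; it assumes the property names `forwardTo`, `shouldTrash`, `shouldArchive` and `shouldMarkAsRead` from that export format, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Filter actions an intruder uses to siphon or hide mail (Step 10). The
# property names are assumed from Gmail's filter export format.
RISKY_ACTIONS = {
    "forwardTo": "forwards a copy elsewhere",
    "shouldTrash": "auto-deletes matching mail",
    "shouldArchive": "skips the inbox",
    "shouldMarkAsRead": "marks as read so it is never noticed",
}

def audit_filters(xml_text: str, trusted_forwards=()) -> list[dict]:
    """One finding per filter with a risky action; trusted forwards are skipped."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        reasons = []
        for name, why in RISKY_ACTIONS.items():
            value = props.get(name)
            if name == "forwardTo" and value and value.lower() not in trusted_forwards:
                reasons.append(f"{why} ({value})")
            elif name != "forwardTo" and value == "true":
                reasons.append(why)
        if reasons:  # keep the match criteria so you can find the rule in the UI
            criteria = {k: v for k, v in props.items() if k not in RISKY_ACTIONS}
            findings.append({"criteria": criteria, "reasons": reasons})
    return findings

# Constructed sample export: a harmless labelling rule, then a rule that
# quietly forwards, marks as read and deletes password-reset mail.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='news@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='forwardTo' value='unknown-address@example.net'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_EXPORT):
        print(finding["criteria"], "->", "; ".join(finding["reasons"]))
```

Anything it prints is a rule to open in Settings > Filters and delete unless you created it yourself.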
Medium priority: get to these within a month
These four steps are not urgent, but each removes a category of risk the first ten do not touch.
11. Encrypt anything genuinely sensitive
About 30-60 minutes to set up. Ordinary email travels in a form the provider and anyone who intercepts it can read. For most messages that is fine; for contracts, medical details, or credentials it is not. End-to-end encryption means only you and the recipient can read the contents.
The simplest route is an encrypted provider such as Proton Mail or Tuta, where messages between users are encrypted automatically. For broader coverage you can add PGP through tools like Mailvelope, Gpg4win, or GPG Suite, though the key management is more work. Our email encryption guide walks through the options in detail.
12. Secure the devices that read your mail
About 15-30 minutes. Your inbox is only as safe as the laptop and phone that stay signed into it. A device that is unlocked or unencrypted hands over your email along with everything else.
Turn on full-disk encryption (BitLocker on Windows, FileVault on Mac, on by default on modern phones), set a real screen lock with biometrics, and let security updates install automatically. On your phone, use the official mail app, hide message previews on the lock screen, and make sure remote-wipe is enabled in case it is lost.
13. Keep a backup of what matters
About 30 minutes. If you ever lose access through a forgotten password, a hijack, or a provider closing your account, years of correspondence can vanish with it. An export is cheap insurance.
Google's Takeout exports your Gmail; Outlook exports to a .pst file from File > Import/Export. Store the copy on an encrypted drive or in secure cloud storage, and open it once to confirm the backup is actually readable.
14. Give each service its own address with aliasing
About 15 minutes. An alias is a permanent forwarding address that lands in your real inbox but can be switched off on its own. Give each service a different one, and a single leaked or spammed address can be killed without touching anything else. You also learn exactly which company sold or lost your data.
This differs from a disposable address (Step 7): an alias is permanent and meant for accounts you keep, whereas a temporary address is for one-time use. The trade-offs are covered in our temp email vs. aliases guide. A few options, with their real free limits:
| Service | Free tier | Open source | Notes |
|---|---|---|---|
| SimpleLogin | 10 aliases | Yes | Unlimited aliases on Premium (~$36/yr) |
| addy.io | Unlimited standard aliases; 10 shared-domain | Yes | 1 recipient, 10 MB/mo bandwidth on free |
| Firefox Relay | 50 masks | Partly | Email + phone masking on paid tier |
| Apple iCloud+ Hide My Email | Included with iCloud+ | No | Apple devices only |
For the highest-risk accounts: a hardware key
15. Add a FIDO hardware security key
About 30 minutes, plus the cost of a key. App-based 2FA stops most attacks, but a determined phishing page can still trick you into typing a one-time code into a fake login. A FIDO hardware key closes that last gap. CISA describes FIDO authentication as the strongest form of MFA, effective against the bypass techniques that defeat SMS codes, authenticator codes, and push prompts, because the key cryptographically checks the site's real domain before it will respond.
This is worth it for anyone whose account is a high-value target, such as journalists, activists, finance and admin staff, or executives, and for anyone who simply wants the strongest available protection on their primary email. Two well-supported options, at current prices:
| Key | Connectors | Price (May 2026) |
|---|---|---|
| Google Titan | USB-A/NFC, USB-C/NFC | $30 / $35 |
| YubiKey 5 Series | USB-A, USB-C, NFC, Lightning | $58-85 |
Buy two (one to use and one as a backup you store safely), then register both under 2-Step Verification > Security key in your account settings. If you want to go further, Google's Advanced Protection Program locks an account to hardware keys and tightens recovery for those who need the maximum.
The checklist at a glance
If you want the whole thing on one screen, here it is by priority and rough time.
| Priority | Step | Time |
|---|---|---|
| Critical | 1. Turn on two-factor authentication | 5-10 min |
| Critical | 2. Set a long, unique password | 5 min |
| Critical | 3. Review connected apps | 10 min |
| Critical | 4. Check for past breaches | 5 min |
| Critical | 5. Lock down recovery options | 5 min |
| High | 6. Turn on login alerts | 5 min |
| High | 7. Use a disposable address for one-off signups | ongoing |
| High | 8. Train your spam filters | 10 min |
| High | 9. Stop automatic image loading | 2 min |
| High | 10. Check for rogue forwarding rules | 5 min |
| Medium | 11. Encrypt sensitive email | 30-60 min |
| Medium | 12. Secure your devices | 15-30 min |
| Medium | 13. Back up your mail | 30 min |
| Medium | 14. Set up aliasing | 15 min |
| Optional | 15. Add a FIDO hardware key | 30 min + cost |
Habits that keep it secure
Security is not a one-time setup; the steps above stay effective only if you revisit a few of them on a schedule. The cadence below keeps the whole stack honest without much effort.
| Cadence | What to check |
|---|---|
| Weekly | Glance at your spam folder and any login alerts. |
| Monthly | Re-audit connected apps and forwarding rules, and change any password your manager flags. |
| Quarterly | Rerun a breach check on Have I Been Pwned, confirm recovery options, and take a fresh backup. |
| Yearly | Review whether your provider still suits you, refresh security answers, and prune aliases you no longer use. |
If your email is already compromised
If you see signs of a break-in (alerts you did not trigger, sent mail you did not write, reset emails you did not request), work through these in order, from a device you trust:
- Change the password from a trusted device, not the one you suspect is infected.
- Turn on or reset two-factor authentication to cut off existing sessions.
- Delete any forwarding rules or filters you did not create (see Step 10, where attackers hide).
- Read your sent folder for messages sent as you, and warn anyone who received one.
- Revoke every third-party app's access and re-grant only what you trust.
- Reset the password on any account that uses this email for recovery, starting with banking.
- If money was involved, contact your bank and consider a fraud alert on your credit file.
Email security is a stack of layers, not a single switch. The first three steps (2FA, a unique password, and an access review) do most of the work and take under an hour, so start there today. The rest you can add over a week and a month as time allows. The goal is not a perfect, impenetrable account; it is to be a harder target than the next person, which for an opportunistic attacker is usually enough.
One habit pays off again and again: stop handing your real address to sites you will use once. When a signup only needs to receive a code or a download, open a temporary inbox instead. It takes seconds, needs no account, and deletes itself, so the next breach leaks an address you already discarded. For the wider routine, see our guides on protecting your privacy online and spotting phishing emails.
Sources
- FBI Internet Crime Complaint Center — Internet Crime Report 2023 (2024)
- Cybersecurity and Infrastructure Security Agency (CISA) — Implementing Phishing-Resistant MFA (Fact Sheet) (2022)
- Have I Been Pwned — Pwned Websites Database (2025)
- Verizon — Data Breach Investigations Report 2024 (2024)
- Proofpoint — State of the Phish Report 2024 (2024)
- Mozilla — Mozilla Monitor (formerly Firefox Monitor) (2024)
- Google Store — Titan Security Key - FIDO2 USB-A/USB-C + NFC (2026)
- Yubico — YubiKey 5 Series (2026)
- SimpleLogin — SimpleLogin | Pricing (2026)
- addy.io (AnonAddy) — Free, Open-source Anonymous Email Forwarding | addy.io (2026)