How do I create a secure email address?

Email has become an essential means of communication, both for personal and professional use. However, emails often contain sensitive information that needs protection. Ensuring email privacy and security is crucial for avoiding issues such as identity theft, financial fraud, and confidential data leaks. Private emails may contain details about your health, finances, relationships and more. Work emails frequently include proprietary information, trade secrets, and confidential communications. Without proper email privacy safeguards, this sensitive data is vulnerable to cybercriminals, hackers and unauthorized access.

Fortunately, there are steps individuals and organizations can take to improve email privacy. Using strong passwords, enabling two-factor authentication, encrypting emails and being vigilant against phishing are some best practices. Overall, maintaining email security requires ongoing vigilance as new threats emerge. But with the right precautions, email can remain a safe means of communication without compromising privacy.

Use a reputable email provider

When setting up a secure email address, it’s important to go with a reputable provider that offers robust encryption and privacy protections. Top recommendations include ProtonMail and Tutanota.

ProtonMail, based in privacy-friendly Switzerland, provides end-to-end encryption for all emails by default. Emails are encrypted on the user’s device before being sent to ProtonMail servers. This prevents third parties from accessing email content. ProtonMail also does not track or profile users. However, free accounts have limited storage and require a paid plan for advanced features.

Tutanota, based in Germany, also uses end-to-end encryption. A major benefit is that even their free version comes with 1GB of storage. Paid plans provide more features like custom domains and aliases. One downside is Tutanota currently only has apps for iOS and Android but not desktop.

Other providers like Posteo and FastMail also have strong security and privacy. When selecting a provider, look for encrypted transmission, anonymous sign-up, open source code, and minimal logging/metadata collection. Avoid providers with a history of data breaches.

Create a unique email address

One of the best ways to increase email security is by creating a unique email address that is not easily guessable. Avoid using common names, words, or date formats in your email address as these can make it easier for attackers to guess (see Using unique email address for online signups?). Instead, incorporate numbers, symbols, and random strings of letters to make your address more secure.

For example, johnsmith2022@ or maryjones06@ contain information that is easy to find out about someone. A better approach is to use something like js8276#%^@ or mj32kl*&^%. The more obscure you can make your address, the harder it will be for someone else to replicate it. Just be sure to also write down your complex address so you don’t forget it!

Using a unique email that incorporates numbers and symbols will serve as an extra barrier against attackers attempting to gain access to your accounts. It also prevents marketing companies from as easily associating your address with your identity.

Enable two-factor authentication

Two-factor authentication (2FA) provides an extra layer of security for your email account by requiring two forms of identification to log in. This makes it much harder for unauthorized users to access your account even if they have your password.

With 2FA enabled, when you try to log into your email account you will be prompted for a code from another device in addition to your password. This could be a code sent via text message or generated by an authentication app like Google Authenticator or Authy. Once you enter the code, you will be granted access to your account.

According to Twilio, the main benefit of 2FA is that if one factor is compromised, your account is still likely protected. For example, if someone obtains your password, they still cannot access your account without also getting the secondary authentication code from your phone or authentication app that only you possess. This makes it significantly more difficult for hackers to break in.

Most major email providers like Gmail, Outlook, and Yahoo offer 2FA options. You should enable this security feature to better protect your email account from unauthorized access.

Use a strong password

One of the most important steps to create a secure email is to use a strong password. Passwords should be at least 12-14 characters long and include a mix of upper and lowercase letters, numbers, and special characters. Some tips for creating a strong password:

  • Avoid using personal information like your name, birthday, or dictionary words. These are easy for hackers to guess.
  • Use a password manager like LastPass or 1Password to generate and store unique, random passwords. This makes it easier to use long, complex passwords without having to remember them.
  • Include numbers, special characters, and capital letters. For example, “Th!s1s@Str0ngPwd.”
  • Don’t reuse passwords across accounts. Use a unique password for your email to limit damage if another account is compromised.

Regularly changing your password, at least every 90 days, can also boost security. Consider enabling automatic password changes offered by many email providers. With strong, unique passwords for each account, you make it much harder for cybercriminals to access your email and accounts.

Avoid Spam Triggers

There are a few simple practices you can follow to avoid having your email address picked up by spammers:

Don’t share your email address publicly on websites or social media. Spammers use web crawlers to scrape addresses online. Keep your email private unless necessary. See Microsoft’s tips for reducing spam.

Avoid visiting sketchy websites or signing up for suspect services using your primary email. Spammers buy and sell email lists, so be wary of where you share your address. Stick to reputable, secure sites.

Regularly check your email settings and unsubscribe from any unwanted mailing lists. Reducing opt-in communications can decrease spam. See CISA’s advice on managing subscriptions.

In general, be cautious and selective when handing out your email online. Follow basic security practices to keep your inbox free of spam.

Encrypt sensitive emails

When sending sensitive information like financial data or personal details over email, it’s important to encrypt the message. Encrypting your email prevents unauthorized access if the message is intercepted. One popular email encryption method is Pretty Good Privacy (PGP) and its open-source counterpart GNU Privacy Guard (GPG). You should consider using PGP/GPG encryption when:

You are emailing sensitive information like bank account details, Social Security numbers, medical records, or confidential business data. Encryption protects the contents if your email is compromised.

You are emailing information that could be damaging if made public, like proprietary information about your company. Encryption prevents unintended sharing.

You need to verify your identity to the recipient. PGP/GPG provides authentication using digital signatures.

You want end-to-end encryption that secures messages all the way from your device to the recipient’s. PGP/GPG encrypts the message contents so only the intended recipient can decrypt it.

You need to encrypt emails on multiple devices like your phone, tablet and computer. PGP/GPG gives you a unified public/private key pair that works across all your devices.

Overall, PGP/GPG email encryption provides a robust way to protect sensitive data and verify identities when using email. It’s recommended for individual users and businesses that regularly need to send confidential information.

To get started with PGP/GPG encryption, you’ll need encryption software and to create a public and private PGP key pair. Popular email providers like ProtonMail and Tutanota also include built-in PGP email encryption features.

Avoid phishing attacks

Phishing is when scammers send fraudulent emails or texts, pretending to be a trustworthy source, in order to trick users into sharing personal and financial information or clicking on malicious links. According to the Federal Trade Commission (FTC), phishing is one of the most common ways cybercriminals steal personal information [1]. Here are some tips to identify and avoid phishing attacks when using email:

Look closely at the sender’s email address. Scammers often use an address that looks similar to a legitimate business. For example, they might use instead of

Check for spelling and grammar mistakes, which are telltale signs of a phishing email. Legitimate businesses will not send mass messages riddled with errors.

Do not click on links or attachments in unsolicited emails. Carefully inspect the URL before clicking by hovering over the link to see if the address matches the link text.

Never enter your login credentials or personal information from an embedded link. Go directly to the website instead.

Be wary of any emails that create a sense of urgency or demand immediate action.

Do not be intimidated by threats of account suspension or legal action. Contact the company through their official channels to verify the email’s legitimacy.

Forward suspicious emails to [email protected] and the company impersonated in the email to report the phishing attempt.

Manage permissions carefully

Be careful about which apps and services you allow to access your email account. Many apps will ask for permission to read, send, delete or manage emails in your account. Only grant access to trustworthy apps that you actually use. Avoid granting full account access unless absolutely necessary.

You can review and revoke app permissions in your email account settings. For Gmail, go to Settings > Manage your Google Account > Security > Third-party apps with account access. For Outlook, go to Settings > Manage Connected Accounts. Be sure to periodically audit these permissions and revoke access for unused apps.

Similarly, adjust your overall email privacy settings. Disable features like read receipts or mail forwarding if not needed. Check your auto-forwarding rules and remove any suspicious or unknown addresses. Enable two-factor authentication for an extra layer of security. These steps can limit exposure in case your password is compromised. See Gmail’s privacy settings or Outlook’s account privacy settings for more details.

Overall, be selective in what account access you grant to third party services and apps. Regularly review permissions and privacy configurations to ensure your account security and prevent unauthorized access.

Regularly update software

It is crucial to keep your email provider’s software up-to-date in order to get the latest security patches and fixes. Email providers regularly release updates to address vulnerabilities that could be exploited by hackers. For example, according to 24by7 Security, organizations should be aware of the latest software updates from their email providers to protect against email threats. Allowing your email provider’s software to become outdated leaves you more vulnerable to attacks. Most major email providers like Gmail and Outlook automatically apply security updates in the background. However, it doesn’t hurt to manually check for updates occasionally to ensure you are running the most secure version.