🟡 Intermediate · 13 min read · Updated Feb 18, 2026

Email Security: Protect Your Most Critical Account

Your email is the master key to all your other accounts. Learn how to lock it down with advanced security measures.

Your email account is the skeleton key to your digital life. Here's why:

Password reset = email access:

  • Forgot your banking password? Reset link goes to email.
  • Forgot your social media password? Reset link goes to email.
  • An attacker with email access can reset and take over virtually ANY account.

Email contains sensitive data:

  • Financial statements and receipts
  • Medical communications
  • Legal documents
  • Personal conversations
  • 2FA backup codes (if you stored them there)

Your email IS your identity:

  • Used as username on most services
  • Receives security alerts and login notifications
  • Contains your contact network

The cascade attack:

  1. Attacker compromises your email
  2. Resets password on your cloud storage
  3. Downloads personal documents and photos
  4. Resets banking passwords
  5. Uses personal info for identity theft
Use the strongest possible security:

  1. Unique, long password: 20+ characters, generated randomly
  2. Hardware security key: YubiKey or Google Titan for login
  3. TOTP backup: Authenticator app as a secondary 2FA method
  4. Recovery options: Verify your phone number and backup email
  5. Account-specific hardening:

     Gmail:

     • Enable Advanced Protection Program (uses hardware keys exclusively)
     • Review third-party app access: myaccount.google.com/permissions
     • Enable login alerts
     • Review recent activity regularly: myaccount.google.com/notifications
     • Turn off "Less secure app access"

     Outlook/Microsoft:

     • Enable passwordless sign-in with Microsoft Authenticator
     • Add hardware security keys
     • Review connected apps: account.microsoft.com/privacy
     • Enable sign-in activity notifications

     Proton Mail:

     • Enable two-password mode for extra mailbox encryption
     • Register hardware security keys
     • Save recovery phrase securely
     • Use Proton's VPN for additional protection
Email aliases let you create unique email addresses for every service, hiding your real email.

Why use aliases:

  • If one service is breached, your real email stays hidden
  • Easy to identify which service leaked your data (unique alias per service)
  • Disable aliases for services you no longer use (stops spam)
  • Prevents credential stuffing attacks that reuse your real email as a username

Alias services:

  Service                Free tier     Paid plan               Open source
  SimpleLogin (Proton)   10 aliases    Unlimited ($4/mo)       ✅
  AnonAddy (addy.io)     Unlimited     More features ($1/mo)   ✅
  Firefox Relay          5 aliases     Unlimited ($2/mo)       ✅
  Apple Hide My Email    Unlimited     Included with iCloud+   ❌
  Plus addressing        Unlimited     Free                    N/A

Plus addressing: Most email providers support yourname+service@gmail.com. However, some sites reject + addresses, and it's trivially easy to strip the + portion and recover your real address.

Best practice: Use a dedicated alias service (SimpleLogin or addy.io) for proper protection. Create a unique alias for every online account.
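To make the plus-addressing caveat concrete, here is a small added Python example (not code from the original page or from any alias provider). It collapses an address to the mailbox that actually receives it, which is what any list of addresses gets reduced to once plus tags are removed: every plus-addressed variant points back at one inbox, while dedicated aliases stay distinct. The sample addresses are constructed, and simplelogin.example is a placeholder domain rather than SimpleLogin's real one; the function names are chosen here.

```python
def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is actually delivered to.

    Plus addressing ('user+tag@domain') is a delivery-time convenience: the
    provider ignores the '+tag' part.  Gmail additionally ignores dots in the
    local part and treats googlemail.com as gmail.com.  Because the provider
    discards this information, so can anyone holding a list of addresses.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]          # drop the '+tag' suffix
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")      # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


# Constructed sample: one person signs up for three services two different ways.
PLUS_ADDRESSES = [
    "alice+shop@gmail.com",
    "a.lice+forum@gmail.com",       # same inbox, dots and tag vary
    "Alice+bank@googlemail.com",
]
DEDICATED_ALIASES = [              # placeholder alias domain, not a real provider
    "shop.k3z9q@simplelogin.example",
    "forum.8pd2w@simplelogin.example",
    "bank.q7mmx@simplelogin.example",
]


def distinct_mailboxes(addresses: list[str]) -> set[str]:
    """How many real inboxes a list of addresses actually resolves to."""
    return {canonical_mailbox(a) for a in addresses}


if __name__ == "__main__":
    print("plus addressing ->", distinct_mailboxes(PLUS_ADDRESSES))
    print("dedicated aliases ->", distinct_mailboxes(DEDICATED_ALIASES))
```

With the three plus addresses the set collapses to a single gmail.com mailbox; with the three dedicated aliases it stays at three, and nothing in those strings reveals the forwarding destination.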

If you own a domain, these three protocols prevent email spoofing.

SPF (Sender Policy Framework):

  • Specifies which mail servers can send email for your domain
  • DNS TXT record listing authorized IP addresses/servers
  • Example: v=spf1 include:_spf.google.com ~all

DKIM (DomainKeys Identified Mail):

  • Adds a digital signature to outgoing emails
  • Receiving servers verify the signature against the public key published in your DNS record
  • Proves the email wasn't tampered with in transit

DMARC (Domain-based Message Authentication, Reporting and Conformance):

  • Tells receiving servers what to do when SPF/DKIM checks fail
  • Options: none (monitor), quarantine (spam folder), reject (block)
  • Provides reports on who's sending email from your domain
  • Example: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Implementation order:

  1. Set up SPF first (easiest)
  2. Configure DKIM next
  3. Start DMARC with p=none, monitor reports
  4. Gradually move to p=quarantine, then p=reject

Use our SPF/DKIM Generator tool to create proper records