Email is the center of your digital life: passwords are reset through it, financial documents arrive in it, and business correspondence runs through it. A hacked email account means losing control over all your other accounts.
Why Email Is Vulnerable
Email Architecture
Email was designed in the 1970s without security in mind:
You → Your Server [can read] → Internet [can read] → Recipient's Server [can read] → Recipient
Who sees your emails:
- Your email provider
- Recipient’s provider
- Anyone on the path (without TLS)
- Government agencies (by request)
Typical Threats
| Threat | Consequences |
|---|---|
| Account hack | Access to all emails, password resets |
| Phishing | Credential theft |
| Interception | Reading correspondence |
| Spoofing | Fake emails from your name |
Account Protection
Strong Password
- Unique (not used anywhere else)
- Long (16+ characters)
- In password manager
Two-Factor Authentication
Method priority:
- Hardware key (YubiKey) - best
- TOTP app - good
- SMS - only if no other options
Setting up in Gmail:
- Google Account → Security
- 2-Step Verification
- Add Authenticator app
- Add backup hardware key
Setting up in Outlook:
- account.microsoft.com → Security
- Two-step verification
- Set up Microsoft Authenticator
Activity Check
Regularly check:
- Recent account logins
- Connected applications
- Forwarding rules (hackers often set these up)
- Active sessions
Gmail: Scroll down → “Last account activity”
Outlook: Security → View activity
Secure Email Providers
Provider Comparison
| Provider | Encryption | Privacy | Price |
|---|---|---|---|
| ProtonMail | E2E by default | Switzerland, no logs | Free / $48/year |
| Tutanota | E2E by default | Germany, no logs | Free / $36/year |
| Gmail | TLS (not E2E) | Scans for ads | Free |
| Outlook | TLS (not E2E) | Scans for ads | Free |
| Fastmail | TLS (not E2E) | Doesn’t scan | $50/year |
ProtonMail
Pros:
- End-to-end encryption between ProtonMail users
- Swiss jurisdiction
- Open source
- No access to content even by ProtonMail
- Built-in VPN (Proton VPN)
Cons:
- E2E only with other ProtonMail (or via password)
- Limited storage on free tier
- No IMAP on free tier
For whom: Journalists, activists, those who value privacy.
Tutanota
Pros:
- Fully encrypted (including subject line)
- German jurisdiction
- Cheaper than ProtonMail
- Encrypted calendar
Cons:
- Fewer integrations
- No PGP support (own system)
- Less known
For whom: Those wanting a ProtonMail alternative.
When Gmail/Outlook Is Enough
- Regular correspondence without secrets
- Business email with colleagues
- Service notifications
Important: Even on regular email, enable 2FA!
Email Encryption
Encryption Types
TLS (Transport Layer Security):
You ←[Encrypted]→ Server ←[Encrypted]→ Recipient (decrypted on the server)
Protects in transit, but server sees content.
E2E (End-to-End):
You ←[Encrypted the entire way]→ Recipient (server cannot see content)
Only sender and recipient see the email.
PGP/GPG Encryption
Principle:
- Each participant has key pair (public + private)
- Encrypt with recipient’s public key
- Only their private key can decrypt
How to start:
1. Install GPG:
   - macOS: `brew install gnupg`
   - Windows: Gpg4win
   - Linux: usually pre-installed
2. Create keys: `gpg --full-generate-key`
3. Export public key: `gpg --armor --export your@email.com > publickey.asc`
4. Share the public key with your contacts
Email integration:
- Thunderbird: built-in support
- Apple Mail: GPG Suite
- Outlook: Gpg4win
PGP Problems
- Complex for regular users
- Need to manage keys
- Metadata not encrypted (who writes to whom)
- Most contacts don’t use it
Alternative: ProtonMail - PGP under the hood, but simple interface.
Phishing Protection
Phishing Email Signs
| Sign | Example |
|---|---|
| Urgency | “Your account will be blocked!” |
| Generic greeting | “Dear customer” instead of your name |
| Strange address | support@amaz0n-security.com |
| Errors | Grammar, spelling |
| Suspicious links | Hover - URL doesn’t match |
| Attachments | .exe, .zip from strangers |
How to Check
- Sender address: Click on name → see real email
- Links: Hover cursor (don’t click!) → check URL
- Urgency: Real companies don’t threaten instant blocking
- When in doubt: Go to site directly, not via email link
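The checks in the table and list above can be applied mechanically to a message before anyone clicks anything. The script below is an added example written for this guide, not code from the original page or from any email provider. It uses Python's standard `email` module on a constructed sample lure and a constructed ordinary message, and reports every sign it finds: a display name that claims a brand the real address is not on, urgency wording, an impersonal greeting, link text that points somewhere other than the real href, look-alike domains with digit-for-letter swaps (amaz0n), and risky attachment names. `TRUSTED_DOMAINS`, the urgency word list and the extension list are assumptions; adjust them to the brands and correspondence you actually deal with.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands whose mail you actually expect (assumed list; replace with your own).
TRUSTED_DOMAINS = {"amazon.com", "paypal.com"}
URGENCY_WORDS = ("blocked", "suspended", "immediately", "within 24 hours", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso")
SWAPS = str.maketrans("01", "ol")  # undo digit-for-letter tricks: amaz0n -> amazon

# Constructed sample lure that fails several checks at once.
SAMPLE_EMAIL = """\
From: Amazon Security <support@amaz0n-security.com>
To: you@example.com
Subject: Your account will be blocked!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Your account will be blocked within 24 hours.
<a href="http://login.amaz0n-security.com/verify">https://www.amazon.com/account</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed ordinary message that should produce no flags.
BENIGN_EMAIL = """\
From: Alice <alice@example.com>
To: you@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Hi! Are you free for lunch on Friday? Menu: https://www.example.com/menu
"""


def brand_in(text):
    """Return the trusted domain whose brand name appears in text, or None."""
    flat = text.lower().translate(SWAPS)
    return next((d for d in sorted(TRUSTED_DOMAINS) if d.split(".")[0] in flat), None)


def is_on(host, trusted):
    """True if host is the trusted domain or one of its subdomains."""
    host = host.lower()
    return host == trusted or host.endswith("." + trusted)


def scan_email(raw):
    """Return {flag: detail} for every phishing sign found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = {}

    # 1. Sender: the display name may claim a brand while the real address is elsewhere.
    name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    brand = brand_in(f"{name} {sender_domain}")
    if brand and not is_on(sender_domain, brand):
        flags["sender-domain-mismatch"] = f"'{name}' <{address}> is not on {brand}"

    # 2. Wording: urgency and an impersonal greeting.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = f"{msg.get('Subject', '')} {re.sub(r'<[^>]+>', ' ', html)}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags["urgency"] = ", ".join(hits)
    if any(g in text for g in GENERIC_GREETINGS):
        flags["generic-greeting"] = "no personal name used"

    # 3. Links: what the text shows versus where the href really goes.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s<]+)", label)
        if shown and shown.group(1).lower() != real_host:
            flags["link-text-mismatch"] = f"shows {shown.group(1)} but goes to {real_host}"
        link_brand = brand_in(real_host)
        if link_brand and not is_on(real_host, link_brand):
            flags["lookalike-link"] = f"{real_host} imitates {link_brand}"

    # 4. Attachments with executable or archive extensions.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            flags["risky-attachment"] = fname
    return flags


if __name__ == "__main__":
    for flag, detail in scan_email(SAMPLE_EMAIL).items():
        print(f"{flag}: {detail}")
    print("benign message flags:", scan_email(BENIGN_EMAIL))
```

Save a suspicious message as a raw `.eml` file from your mail client and pass its contents to `scan_email()`. One flag alone is not proof of phishing; the combination of a look-alike sender, urgency and a mismatched link is the pattern worth treating as hostile, and the right response is still the one above: go to the site directly, never through the email link.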
Security Settings
Gmail:
- Enable “Enhanced Safe Browsing”
- Check Gmail warnings about suspicious emails
Outlook:
- Enable “Phishing protection”
- Set up rules for suspicious emails
Email Privacy
What Provider Knows
| Data | Gmail | ProtonMail |
|---|---|---|
| Content | Yes | No (E2E) |
| Metadata | Yes | Minimal |
| Login IP | Yes | Yes (use VPN) |
| Contacts | Yes | Encrypted |
Email Aliases
Use different addresses for different purposes:
Simple way (Gmail):
yourname+shopping@gmail.com
yourname+social@gmail.com
yourname+work@gmail.com
Everything arrives in one inbox, but the alias tag shows which service leaked your address.
Advanced way:
- SimpleLogin - creates unique aliases
- Firefox Relay - aliases from Mozilla
- ProtonMail - built-in aliases
What to Do About Trackers
Many emails contain tracking pixels:
- Open time
- Location
- Device
Protection:
- Disable automatic image loading
- Use ProtonMail (blocks trackers)
- PixelBlock extension for Gmail
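What "disable automatic image loading" actually defends against is easier to see on a concrete message. The script below is an added example written for this guide, not code from the original page or from any of the tools named above. It parses a constructed newsletter body with Python's standard `html.parser`, flags images that look like tracking pixels, and shows the effect of refusing remote images entirely. The heuristics (remote source plus 1x1 size, CSS-hidden remote image, or a long opaque token in the URL query) are assumptions based on how such pixels commonly look; the sample domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed newsletter body: a logo embedded inline (cid:), a real banner,
# a 1x1 "open" pixel carrying a per-recipient token, and a hidden remote image.
SAMPLE_HTML = """\
<html><body>
<p>Hello! Here is our newsletter.</p>
<img src="cid:logo" alt="logo" width="200" height="60">
<img src="https://track.example-marketing.net/open?u=Zx9kQ2mP7aLbN3vR8sTdWq1yF0" width="1" height="1" alt="">
<img src="https://cdn.example.com/banner.png" width="600" height="200" alt="banner">
<img src="https://track.example-marketing.net/i.gif" style="display:none">
</body></html>
"""


def tracker_reason(attrs):
    """Return why an <img> looks like a tracking pixel, or None if it looks ordinary.

    Heuristics (assumed, based on common tracker shapes): remote source plus
    1x1 or zero size, hidden via CSS, or a long opaque token in the query string.
    """
    src = attrs.get("src", "")
    if not src.lower().startswith(("http://", "https://")):
        return None  # inline (cid:/data:) images cannot report anything back
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    if width in ("0", "1") and height in ("0", "1"):
        return "1x1 remote image"
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden remote image"
    for values in parse_qs(urlparse(src).query).values():
        if any(re.fullmatch(r"[A-Za-z0-9_-]{24,}", v) for v in values):
            return "per-recipient token in URL"
    return None


class ImageAuditor(HTMLParser):
    """Collect every <img> tag together with the verdict from tracker_reason()."""

    def __init__(self):
        super().__init__()
        self.images = []  # (src, reason-or-None) in document order

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = {k: (v or "") for k, v in attrs}
            self.images.append((a.get("src", ""), tracker_reason(a)))


def audit(html):
    """Return [(src, reason)] for every image in html that looks like a tracker."""
    parser = ImageAuditor()
    parser.feed(html)
    parser.close()
    return [(src, why) for src, why in parser.images if why]


def strip_remote_images(html):
    """Emulate 'disable automatic image loading': drop every remote <img>, keep inline ones.

    Returns (cleaned_html, number_removed)."""
    pattern = re.compile(r'<img\b[^>]*\bsrc="https?://[^"]*"[^>]*>', re.I)
    return pattern.subn("", html)


if __name__ == "__main__":
    for src, why in audit(SAMPLE_HTML):
        print(f"{why}: {src}")
    cleaned, removed = strip_remote_images(SAMPLE_HTML)
    print(f"removed {removed} remote images; safe body:\n{cleaned}")
```

Note that the banner is not flagged by the heuristics yet is still removed by `strip_remote_images()`: any remote image, tracker or not, reveals your IP address and open time to whoever hosts it the moment it loads, which is why the blunt setting (no automatic image loading) is the one the guide recommends.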
Email Backup
Why Backup
- Provider can block account
- Accidental deletion of important emails
- Switching to another service
- Attacks and hacks
Backup Methods
Google Takeout (Gmail):
- takeout.google.com
- Select Gmail
- Export to MBOX
Local client:
- Set up IMAP in Thunderbird
- Download all emails locally
- Sync regularly
Automatic backup:
- Mailstore Home (free for personal use)
- imapsync (for technically savvy)
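A backup you have never opened is not yet a backup. The script below is an added example written for this guide, not code from the original page, from Google Takeout or from any of the tools listed above. It reads an MBOX file (the format Takeout and Thunderbird export) with Python's standard `mailbox` module and reports the three things worth checking after every export: how many messages it holds, whether they all parse, and how old the newest one is. The two-message mailbox is constructed inline and written to a temporary file so the example runs on its own; the `summarize_mbox()` and `backup_is_current()` names are this example's own.

```python
import mailbox
import os
import tempfile
from datetime import date, datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed two-message mailbox in mbox format (what Google Takeout exports).
SAMPLE_MBOX = """\
From alice@example.com Mon Jan  6 10:00:00 2025
From: alice@example.com
To: you@example.com
Date: Mon, 06 Jan 2025 10:00:00 +0000
Subject: Contract draft

Please review the attached draft.

From bank@example.com Tue Mar  4 08:30:00 2025
From: bank@example.com
To: you@example.com
Date: Tue, 04 Mar 2025 08:30:00 +0000
Subject: Statement

Your statement is ready.

"""


def summarize_mbox(path):
    """Open an mbox export and report what a backup owner needs to know.

    Returns a dict with the message count, how many messages lack a usable
    Date header, and the oldest/newest dates seen (ISO format, UTC)."""
    box = mailbox.mbox(path, create=False)
    dates, undated, total = [], 0, 0
    try:
        for msg in box:
            total += 1
            try:
                dates.append(parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc))
            except (TypeError, ValueError):
                undated += 1  # missing or malformed Date header; message still counted
    finally:
        box.close()
    return {
        "messages": total,
        "undated": undated,
        "oldest": min(dates).date().isoformat() if dates else None,
        "newest": max(dates).date().isoformat() if dates else None,
    }


def backup_is_current(summary, max_age_days, today=None):
    """True if the newest message is no older than max_age_days.

    today is an ISO date string; it defaults to the current UTC date and can be
    passed explicitly for reproducible checks."""
    if summary["newest"] is None:
        return False
    today = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    newest = date.fromisoformat(summary["newest"])
    return (today - newest).days <= max_age_days


def demo():
    """Write the constructed mailbox to a temp file, summarize it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "All mail.mbox")
        with open(path, "w", encoding="utf-8", newline="\n") as f:
            f.write(SAMPLE_MBOX)
        return summarize_mbox(path)


if __name__ == "__main__":
    summary = demo()
    print(summary)
    print("current as of 2025-04-01 (90-day limit):", backup_is_current(summary, 90, today="2025-04-01"))
```

Run `summarize_mbox()` against the real export after each Takeout or Thunderbird run and compare the count with what the web interface shows; a sharp drop in message count or a newest date that stops moving is how a silently broken backup job shows itself.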
Setting Up Secure Email
Basic Level (any provider)
- Strong unique password in password manager
- 2FA via app (not SMS)
- Activity check monthly
- Caution with links and attachments
Advanced Level
- Switch to ProtonMail for important correspondence
- Email aliases for different services
- Disable automatic image loading
- Regular backup
Paranoid Level
- PGP for all correspondence
- Tor for email access
- Separate email for each category
- Hardware key as only 2FA
Email and VPN
Why VPN for Email
| Without VPN | With VPN |
|---|---|
| ISP knows you’re checking email | Sees only VPN traffic |
| IP logged by email server | VPN IP logged |
| On public network - interception risk | Encryption to VPN |
When Especially Important
- Checking email on public WiFi
- Hiding the fact of email service usage
- Accessing email from countries with censorship
Email Security Checklist
Mandatory
- Unique strong password
- 2FA via app or key
- Check suspicious emails before clicking
- Current backup email/phone
Recommended
- ProtonMail or Tutanota for important stuff
- Email aliases for different services
- Automatic image loading disabled
- Regular activity check
For Sensitive Data
- PGP encryption for correspondence
- VPN when checking email
- Regular backup
- Hardware key for 2FA
Summary
Email remains critically important despite messengers. Minimum - strong password and 2FA on existing email. Optimum - switch to ProtonMail for important correspondence.
Remember: email hack opens access to all your accounts through “Forgot password” feature.
Tainet VPN protects connection when checking email on public networks. Encrypted channel prevents interception of authentication data or email content.