
How to improve your email security

Whether it is private correspondence or business, your emails contain practically everything there is to know about you.

From your emails, anyone can learn about your work, relationships, vacations, and medical situation. Someone in control of your email account could even impersonate you and defraud your friends and business partners, as well as reset passwords to any account linked to the email address.

Email security matters. While perfect anonymity and security may be out of reach, it is comparatively easy, and inexpensive, to secure your account against even well-equipped adversaries.

Choose the right provider

Unless you take on the almost impossible task of running your own email server, you rely on others to configure your email account correctly and to provide reliable mechanisms that keep intruders out.

A good email provider encrypts emails sent from its servers to other providers and, ideally, warns you before sending if such encryption is not possible. Email encryption in transit uses the same technology that encrypts website traffic between a server and your browser: TLS.

TLS stands for Transport Layer Security. It encrypts your connection to a website and verifies the identity of the server you are connecting to. TLS is also used to encrypt your connection to an email server and the connections between email servers.

You can check whether your provider uses TLS correctly with a tool such as CheckTLS. Enter your email address (or any other address at the same domain) to see whether your provider's mail servers encrypt messages exchanged with other servers.

Ideally, your test results are all green, indicating that all emails are encrypted when sent between servers and that the certificates are valid.

If you see a red Fail under TLS, urge your email provider to configure its servers correctly, or switch providers. (Yes, the U.S. Military does not encrypt its email!)

In many cases you will see a mixed result: TLS passes but Cert OK fails. For nsa.gov, for example, the email servers use encryption but do not present a valid certificate, which leaves them vulnerable to man-in-the-middle attacks. If you encounter this problem, reach out to your email provider or system administrator, or look for a new provider.
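Two ways to run this check yourself, as an added example that is not part of the original article and not CheckTLS's code: `live_starttls_check()` connects to a mail server the way a CheckTLS-style tool does (the hostname `mx.example.org` is a hypothetical placeholder, and the call needs network access), and `audit_received_headers()` works offline on a message you already have by reading the `Received:` headers that each relay prepends. The sample message and its hostnames are constructed for the example.

```python
"""Two checks for TLS on the server-to-server leg of email delivery.

live_starttls_check() does what a CheckTLS-style tool does: connect to a mail
server, ask for STARTTLS, and validate the certificate. audit_received_headers()
works offline on a message you already have, reading the Received: trace headers
that every relay prepends (RFC 5321; protocol names from RFC 3848).
"""
import email
import re
import smtplib
import ssl


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX host (hypothetical: mx.example.org), request STARTTLS,
    and validate its certificate. Needs network access."""
    result = {"host": host, "starttls": False, "cert_ok": False, "error": None}
    # Verifies the chain against the system trust store and checks that the
    # certificate name matches `host` (check_hostname is True by default).
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"  # the 'TLS: Fail' case
                return result
            result["starttls"] = True
            smtp.starttls(context=ctx)  # raises if the certificate does not validate
            result["cert_ok"] = True
    except ssl.SSLCertVerificationError as exc:
        # The 'Cert OK: Fail' case: encrypted but not authenticated, so a
        # man-in-the-middle could present its own certificate unnoticed.
        result["error"] = f"certificate failed validation: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


def parse_received(value: str) -> dict:
    """Pull from/by/with out of one Received: header value.

    Protocol names ending in 'S' (ESMTPS, ESMTPSA, UTF8SMTPS) mean the hop used
    TLS; a trailing 'A' only says the sender authenticated (ESMTPA is plaintext).
    """
    flat = re.sub(r"\s+", " ", value).strip()  # undo header folding

    def clause(pattern: str):
        m = re.search(pattern, flat)
        return m.group(1).strip(";,") if m else None

    proto = clause(r"\bwith (\S+)")
    tls = bool(proto) and proto.upper().rstrip("A").endswith("S")
    return {"from": clause(r"^from (\S+)"), "by": clause(r"\bby (\S+)"),
            "with": proto, "tls": tls}


def audit_received_headers(raw_message: str) -> list:
    """Hops the message took, oldest first, each with a 'tls' flag."""
    msg = email.message_from_string(raw_message)
    # Relays prepend their Received: header, so the stored order is newest-first.
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def unencrypted_hops(hops: list) -> list:
    """Network hops made without TLS; LMTP/local are same-provider delivery steps."""
    return [h for h in hops
            if not h["tls"] and (h["with"] or "").upper() not in {"LMTP", "LOCAL"}]


# Constructed sample: three hops, newest Received: header first. Hop 1 was an
# authenticated but unencrypted submission (ESMTPA), hop 2 used TLS (ESMTPS).
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.20])
        by mail.example.com with LMTP id 4TZ9Q1;
        Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.5])
        by mx.example.org (Postfix) with ESMTPS id 9A1B2C3D
        (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:02 +0000
Received: from [10.0.0.7] (unknown [203.0.113.9])
        by smtp.sender.example (Postfix) with ESMTPA id 1234ABCD;
        Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@example.com
Subject: constructed sample message

Hello Bob.
"""

if __name__ == "__main__":
    hops = audit_received_headers(SAMPLE_MESSAGE)
    for h in hops:
        print(f"{h['from']:>22} -> {h['by']:<20} {h['with']:<8} TLS={h['tls']}")
    print("unencrypted network hops:", [h["from"] for h in unencrypted_hops(hops)])
```

The `Received:` audit only tells you what the relays recorded about each hop; it cannot show whether a certificate was valid, which is why the live check still matters. Note that an `ESMTPA` hop is authenticated but not encrypted, so it is reported just like a plain `ESMTP` hop.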

How to secure your email account

To ensure that no one else has access to your account, set a strong password, ideally using a password manager. The most crucial characteristic of your password is that it is unique: not only must you not use it on any other service, nobody else should be using it on any service either.

You will also need to check your provider's security settings carefully and enable two-factor authentication (2FA). 2FA works by requiring a secondary, one-time code when accessing your account. The code may be generated on a dedicated device or in an app, or sent by text message, which makes it hard for anyone else to get into your account. We also recommend a hardware key that implements the open FIDO U2F standard.

If you are using webmail, make sure you create a separate ‘app password’ or otherwise authenticate the client properly.

Webmail vs. email client

You can read and write your email either in webmail (i.e., in your browser) or in a dedicated email client such as Thunderbird.

In webmail, make sure you have navigated to the correct site before entering your password. A password manager or hardware key can help with that, since both are tied to the real site's address. The connection must be correctly encrypted, as indicated by the lock icon in your browser's address bar, and there must be no warnings or errors.

When using an email client, always make sure your emails are fetched and sent over an encrypted channel so they cannot be easily intercepted.

Regular housekeeping on your account is essential for good security. Make sure that no one has set up redirects or filters that automatically forward your email to another account.

Also review your previous logins and look for anything suspicious. Some email providers let you link your account to other apps or platforms; make sure that all of these integrations are both trustworthy and needed.
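Two of these housekeeping checks can be scripted. The following is an added example, not code from the original article or from any provider: `find_forwarding_rules()` scans a Sieve filter script (the filter language many providers let you download) for actions that send copies of your mail to another address, and `review_logins()` walks a login history and reports logins that introduced a never-before-seen IP address or location. The filter script, the login history and the `(timestamp, ip, location, client)` record layout are constructed for the example; adapt the loader to whatever format your provider exports.

```python
"""Account housekeeping: look for mail forwarding rules and unusual logins.

find_forwarding_rules() scans a Sieve filter script (RFC 5228, the filter
language many providers let you download) for actions that send copies of
your mail to another address. review_logins() walks a login history and
reports logins that introduced an IP address or location never seen before.
"""
import re
from datetime import datetime, timedelta

# Sieve actions that deliver mail elsewhere: 'redirect' (RFC 5228) and
# 'notify' with a mailto: target (RFC 5435). Captures the action and address.
_FORWARD_ACTIONS = re.compile(
    r'\b(redirect|notify)\b[^;]*?"(?:mailto:)?([^"\s]+@[^"\s]+)"', re.IGNORECASE)


def find_forwarding_rules(sieve_script: str, own_domains: set) -> list:
    """(line number, action, address, external) for each forwarding action.

    'external' is True when the address is outside the domains you own, which is
    the pattern an intruder uses to keep receiving your mail after losing access.
    """
    findings = []
    for lineno, line in enumerate(sieve_script.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):  # Sieve comment line
            continue
        for action, addr in _FORWARD_ACTIONS.findall(stripped):
            domain = addr.rsplit("@", 1)[1].lower()
            findings.append((lineno, action.lower(), addr, domain not in own_domains))
    return findings


def review_logins(history: list, baseline_days: int = 30) -> list:
    """history: (timestamp, ip, location, client) tuples in any order.

    Logins within `baseline_days` of the earliest entry seed the known IPs and
    locations; later logins that add a new IP or location are reported so you
    can compare them with your own devices and travel.
    """
    if not history:
        return []
    ordered = sorted(history)
    baseline_until = ordered[0][0] + timedelta(days=baseline_days)
    seen_ips, seen_locations, notable = set(), set(), []
    for when, ip, location, client in ordered:
        reasons = []
        if ip not in seen_ips:
            reasons.append("new IP")
        if location not in seen_locations:
            reasons.append("new location")
        seen_ips.add(ip)
        seen_locations.add(location)
        if reasons and when > baseline_until:
            notable.append({"when": when, "ip": ip, "location": location,
                            "client": client, "reasons": reasons})
    return notable


# Constructed sample filter script: one rule copies invoices to a second
# mailbox the owner controls, another quietly forwards everything elsewhere.
SAMPLE_SIEVE = """\
require ["fileinto", "copy"];
# Sort mailing list traffic
if header :contains "list-id" "announce.example.com" { fileinto "Lists"; }
# Keep a copy of invoices at a backup mailbox I also own
if header :contains "subject" "invoice" { redirect :copy "me@example.net"; }
if true { redirect "dropbox@unknown.example"; }
"""
OWN_DOMAINS = {"example.com", "example.net"}

# Constructed sample login history (timestamp, IP, location, client).
SAMPLE_LOGINS = [
    (datetime(2024, 1, 2, 8, 0), "203.0.113.4", "Berlin, DE", "Firefox"),
    (datetime(2024, 1, 15, 19, 30), "203.0.113.4", "Berlin, DE", "Thunderbird"),
    (datetime(2024, 2, 20, 9, 5), "198.51.100.77", "Berlin, DE", "Firefox"),
    (datetime(2024, 3, 3, 3, 12), "192.0.2.250", "Lagos, NG", "IMAP client"),
]

if __name__ == "__main__":
    for lineno, action, addr, external in find_forwarding_rules(SAMPLE_SIEVE, OWN_DOMAINS):
        print(f"line {lineno}: {action} -> {addr}" + ("  [EXTERNAL]" if external else ""))
    for entry in review_logins(SAMPLE_LOGINS):
        print(entry["when"], entry["ip"], entry["location"], ", ".join(entry["reasons"]))
```

A rule that forwards to an address you do not control is the finding to act on immediately; a rule to a mailbox you own is worth confirming you actually created. A new IP in a familiar city is often just a changed home connection, whereas a new IP and a new location together deserve a closer look.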

Don’t load images and be careful about tracking links

To measure the reach and effectiveness of their emails, many companies, especially newsletter providers, monitor the links in their emails. This lets them see how many people, and even exactly who, read the email, clicked on certain links, or forwarded it.

When you hover your mouse over a link, your browser should show you its destination, which you can copy into a text editor for further inspection. You could open the link in the Tor Browser to disguise your location, although this would still reveal the time at which you opened it.

Another strategy used to track you is to include images in emails. When you open the email, the image is automatically loaded from a remote server, and that request can carry a tracking code that reveals to the mailing-list administrators who opened the message. You can most likely configure your email provider not to load external images by default, which disables this kind of tracking.

Links may not only track you; they can also send you to sites that host malware or to phishing sites.
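The inspection described in this section can be automated over the HTML of a message before any image or link is touched. The following is an added example, not code from the original article: it parses the HTML with the standard library, lists remote images (flagging 1x1 tracking pixels), and reports links whose visible text names one host while the href points at another, the classic phishing pattern. The sample HTML, its hostnames and the `rcpt=` tracking parameter are constructed for the example; nothing is fetched.

```python
"""Scan an HTML email for remote images and deceptive links (standard library only).

Remote images, especially 1x1 'pixels', tell the sender who opened the message;
a link whose visible text names one site but whose href goes to another is the
classic phishing pattern. Nothing here fetches anything; it only reads the HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value) -> bool:
    """True for a width/height of 0 or 1 (with or without 'px')."""
    return value is not None and re.fullmatch(r"[01](px)?", value.strip().lower()) is not None


class EmailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images = []  # (src, looks like a tracking pixel)
        self.links = []          # (visible text, href)
        self._href = None        # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and (a.get("src") or "").lower().startswith(("http://", "https://")):
            # cid:/data: images ship inside the mail and do not phone home.
            self.remote_images.append((a["src"], _tiny(a.get("width")) and _tiny(a.get("height"))))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(s: str) -> str:
    """Hostname of a URL, or of URL-looking text such as 'www.bank.example/login'."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _same_site(a: str, b: str) -> bool:
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def deceptive_links(links: list) -> list:
    """Links whose visible text looks like an address but resolves to another host.

    Heuristic: text with a dot and no spaces is treated as a host name, so
    'www.bank.example' shown over an href to a different host is flagged.
    """
    return [(text, href) for text, href in links
            if "." in text and " " not in text and not _same_site(_host(text), _host(href))]


def scan_email_html(html: str) -> dict:
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "remote_images": scanner.remote_images,
        "tracking_pixels": [src for src, pixel in scanner.remote_images if pixel],
        "links": scanner.links,
        "deceptive_links": deceptive_links(scanner.links),
    }


# Constructed sample: a lookalike login link, a 1x1 open-tracking image with
# the recipient address baked into the URL, a normal logo and an inline image.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, please visit <a href="https://login.bank-example.test/verify">www.bank.example</a>
to confirm your details, or <a href="https://www.bank.example/help">visit our help centre</a>.</p>
<img src="https://news.example.net/open.gif?rcpt=bob%40example.com" width="1" height="1" alt="">
<img src="https://news.example.net/img/logo.png" width="200" height="60" alt="logo">
<img src="cid:logo-inline" alt="inline attachment">
<p><a href="https://news.example.net/u?id=8821">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = scan_email_html(SAMPLE_HTML)
    for key in ("tracking_pixels", "deceptive_links"):
        print(key, report[key])
```

The tracking pixel is recognisable by its size and by the per-recipient parameter in its URL, which is exactly what a mail client's "don't load external images" setting prevents from being requested. The deceptive-link check is a heuristic: it only compares hosts when the link text itself looks like an address, so ordinary "click here" links are not flagged.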

Be careful when opening attachments

Attachments can contain all kinds of malware, such as cryptolockers or trojans. Only open files that you expect, from senders you trust.

It is advisable to open commonly infected formats such as .pdf, .xls, and .doc using your webmail provider's built-in viewer or in a virtual machine. Either way, keep your computer up to date. Antivirus software helps but does not guarantee a virus-free computer.
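Before deciding how (or whether) to open an attachment, it helps to look at what the file actually is rather than what its name claims. The following is an added example, not code from the original article: it compares the file's leading bytes with the type implied by its extension, flags executables and double extensions, and, for zip-based Office documents, reports whether a VBA macro project is present. Everything is done on bytes in memory; nothing is rendered or executed. The sample attachments, including the minimal .docx-like zip, are constructed for the example.

```python
"""Look inside an attachment before deciding how to open it.

Checks the file's leading bytes against the type its name claims, and for
Office documents (which are zip containers) looks for an embedded VBA project,
i.e. macros. Everything here reads bytes only; nothing is executed or rendered.
"""
import io
import zipfile

# Leading bytes ('magic numbers') for the formats the article names, plus the
# Windows executable signature we never want to find behind a document name.
_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # .docx/.xlsx/.pptx are zip containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt
    b"MZ": "exe",
}
_EXPECTED = {"pdf": {"pdf"}, "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
             "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
             "docm": {"zip"}, "xlsm": {"zip"}}
_EXEC_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd"}


def detect_type(data: bytes) -> str:
    for magic, kind in _MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_ooxml_macros(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, data: bytes) -> dict:
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = detect_type(data)
    flags = []
    if kind == "exe":
        flags.append("executable content")
    if ext in _EXPECTED and kind not in _EXPECTED[ext]:
        flags.append(f"content ({kind}) does not match .{ext} extension")
    if kind == "zip" and has_ooxml_macros(data):
        flags.append("Office document contains macros")
    # 'invoice.pdf.exe' hides the real type in file managers that hide extensions.
    if len(parts) > 2 and ext in _EXEC_EXTENSIONS:
        flags.append("double extension ending in an executable type")
    return {"filename": filename, "extension": ext, "detected": kind, "flags": flags}


def _fake_docx(with_macro: bool) -> bytes:
    """Constructed minimal zip with just the entries this check cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed sample attachments (name -> bytes).
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # an executable wearing a .pdf name
    "notes.docx": _fake_docx(with_macro=False),
    "quarterly.docx": _fake_docx(with_macro=True),
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        info = inspect_attachment(name, data)
        print(f"{name:<20} {info['detected']:<8} {'; '.join(info['flags']) or 'no findings'}")
```

A file with no findings is not proven safe (a PDF can still carry an exploit), which is why the article's advice to open such formats in the webmail viewer or a virtual machine still applies; the point of the check is to catch the cases where the name is lying before anything is opened at all.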

Email encryption for advanced users

It is possible to encrypt emails to protect them from being snooped on, intercepted, or altered, even by the most skilled and well-funded adversaries.

Pretty Good Privacy (PGP), available as the free software GNU Privacy Guard (GPG), encrypts your email contents so that only the intended recipient can read them. However, it requires the recipient to use the software as well.

When using PGP, you and your contacts each create a key pair on your own devices, consisting of a public part and a private part. You exchange public keys, verify their authenticity, and encrypt your emails with the recipient's public key. Decryption requires the matching private key, which never leaves its owner's computer.

Though very secure, PGP still leaves some information out in the open, called metadata: the email addresses of the sender and recipient, the time the message was sent, and the approximate size of the email.

Avoiding metadata is difficult and might mean not using email at all. Consider, for example, Off-the-Record (OTR), an encrypted chat protocol. OTR encrypts your messages and creates a new key for each conversation, making it harder to link conversations to each other.

This article explains how to set up an anonymous Jabber account, enable OTR encryption, and route your chats through the Tor network.

Secure all your email accounts

When dealing with a reputable email provider, the most important thing is to secure your accounts: set a strong, unique password, use a password manager, and enable two-factor authentication!