OPSEC Tutorial #17: Email Security Basics
Series: Operational Security (OPSEC) Fundamentals
Difficulty: Beginner-Intermediate
Time to Complete: 30-45 minutes
Category: Digital Protection / Operational Security
Overview
Email is one of the most attacked communication channels. It is often the gateway to your entire digital identity—compromise your email, and attackers can reset passwords for every other account you own.
This tutorial covers practical steps to secure your email accounts, recognize threats, and maintain privacy in your communications.
Note: This tutorial focuses on defensive security practices for protecting your personal communications and accounts.
Why Email Security Matters
Email is your digital identity hub:
- Password resets for every other account flow through email
- Financial institutions send sensitive information
- Two-factor authentication codes arrive via email
- Personal and professional communications are stored there
- Some providers scan message content for advertising and profiling, and all of them hold your metadata
Common threats:
- Phishing: Fake emails designed to steal credentials
- Account takeover: Attackers gain access to read/send as you
- Data breaches: Provider compromises expose your messages
- Surveillance: Governments and corporations monitor communications
- Metadata exposure: Even encrypted email reveals who contacted whom and when
Step 1: Secure Your Email Account
Enable Strong Authentication
Two-Factor Authentication (2FA) is non-negotiable:
| Provider | 2FA Setup Path |
|---|---|
| Gmail | myaccount.google.com → Security → 2-Step Verification |
| Outlook/Hotmail | account.microsoft.com → Security → Advanced security options |
| Yahoo | login.yahoo.com/account/security → Two-step verification |
| Proton Mail | Settings → Security → Two-factor authentication |
| iCloud | appleid.apple.com → Sign-In and Security |
2FA Methods (ranked by security):
- Security keys (YubiKey, Titan) - Most secure; phishing-resistant because the key only answers the site it was registered with, so a lookalike login page gets nothing it can replay
- Authenticator apps (Raivo, 2FAS, Aegis) - Strong and works offline, but the six-digit code can be relayed by a real-time phishing page, so it is not phishing-resistant
- SMS codes - Better than nothing, but vulnerable to SIM swapping and to the same relay attack
- Email codes - Only use as last resort (circular dependency: if the email account is what you are protecting, the code lands in the attacker's inbox)
Action items:
- Enable 2FA on ALL email accounts
- Use authenticator app or security key (not SMS if possible)
- Save backup codes in password manager and printed copy
- Remove old/unused recovery phone numbers
Use a Strong, Unique Password
Password requirements:
- Minimum 16 characters; length and randomness matter more than forced character classes, so a random five- or six-word passphrase is also fine
- Mix of uppercase, lowercase, numbers, symbols where the site requires it
- Never reused on any other site
- Generated by password manager (not human-created)
Examples of strong passwords:
✓ Xk9#mL2$pQ7@nR4!vB8 (password manager generated)
✗ John1985! (personal info, predictable)
✗ Password123 (common pattern)
✗ iloveyou (dictionary word)
Action items:
- Install password manager (Bitwarden, KeePassXC)
- Generate new password for primary email
- Update password on all email accounts
- Never share email password via any channel
Review Account Recovery Options
Recovery settings to check:
- Recovery email address
  - Should be an account you control
  - Must also have 2FA enabled
  - Consider using a different provider than primary
- Recovery phone number
  - Keep current and accessible
  - Be aware this can be used for SIM swapping attacks
  - Consider using Google Voice or similar as buffer
- Security questions
  - Use nonsense answers stored in password manager
  - Never use real answers (mother's maiden name, pet names, etc.)
  - Example: Question “What city were you born in?” → Answer “Correct-Horse-Battery-Staple-42” (illustration only: that phrase is famous, so generate your own random answer)
- Trusted devices and sessions
  - Review list of logged-in devices
  - Remove any you do not recognize
  - Log out of all sessions periodically
Action items:
- Review and update recovery email
- Verify recovery phone number is current
- Replace security question answers with random strings
- Review active sessions, remove unknown devices
Step 2: Choose a Secure Email Provider
Recommended Providers
| Provider | Encryption | Jurisdiction | Free Tier | Best For |
|---|---|---|---|---|
| Proton Mail | Zero-access at rest; end-to-end between Proton users or via PGP | Switzerland | Yes (500MB) | Most users |
| Tuta (Tutanota) | Zero-access at rest; end-to-end between Tuta users (own format, no PGP) | Germany | Yes (1GB) | Privacy focus |
| Mailbox.org | PGP optional | Germany | No (€1/month) | Business |
| Fastmail | PGP optional | Australia | No ($3/month) | Features |
Storage quotas and prices change often; confirm them on each provider's plan page before choosing.
Why Consider Encrypted Email
Benefits:
- Provider cannot read your messages (zero-knowledge encryption)
- Message bodies cannot be produced in plaintext even under a valid legal order; the provider can still be compelled to hand over what it holds, such as account details, metadata, and any logs it keeps
- Secure from internal employee access
- Messages encrypted at rest and in transit
Limitations:
- Metadata (sender, recipient, date, subject) often still visible
- Both parties need encrypted email for full end-to-end protection
- Some features limited compared to Gmail/Outlook
- Search functionality may be reduced
Action items:
- Evaluate if encrypted email fits your threat model
- Consider Proton Mail or Tuta for sensitive communications
- Keep existing email for non-sensitive accounts (gradual migration)
- Understand limitations before switching
Step 3: Practice Email Hygiene
Compartmentalize Your Email Addresses
Use different addresses for different purposes:
| Email Type | Purpose | Example Provider |
|---|---|---|
| Primary/Personal | Family, close friends, important accounts | Proton Mail |
| Financial | Banks, investments, taxes | Separate Proton account |
| Shopping | Online purchases, retail accounts | Alias service |
| Public/Disposable | Forums, social media, one-time signups | Temporary email |
Use Email Aliases
Alias services forward email without revealing your real address:
| Service | Type | Cost | Features |
|---|---|---|---|
| SimpleLogin | Forwarding | Free-$10/mo | Owned by Proton, unlimited aliases |
| addy.io (formerly AnonAddy) | Forwarding | Free-$12/mo | Open source, custom domains |
| Apple Hide My Email | iCloud+ | Included | iOS/Mac integration |
| Firefox Relay | Forwarding | Free-$1/mo | Mozilla-backed, 5 free aliases |
| DuckDuckGo Email | Forwarding | Free | @duck.com addresses |
How aliases work:
- Create alias (e.g., shopping-123@simplelogin.com)
- Use alias when signing up for services
- Emails forward to your real inbox
- If alias is compromised, disable it instantly
- Real email address never exposed
- Caveat: the forwarding service relays every message in plaintext unless you enable PGP encryption of forwarded mail (SimpleLogin and addy.io support this), so it is one more party that can read your mail
Action items:
- Sign up for alias service (SimpleLogin recommended)
- Create aliases for shopping, forums, newsletters
- Update existing accounts to use aliases where possible
- Disable aliases that receive spam
Step 4: Recognize and Avoid Phishing
Common Phishing Indicators
Red flags in emails:
- Urgency: “Act now!” “Account will be closed!” “Immediate action required!”
- Generic greetings: “Dear Customer” instead of your name
- Suspicious sender address: support@amaz0n-security.com instead of amazon.com (check the actual address, not just the display name)
- Unexpected attachments: Especially .exe, .zip, .scr files and documents that ask you to enable macros
- Requests for sensitive info: Passwords, SSN, credit card numbers
- Mismatched links: the visible link text shows one address, but the real destination (hover to see it) is another
- Poor grammar/spelling: Still a useful signal, but well-written phishing is common now, so clean prose proves nothing
- Threats: “Your account will be suspended” or legal threats
Verification Steps
Before clicking any link or attachment:
- Check sender address carefully — Look for subtle misspellings
- Hover over links — See actual destination URL before clicking
- Navigate directly — Go to website by typing URL, not clicking email links
- Contact through known channel — Call company using number from their official website
- Check email headers — Advanced users can read the Authentication-Results header that their own mail server adds to see the SPF/DKIM/DMARC verdicts; a pass only proves the message came from the domain it names, so mail from a lookalike domain the attacker registered passes all three
Action items:
- Learn to identify phishing indicators
- Never click links in unexpected emails
- Verify suspicious emails through independent channel
- Report phishing to provider and appropriate authorities
Step 5: Secure Email in Transit
Use HTTPS Always
Verify secure connection:
- URL should start with https:// (not http://)
- Look for padlock icon in browser
- Never enter credentials on HTTP pages
- Turn on your browser's HTTPS-Only mode (current Firefox, Chrome and Edge have one); the HTTPS Everywhere extension has been retired
Consider PGP Encryption (Advanced)
What is PGP:
- Pretty Good Privacy encryption standard
- End-to-end encryption for email
- Requires both sender and recipient to use PGP
- Messages encrypted before leaving your device
PGP setup overview:
- Generate key pair (public + private key)
- Upload public key to a key server (keys.openpgp.org verifies the address before publishing it)
- Share public key with contacts, and verify fingerprints out of band before trusting a key you did not receive directly
- Keep private key secure and password-protected, with an offline backup and a revocation certificate
- Use email client with PGP support (Thunderbird has OpenPGP built in since version 78, so the old Enigmail add-on is no longer needed; Mailvelope for webmail)
Limitations:
- Steep learning curve
- Both parties must participate
- Metadata still visible
- Limited mobile support
- Key management complexity
Action items:
- Ensure HTTPS is always used for webmail
- Consider PGP only if you have contacts who use it
- For most users, encrypted email provider is simpler alternative
Step 6: Monitor for Compromise
Check for Data Breaches
Services to monitor your email:
| Service | Purpose | URL |
|---|---|---|
| Have I Been Pwned | Breach notifications | haveibeenpwned.com |
| Firefox Monitor | Breach alerts | monitor.firefox.com |
| Google Dark Web Report | Google account monitoring | one.google.com |
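Have I Been Pwned also publishes its Pwned Passwords corpus through a range API that lets you test a password without disclosing it. The script below is an added example, not code from this tutorial or from HIBP: it hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally (k-anonymity), so neither the password nor its full hash leaves the machine. The live endpoint and the Add-Padding header are real; the SAMPLE_RANGE response, its counts and the offline_fetch helper are constructed so the example runs without network access.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus without
sending the password or its full hash. Added example; not from the tutorial.
Only the first five hex characters of the SHA-1 hash are transmitted, and the
match against the returned range is made locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: the 5-char
    prefix is the only thing sent; the 35-char suffix stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}.
    Entries with count 0 are padding added when the Add-Padding header is sent."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Live fetch of one hash range. Add-Padding asks the API to pad the
    response so its size does not reveal which range was requested."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "opsec-tutorial-range-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the check can be exercised offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

# Constructed stand-in for the API response to range 5BAA6 (the range that
# contains SHA-1("password")); the counts and the other suffixes are made up.
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F5B9A0C7D4E3B2A1908F7E6D5C4B3A2918:0
A1B2C3D4E5F60718293A4B5C6D7E8F90123:12
"""

def offline_fetch(prefix):
    """Offline substitute for fetch_range that only knows the constructed range."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for candidate in ("password", "Xk9#mL2$pQ7@nR4!vB8"):
        hits = pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {hits} times, do not use" if hits else "not in the constructed sample"
        print(f"{candidate!r}: {verdict}")
```

To run it for real, call pwned_count(password) without the fetch argument. A non-zero count means the password is in public breach corpora and should be retired everywhere it is used, which is the same advice as the breach checklist below.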
What to do if breached:
- Change password immediately
- Enable/strengthen 2FA
- Review account activity for unauthorized access
- Update passwords on any accounts using same password
- Monitor for identity theft
Review Account Activity Regularly
Check monthly:
- Login history and locations
- Forwarding rules (attackers may add rules to hide activity)
- Filters and labels (may be used to hide evidence)
- Connected apps and permissions
- Sent items for messages you did not send
Action items:
- Sign up for breach monitoring (Have I Been Pwned)
- Review account activity monthly
- Check for unknown forwarding rules
- Audit connected third-party apps
Quick Reference: Email Security Checklist
Immediate Actions (Today)
- Enable 2FA on all email accounts
- Update to strong, unique passwords
- Review and update recovery options
- Check active sessions, log out unknown devices
- Sign up for breach monitoring
Short-Term (This Week)
- Set up email alias service
- Create compartmentalized email addresses
- Review and clean up connected apps
- Learn phishing indicators
- Consider encrypted email provider for sensitive communications
Ongoing Practices
- Never click suspicious links
- Verify unexpected requests through independent channel
- Review account activity monthly
- Keep software and apps updated
- Monitor for breach notifications
What NOT to Do
Never:
- Reuse email password on other sites
- Click links in unexpected emails
- Enter credentials on pages reached via email links
- Share passwords via email, SMS, or messaging apps
- Use personal info in passwords or security questions
- Leave email logged in on shared computers
- Ignore 2FA setup (it is critical)
- Use SMS for 2FA if authenticator app is available
- Store password in browser (use password manager)
- Open attachments from unknown senders
Sources and Further Reading
Credible Sources:
- EFF Surveillance Self-Defense: https://ssd.eff.org/
- CISA Email Security Tips: https://www.cisa.gov/shield
- FTC Phishing Resources: https://www.consumer.ftc.gov/articles/how-avoid-phishing-scams
- Proton Mail Security Guide: https://proton.me/security
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Recommended Reading:
- EFF Deeplinks Blog: https://www.eff.org/deeplinks
- Krebs on Security: https://krebsonsecurity.com/
Related Tutorials in This Series
- Tutorial #14: OPSEC - Password Management
- Tutorial #15: OPSEC - Two-Factor Authentication Setup
- Tutorial #16: OPSEC - Browser Privacy Hardening
- Tutorial #18: OPSEC - Social Media Privacy
Last Updated: April 2026
Sources: EFF, CISA, FTC, NIST, Provider Documentation
Legal Notice: This guide is for educational and defensive security purposes. Always comply with applicable laws and regulations in your jurisdiction.