Email security

How to Secure Your Email — The Key to Everything Else

By Sophie Bennett · 9 min read

Your email account is the master key to your online life, because nearly every other service uses it to reset passwords. Secure it with four things and you protect everything downstream: a long, unique password, two-factor authentication, up-to-date recovery options, and a regular check of your forwarding and filter rules. Get those right and an attacker who steals one website password still cannot reach your inbox — or use it against you.

Why your inbox is the crown jewels

Think about what happens when you forget a password. You click "forgot password", a reset link arrives in your email, and you set a new one. That convenience is also the risk: whoever controls your inbox can trigger those resets for your bank, your shopping accounts, your social media and more. Compromising one ordinary password is a nuisance; compromising your email can unravel your whole digital life. That is why it deserves your very best protection.

Step 1: A long, unique password

Your email password should be unlike any other you use and long enough to be impractical to guess. Length matters more than fiddly symbols, so favour a lengthy random string or a memorable passphrase of several unrelated words. Create one with our password generator and, if you want reassurance, paste a candidate into our password analyser to see its estimated strength — all without anything leaving your browser.

Crucially, this password must be unique. If you have reused your email password anywhere, change it now, because a leak from that other site would hand over your inbox too. Our guide to why reusing passwords is so dangerous explains exactly how that chain reaction unfolds.
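To make the "length matters more than fiddly symbols" point concrete, here is a small added example (not code from the article or its password generator) that builds a passphrase with the operating system's cryptographic random source and compares its entropy with that of a short mixed-character string. The wordlist, the 7776-word list size and the 94-symbol printable alphabet are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed wordlist, for illustration only (an assumption, not from the
# article). A real passphrase should be drawn from a published list of several
# thousand words so that every word adds roughly 13 bits of entropy.
SAMPLE_WORDS = [
    "anchor", "velvet", "comet", "ladder", "pebble", "tundra", "walrus",
    "quartz", "meadow", "harbor", "falcon", "ember", "lantern", "orbit",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: `length` symbols, each chosen
    independently from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_random_string(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random string over the printable ASCII alphabet, also via the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength(word_count: int = 5, list_size: int = 7776,
                     string_length: int = 8, alphabet_size: int = len(PRINTABLE)) -> dict:
    """Why length beats symbol variety: five words from a 7776-word list carry
    more entropy than an 8-character string of mixed letters, digits and punctuation."""
    return {
        "passphrase_bits": entropy_bits(list_size, word_count),
        "random_string_bits": entropy_bits(alphabet_size, string_length),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(generate_random_string())
    print(compare_strength())
```

The entropy figures assume each word or character is chosen uniformly and independently, which is exactly what `secrets.choice` gives you; a passphrase you invent yourself from favourite words does not get that guarantee.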

Step 2: Two-factor authentication

This is the single highest-value setting on your email account. With a second factor enabled, a stolen password is no longer enough to sign in. Choose an authenticator app or a passkey rather than text-message codes where you can, since app codes and passkeys are harder to intercept than text messages. If the terms feel unfamiliar, our plain-English guide to two-factor authentication and passkeys walks through the choices. Remember to save your backup codes somewhere safe and offline.

Do these two first: a unique password and a strong second factor on your email together block the overwhelming majority of inbox takeovers. Everything else below is valuable polish on top of that foundation.

Step 3: Keep recovery options current

Account recovery is a double-edged sword. The backup email address and phone number on file are how you get back in if you are locked out — but they are also a route an attacker can exploit if they are outdated or point to something you no longer control. Review them once or twice a year, and whenever you change your number. Make sure every recovery method genuinely belongs to you, and remove any you no longer recognise.

Be cautious with security questions, too. Answers like your first school or pet's name are often discoverable or guessable. Where you must use them, treat the answers like passwords: invent something unrelated and store it safely rather than giving the honest, findable answer.

Step 4: Check forwarding and filter rules

This is the step almost nobody thinks of, and it is a favourite trick of attackers. If someone gains brief access to your inbox, they may set up a rule that quietly forwards copies of your mail to themselves, or that automatically files and hides messages from your bank. Even after you change your password, that rule can keep leaking your mail or hiding alerts.

Open your mail settings and review the forwarding, filters and rules sections. Delete anything you did not create yourself. Make this part of your routine review, especially after any sign-in alert you cannot explain. It takes two minutes and closes a gap that can otherwise go unnoticed for months.
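As an added illustration of what that review is looking for (example code, not from the article or any mail provider), the script below audits a list of mail rules and flags the two patterns described above: a rule that forwards copies to an address outside your own domain, and a rule that marks as read, deletes or files away messages matching sensitive terms such as "bank" or "security alert". The rule fields, the domain list and the sample rules are constructed assumptions; a real provider's export would need mapping onto this shape.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions, not from the article: a simplified model of the fields mail
# providers expose for rules, plus constructed domains and terms to match on.
OWN_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"trash", "archive", "spam", "junk", "deleted"}
SENSITIVE_TERMS = {"bank", "password", "security alert", "sign-in", "verification", "reset"}


@dataclass
class MailRule:
    name: str
    match_terms: List[str]          # words the rule matches in sender or subject
    forward_to: Optional[str] = None
    mark_read: bool = False
    delete: bool = False
    move_to: Optional[str] = None


def external_forward(rule: MailRule, own_domains) -> Optional[str]:
    """Return the forwarding address if it leaves the user's own domains, else None."""
    if not rule.forward_to or "@" not in rule.forward_to:
        return None
    domain = rule.forward_to.rsplit("@", 1)[1].lower()
    return None if domain in own_domains else rule.forward_to


def hides_sensitive_mail(rule: MailRule) -> bool:
    """True when the rule buries messages whose match terms look security-relevant."""
    hides = rule.delete or rule.mark_read or (
        rule.move_to is not None and rule.move_to.lower() in HIDING_FOLDERS)
    haystack = " ".join(rule.match_terms).lower()
    return hides and any(term in haystack for term in SENSITIVE_TERMS)


def audit_rules(rules: List[MailRule], own_domains=OWN_DOMAINS) -> List[Tuple[str, List[str]]]:
    """Return (rule name, reasons) for every rule that deserves a second look."""
    findings = []
    for rule in rules:
        reasons = []
        addr = external_forward(rule, own_domains)
        if addr:
            reasons.append(f"forwards mail to external address {addr}")
        if hides_sensitive_mail(rule):
            reasons.append("hides messages matching: " + ", ".join(rule.match_terms))
        if reasons:
            findings.append((rule.name, reasons))
    return findings


# Constructed sample: one benign rule and two of the kind the article warns about.
SAMPLE_RULES = [
    MailRule("Newsletters", ["newsletter", "unsubscribe"], move_to="Newsletters"),
    MailRule("Backup copy", ["*"], forward_to="copies@unknown-mailbox.example"),
    MailRule("Tidy", ["bank", "security alert"], mark_read=True, move_to="Trash"),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"REVIEW {name!r}: " + "; ".join(reasons))
```

The check is deliberately conservative: any external forward is reported, because a legitimate one is easy to confirm by eye, while a missed one can leak mail for months.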

Step 5: Notice the signs of trouble

Stay alert to small warnings: sign-in notifications from places you have not been, password-reset emails you did not request, or messages in your sent folder you did not write. Any of these is a cue to change your password immediately, enable or re-check 2FA, and review your rules and recovery options. If you suspect a wider exposure, our calm seven-step breach plan gives you a clear order to work through.

A note on phishing

Many inbox compromises start with a convincing fake login page rather than a clever hack. Treat unexpected "verify your account" emails with suspicion, never sign in via a link in a message, and reach the site by typing its address yourself. The pressure tactics behind these messages are predictable once you know them — see our guide to recognising social engineering.

The bottom line

Treat your email as the most important account you own, because in practice it is. A unique password, a strong second factor, current recovery options and a clean set of forwarding rules turn your inbox from a single point of failure into a well-defended hub. Spend twenty minutes on it today and you will protect dozens of other accounts at the same time.

Frequently asked questions

Why is my email account so important to protect?

Almost every other account uses your inbox for password resets. Anyone who controls your email can request reset links and quietly take over your other accounts, so it deserves your strongest protection.

What is the single best thing I can do for email security?

Combine a long, unique password with two-factor authentication, ideally an authenticator app or passkey. Together they stop the vast majority of email takeovers.

What are email forwarding rules and why check them?

Forwarding and filter rules can silently send copies of your messages elsewhere or hide them. Attackers sometimes add these after gaining access, so reviewing your rules helps you spot and remove anything you did not set up.

How often should I review my recovery options?

Check them once or twice a year and whenever you change phone number. Make sure the backup email and phone listed are still yours, so you can always recover the account and an attacker cannot.

Should I use my main email to sign up for everything?

Consider a separate address for newsletters and shopping, keeping your main inbox for important accounts. This reduces exposure and makes suspicious messages to your primary address easier to notice.

This article is general online-safety education, not professional security advice.