How to Harden Your Email Security: A Complete Guide Beyond Just a Strong Password

Your email is the skeleton key to your entire digital life. If someone gets into your email, they can reset the password on everything else. Here's how to lock it down properly — from authentication to recovery options to advanced settings most people never touch.

If someone gains access to your email account, they effectively gain access to everything. Your bank sends password reset links to your email. Your social media accounts use your email for recovery. Your cloud storage, your investment accounts, your shopping accounts, your healthcare portal — they all rely on your email as the ultimate authentication channel.

Compromising your email is the master key that unlocks every other door.

And yet most people protect their email with nothing more than a password they also use on three other sites and maybe, if they've been nagged enough, SMS-based two-factor authentication that's vulnerable to SIM swapping.

Your email deserves the strongest security you can give it. Here's exactly how to do that, step by step, for the two most popular email providers.

Gmail: Advanced Security Settings

1. Use a Strong, Unique Password

This should go without saying, but your Gmail password should be completely unique — never used anywhere else — and randomly generated by your password manager. If you haven't already made the switch to a password manager, our password creation guide explains why and how.

2. Enable the Strongest Available 2FA

Go to myaccount.google.com/security and navigate to the "How you sign in to Google" section.

The hierarchy of 2FA strength for Google accounts, from strongest to weakest:

Passkeys (best option). Google now supports passkeys, which use biometric authentication (fingerprint or face) on your devices. Passkeys are phishing-resistant — they can't be intercepted or stolen through fake login pages. If your devices support them, this is the best option.

Hardware security keys. Physical keys like YubiKey that plug into USB or connect via NFC. These are also phishing-resistant and are the gold standard for high-security accounts.

Google Authenticator or similar TOTP app. Generates time-based codes on your device. Much stronger than SMS because it can't be intercepted through SIM swapping.

SMS-based codes (avoid if possible). Vulnerable to SIM swapping attacks, as we covered in our SIM swapping article. Use only as a last resort.

3. Review Recovery Options

Go to your Google Account → Security → Ways we can verify it's you. You'll see your recovery phone number and recovery email address.

Make sure your recovery email is also a secured account. If your recovery email is a forgotten Hotmail account from 2008 with the password "sunshine123," an attacker can compromise that account and use it to take over your Gmail.

Consider whether you need a recovery phone number at all. It provides convenience for account recovery but also creates a SIM swapping attack surface. If you're using strong 2FA (passkey or hardware key) and have backup codes stored securely, you may not need a recovery phone number.

4. Review Connected Apps and Devices

Go to myaccount.google.com/permissions and review every app that has access to your Google account. Revoke access for anything you don't actively use.

Go to myaccount.google.com/device-activity and review all devices currently signed into your account. If you see a device you don't recognize, remove it immediately and change your password.

5. Enable Google's Advanced Protection Program

For users who want maximum security, Google offers the Advanced Protection Program. This requires hardware security keys for login and adds extra protections including stricter download filtering, limited third-party app access, and enhanced account recovery procedures.

It's designed for journalists, activists, political campaigns, and anyone at elevated risk — but anyone can enroll.

6. Check Email Forwarding Rules

Attackers who gain temporary access to your email sometimes set up forwarding rules that silently copy all incoming email to their own address. Even after you change your password, they continue receiving copies of everything.

In Gmail: Settings → See all settings → Forwarding and POP/IMAP. Make sure no forwarding addresses are configured that you didn't set up.

Also check: Settings → Filters and Blocked Addresses. Look for any filter rules that automatically forward, archive, or delete emails. Attackers sometimes create filters that move security alerts to trash so you never see them.
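As an added example (not from the original article), here is a small Python audit of a Gmail filter export: the Filters and Blocked Addresses page lets you select filters and export them as an Atom XML file, and this script flags any rule that forwards mail elsewhere or trashes, archives or marks-as-read messages whose match terms look like security notifications. The export embedded below is constructed for illustration and the forwarding address in it is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Filter actions that keep a message out of sight in the inbox.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}
# Match terms suggesting the rule targets security notifications.
ALERT_TERMS = ("security alert", "new sign-in", "password", "verification code", "2-step")

# Constructed sample in Gmail's filter export format (not a real export).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='security alert OR new sign-in'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='unknown-address@example.net'/>
  </entry>
</feed>"""

def audit_gmail_filters(xml_text):
    """Return (reason, properties) for every filter that deserves a second look."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        # Text the filter matches on, lower-cased for keyword comparison.
        criteria = " ".join(v.lower() for k, v in props.items()
                            if k in ("from", "to", "subject", "hasTheWord"))
        hides = HIDING_ACTIONS & {k for k, v in props.items() if v == "true"}
        if hides and any(term in criteria for term in ALERT_TERMS):
            findings.append(("hides security-related mail via " + ", ".join(sorted(hides)), props))
        if "forwardTo" in props:  # any forward is worth confirming you created it
            findings.append(("forwards mail to " + props["forwardTo"], props))
    return findings

if __name__ == "__main__":
    for reason, props in audit_gmail_filters(SAMPLE_EXPORT):
        print(reason, "->", props)
```

The newsletter filter is left alone because archiving is normal for mail you chose to label; only the rule that buries security alerts and the rule that forwards mail are reported.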

Outlook/Microsoft: Advanced Security Settings

1. Strong Password + Microsoft Authenticator

Same principle as Gmail — unique, randomly generated password stored in your password manager.

For 2FA, Microsoft pushes its own Authenticator app, which supports passwordless sign-in through push notifications. This is convenient and reasonably secure. Hardware security keys are also supported.

Go to account.microsoft.com/security to manage these settings.

2. Review Account Aliases

Microsoft accounts can have multiple email aliases (alternative addresses that log into the same account). Go to account.microsoft.com → Your info → Manage how you sign in. Make sure there aren't any aliases you don't recognize.

3. Review Sign-in Activity

Go to account.microsoft.com → Security → Sign-in activity. Review recent logins for unfamiliar locations or devices.

4. Check Inbox Rules and Forwarding

In Outlook Web: Settings → Mail → Rules. Review all rules for anything you didn't create. Also check Settings → Mail → Forwarding to ensure no unexpected forwarding is configured.

Universal Email Security Practices

These apply regardless of your email provider.

Use Email Aliases for Account Registrations

Don't use your primary email address to register for every service. Use aliases (Apple's Hide My Email, SimpleLogin, Firefox Relay) so that if a service gets breached, your primary email address isn't exposed.

Don't Click Links in Unsolicited Emails

Phishing remains the #1 way email accounts get compromised. Never click on a link in an email asking you to "verify your account" or "update your payment information." Go directly to the service's website by typing the URL yourself.

Don't Access Email on Public Wi-Fi Without Protection

If you must check email on a public network, use a VPN. Public Wi-Fi networks can allow attackers to intercept your traffic, and email credentials sent over an insecure connection can be captured.

Set Up Login Notifications

Both Gmail and Outlook can notify you when your account is accessed from a new device or location. Enable these notifications so you can detect unauthorized access as quickly as possible.

Consider Email Encryption for Sensitive Messages

For messages containing genuinely sensitive information — medical records, legal matters, financial details — consider using end-to-end encrypted email. ProtonMail provides encryption by default between ProtonMail users, and encrypted communication with non-ProtonMail users through password-protected messages.

Recognize Email Compromise Indicators

Sometimes an email account is compromised without the owner immediately noticing. Watch for these signs that your account may have been accessed by someone else:

  • Emails in your "Sent" folder that you didn't send.
  • Replies from people to messages you didn't write.
  • Missing emails that others claim they sent you (an attacker may be deleting them).
  • Login notifications from locations or devices you don't recognize.
  • Password reset emails arriving for services you didn't request.

If you notice any of these signs, immediately change your password, review all account settings (especially forwarding rules and connected apps), terminate all active sessions, and check other accounts that use the same email for recovery.

Practice Email Hygiene for Long-Term Security

Your inbox is an archive of sensitive information stretching back years. Old emails contain password reset links, financial statements, private conversations, and enough personal details to enable identity theft.

Periodically delete old emails you no longer need — especially those containing financial information, personal identification, or password-related messages. Don't keep ten years of bank statements in your inbox "just in case." Download what you need to a secure local backup, then delete the emails.

Disable email preview panes if you receive a lot of suspicious email, as some tracking pixels and exploits can trigger just by previewing a message.

Create and Store Backup Codes

When you enable 2FA, you're usually given a set of backup codes. These are your emergency access if you lose your phone or your authenticator app. Print them. Store them in a physically secure location. Don't store them on the same device you use for authentication.

The Email Security Audit Checklist

Run through this list right now:

  • Password is unique and randomly generated
  • 2FA is enabled (passkey > hardware key > authenticator app > SMS)
  • Recovery email is also a secured account
  • Recovery phone number is reviewed (consider removing if using strong 2FA)
  • All connected apps/services are recognized and currently used
  • All signed-in devices are recognized
  • No unexpected forwarding rules or email filters
  • Login notifications are enabled
  • Backup codes are generated and securely stored

Your email is the foundation. Everything else rests on it. Secure it like it matters — because it does.

Written by

Adhen Prasetiyo

Research Bug Bounty Professional, freelance at HackerOne, Intigriti, and Bugcrowd.