Secure your email communications

به روز شده10 October 2024

An email is a text message (which can be accompanied by file attachments) that you send through the browser or using a mail client app installed on your device (for example Thunderbird or K-9 Mail). When you click the Send button, your message reaches your email provider's servers, where it is stored (usually in your Sent folder) and can also be backed up. Your provider then forwards it to the server of the provider used by your recipients, where it is stored (and can be backed up again). Finally, the email is delivered to your recipients, who read it through their browsers or mail clients of choice. At this point recipients can decide to either keep the email stored online or download it to their devices and delete it from their provider's servers.

Nowadays many people use email only rarely, and prefer to use encrypted chat apps or video calls for their everyday communications. However, we still use email for many different reasons, especially to create other online accounts and to organize our work and conversations based on different parameters.

By default, email is not the most secure method of online communication, since it is not encrypted, carries a lot of metadata, persists on the providers' servers and can expose you to phishing, malware infections and other attacks. Still, it is a resilient technology that will ensure the continuity of communications even if servers stop functioning for a while, and as explained in this guide, there are ways of making it more secure.

Choose an email provider

Ask yourself these questions to learn how to choose an email provider:

• Is it a mature platform? Is it actively maintained and developed? Does it have a large base of users?
• Where is the provider based? And where are the servers? Are they in a country that would comply with a request by authorities from your own country? And is that country enforcing human rights and consumer protection? It is important to know whether the email provider will respect your privacy and rights, and under what circumstances it will comply with requests to provide access to your information.
• Can you trust the owners of the servers both from a technical and an ethical point of view? What's their history and mission? Do they regularly publish transparency reports or canary statements? Have they been independently audited? Do they store information on their clients for a long time? If they ever received requests for information by state authorities, how did they respond?
• Do they use free and open-source software in their servers? If they offer a mobile app, is it also free and open-source?
• Do they encrypt email in transit with TLS? You can check if they do by running a test on checktls.com.
• Are individual mailboxes encrypted inside the server?
• Do they offer 2-factor authentication?
• Do they offer end-to-end encryption between their own users?
• Do they offer a way of encrypting emails in general through their app? Is this feature based on mature free and open-source software for end-to-end encryption like OpenPGP?
• Do they offer additional services like a calendar, a file storage platform or a VPN?
• Is it a paid service? If it's not paid, what's the provider's business model?

See our list of email providers to decide where to create your new email account.

In some situations, you may choose to activate an email account on a mainstream server like Gmail, for example to avoid using an uncommon domain name that is mainly used by activists. If this is the case, take into account the risk that a commercial email provider may hand over your data to the authorities in case of an investigation and consider encrypting your email.

• If you decide to create a Gmail account, read our guide on how to use Gmail more securely.

Secure your email account

When creating a new email account, immediately secure it with a strong password and, if possible, with 2-factor authentication.

When setting your new password, you will probably also have to set one or more recovery questions. In these cases, it's always a good idea to provide fake replies. Learn what kind of strategies you can apply in these cases in our guide on safe passwords.

Consider using a disposable mail account

• If you need an email address only to receive emails for a short period of time, you can create a disposable mailbox on Guerrilla Mail or on anonbox.

Consider using email aliases

• Create an alternative address connected to your mailbox, for example to prevent spam.
  • Learn how to create an alias on Proton Mail, Riseup, Autistici/Inventati, Disroot, Posteo and Mailfence.
  • Learn how to configure Thunderbird and K-9 Mail to send messages from an alias.

[Optional] Create an anonymous email

If you would like to create an email account that is not connected to your official identity and can't be traced back to you, follow the instructions in our guide on anonymity to learn how to create and use an email account anonymously.

Decide how to access your mailbox

• If the service you have chosen allows for it, use Thunderbird on your computer.
  • Learn how to set up an account in Thunderbird.
• If the service you have chosen does not offer a mobile app, use K-9 Mail on your mobile device or Thunderbird on Android.
  • Learn how to set up an account in K-9 Mail.
• If you have more than one email address, consider organizing all your mail in a mail client like Thunderbird for computers and Android and K-9 Mail for mobile devices.
  • Learn how to merge multiple mailboxes in a global inbox in Thunderbird.
  • Add a second account in K-9 Mail.

Consider regularly deleting mail stored on the server

If you can, use a mail client like Thunderbird to download your email to a secure device and delete it from the server using POP3. If you need to access your messages from different devices (like your computer and your phone), you will not want to delete them from the server and it may be best to use IMAP instead.

Organize your mailbox

• Organize your email in Thunderbird:
  • Get to know the Thunderbird interface and learn how to organize your email through tags and how to visualize tags together with folders.
  • Search your email with Thunderbird's quick filter.
  • Consider organizing your email by using just 4 folders.
  • Learn how to use filters in Thunderbird.
  • Learn how to train Thunderbird's spam filter.
  • Organize conversations through message threading in Thunderbird.
  • Learn how to create templates in Thunderbird and avoid writing messages from scratch.
• Read Cory Doctorow's tips on how to keep your inbox always empty.

Back up your mailbox

• Back up your email from your server to a secure device using Thunderbird with POP3 (you can choose to leave the mail on the server, if you need to access it from other devices).
• Learn how to back up your Thunderbird profile, including accounts, messages, address books, and settings.
• Learn how to restore the backup of your Thunderbird profile with the import tool.

Protect yourself from phishing and malware

• Get in the habit of noticing when an email tries to pressure you to act quickly or appeal to your emotions, as it may be an attempt at making you open a malicious link, download an infected attachment or enter your login data in a phishing web page.

[Advanced] Protect your email messages with end-to-end encryption

• Encrypt and sign your mail messages with OpenPGP using one of the following tools:
  • Thunderbird (Windows, Linux, macOS, Android)
  • K-9 Mail and OpenKeychain (Android)
    • Read the guide in the K-9 Mail website.
  • Mailvelope (Chrome/Chromium, Firefox, Edge)
• Try email services that support encryption
  • Proton Mail
    • NOTE: Proton Mail does not automatically encrypt mail to someone whose address is not on Proton Mail. To encrypt to someone who does not use Proton Mail, you must set a password the recipient can use to open the message or you may need to exchange encryption public keys.
  • Mailfence
    • NOTE: Mailfence does not automatically encrypt mail to someone whose address is not on Mailfence. To encrypt to someone who does not use Mailfence, you can set a password the recipient can use to open the message or you can exchange encryption public keys with your recipient.

[Advanced] Beyond the body: learn to read an email header

• Read the guide on how to view and extract raw messages in common email clients on the website of the Computer Incident Response Center Luxembourg (CIRCL).
• Learn how to analyze email headers in the section on email headers of Internews' Field Guide to incident response for civil society and media (2023, p. 60).