Is My Email Provider Secure?

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

This is a question I hear a lot. No email provider is perfect. Using email from large providers, such as Google and Microsoft, might have privacy trade-offs as they have a history of allowing scanning of emails for advertising purposes. On the other side of the coin, you might find you are locked into a specific email provider because of the technology ecosystem you have. If all your devices are Apple products, then it might be natural to gravitate towards an iCloud email account.

The best way to tell if your email provider is safe is to see if you can make it through the steps outlined earlier for protecting your account. If there are features that are not available, like 2FA, then it is a dealbreaker when it comes to security.

Danger: 2FA should be considered the bare minimum. If your provider doesn’t allow it, then this is a dealbreaker and it is time to set up a new email with a provider who does. There is a great community-created website called 2FA Directory that you can use to find a new email provider. Switching can be a huge pain, but in the long run you will thank yourself. Especially with the rise of security breaches through weak security configurations, that unsafe email provider is probably one bad press release or low valuation away from selling or shutting down its headache of a service.

What I Use for Protecting Passwords and Email

I have a few email accounts; this is the burden of an IT nerd. So when going through these steps, I have to perform them for a few different accounts. I have one main personal account, one (very old) backup account that is nearly old enough to drive, and three work accounts. Here is how I work on protecting those:

  • For my personal account, I use four (!) layers of authentication. I stay logged in on the main devices I use every day, so I rarely have to assemble the four keys like in some dramatic rocket launch sequence. One layer is a physical hardware security key, the second is a backup physical hardware security key, the third is a mobile device push notification, and the final is an obnoxiously long password.

  • My backup personal account, which I use for account recovery for my primary account, is protected by a similar four layers. I use this for any career-related accounts or subscriptions, but nowadays it is mostly there as a backup account so my main personal email doesn’t rely on a work email for account recovery.
