Email Security Guide: 3 best practices to keep your emails safe from attackers.

Follow the best practices of this email security guide so no one can hack into your emails or abuse your data.

Email security guide with three best practices.

Keeping personal data safe online does not have to be difficult - if you make a few smart choices. As experts in email security, we have compiled a quick email security guide on how to keep your emails safe from attackers. By following just three best practices, you will not only safeguard your emails, but you will also protect your online identity.


Protect your online identity

For most people, email accounts are the gate to their online identity: Amazon, Facebook, Twitter - all these services are linked to people’s email addresses. And, unfortunately, all of these services provide a password reset feature via email.

This makes it so important that you maximize the security of your email account with the following best practices.

Threat to online identity

The email reset feature used by most online services poses a severe threat to your entire online identity: Should malicious attackers gain access to your email login, they can request a simple password reset for lots of services, thus, taking over your entire online identity, including your logins to Facebook, Amazon, PayPal and others.

In this quick email security guide, we explain how you can keep your email account safe from malicious attackers with just three best practices, whether you are a normal internet user or a prominent target.

Three steps to keep your emails safe from attackers

  1. Choose a strong password.
  2. Use two-factor authentication (2FA).
  3. Choose an email service without password reset via email.

1. Choose a strong password

The most important best practice for securing your email account is securing your login credentials. For this, you need to choose a strong password. Tutanota is one of the few email services that allows an unlimited length of passwords. Upon sign-up, Tutanota also checks whether your password is strong enough so that it can’t be broken by brute-force attacks.

This password check is crucial because your password is the weakest link. With Tutanota we provide the most secure email service. Making sure that your password is strong enough is essential to keep this promise.

2. Use two-factor authentication (2FA)

Once you have chosen a strong password, enable 2FA to protect your login to the maximum. This is one of the most important best practice and one that is often neglected as people believe it to be a hassle.

However, this does not have to be the case.

You can even store your login credentials on your device if you know no one else has access to your device. This way you make sure that you can access your email account fast, but at the same time securely. The most important part of adding two-factor authentication is that you protect your email account from remote malicious attacks such as phishing attacks.

Phishing emails are becoming more and more sophisticated which increases the risk of falling for such attacks. The sender of the phishing email usually tries to make you click a link where you are supposed to enter your password. Should this happen, the attacker can then easily steal your password. However, if a second factor has been activated on your account, the password will be useless to the attacker and your email account will be safe.

Here we explain email phishing attacks in detail.

Tutanota supports U2F (second factor with a hardware token) and TOTP (second factor with an authenticator app). Tutanota does not support second factors via SMS as these are considered not secure enough.

We strongly recommend to use U2F (a hardware token such as Nitrokey / YubiKey) as this is the most secure option.

3. No password reset via email

Password resets via email are one of the biggest threats to your online security. A password reset feature via email makes it very easy to take over your accounts with a targeted attack, such as a smartly crafted phishing email. The attacker could trick you into believing that you are simply resetting your password when clicking on a link in a phishing email which only pretends to be a password reset email. This risk is much higher than many of us believe.

Tutanota does not offer a password reset feature via email to keep your email account secure.

Instead, Tutanota offers a recovery code that enables you - and only you - to reset your Tutanota login credentials in case you lose access to your password or second factor.

To make sure you never lose access to your secure Tutanota mailbox, please write down your recovery code and store it somewhere safe.

All data encrypted for maximum email security

Encryption to maximize email security.

1. Tutanota encrypts mailbox, contacts & calendars

Tutanota is the most secure email service because we take your security into consideration at every step. Tutanota encrypts your entire mailbox - emails, contacts, calendars - automatically on all devices. Wherever you use Tutanota, your private data is always secure.

2. Dedicated desktop apps to guarantee security

Tutanota does not support IMAP/Pop3 because emails retrieved via IMAP/POP3 would be stored unencrypted on your device. Instead, Tutanota offers dedicated and open source desktop clients for Windows, Linux and macOS. Tutanota also comes with open source apps for Android and iOS. The Tutanota desktop clients and mobile apps work just as easy as Tutanota’s secure webmail client, which enables you to access your encrypted mailbox wherever you are.

3. End-to-end encryption

Tutanota does not only store all your data encrypted, it is most famous for offering a very easy option to send end-to-end encrypted emails to any email address in the world. This is very important because normal emails can be intercepted and read by third parties as easily as a postcard can be read by others. Whenever your email contains sensitive data that should not be published in the newspapers tomorrow, we recommend to encrypt your emails end-to-end.

Watch this YouTube video to see how easily you can encrypt any email with Tutanota.

Most services handle search on the server because they do not encrypt your data. This is insecure as it requires for the data to be accessible by a server that you as the user have no control over. Instead, Tutanota searches your encrypted data locally on your device. This innovative feature stores an encrypted search index on your device, which cannot be accessed by us or by any other third party.

5. DANE support

As a forerunner in email security, Tutanota was one of the first email providers to implement DANE support. The technology DANE is an SSL extension that makes email services independent of Certificate Authorities.

Get your own account now

Register your own encrypted mail account now.

When switching to Tutanota, you will find that securing your emails is much easier than expected.

Besides, with Tutanota you can encrypt literally any email. This comes in very handy if you need to send confidential information to a friend who does not use email encryption (yet).

The three explained best practices are already sufficient to increase the security of your email account a lot. For maximum security, you may also check the extended list of recommendations below.


Extended list of best practices

  1. Be informed about email security best practices.
  2. Create strong and unique passwords.
  3. Activate two-factor authentication.
  4. Don’t reuse passwords across accounts.
  5. Don’t change passwords.*
  6. Beware of phishing attacks.
  7. Don’t open unexpected or untrusted email attachments.
  8. Don’t open email attachments with strange file extensions.
  9. Don’t click links in emails, particularly when the link or sender looks suspicious.
  10. Don’t trust emails that land in your spam folder.
  11. Don’t use your business email for private issues.
  12. Don’t use a public Wi-Fi (without a VPN).

*Changing passwords regularly was a common recommendation until a couple of years ago. This is outdated now because if you follow this list of best practices, there is absolutely no need to change your passwords regularly. The reason why changing passwords is no longer recommended is the following: Researchers have found that changing passwords regularly does more harm than good as it encourages people to choose weaker passwords. Better choose a strong and unique password once, instead of regularly changing a weak one to another weak one.