1. Use a privacy-focused email application and provider
Using a modern, privacy-focused email provider is key to making sure that your emails are not read by the platform that stores them in the first place. Some email providers have a better track record than others when it comes to data breaches and privacy violations. Confirm that the email application, whether offered by your email provider or by a third party, is also secure. At a minimum it should authenticate you with a password (better: with a second factor, see point 4), and it should use TLS for both sending (SMTPS on port 465, or STARTTLS on the submission port 587) and retrieval (IMAPS or POP3S), never plain SMTP, IMAP or POP3.
Here are two email providers which have proven to care about security and privacy (no affiliation or sponsorship):
2. Don't allow image loading or fully rendered HTML
Many emails contain content that is not transmitted with the message itself. Remote images (including invisible 1x1 "tracking pixels"), stylesheets and other linked resources are fetched by your device when the message is rendered. That fetch tells the sender that the message was opened, when, from which IP address (and so a rough location) and with which mail client. Disable automatic loading of remote content, prefer the plain-text view, and load such content only for senders you trust.
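To see exactly what a mail client would fetch when rendering a message, here is an added example (not code from the original post or from CatchMailNot) that parses a constructed multipart message and lists every remote resource referenced by its HTML part, flagging 1x1 images as likely tracking pixels. The message, hosts and URLs are invented for the example; `cid:` references, which point at parts embedded in the message, are correctly ignored.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a multipart/alternative message whose HTML part references a
# remote banner, a 1x1 tracking pixel, an embedded (cid:) logo and a CSS background.
SAMPLE_MESSAGE = """\
From: newsletter@example-shop.test
To: alias-shop@example.test
Subject: Your weekly deals
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

This week's deals are inside.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This week's deals</p>
<img src="https://cdn.example-shop.test/banner.png" alt="banner">
<img src="https://track.example-analytics.test/open?u=8812" width="1" height="1">
<img src="cid:inline-logo">
<div style="background:url('https://track.example-analytics.test/bg.gif')"></div>
</body></html>
--b1--
"""


class RemoteResourceParser(HTMLParser):
    """Collect URLs of content a client would fetch while rendering the HTML."""

    # Tags whose attribute triggers a network fetch when the message is displayed.
    FETCHING_TAGS = {"img": "src", "iframe": "src", "script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(self.FETCHING_TAGS.get(tag, ""))
        if url:
            pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
            self.resources.append((tag, url, pixel))
        # url(...) inside an inline style attribute is fetched as well.
        for css_url in re.findall(r"url\(['\"]?([^'\")]+)['\"]?\)", attrs.get("style") or ""):
            self.resources.append((tag, css_url, False))


def remote_resources(raw_message: str) -> list:
    """Return the network-fetched resources referenced by the HTML part of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    parser = RemoteResourceParser()
    parser.feed(html_part.get_content())
    remote = []
    for tag, url, pixel in parser.resources:
        parsed = urlparse(url)
        # cid: and data: URLs are carried inside the message; only http(s) and
        # protocol-relative (//host/...) references cause a fetch.
        if parsed.scheme in ("http", "https") or url.startswith("//"):
            remote.append({"tag": tag, "url": url, "host": parsed.hostname,
                           "tracking_pixel": pixel})
    return remote


def remote_hosts(raw_message: str) -> list:
    """Distinct hosts that would learn your IP address when the message is rendered."""
    return sorted({r["host"] for r in remote_resources(raw_message)})


if __name__ == "__main__":
    for r in remote_resources(SAMPLE_MESSAGE):
        flag = "  <- tracking pixel" if r["tracking_pixel"] else ""
        print(f"{r['tag']:6} {r['url']}{flag}")
    print("hosts contacted on render:", remote_hosts(SAMPLE_MESSAGE))
```

Any host in that list learns your address and the time you opened the mail; a client with remote content disabled contacts none of them.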
3. Use different email accounts for different websites
Since tracking cookies are out of favor with legislators, email addresses are more valuable than ever for data correlation and tracking of user activity. According to the Electronic Frontier Foundation, email is already being proposed as the most important identifier by some Silicon Valley firms. Using one email address everywhere is a sure way to have your behaviour correlated and sold to advertisers and tech providers.
Instead you can use CatchMailNot (that's us) to make up a new email address, or alias, for each sign-up. The emails then get forwarded to your real address without the sender ever learning it. You can even reply from each alias without having to configure a new mailbox.
4. Use two-factor authentication
Whenever possible use a hardware token (a FIDO2/WebAuthn security key) or an authenticator app (TOTP codes) as your second factor. Do not rely on SMS-based two-factor authentication: the codes can be intercepted or redirected through SIM swapping or weaknesses in the phone network, and a phishing page can simply ask you for the code and relay it.
5. Secure attachments
Attachments are often overlooked when it comes to email security. Especially if you use Gmail, be careful when inserting attachments as Google Drive links. The recipient receives a link rather than the file, and if the file is shared as "anyone with the link", anyone who obtains that URL (through a forwarded message, a compromised mailbox or browser history) can open it, for as long as the file stays shared. It is more secure to send files as ordinary attachments under the 25 MB limit, splitting larger files if needed, or to encrypt the file before attaching it and share the passphrase over a different channel.
6. Don't click the unsubscribe button unless you trust the sender
The unsubscribe link that your mail client shows next to the sender's address (see example) is not controlled by your email provider.
The client generates it from the List-Unsubscribe header that the sender put into the message, which can point to a web address or to an email address, both chosen by the sender. Such requests can be abused to redirect you to a phishing site or simply to confirm that your address reaches a live recipient. The same applies to unsubscribe links inside the message body.
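As an added example (not code from the original post or from CatchMailNot), the check below extracts the List-Unsubscribe targets from a constructed message and compares their domains with the sender's, which is the quickest way to tell whether an "unsubscribe" action would hand your address to a third party or to a look-alike domain. The headers and domains are invented for the example, and the registrable-domain helper is a deliberate approximation.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample headers (not real hosts). The sender's domain and the two
# unsubscribe targets deliberately disagree, as they would in a phishing attempt.
SAMPLE_HEADERS = """\
From: "Acme Bank Alerts" <alerts@acme-bank.test>
To: alias-bank@example.test
Subject: Please confirm your account
List-Unsubscribe: <mailto:unsub@bulk-sender.test?subject=unsubscribe>, <https://acme-bank-login.test/u?id=7f3a>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (mail.acme-bank.test -> acme-bank.test).
    Production code should consult the Public Suffix List instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def sender_domain(msg) -> str:
    """Domain of the first address in From: (empty if the header is missing)."""
    if not msg["From"] or not msg["From"].addresses:
        return ""
    return registrable_domain(msg["From"].addresses[0].domain)


def unsubscribe_targets(raw_message: str) -> list:
    """Describe each List-Unsubscribe target and whether it belongs to the sender's domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = msg.get("List-Unsubscribe")
    if not header:
        return []
    from_domain = sender_domain(msg)
    # RFC 8058 one-click unsubscribe is only defined for https targets.
    one_click = "one-click" in (msg.get("List-Unsubscribe-Post") or "").lower()
    findings = []
    for target in re.findall(r"<([^>]+)>", header):
        parsed = urlparse(target)
        if parsed.scheme == "mailto":
            host = parsed.path.split("@", 1)[-1]
        else:
            host = parsed.hostname or ""
        domain = registrable_domain(host)
        findings.append({
            "target": target,
            "scheme": parsed.scheme,
            "domain": domain,
            "matches_sender": bool(domain) and domain == from_domain,
            "one_click": one_click and parsed.scheme == "https",
        })
    return findings


def safe_to_unsubscribe(raw_message: str) -> bool:
    """True only if every target stays within the sender's own domain."""
    targets = unsubscribe_targets(raw_message)
    return bool(targets) and all(t["matches_sender"] for t in targets)


if __name__ == "__main__":
    for t in unsubscribe_targets(SAMPLE_HEADERS):
        mark = "ok" if t["matches_sender"] else "THIRD PARTY / LOOK-ALIKE"
        print(f"{t['scheme']:7} {t['domain']:25} {mark}")
    print("safe to unsubscribe:", safe_to_unsubscribe(SAMPLE_HEADERS))
```

For the sample, both targets fail the check: one leaks the address to a bulk-mail operator, the other points at a look-alike of the bank's domain. A mismatch is not proof of abuse (legitimate senders outsource list management), but it is the moment to stop and verify before clicking.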
7. Sign out
Don't leave your email account signed in on a work or public computer. Sign out when you are done, and on a shared browser use a private window so that no session cookie is left behind for the next user.
8. Beware of public Wi-Fi
Any public Wi-Fi, whether password protected or not, can be used to sniff email traffic: a shared password does not stop other users of the same network from observing or redirecting your connections. Email traffic is especially easy to intercept because the original protocols (SMTP, POP3, IMAP) were not built with security and privacy in mind; encryption was bolted on later, often as an optional STARTTLS upgrade that an attacker on the path can strip. Email servers and clients also still often accept any certificate, which makes them easy targets for Man-in-the-Middle attacks using a self-signed certificate. Use a client that insists on TLS (IMAPS, and SMTPS or STARTTLS for submission) and that validates the server's certificate.
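An added example, not part of the original post or of any provider's software, of the client-side settings that point 1 and this point call for: a strict TLS context for IMAPS and SMTP submission, next to the weak "accept any certificate" configuration that a Wi-Fi Man-in-the-Middle relies on, plus a refusal to proceed when a submission server does not offer STARTTLS. The hostnames passed on the command line are assumptions; the functions only open network connections when the script is run directly.

```python
import imaplib
import smtplib
import ssl
import sys


def strict_tls_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_tls_context() -> ssl.SSLContext:
    """The weak setting: what a client that 'accepts any certificate' effectively does.
    A self-signed certificate presented by a hotspot MITM is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties that decide whether a MITM certificate would be rejected."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def open_imap(host: str, port: int = 993, context: ssl.SSLContext = None) -> imaplib.IMAP4_SSL:
    """IMAPS (implicit TLS): the handshake happens before any command, so there is nothing to strip."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=context or strict_tls_context())


def open_submission(host: str, port: int = 587, context: ssl.SSLContext = None) -> smtplib.SMTP:
    """SMTP submission with STARTTLS, refusing to continue if the server (or a MITM that
    removed the capability) does not advertise it. Credentials are only sent after the upgrade."""
    ctx = context or strict_tls_context()
    smtp = smtplib.SMTP(host, port, timeout=10)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send credentials in clear")
    smtp.starttls(context=ctx)   # raises ssl.SSLCertVerificationError on a self-signed MITM cert
    smtp.ehlo()
    return smtp


if __name__ == "__main__":
    print("strict  :", describe(strict_tls_context()))
    print("insecure:", describe(insecure_tls_context()))
    if len(sys.argv) == 3:                       # assumed usage: script.py imap.host smtp.host
        open_imap(sys.argv[1]).logout()
        open_submission(sys.argv[2]).quit()
        print("both servers presented a valid certificate and offered TLS")
```

The same distinction applies to whatever mail client you use: look for a setting such as "verify certificate" or "require TLS/STARTTLS", and treat a client that silently accepts a certificate warning on a public network as compromised until proven otherwise.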
9. Be conscious of irregular emails
If you receive an email that seems out of place, such as a purchase confirmation from a service you have never heard of, it is best to ignore it rather than click anything in it. CatchMailNot can also protect you from phishing and tell you if your email address was leaked.
CatchMailNot scans email dumps and warns you if one of your email addresses was found in a leak. It also protects you from domain cross-talk (that is, a provider selling or leaking your address). Since you can create unlimited email addresses, one for each service, you would immediately know if your address is being used by another service. For example, if you get an email from your bank on your Netflix alias, that should raise some eyebrows.
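As an added example (not CatchMailNot's code, which generates and tracks aliases for you), the script below shows the mechanics behind the per-service alias idea from points 3 and 9: one way to derive an alias per service so that knowing one alias does not let anyone guess the others, a registry of which sender domain each alias should receive mail from, and a check that flags cross-talk when, say, a bank writes to the Netflix alias. The secret, alias domain, service domains and messages are all constructed for the example.

```python
import email
import hashlib
import hmac
from email import policy

# Constructed for this example: a per-user secret (in practice generated once and kept
# in the alias service or a password manager) and the domain the aliases live on.
USER_SECRET = b"example-only-replace-with-32-random-bytes"
ALIAS_DOMAIN = "example.test"


def alias_for(service: str, secret: bytes = USER_SECRET) -> str:
    """Derive a per-service alias: the service name for readability plus an HMAC tag,
    so that the scheme or one alias does not let a spammer guess the aliases of other services."""
    name = service.strip().lower()
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{name}-{tag}@{ALIAS_DOMAIN}"


# Which service each alias was given to, and the sender domains expected from it
# (invented example domains, not the real services' domains).
REGISTRY = {
    alias_for("netflix"): ("netflix", {"netflix.test"}),
    alias_for("bank"): ("bank", {"acme-bank.test"}),
}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (mail.netflix.test -> netflix.test).
    Production code should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def check_cross_talk(raw_message: str, registry: dict = REGISTRY) -> dict:
    """Classify an incoming message by comparing the alias it arrived on with the sender's domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Delivered-To is added by the receiving server; To is sender-controlled and may be absent (Bcc).
    recipient = (msg.get("Delivered-To") or "").strip().lower()
    sender_domain = ""
    if msg["From"] and msg["From"].addresses:
        sender_domain = msg["From"].addresses[0].domain.lower()
    entry = registry.get(recipient)
    if entry is None:
        return {"alias": recipient, "service": None, "sender_domain": sender_domain,
                "verdict": "unknown-alias"}
    service, expected = entry
    allowed = {registrable_domain(d) for d in expected}
    verdict = "expected" if registrable_domain(sender_domain) in allowed else "cross-talk"
    return {"alias": recipient, "service": service, "sender_domain": sender_domain, "verdict": verdict}


def build_message(sender: str, delivered_to: str, subject: str) -> str:
    """Constructed raw message for the example (headers plus a placeholder body)."""
    return (f"From: {sender}\nDelivered-To: {delivered_to}\nTo: {delivered_to}\n"
            f"Subject: {subject}\n\n(body omitted)\n")


if __name__ == "__main__":
    print("netflix alias:", alias_for("netflix"))
    legit = build_message("Netflix <info@mail.netflix.test>", alias_for("netflix"), "New releases")
    odd = build_message("Acme Bank <alerts@acme-bank.test>", alias_for("netflix"), "Verify your account")
    for raw in (legit, odd):
        r = check_cross_talk(raw)
        print(f"{r['sender_domain']:20} -> {r['service']!s:8} alias: {r['verdict']}")
```

A "cross-talk" verdict means either the service sold or leaked the alias, or someone is phishing with a harvested address list; in both cases the alias can be disabled without touching any other account, which is the whole point of never reusing one address.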
10. Limit your email communication for sensitive messages
Any sensitive information you send in an email will remain out there forever. Whoever you send the email to might never delete the message, or could forward it to others. Services like ProtonMail allow you to send expiring messages, which delete after a given time; keep in mind that expiry relies on the recipient's side honouring it and does not stop a screenshot. Alternatively you could send important data in a Signal message (no affiliation or sponsorship).