How to Protect Your Personal Email Address
Your personal email address is more than a way to receive messages. It's your identity anchor across dozens of services, your account recovery route, the target of phishing attempts, and a direct line to your inbox that marketers and data brokers aggressively try to obtain. Protecting it is worth the small effort it requires. Here's a practical checklist.
The threat model: what are you protecting against?
Email protection has two distinct layers — you need different tools for each:
- Privacy threats — spam, marketing, data brokers, unwanted contact. Your address being shared, sold, or harvested.
- Security threats — account compromise, phishing, credential stuffing attacks. Someone gaining access to your email account itself.
Most people conflate these. A strong password protects against account compromise but does nothing to stop spam. A disposable email prevents marketing but doesn't protect the content of your existing emails from interception. Both layers matter.
Privacy protection: keeping your real address off spam lists
- Use disposable email for low-trust sign-ups. Any website asking for your email that you don't genuinely trust or plan to return to — use a temp mail address instead. InboxDrop generates one in zero seconds.
- Use email aliases for ongoing accounts. For services you'll use regularly but want to protect your real address from, use an alias from SimpleLogin or Apple's Hide My Email. Each service gets a different alias — if one starts spamming you, disable it.
- Never post your real address publicly. Forum profiles, GitHub issues, social media bios, contact pages — these are scraped by bots within hours. Use an alias or a contact form.
- Opt out of the edited electoral roll. In the UK, this is the version of the electoral register that can be sold to data brokers. Opt out when registering or updating your registration.
- Read privacy policies before signing up. Look for "share with partners" or "third parties" language. If a site's privacy policy allows data sharing, use a disposable email or alias.
Security protection: keeping your email account safe
- Use a strong, unique password. Use a password manager (Bitwarden is free and open source) to generate and store a unique password for your email account. Never reuse passwords.
- Enable two-factor authentication (2FA). An authenticator app (Google Authenticator, Aegis, Authy) is more secure than SMS-based 2FA. This prevents account takeover even if your password is stolen.
- Check for breach exposure. Visit haveibeenpwned.com and enter your address. If it's appeared in breaches, change your password immediately. Set up alerts for future breaches.
- Be sceptical of links in emails. Phishing emails impersonating banks, HMRC, couriers, and well-known brands are the primary mechanism for account compromise. Hover over links before clicking. When in doubt, go directly to the service's website rather than clicking the email link.
- Review connected apps and permissions. In Gmail, Outlook, and Apple Mail, periodically review which third-party apps have access to your inbox and revoke anything you don't recognise or use.
What to do if your address is already compromised
If you're already receiving significant spam, a data breach has exposed your address, or you suspect your account has been accessed:
- Change your password immediately and enable 2FA if you haven't already
- Check haveibeenpwned.com to understand which breaches exposed your address
- Consider submitting removal requests to data brokers
- Going forward, protect your real address by using disposable email and aliases for all new sign-ups
- Consider a fresh email address for high-sensitivity accounts (banking, HMRC, healthcare) if the current one is widely compromised
The simplest protection: use a disposable email for sign-ups you're unsure about. Zero setup, zero cost.