Email is the root of trust for the vast majority of online accounts. Password resets almost universally rely on verifying access to an email address. This means that whoever controls the email address associated with an online account controls that account. Because the password reset process is a route into an online account, unless the service provider offers higher security options, the security of most online accounts is only as strong as the security of the email account associated with them. This post will explore why users should care about email security and briefly cover some ways they can improve their security.

For this post, the relevant actors are as follows:

  • the user who has an email account
  • multiple web services or websites that the user has accounts with
  • the email service provider which facilitates sending and receiving email

Loss of Use

For the average user, the biggest potential problem associated with email is loss of use. If a user is unable to log in to their email account and a web service attempts to verify the account by emailing a verification link, the user will not be able to access their account. At the very least, this causes the user some delay and additional work to contact the web service to recover their account. The two biggest causes of loss of use of an email address are account takeover and email service provider account lockout.

In the case of email account takeover, when an attacker gains access to a user’s email account, the attacker will change the password and other account information to lock out the legitimate user and make recovery more difficult. When the user contacts their email provider after account takeover, support agents may attempt to verify the user’s identity by asking about other account details such as predefined “security” questions, recovery email addresses and phone numbers, credit cards, or billing addresses. If the attacker has changed these, the user might actually end up looking like the bad actor when attempting to recover the account.

The next case is email service provider account lockout, where some internal process at the email provider flagged the account as suspicious and disabled it. Although this is not very likely to happen, the difficulty of regaining access to a suspended account makes this a concern worth minimizing. Often the account recovery process is stressful and intimidating; users must upload copious amounts of identification, but receive little to no feedback from the email provider on the status or outcome of the recovery process.

No matter the cause, losing control of an email address could mean losing access to multiple accounts associated with the email address. Email is a critical system and we should invest an appropriate amount of effort into its security.

Mitigations

User Owned Email Domain

Most people use an email service provider to facilitate sending and receiving email. Most people also use the email service provider’s domain as their primary email address, for example, @gmail.com. Understandably, most people go this route because it is the easiest thing to do and many providers do not charge for this service. Unfortunately, if the email provider suspends an account, the user does not have much recourse and will likely spend hours attempting to recover the account, but recovery efforts are not always successful.

On the other hand, if a user uses an email service provider in conjunction with their own email domain, such as acme-mail.com, and the email provider suspends their service, the user still has options to continue receiving email. The user could sign up for a new email service provider and adjust the MX records for acme-mail.com to begin receiving emails at the new email provider. While the user will still have to try to recover their account with the previous email service provider, they do not have to make any changes to their accounts at other websites since messages to existing @acme-mail.com addresses will be delivered to the new email provider.

Using a user owned email domain with an email service provider such as Fastmail takes maybe an hour to set up with no ongoing maintenance. While this approach is not for everyone, the setup and maintenance is minimal and the benefit of eliminating the possibility of losing access to your email is well worth it.

Update: After I posted this, my friend Anchal pointed out that Cloudflare has an Email Routing feature that can make the transition to a user owned email domain even easier. Users can still get the benefit of email provider agility without having to immediately abandon their existing inbox; in case the target email account is suspended, simply adjust the configuration in Cloudflare and new mail for the domain will still be delivered. I also want to clarify the transition strategy; users moving to a user owned email domain should go through their password manager and find all websites they signed up for with their old email address and update them to use the new domain. With Cloudflare, these can be forwarded to the existing inbox. To assist with fully moving to the user owned email domain, I recommend writing an inbox rule to flag emails that are not addressed to your new email address(es).
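The inbox rule described above, emulated in Python as an added example (this is not code from the post or from Cloudflare or Fastmail; in practice the same check is written as a filter or Sieve rule in the provider's interface). It assumes the user owned domain acme-mail.com from the post, constructed sample messages, and a made-up marker header named X-Legacy-Address standing in for the provider's flag. A message is considered "still using the old address" when none of its To, Cc or Delivered-To addresses belong to the new domain; Delivered-To is included so mail that was Bcc'd to the new address is not flagged by mistake, although whether that header is present depends on the receiving provider.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# User owned domain from the post; everything below it is constructed.
NEW_DOMAIN = "acme-mail.com"
# Hypothetical marker header standing in for a provider's "flag" action.
MARKER_HEADER = "X-Legacy-Address"


def recipient_addresses(msg: Message) -> list[str]:
    """Return every address found in To, Cc and Delivered-To, lower-cased.

    Delivered-To catches mail that was Bcc'd to the new address (Bcc never
    appears in To/Cc). Its presence depends on the provider, so this is an
    assumption rather than a guarantee.
    """
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def addressed_to_domain(msg: Message, domain: str = NEW_DOMAIN) -> bool:
    """True when at least one recipient address is at the new domain."""
    suffix = "@" + domain.lower()
    return any(addr.endswith(suffix) for addr in recipient_addresses(msg))


def flag_legacy_mail(raw_message: str, domain: str = NEW_DOMAIN) -> Message:
    """Emulate the inbox rule: mark messages not sent to any new-domain address."""
    msg = message_from_string(raw_message)
    if not addressed_to_domain(msg, domain):
        msg[MARKER_HEADER] = "yes"
    return msg


def is_flagged(msg: Message) -> bool:
    return msg.get(MARKER_HEADER) == "yes"


# Constructed sample messages; none of these addresses are real.
SAMPLES = {
    "old_address_only": (
        "From: alerts@bank.example\n"
        "To: alice@gmail.com\n"
        "Subject: Your statement is ready\n\n"
        "Still registered with the old address.\n"
    ),
    "new_domain_in_to": (
        "From: shop@store.example\n"
        "To: Alice <alice@acme-mail.com>\n"
        "Subject: Order confirmed\n\n"
        "Already migrated.\n"
    ),
    "new_domain_in_cc": (
        "From: bob@example.net\n"
        "To: carol@example.net\n"
        "Cc: ALICE@ACME-MAIL.COM\n"
        "Subject: Lunch?\n\n"
        "Case-insensitive match on the Cc line.\n"
    ),
    "bcc_via_delivered_to": (
        "From: news@lists.example\n"
        "To: subscribers@lists.example\n"
        "Delivered-To: alice@acme-mail.com\n"
        "Subject: Weekly digest\n\n"
        "Bcc'd to the new address; only Delivered-To shows it.\n"
    ),
}


def triage(samples: dict[str, str] = SAMPLES, domain: str = NEW_DOMAIN) -> dict[str, bool]:
    """Map each sample name to True when the rule would flag it."""
    return {name: is_flagged(flag_legacy_mail(raw, domain)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flagged in triage().items():
        print(f"{name:24s} {'FLAG: update this account' if flagged else 'ok'}")
```

Running the script prints one line per sample; only `old_address_only` is flagged, which is exactly the set of senders whose account settings still need to be updated. Because the check looks only at recipient headers, a sender can trivially put any address there, so treat the flag as a migration aid rather than a security control.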

Account Security

Users who do not want a user owned email domain must rely on an email service provider’s email domain. These users should thoroughly examine the security options available with the email service provider and configure them as securely as needed for the use case. Since most users have a single email address for everything from social media to financial services, it is wise to secure email to the standard of the highest security application it protects.

As an example of configuring strong email security settings, below are some non-exhaustive tips for Gmail.

  1. Set a strong password that you do not use on any other websites or apps
  2. Configure a recovery email address: https://myaccount.google.com/recovery/email
  3. Configure a recovery phone number: https://myaccount.google.com/signinoptions/rescuephone
  4. Configure 2-Step Verification: https://myaccount.google.com/signinoptions/two-step-verification

While this post will not discuss 2-Step Verification in depth, there are several different options with varying security levels. At a minimum, all users should print and safely store Backup Codes. Users with higher security requirements should strongly consider using hardware Security Keys (enroll at least one primary and a backup hardware security key). Security Keys are simple to use and greatly increase resistance to phishing. Google users with the highest threat profile should consider using Google Advanced Protection Program: https://landing.google.com/advancedprotection/.

While this outline is Google/Gmail specific because that is what most users have, similar options are available in Fastmail. Users should consider the available security options and account recovery processes when selecting an email service provider.

Summary

In closing, users should consider how critical email service is to their online presence and accounts with other websites. I believe that email should be treated as equal in importance to financial services because email often serves as a backdoor to online accounts through the password reset process.

If you would like to discuss this post or other security topics, please reach out.