Your email account is the reset key for much of your digital life: banking alerts, software subscriptions, password resets, tax documents, cloud storage, and private conversations often flow through one inbox. That makes email one of the highest-value takeover targets for phishing, credential stuffing, SIM swap abuse, and social engineering. This guide gives you a reusable email security checklist for individuals, with practical settings to review when you create a new account, change devices, switch providers, or update recovery options. The goal is simple: reduce account takeover risk with a setup you can maintain, not just a one-time hardening session.
Overview
This checklist is designed to help you protect your email account before there is a problem. It focuses on settings that are widely available across major providers, including Gmail security settings and Outlook account security options, without depending on one brand or temporary feature layout.
For most readers, the highest-impact controls are straightforward:
- Use a long, unique password stored in a trusted password manager.
- Turn on multi-factor authentication and prefer stronger methods over SMS when possible.
- Review recovery email, phone number, and device trust settings.
- Remove old devices and third-party app connections you no longer use.
- Check forwarding rules, filters, and delegated access for anything unexpected.
- Keep your phone and computer updated, since a secure account can still be exposed on an infected device.
If you only do one pass today, start with this short version of the email security checklist:
- Change your email password to a unique one.
- Enable MFA and store backup codes safely.
- Confirm your recovery email and recovery phone are current and still under your control.
- Review recent sign-in activity and sign out of devices you do not recognize.
- Check inbox rules, forwarding, recovery methods, and connected apps for changes you did not make.
- Update your browser, email app, and operating system.
If you need help choosing a password storage approach, see Password Manager vs Built-In Browser Passwords: Security Tradeoffs That Matter. If your provider supports passkeys, Passkeys Explained: Where They Work, Where They Don’t, and When to Switch is a useful companion read.
Checklist by scenario
Use the scenario that best matches your situation. The items overlap on purpose. Good account security is usually a matter of closing several small gaps, not finding one magic setting.
Scenario 1: Setting up a new email account
If this is a primary personal inbox, take a few extra minutes at the start. Initial setup choices tend to stay in place for years.
- Create a unique password. Do not reuse a password from shopping sites, old forums, or work services. Reuse is one of the easiest paths to account takeover after credential leaks.
- Enable MFA immediately. If the provider offers app-based codes, hardware keys, or passkeys, those are generally preferable to SMS for high-value accounts. SMS can still be better than no MFA, but it carries SIM swap and interception risk. For more on mobile number takeover risk, see SIM Swap Attacks: Warning Signs, Prevention Steps, and Recovery Guide.
- Save backup codes offline. Store them somewhere separate from the email account itself, such as a secure note, printed copy in a safe place, or an encrypted vault.
- Choose recovery options carefully. Your recovery email should be another account you actively control and secure. Your recovery phone number should be current, not an old line you forgot to remove.
- Review account alerts. Turn on sign-in alerts, unusual activity notifications, and security prompts if your provider offers them.
- Record your setup date and recovery methods. A simple note helps later when you are trying to remember whether a change was expected.
Scenario 2: Hardening an existing account you already use daily
This is the most common case. The account works, so security settings often stay untouched until there is a phishing scare or breach notice.
- Audit your password first. If the password is old, reused, or memorable in a way others could guess, replace it.
- Check recent login history. Most major providers show device type, region, and time of sign-in. Look for unknown browsers, locations that do not match your travel history, or sessions from devices you no longer own.
- Review trusted devices and active sessions. Sign out of old phones, browsers, and borrowed computers.
- Inspect inbox rules and forwarding. Attackers sometimes create silent forwarding rules to watch mail or delete alerts from banks and social platforms. Search for rules that archive, delete, or forward messages containing words like “security,” “verification,” “invoice,” or “reset.”
- Review connected apps. Remove mail clients, productivity tools, and browser extensions you no longer use. Old third-party access can become an overlooked weak point.
- Check delegated access. Some email systems allow another account to read or send mail on your behalf. Make sure no unfamiliar delegate remains attached.
- Update security questions only if they exist. If a service still uses them, treat the answers like passwords rather than truthful public facts.
Scenario 3: After a phishing scare, suspicious login alert, or strange inbox behavior
If you clicked something questionable, approved an MFA prompt you did not expect, or noticed messages disappearing, act as if the account could be exposed until proven otherwise.
- Change the password from a clean device. If possible, use a computer or phone you trust and have updated recently.
- Revoke active sessions. Sign out everywhere, especially if your provider offers a global sign-out option.
- Rotate MFA if needed. Remove unknown authenticator enrollments, disable suspicious push approvals, and regenerate backup codes.
- Review recovery methods. Confirm no attacker-added phone number or backup email was inserted.
- Search for changes to rules, forwarding, delegates, and app access. These changes often persist after a password reset if you do not remove them manually.
- Check linked accounts. If your email is used to log into banking, payroll, shopping, or social media, review those accounts next. Email compromise can quickly become wider account takeover.
- Scan your device. A password change helps, but not if a malicious browser extension or infostealer is still present.
If the phishing attempt arrived as a text message rather than in your inbox, review Is This Text a Scam? A Red-Flag Checklist for Suspicious SMS Messages. If you suspect wider exposure from a leak rather than a single phish, see Have I Been Breached? How to Check Exposure and Secure Your Accounts.
Scenario 4: Changing phones, laptops, browsers, or email apps
Device changes are a common moment for accidental security drift. Old sessions stay trusted while new ones are added.
- Before migrating, confirm access to MFA. Make sure your authenticator, hardware key, or passkey method will still work after the move.
- Export or transfer passkeys and authenticator setups carefully. Do not wait until your old device is wiped.
- Remove access from the old device after the switch. Logging out of the email app alone may not fully revoke trust.
- Check mail app permissions. Some mobile mail apps request broad access or use outdated authentication flows. If you are installing a new app, verify it carefully; Fake App Warning List: How to Check Whether a Mobile App Is Safe Before You Install can help.
- Update your recovery inventory. If your old number, old laptop, or old browser profile was part of account recovery, replace it.
Scenario 5: Using email for freelance work, side projects, or a small business
Personal and business activity often mix in one inbox, which increases the cost of compromise.
- Separate roles where practical. Consider different accounts for personal life, finance, and business communication to limit blast radius.
- Use stronger MFA methods on any account tied to invoices, payroll, clients, or admin access.
- Review mailbox rules more often. Attackers in business email compromise cases often hide payment fraud discussions or redirect invoice threads. Related reading: Business Email Compromise Red Flags: How to Catch Invoice and Payroll Fraud Early.
- Confirm domain admin and email admin paths are secured separately. If one personal inbox can reset everything else, it deserves your strongest settings.
- Schedule recurring reviews. Small teams benefit from a simple quarterly account audit. See Small Business Cybersecurity Checklist: Essential Controls to Review Every Quarter.
What to double-check
This section covers the settings and details users most often miss. These do not always stand out on a dashboard, but they matter because they can preserve attacker access even after a password change.
- Recovery email address: Is it still yours? Is it protected with MFA too? A weak backup email can undermine a strong primary account.
- Recovery phone number: Is it current and under your control? Remove old family plan numbers, recycled lines, or work numbers you may lose access to.
- Backup codes: Do you know where they are? Have you replaced them after a security incident or major MFA change?
- Forwarding rules: Is mail automatically sent anywhere else? Attackers often forward messages silently to monitor resets and alerts.
- Filters and rules: Are there rules deleting, archiving, marking as read, or labeling sensitive mail in unusual ways?
- Delegated access and aliases: Can another account read, send, or receive mail on your behalf?
- Connected apps and OAuth access: Are old productivity tools, add-ons, and mobile apps still attached? Remove what you do not need.
- Trusted devices: Does the list include phones, tablets, browsers, or laptops you no longer have?
- Sign-in prompts: Are you using push approvals in a way that could invite accidental approvals? If repeated prompts are becoming background noise, read MFA Fatigue Attacks Explained: How Push Bombing Works and How to Stop It.
- Notification settings: Will you actually see unusual sign-in alerts, or are they buried in the same inbox an attacker could manipulate?
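The rule audit described in Scenario 2 and in the forwarding and filter items above, as an added Python example that is not part of the original checklist; since every provider exports rules differently, the export format, field names and sample addresses here are constructed stand-ins:

```python
# Added example (not part of the original checklist): flag inbox rules that
# match the patterns described above. The export format below is a
# constructed, provider-neutral stand-in for a real rules export.
SENSITIVE_TERMS = {"security", "verification", "invoice", "reset"}
HIDING_ACTIONS = {"delete", "archive", "mark_read"}

# Addresses you control; forwarding anywhere else is worth a look.
TRUSTED_ADDRESSES = {"me@example.com", "backup@example.org"}

# Constructed sample export: one benign cleanup rule, one rule that copies
# all mail to an unknown address, one that deletes security notices, and
# one that forwards invoices to the owner's own backup inbox.
SAMPLE_RULES = [
    {"name": "Newsletter cleanup", "match_terms": ["newsletter"], "actions": ["archive"]},
    {"name": "Copy everything", "match_terms": [], "actions": ["forward", "mark_read"],
     "forward_to": "relay@example.net"},
    {"name": "Hide bank alerts", "match_terms": ["Security", "verification"], "actions": ["delete"]},
    {"name": "Invoice copy", "match_terms": ["invoice"], "actions": ["forward"],
     "forward_to": "backup@example.org"},
]


def audit_rules(rules, trusted_addresses):
    """Return (rule name, reason) pairs for rules a reviewer should inspect.

    Two patterns are flagged: forwarding to an address outside the trusted
    set (with or without a keyword filter), and hiding mail that matches
    security-related terms via delete/archive/mark-as-read actions.
    """
    findings = []
    for rule in rules:
        reasons = []
        actions = {a.lower() for a in rule.get("actions", [])}
        terms = [t.lower() for t in rule.get("match_terms", [])]
        sensitive = sorted(t for t in terms if t in SENSITIVE_TERMS)
        dest = rule.get("forward_to", "").lower()
        if "forward" in actions and dest and dest not in trusted_addresses:
            scope = "all mail" if not terms else f"mail matching {terms}"
            reasons.append(f"forwards {scope} to untrusted address {dest}")
        if sensitive and actions & HIDING_ACTIONS:
            hidden_by = sorted(actions & HIDING_ACTIONS)
            reasons.append(f"hides mail matching {sensitive} via {hidden_by}")
        if reasons:
            findings.append((rule["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, TRUSTED_ADDRESSES):
        print(f"REVIEW  {name}: {reason}")
```

A rule that only forwards to an address you still control, or that archives newsletters, is left alone; everything else on the list is a candidate for manual removal.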
Also double-check the device side of the equation. Even the best email security settings can be weakened by:
- outdated operating systems,
- unpatched browsers,
- malicious extensions,
- shared household devices without separate profiles,
- automatic logins on public or work-shared machines.
If your concern follows a broader breach notification, the first-day response priorities are covered in What To Do After a Data Breach: Priority Checklist for the First 24 Hours.
Common mistakes
Most email account compromises do not happen because someone ignored security entirely. They happen because one or two practical gaps remained open.
- Using MFA, but only through one fragile path. If your only second factor is a phone number you could lose, your setup is stronger than password-only but still brittle.
- Securing the password but ignoring recovery options. A stale recovery email or old phone line can become the easiest reset path.
- Changing the password after a scare, but not checking rules and sessions. This is one of the most common cleanup failures.
- Keeping legacy devices trusted indefinitely. Old tablets, spare phones, and browser profiles are easy to forget.
- Mixing personal and high-risk workflows in one inbox. The more accounts that rely on one email address, the more severe the impact if it is lost.
- Approving prompts too quickly. Habit can override caution, especially during work hours or travel.
- Assuming a familiar-looking message is safe. Account takeover and spoofing often imitate ordinary service notices. If a message asks you to act urgently, navigate to the service directly rather than using the embedded link.
A good rule is to treat your email account like an identity provider, not just a mailbox. If someone controls it, they may control your resets, your receipts, your cloud notifications, and often your proof of ownership across many services.
When to revisit
Email security is not a set-and-forget task. Revisit this checklist whenever the underlying inputs change. A short review a few times a year is usually enough for most people, and it is especially useful before seasonal travel, tax filing periods, major device upgrades, or job changes.
Use this practical review schedule:
- Every 3 to 6 months: Review active sessions, recovery methods, forwarding rules, delegates, and connected apps.
- When you change phones or laptops: Verify MFA access, remove old devices, and test account recovery before wiping anything.
- When your mobile number changes: Update recovery settings immediately and review SIM-based recovery dependence.
- After any breach notice affecting reused credentials: Change the password, review linked accounts, and check exposure. The guide Have I Been Breached? How to Check Exposure and Secure Your Accounts is a strong next step.
- After a suspicious email, text, or MFA prompt: Treat it as a reason to inspect account activity and recovery settings, even if you did not fully fall for the lure.
- When your provider adds new security features: Reassess whether passkeys, stronger MFA methods, or improved sign-in alerts now make sense for your account.
To make this sustainable, create a simple personal checklist you can repeat in ten minutes:
- Open account security settings.
- Review password, MFA, and backup codes.
- Check recovery email and phone.
- Inspect recent sign-ins and trusted devices.
- Review forwarding, filters, delegates, and app connections.
- Update your devices and remove anything you no longer use.
The best email security checklist is the one you will actually revisit. Keep it short, keep it current, and treat any change in devices, phone numbers, or workflows as a trigger to review your setup again.