If you want better security and privacy, pay
Free email services have to make money somehow. They do so through general adverts, adverts targeted on the contents of your email, and more. If something is free, how can you expect strong security and privacy? Look at paid-for Microsoft 365 and you will see no sign of ads; plus, you will know which region your emails are held in. On top of this, anti-malware, anti-spoofing and anti-spam measures tend to be stronger. To top it off, you can get a custom domain rather than
Use BCC (blind carbon copy)
Most people are guilty of this. They type a slightly personal message and put every recipient's address into the 'To' field (the top field of the new email page) rather than BCC. Using BCC instead means the recipients cannot see each other's addresses, and if someone replies, the reply goes only to the sender and not to everyone.
Consider a digital signature
In the non-cyber world, we verify contracts and cheques with hand-written signatures; only the signatory can tell whether he or she signed it, or whether anyone has tried to tamper with or even forge the signature. A digital signature authenticates the origin and integrity of a document or email. On top of this, an S/MIME certificate can encrypt emails as well. Digital signatures are more for high-value transactions than for the average user.
Encrypt sensitive emails
Email is the main communication tool of the 21st century; however, with the ease and popularity of this form of technology, it also exposes users to hacking or interception. Recently, a UK Government Minister claimed that emails were "... as secure as a postcard"; somebody else observed that nothing should be included in an email "... that you wouldn't want to see on the evening news". Security has improved since that quote, but encryption should still be used: either file encryption (better) or enforced TLS (okay).
Think twice before you send
Emails reach their intended destination in seconds and pass through various countries and networks. Messages are normally stored on the sending server and likewise at the recipient's end. An email sent months ago, or even over a year ago, could one day come back to haunt you. In addition, ISPs and companies often archive emails for compliance reasons. So, the next time you send an email, just bear this in mind.
Be careful what you open
Since the inception of email, malware has been passed around as attachments. Malware still travels by email, but thanks to improved malware scanning, criminal gangs are now placing links within emails that lead to malicious software. So, the next time you receive an email from a stranger, do not click on a link or open any attachments. Malware scanners are not 100% accurate, so just because a scanner says an attachment is clean does not mean it is. File extensions are also not to be trusted, nor are QR codes.
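To show why an extension proves nothing, here is an added example (not code from the original article) that compares an attachment's claimed extension with its leading bytes; the file names and byte strings are constructed samples.

```python
# Added example: check an attachment's leading bytes against its extension.
from typing import Optional

# Well-known file signatures (first bytes) for a few attachment types.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",   # also the container for .docx/.xlsx/.pptx
    "exe": b"MZ",           # Windows PE executable
}
OFFICE_ZIP = {"docx", "xlsx", "pptx"}

def detect_type(data: bytes) -> Optional[str]:
    """Return the type whose signature matches the data, or None."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def check_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return a warning when the content does not match the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    if actual == "exe":
        return f"{filename}: content is a Windows executable (MZ header)"
    if actual is None:
        return f"{filename}: unrecognised content; the .{ext} label proves nothing"
    if actual == "zip" and ext in OFFICE_ZIP:
        return None           # Office documents are zip containers
    if actual != ext:
        return f"{filename}: extension says .{ext} but content looks like {actual}"
    return None

# Constructed sample attachments (truncated bytes, not real files).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # executable renamed .pdf
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

def scan_samples() -> dict:
    """Run the check over every sample; the value is the warning or None."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}
```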
Try not to use internet cafés
From personal investigation, some internet café computers have keyloggers installed that capture usernames and passwords. As well as keyloggers, someone may well be looking over your shoulder or capturing network traffic.
Disable macros in clients
A macro virus is a type of malware, so it is best to disable macros within email clients as well as in the Office suite. Luckily, in 2025, macros tend to be disabled by default on Mac and Windows; however, a quick check will not go amiss.
Disable automatic download
Images within emails can be used to track you. They can, for example, tell the sender when you opened the message, your IP address, operating system, operating system language, location and so on. Within Outlook, or whatever your client is, turn off automatic image download.
Disable auto preview
Email clients may attempt to show you a preview of the message and attachment, which can allow malicious content to run. Try to disable such a feature.
Sign out and clear browser cache, history, cookies and passwords
When you finish your session on webmail, remember to sign out and clear browser history, cache, cookies and passwords. This is imperative when using an untrusted computer (which you should avoid in any case).
Choose a strong password and ‘forgot password’ question
Do not choose something that is short or in the public domain. The same applies to a ‘forgot password’ reset question. Do not use date of birth, place of birth, first school, favourite colour or the obvious; instead, choose something that cannot be researched or guessed.
Use two-factor authentication
Most email providers, even free ones, offer this, though it is not turned on by default; even in paid Microsoft 365 it is not. Enable it, and enforce it for all staff if you are a business.
One email account for personal and one for business
Make sure you have separate email accounts for private life and business. Then, if one is broken into, not all of your private (or business) emails are leaked. This also stops your employer from monitoring what you are sending.
Watch out for QR codes
Email defences are reasonable at blocking attachments or scanning links, which means the bad guys need to try something else. If links are scanned on entry, scanned on click or stripped out, then a QR code is a cool loophole. QR codes are intended to be scanned by smartphones and can direct you to a phishing website. Either strip them out or ignore them. Some tools can decode a QR code to reveal its destination URL before anyone visits it.
Email anti-spoofing both ways
The average user has not heard of DKIM, SPF or DMARC, with the latter being the newest of the three. They are used to control which emails are received and sent. With free services, you likely cannot change, or even see, these settings. In Microsoft 365 or other paid services they can be changed to control whether the bad guys can spoof your domain and what happens to spoofed emails sent to you.
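As an added example (not code from the original article), the following parses a domain's SPF and DMARC TXT records and flags the settings that leave it open to spoofing; the records shown are constructed samples for an imaginary domain, with a weak pair beside a corrected pair.

```python
# Added example: flag weak SPF ('+all', '?all' or no 'all') and weak DMARC ('p=none').
import re
from typing import Optional

def parse_spf(record: str) -> dict:
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term)
        if m:
            all_qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}

def spf_weakness(record: str) -> Optional[str]:
    """Describe a weak SPF setting, or return None if it looks sane."""
    spf = parse_spf(record)
    if spf["all"] in (None, "+"):
        return "SPF has +all or no all term: any host may send as this domain"
    if spf["all"] == "?":
        return "SPF ends in ?all: unlisted senders are treated as neutral"
    return None   # '-all' (fail) or '~all' (softfail, backed by DMARC)

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    if not record.startswith("v=DMARC1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dmarc_weakness(record: str) -> Optional[str]:
    tags = parse_dmarc(record)
    if tags.get("p", "none") == "none":
        return "DMARC p=none: spoofed mail is only reported, never rejected"
    return None   # 'quarantine' or 'reject' actually acts on spoofed mail

# Constructed sample records: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.invalid +all"
STRONG_SPF = "v=spf1 include:_spf.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"
```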