How to Protect Your Email From Hackers: A 2026 Security Checklist
The short answer
To protect your email from hackers, use a long unique password from a password manager, turn on 2FA or a passkey, learn to recognize phishing, check whether your address is in a breach, and audit your recovery info and forwarding rules. No single step is enough; layering them is what keeps an attacker out.
On this page
- 01 Why do hackers want your email more than almost anything else?
- 02 What makes a password strong enough to stop a hacker?
- 03 How much does two-factor authentication actually help, and which kind should you use?
- 04 How do you recognize the phishing that tries to steal your login?
- 05 How do you check whether your email is already exposed in a breach?
- 06 What hidden settings let a hacker keep reading your mail after you lock them out?
- 07 Why should you review active sessions and app passwords?
- 08 How do your devices and network affect your email security?
- 09 Can email aliases limit how exposed your real address is?
- 10 What does the complete email security checklist look like?
- 11 How does AI Emaily strengthen your email security?
- 12 The bottom line on protecting your email from hackers
Why do hackers want your email more than almost anything else?
Most people think of their email account as a place where messages pile up, useful but not especially valuable. Attackers see it very differently. To a criminal, your inbox is not a pile of mail; it is the master key to your entire digital life, and it is worth more to them than almost any single account you own, including your bank login. The reason is simple and worth sitting with for a moment: nearly every other account you hold, your bank, your social media, your shopping, your tax portal, your cloud storage, was set up with this email address, and nearly every one of them will, on request, send a password-reset link straight to it. Whoever controls your email controls the reset button for everything else.
That is what makes email the highest-leverage target in a person's online life. An attacker who guesses one weak banking password gets one bank account; an attacker who gets into your email can walk down the list of services tied to it, click forgot password on each, intercept the reset links, and take over account after account while you remain unaware. Your inbox is also a searchable archive: statements, invoices, contracts, scanned documents, travel plans, the names of your family and colleagues, everything a criminal needs to impersonate you or answer your security questions. The mailbox is both the key and the dossier.
The threat is not abstract, and it is growing. Data breaches now expose stolen credentials at a scale that is hard to picture: the breach-tracking service Have I Been Pwned has indexed billions of unique email addresses alongside more than seventeen billion compromised account records, much of it circulating freely among criminals as ready-made login lists. The fraud that targets inboxes keeps climbing too: according to the FBI's Internet Crime Complaint Center, losses from the crimes that most directly exploit email, business email compromise and phishing among them, ran into the billions of dollars in 2025, and for the first time the FBI began tracking AI-enabled fraud as its own category, because attackers now use generative tools to make their lures faster and more personalized. The barrier to a convincing attack has dropped, which means the value of locking your door has risen.
The good news is that protecting your email is not a matter of being a security expert or buying expensive software, but of doing a handful of specific, concrete things and doing them properly. This guide is that checklist, laid out in the order that gives you the most protection for the least effort: the password that should never be reused, the second factor that stops a stolen password from mattering, how to recognize phishing, how to check whether you are already exposed in a breach, and the often-ignored settings, recovery information and forwarding rules, that attackers love precisely because nobody looks at them. None of it is hard; the point is to do all of it, because email security is layered, and no single control is enough on its own.
What makes a password strong enough to stop a hacker?
The single most important thing about your email password is not how strange it looks but whether you use it anywhere else. Reuse is the vulnerability that fuels the largest category of account takeover. When any service you have an account with suffers a breach, the email-and-password pairs from it end up on lists traded among criminals, who then try them automatically, at enormous scale, against other popular services, your email provider included. This technique, called credential stuffing, succeeds for one reason only: people reuse the same password across sites. If your email password is the same one you used on a forum breached three years ago, your email is effectively already compromised; the attacker just has not gotten around to it yet.
So the first rule is absolute: your email password must be unique, used for that account and nothing else. The second is that it should be long, because length defeats the other main attack, brute-force guessing, far more effectively than complexity does. Modern guidance from security bodies has moved away from the old advice of short passwords stuffed with symbols and forced changes every ninety days, which mostly produced predictable patterns like Password1! becoming Password2!. The current consensus favors length over arcane complexity: a long passphrase of several unrelated words is both far harder for a machine to crack and far easier for a human to handle. A genuinely strong email password today is long, unique, and unrelated to anything guessable about you, no birthdays, pet names, or the word password buried in it.
The obvious objection is that nobody can remember a different long password for every account they own, and that objection is correct. You are not supposed to. That is the job of a password manager, an application that generates a long, random, unique password for every account, stores them in an encrypted vault, and fills them in for you at login; you remember just one strong master password, or unlock the vault with your fingerprint or face. Reputable managers use zero-knowledge encryption, meaning the provider itself cannot read your vault: it is encrypted and decrypted only on your own devices. Well-regarded options include Bitwarden, with a capable free tier and open-source code, along with 1Password and the managers built into Apple and Google's ecosystems.
A password manager also defends you against phishing in a way you may not expect. Because it ties each saved login to the exact website address it belongs to, it will only fill your email password on the genuine login page; on a convincing fake with a lookalike address, it does not recognize the page and offers nothing. That silence is a signal: when your manager refuses to autofill where you expected it to, treat it as a warning that you may not be where you think you are. The manager catches the impersonation that your tired eyes, especially on a phone, might miss.
- Never reuse your email password anywhere else; reuse is what makes credential-stuffing attacks work.
- Favor length over symbol-soup complexity; a long passphrase of unrelated words is both stronger and easier to handle.
- Use a password manager to generate and store a unique password for every account so you only remember one.
- Pick a manager with zero-knowledge encryption, where the provider cannot read your vault; Bitwarden, 1Password, and the built-in Apple and Google managers are solid choices.
- Let the manager double as a phishing check: if it will not autofill on a login page, you may be on a fake site.
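To put numbers behind the "length over complexity" advice, here is an added Python example (not from the original article) that computes the entropy of a password drawn from a character set against a passphrase drawn from a word list, estimates how long exhaustive guessing would take, and generates both the way a password manager does, with the `secrets` module rather than `random`. The word list below is a constructed stand-in; the 7,776-word figure used in the comparison is the size of the standard Diceware list, assumed here as the passphrase source.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list standing in for a real passphrase
# list such as the 7,776-word Diceware list. Only the list *size* feeds the
# entropy figures; the words themselves are just for the demo output.
SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet",
                "glacier", "mosaic", "tundra", "quartz"]

DICEWARE_LIST_SIZE = 7776          # 6^5 words, the classic Diceware list
FULL_KEYBOARD = 94                 # printable ASCII without space


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size` options.

    This is the strength figure that matters against brute force: every extra
    symbol adds log2(pool_size) bits, which is why length wins over complexity.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every possibility at the given rate (an attacker needs half on average)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password the way a manager builds one: CSPRNG-backed `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Passphrase of `count` words chosen uniformly (and independently) from `words`."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    comparisons = [
        ("8 chars, full keyboard", FULL_KEYBOARD, 8),
        ("12 lowercase letters", 26, 12),
        ("5 Diceware words", DICEWARE_LIST_SIZE, 5),
        ("20-char manager password", FULL_KEYBOARD, 20),
    ]
    for label, pool, length in comparisons:
        bits = entropy_bits(pool, length)
        print(f"{label:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits, 1e10):.1e} years at 1e10 guesses/s")
    print("manager-style password:", generate_password())
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Five Diceware words come out at roughly 64.6 bits, comfortably above an eight-character password using the whole keyboard (about 52.4 bits) while being far easier to type and remember; the guess-rate used in the printout is an assumed offline-cracking figure, not a measurement.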
How much does two-factor authentication actually help, and which kind should you use?
A strong, unique password is the lock on your front door; two-factor authentication is the deadbolt, and it is the single most effective thing you can add to your account after the password itself. With two-factor authentication, also called 2FA or two-step verification, logging in requires not just something you know, your password, but also something you have, a code or approval on a device that is physically yours. So even if an attacker steals your password through a breach, a phishing page, or a guess, they still cannot get in without your second factor. The stolen password becomes nearly useless on its own, which is why turning on 2FA is the highest-value step on this checklist after fixing your password.
Not all second factors are equal, though, and the differences matter enough to choose deliberately. The weakest common form is a code sent by text message. It is genuinely better than no second factor, and if it is a service's only option you should use it, but SMS codes are vulnerable to SIM swapping, in which a criminal tricks your mobile carrier into transferring your phone number to a device they control so your codes arrive on their phone. They can also be intercepted and are routinely phished, since a fake login page can simply ask you to type the code you just received and relay it in real time. So treat SMS as the fallback, not the goal.
A meaningfully stronger option is an authenticator app, sometimes called a TOTP app for the time-based one-time passwords it produces. Apps like Google Authenticator, Microsoft Authenticator, Authy, and the code generators built into many password managers create a fresh six-digit code every thirty seconds on your device. Because the codes are generated locally rather than sent over the phone network, they cannot be SIM-swapped or intercepted in transit, which closes the biggest hole in SMS. They can still be phished, but the bar is considerably higher, and for most people an authenticator app is the right default for email.
The strongest options of all defeat phishing outright, and they are what you should reach for on your email account if offered. A hardware security key, a physical device such as a YubiKey you plug in or tap, and its software successor the passkey both use cryptography bound to the genuine website's address, so they simply will not authenticate to a fake site, even a pixel-perfect one, and a phishing page cannot capture anything reusable. A passkey, in particular, replaces the password entirely with a cryptographic credential unlocked by your fingerprint or face: there is no shared secret to steal, no code to phish, nothing for a breached database to leak. The major email providers now support passkeys, and adopting one is the most future-proof move on this list.
1. Open your email account's security settings. In Gmail, Outlook, Yahoo, or your provider's equivalent, find the section labeled security, sign-in, or two-step verification.
2. Choose the strongest second factor offered. Prefer a passkey or a hardware security key. If neither is available, set up an authenticator app. Use SMS only as a last resort.
3. Register the factor and save backup codes. Follow the prompts to add the factor, then download or print the one-time backup codes the provider gives you and store them somewhere safe and offline.
4. Add a second factor as a backup. Register a second method or a spare key where possible, so losing one device does not lock you out of your own account.
5. Test it by signing out and back in. Confirm the second factor is actually required on a fresh sign-in, so you know the protection is live before you rely on it.
| Second factor | How it works | Strength | Phishing-resistant? | Best for |
|---|---|---|---|---|
| SMS text code | A code texted to your phone number | Low, but better than nothing | No, can be phished and SIM-swapped | A fallback when nothing else is offered |
| Authenticator (TOTP) app | A 30-second code generated on your device | Good | No, but cannot be SIM-swapped | A solid default for most email accounts |
| Hardware security key | A physical device you tap or plug in | Very high | Yes, bound to the real site | High-value accounts; people who want maximum security |
| Passkey | A cryptographic credential unlocked by fingerprint or face | Very high | Yes, bound to the real site | The most future-proof choice; replaces the password |
2FA is what makes a stolen password harmless
How do you recognize the phishing that tries to steal your login?
A password and a second factor protect you from an attacker trying to break the lock. Phishing is the attacker knocking politely on the door and asking you to open it. It is the most common way people hand over their own credentials, and it works not by defeating your security but by routing around it: a phishing message tricks you into typing your password, and sometimes your second-factor code, into a fake page that forwards both to the criminal. Because it targets your judgment rather than your software, no setting fully prevents it; recognizing it is a skill, and one of the most valuable you can build. For a thorough field guide, see our companion piece on how to spot a phishing email, but the essentials below will catch the large majority of attempts.
Almost every phishing message shares a small set of tells, and learning to feel for them is more useful than memorizing any single example. The first is manufactured urgency: the message insists you act immediately or face a consequence, because urgency pushes you to act before you think, which is precisely when judgment fails. The second is a request for credentials or sensitive action: a legitimate provider will essentially never email you a link asking you to log in to confirm your password, yet that is the entire purpose of most phishing. The third is a mismatch between what the message claims and where its links actually go, which you can check by hovering over a link on a computer, or long-pressing it on a phone, to preview the real destination before clicking.
The hardest tells to rely on are the ones people were taught a decade ago, because attackers have largely fixed them. Spelling mistakes and crude logos were once reliable giveaways; now, with generative writing tools freely available, phishing is frequently flawless and perfectly formatted, and even the sender address can be forged closely enough to fool a quick glance, its own large topic covered in our guide on email spoofing. The lesson is to react to the structure of the request, not the production quality: anyone pressuring you to log in, pay, or reveal something through a link deserves suspicion however professional it looks.
The most important habit, the one that makes you genuinely hard to phish, is to verify out of band whenever a message asks for anything consequential. If an email appears to be from your bank, your email provider, or any service and asks you to log in, do not click its link. Instead, open a new browser tab and type the address yourself, use a saved bookmark, or call the organization on a number you already have. By reaching the real service through a channel you control, you sidestep the fake page entirely. This single discipline, never logging in through a link in an unexpected message, neutralizes the overwhelming majority of credential phishing.
Polished does not mean genuine
How do you check whether your email is already exposed in a breach?
Everything so far assumes you are securing an account that has not yet been compromised. But given the scale of modern data breaches, it is worth assuming your address has been caught up in at least one and checking directly, because the fix differs depending on what was exposed. The standard tool is Have I Been Pwned, a free, well-respected service run by security researcher Troy Hunt that aggregates data from thousands of publicly disclosed breaches. You enter your email address and it tells you which known breaches included it and, broadly, what data was exposed: addresses, passwords, names, phone numbers. Having indexed billions of breached addresses, it is the closest thing to a definitive answer to the question.
If your address appears in a breach, do not panic, but do act, because what to do depends on what leaked. The most urgent case is a breach that exposed passwords: change that password immediately, and just as important, change it anywhere else you reused it. This is the most direct argument for the password manager described earlier: with unique passwords everywhere, a breach at one service exposes one password and stops there, instead of handing an attacker the key to everything. Where a breach exposed only your address, phone number, or name, the risk is more about targeted phishing than immediate takeover, but it is a useful prompt to confirm 2FA is on.
Checking once is good; staying informed is better, because new breaches happen constantly and the one that exposes you may not have occurred yet. Have I Been Pwned offers a free notification service that emails you if your address turns up in a future breach it indexes, and several password managers build the same capability in, monitoring your saved accounts against known breaches and alerting you so you can change the relevant password promptly. Treat a breach alert like a recall notice: not a cause for alarm, but a specific, time-sensitive prompt to rotate one credential before anyone can exploit it.
One caution about how you check matters enough to state plainly. Use a reputable breach-checking service such as Have I Been Pwned, and be wary of obscure sites that promise to tell you if you have been hacked, especially any that ask for your password rather than just your email address. A legitimate breach checker never needs your password; it matches on your email address. A site that asks you to type your actual password to see if it has been breached may itself be a trap designed to harvest exactly that.
1. Visit a reputable breach checker. Go to Have I Been Pwned (haveibeenpwned.com) and enter your email address. Never use a site that asks for your password to check breaches.
2. Read which breaches included you. Note each breach listed and, importantly, what data was exposed: addresses and names are lower risk than leaked passwords.
3. Change any exposed or reused password now. If a password leaked, change it on that service and everywhere you reused it. This is where a password manager makes the cleanup fast.
4. Turn on breach notifications. Subscribe to the free notification service, or enable your password manager's breach monitoring, so future exposures alert you automatically.
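The caution that a legitimate checker never needs your password has a technical counterpart worth seeing. Have I Been Pwned's Pwned Passwords service, which password managers use for their breach monitoring, lets you check a password without ever sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix in that range, and does the matching locally (the k-anonymity model). This goes a step beyond the page's email-address lookup, and the code below is an added Python example, not from the original article. The range-response text embedded in it is constructed to show the format; only `fetch_range` touches the network, and nothing in the offline parts depends on it.

```python
import hashlib
import urllib.request

# Public k-anonymity endpoint of Pwned Passwords; only a 5-hex-char prefix is ever sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like: one "SUFFIX:COUNT" per line,
# where SUFFIX is the 35 hex characters following the prefix. Suffixes and counts here
# are invented except that the middle line is the real SHA-1 suffix of "password".
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_sha1(password: str):
    """Uppercase hex SHA-1 of the password, split into the prefix that is sent and the suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Find our suffix in the range response; the match happens on our side, so the server never learns it."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call: request every suffix sharing our 5-character prefix."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str) -> int:
    """How many times the password appears in known breach corpora (0 means not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response body.
    prefix, suffix = split_sha1("password")
    print("sent to server:", prefix, "| kept locally:", suffix)
    print("occurrences in sample response:", count_in_range(suffix, SAMPLE_RANGE_BODY))
    # Uncomment to run the live query (network access required):
    # print("live count:", times_pwned("correct horse battery staple"))
```

The design is the point: a site that asks you to type your password "to see if it leaked" has no technical reason to, because the reputable service does the same job while receiving only five hex characters.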
What hidden settings let a hacker keep reading your mail after you lock them out?
Here is the part of email security that almost nobody checks, and that sophisticated attackers exploit precisely because nobody checks it. When a criminal gains access to an inbox, the smart ones do not just read it once and leave; they change the account's settings so they keep getting your mail even after you change your password, quietly, through features your provider built for legitimate convenience. The two settings they abuse are recovery information and automatic forwarding rules, and an attacker who has tampered with either can retain access long after you think you have locked them out. This is the silent hijack, and it is the most important thing in this guide you have probably never looked at.
Start with recovery information, the backup phone number and email address your provider uses to help you regain access if you are locked out. An attacker who controls your inbox, even briefly, can change these to point at a phone or address they own. The danger is subtle but severe: once the recovery details belong to the attacker, they can later trigger a password reset and have it sent to themselves, walking back in even after you changed your password and thought the incident over. A safety net for you becomes a permanent back door for them. So the moment you suspect any compromise, and periodically even when you do not, confirm that every recovery phone number and backup email is genuinely yours, removing anything you do not recognize.
The second and sneakier mechanism is the automatic forwarding rule, or filter. Every major email service lets you create rules that act on incoming mail automatically: forward messages to another address, delete them, or move them to a folder. These exist for good reasons, but they are a gift to an intruder. A classic attack sets a rule that silently forwards a copy of every incoming message, or every one containing words like invoice, payment, or confidential, to an address the attacker controls. You keep receiving your mail and notice nothing, while a complete copy streams to the criminal in the background. Security researchers have documented this as a favored technique precisely because it is so quiet: it survives a password change, and some attackers even add rules that auto-delete the very security alerts that would warn you.
Because these rules are both far-reaching and easy to overlook, auditing them should be a routine part of securing your email, not just something you do after a known incident. Open your email settings and look at every forwarding address and every filter or rule. Forwarding to an unfamiliar address, or a rule that deletes or forwards messages you never set up, is a serious red flag that someone has been in your account, and it needs to be removed at once. Make this a periodic habit and an immediate one any time you suspect compromise. If you find evidence that someone has actually been in your account, our guide on recovering a hacked email walks through the full lockdown, recovery rules and forwarding included, step by step.
| Hidden setting | How an attacker abuses it | Why it survives a password change | What to check |
|---|---|---|---|
| Recovery phone / email | Changes it to one they own, then resets your password later | The reset goes to their device, not yours | Confirm every recovery contact is genuinely yours; remove unknowns |
| Forwarding address | Silently sends a copy of all mail to their address | The rule keeps running regardless of your password | Remove any forwarding to an address you do not recognize |
| Filters / inbox rules | Forwards or auto-deletes specific messages (invoices, alerts) | The rule is stored on the account, not tied to a login | Delete any rule that forwards or deletes mail you did not create |
| App passwords | Issues a long-lived credential that bypasses your 2FA | It is a separate secret that a password change does not revoke | Revoke any app password you do not recognize or no longer use |
Changing your password is not enough on its own
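An audit of forwarding addresses and inbox rules can be automated once the rules are exported from the provider. The Python example below is added here and is not from the original article: it runs the checks from the table (forwarding to an unknown address, rules that forward mail matching sensitive words, rules that hide or delete security alerts) over a constructed set of rules. The field names are modelled on the Gmail API's filter and forwarding-address resources (`criteria`, `action.forward`, `action.addLabelIds`, `action.removeLabelIds`, `forwardingEmail`), but the data is invented and the owner's legitimate addresses are an assumption for the example.

```python
# Addresses the account owner legitimately forwards to (assumed for this example).
OWNER_ADDRESSES = {"me@example.com", "me.backup@example.org"}

# Constructed sample data shaped like Gmail API resources; nothing here is from a real account.
SAMPLE_FORWARDING = [
    {"forwardingEmail": "me.backup@example.org", "verificationStatus": "accepted"},
    {"forwardingEmail": "archive.7731@mail-relay.invalid", "verificationStatus": "accepted"},
]

SAMPLE_FILTERS = [
    # Harmless: file a newsletter out of the inbox.
    {"id": "f1", "criteria": {"from": "newsletter@example.net"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    # The classic silent copy: forward anything money-related to an outside address.
    {"id": "f2", "criteria": {"query": "invoice OR payment OR confidential"},
     "action": {"forward": "archive.7731@mail-relay.invalid"}},
    # The cover-up: trash the provider's own warnings before the owner sees them.
    {"id": "f3", "criteria": {"subject": "Security alert"},
     "action": {"addLabelIds": ["TRASH"]}},
]

# Constructed keyword lists; extend to match your own mail.
SENSITIVE_TERMS = ("invoice", "payment", "confidential", "password", "wire", "bank")
ALERT_TERMS = ("security alert", "new sign-in", "password", "verification code", "recovery")


def criteria_text(criteria: dict) -> str:
    """Flatten every criteria field (from, to, subject, query, ...) into one lower-cased string."""
    return " ".join(str(v) for v in criteria.values()).lower()


def audit_forwarding(addresses, owner_addresses=OWNER_ADDRESSES):
    """Forwarding destinations that are not on the owner's list, verified or not."""
    return [a["forwardingEmail"] for a in addresses
            if a.get("forwardingEmail", "").lower() not in owner_addresses]


def audit_filters(filters, owner_addresses=OWNER_ADDRESSES):
    """Rules that exfiltrate mail or suppress security alerts, with the reason for each flag."""
    findings = []
    for rule in filters:
        action = rule.get("action", {})
        text = criteria_text(rule.get("criteria", {}))
        reasons = []
        forward_to = action.get("forward")
        if forward_to and forward_to.lower() not in owner_addresses:
            reasons.append(f"forwards to unrecognised address {forward_to}")
        if forward_to and any(t in text for t in SENSITIVE_TERMS):
            reasons.append("forwards messages matching sensitive terms")
        deletes = "TRASH" in action.get("addLabelIds", [])
        hides = "INBOX" in action.get("removeLabelIds", [])
        if (deletes or hides) and any(t in text for t in ALERT_TERMS):
            reasons.append("hides or deletes security-related messages")
        if reasons:
            findings.append({"id": rule.get("id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("unknown forwarding addresses:", audit_forwarding(SAMPLE_FORWARDING))
    for finding in audit_filters(SAMPLE_FILTERS):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Run against a real export, every flagged item is a rule to remove and a reason to assume the account was accessed; the newsletter rule shows why the checks key on destination and content rather than on the mere presence of a filter.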
Why should you review active sessions and app passwords?
Two more account settings deserve a deliberate look, because both can grant an attacker continued access in ways a password reset does not automatically close. The first is your list of active sessions, the devices and browsers currently signed in to your email. Every major provider keeps a record, often labeled recent activity, devices, or active sessions, showing each one's rough location, device type, and last activity. Reviewing it is one of the fastest ways to catch an intruder: a session from a city you have never visited, a device you do not own, or a browser you never use strongly suggests someone else has your credentials. Providers let you sign out of individual sessions remotely, so if you spot something wrong, you can end it and, paired with a password change, evict the intruder.
Make checking sessions a periodic habit and an immediate response to any worry, and where your provider offers it, turn on alerts for sign-ins from new devices or locations, which converts this from a chore into an automatic warning. If you ever see an unrecognized session, the safe sequence is to sign it out, change your password, and then run through the recovery and forwarding audit from the previous section, because an attacker who had a live session may well have planted one of those quieter back doors before you noticed.
The second setting is app passwords, worth understanding because they can silently undercut the two-factor authentication you carefully turned on. An app password is a single-purpose password that some providers let you generate so that an older application unable to handle a 2FA prompt, an aging mail program or connected device, can still sign in. The catch is that it bypasses your second factor by design: it is a long-lived credential that grants access on its own. An attacker who briefly controls your account can generate one and use it to log back in indefinitely even after you change your main password and your 2FA stays on, because the app password is a separate secret those changes do not revoke.
Because of that, app passwords belong in the same audit as recovery info and forwarding rules. Open the section of your account where they are listed, confirm you recognize each and that it matches an application you actually use, and revoke anything unfamiliar or obsolete. Better still, prefer modern sign-in methods that support 2FA directly and keep app passwords to a minimum, since each is an additional key that sidesteps your strongest protection. Reviewing active sessions and app passwords together closes the two most common ways an attacker keeps a foothold after the obvious door has been locked.
- Check your provider's active sessions or recent-activity list for devices and locations you do not recognize.
- Sign out unfamiliar sessions remotely, then change your password to fully evict an intruder.
- Turn on alerts for sign-ins from new devices or locations so a break-in warns you automatically.
- Review app passwords and revoke any you do not recognize; each one bypasses your 2FA.
- Prefer modern sign-in methods that support 2FA over app passwords, and keep app passwords to a minimum.
How do your devices and network affect your email security?
Your email account does not exist in isolation; it is reached through devices and over networks, and a weakness in either can hand an attacker your mail no matter how strong your password and 2FA are. Start with the devices, your phone and computer, because that is where you read and write email and where credentials live while you are signed in. The most important habit here is unglamorous and decisive: keep your operating system and apps updated. A large share of the security updates that device makers push out exist to close holes attackers are already exploiting, and an out-of-date device is a known way in. Turning on automatic updates means those holes close on their own. Pair that with a screen lock and installing apps only from official stores, and your devices stop being the soft underbelly of your security.
Beware especially of malware that captures what you type or steals saved session tokens, because it defeats good password hygiene entirely. If a device is infected with a keylogger, the attacker can read your email password as you enter it, unique and long though it is, and certain malware can lift the tokens that keep you logged in, sidestepping even 2FA. This is why device fundamentals matter as much as account settings: updates, official app sources, and wariness of unexpected attachments and downloads, the latter covered in our guidance on whether it is safe to open an email attachment.
Then there is the network you connect over, and the headline risk is public Wi-Fi, the free networks in cafes, airports, and hotels. On an open network you do not control, others may be in a position to observe your traffic, and a malicious actor can even set up a rogue hotspot with a friendly-looking name to lure you onto equipment they own. The reassuring development is that this risk has shrunk, because essentially all reputable email now travels over encrypted connections, the same protected transport that secures banking and shopping sites, so your session contents are not simply readable to a stranger on the same Wi-Fi. That encryption makes ordinary use of public Wi-Fi far safer than its reputation suggests.
Even so, a few precautions on untrusted networks are worth keeping. Avoid anything highly sensitive on public Wi-Fi when you can wait for a trusted connection, and be skeptical of any network that throws up odd login or certificate warnings, which can signal interference. For an added layer, a reputable virtual private network, or VPN, encrypts all of your device's traffic and routes it through a server you trust, which shields your activity from others on a local network and is a reasonable investment if you frequently work from cafes or while traveling. A VPN is not a substitute for the account controls in this guide, but a sound complement to them when you are away from networks you control.
Automatic updates are quiet, high-value security
Can email aliases limit how exposed your real address is?
Most of this guide is about defending the account you have. Email aliases take a complementary angle: they reduce how exposed your real address becomes in the first place, which shrinks the surface that attackers and breaches can reach. An alias is a distinct email address that forwards to your real inbox without revealing it; you can hand a unique alias to each service you sign up for, so the address a company stores, and the address that leaks if it is breached, is never your true one. (Plus-addressing, a tag after a plus sign in your address, is a lightweight version, though dedicated alias services hide your real address far more thoroughly.)
The security payoff is real, even though an alias is not by itself a lock on your account. Because each service has a different alias, a credential exposed in one company's breach cannot be reused against your other accounts, since the leaked address is unique to that one signup and tied, ideally, to a unique password as well. Aliases also make your exposure traceable: if a particular alias suddenly starts receiving spam or phishing, you know exactly which company leaked or sold it, and you can disable that single alias without changing the address you give to everyone else. In an era where your address ending up on criminal lists is close to inevitable, aliases let that happen on disposable addresses instead of the one tied to your identity.
It is worth being honest about what aliases do and do not accomplish, because they are sometimes oversold. An alias is a privacy and exposure-reduction tool, not a replacement for the core protections in this guide. It limits where your real address spreads and contains the blast radius of any single leak, but it does nothing to protect the underlying inbox the aliases forward into; that account still needs a strong unique password, 2FA, and the rest of the checklist. Think of aliases as the outer fence that keeps your real address off as many lists as possible, with the password and second factor as the locked door behind it.
- Use a unique alias per service so the address a company stores is never your real one.
- A breach of one service then leaks only that alias, which cannot be reused against your other accounts.
- If an alias starts getting spam, you know exactly who leaked it and can disable just that alias.
- Remember aliases reduce exposure but do not secure the inbox itself; it still needs a strong password and 2FA.
- Many password managers and privacy providers generate aliases for you at signup, making the habit easy.
What does the complete email security checklist look like?
We have covered a lot of ground, so here is the whole thing in one place, ordered roughly from highest impact to supporting measures. The point of laying it out as a checklist is that email security is layered, and the protection comes from doing the set, not from picking a favorite. Any single control can fail (a password leaks, a phishing message slips through, a device is lost), and the other layers are what hold the line when one gives way. Work down the list, do each item properly, and you will have moved your account from the soft target most inboxes are to one that resists the attacks that catch nearly everyone else.
Treat the items near the top as non-negotiable and the rest as the hardening that makes a determined attacker give up and move on. A long unique password and a phishing-resistant second factor together defeat the two most common attacks outright, credential stuffing and stolen-password reuse. The phishing awareness protects you from handing over your own keys. The breach check tells you where you are already exposed. And the audits of recovery info, forwarding rules, sessions, and app passwords close the quiet back doors that let an attacker linger after you think the door is locked. None of it is difficult. The discipline is simply in doing all of it, and then revisiting the audits periodically rather than once.
| Priority | Action | Why it matters | How often |
|---|---|---|---|
| 1 | Set a long, unique password stored in a password manager | Defeats credential stuffing; removes you from reuse lists | Once, then never reuse |
| 2 | Turn on 2FA, ideally a passkey or hardware key | Makes a stolen password useless on its own | Once, keep a backup factor |
| 3 | Learn to recognize phishing; never log in via an email link | Stops you handing over credentials yourself | Ongoing habit |
| 4 | Check your address on Have I Been Pwned | Reveals where you are already exposed | Now, plus breach alerts |
| 5 | Audit recovery phone and email | Removes attacker-planted back doors | Every few months and after any scare |
| 6 | Audit forwarding rules and filters | Stops silent copying of your mail | Every few months and after any scare |
| 7 | Review active sessions; sign out unknown ones | Evicts a logged-in intruder | Periodically; enable login alerts |
| 8 | Review and revoke unknown app passwords | Closes credentials that bypass 2FA | Periodically |
| 9 | Keep devices updated; lock screens; official apps only | Stops malware that defeats good passwords | Automatic updates on |
| 10 | Be careful on public Wi-Fi; consider a VPN | Hardens the network path your mail takes | When on untrusted networks |
| 11 | Use email aliases per service | Limits how far your real address spreads | Ongoing as you sign up |
How does AI Emaily strengthen your email security?
Most of this checklist is work you do once and then, ideally, remember to repeat. The hardest parts to sustain are the ones that demand constant vigilance, spotting every phishing message, noticing the one forwarding rule that should not be there, because that attention does not scale across the hundred-plus messages a real inbox receives in a day, and attackers count on exactly that fatigue. AI Emaily is built on the premise that the watchfulness should be the software's job, not yours, so the protection is automatic rather than dependent on your being careful at the worst possible moment.
The most visible piece is phishing and scam detection. AI Emaily reads incoming mail for the hallmarks of a credential-harvest or payment-redirect attack, the manufactured urgency, the request to log in or pay through a link, the mismatch between a friendly display name and the address behind it, the lookalike domain a swapped letter away from a brand you know, and raises a clear suspicious-message warning when the pattern fits, instead of letting a dangerous message sit in your inbox looking ordinary. This is the layer that catches the attack designed specifically to bypass your password and 2FA by tricking you into surrendering them.
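The hallmarks listed above can be checked mechanically. The following is an added illustration, not AI Emaily's code, of three of them: a display name that claims a brand the sending domain does not belong to, a sending domain one letter away from (or wrapping) a real brand domain, and urgency language paired with a link. The brand list, the urgency phrases and the sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Brands an attacker might imitate (constructed list for this example; a real deployment
# would use the brands that actually mail you).
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "google.com", "amazon.com"}
# Phrases that manufacture urgency around a login or payment (constructed, not exhaustive).
URGENCY = ("immediately", "within 24 hours", "suspended", "verify your account", "urgent")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one letter away from a real one is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Known domain that `domain` imitates, or None if it is genuine or unrelated."""
    if any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return None  # the real domain, or a true subdomain of it
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        # paypa1.com (one swapped letter) or paypal.com.evil.net (brand nested in a foreign domain)
        if edit_distance(domain, known) <= 1 or brand in domain:
            return known
    return None

def assess(from_header: str, subject: str, body: str) -> list:
    """Return the phishing indicators found; an empty list means nothing suspicious was seen."""
    flags = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    display_l = display.lower()
    # 1. Friendly display name names a brand, but the address behind it is not that brand's domain.
    for known in sorted(KNOWN_DOMAINS):
        if known.split(".")[0] in display_l and not (domain == known or domain.endswith("." + known)):
            flags.append("display-name-mismatch")
            break
    # 2. Sending domain is a lookalike of a brand domain.
    imitated = lookalike_of(domain)
    if imitated:
        flags.append("lookalike-domain:" + imitated)
    # 3. Manufactured urgency combined with a link to log in or pay through.
    text = (subject + " " + body).lower()
    if any(p in text for p in URGENCY) and re.search(r"https?://", body):
        flags.append("urgent-link")
    return flags
```

A genuine notice from a brand's own subdomain produces no flags, which is the test any such heuristic has to pass before it is useful.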
Just as important is how AI Emaily connects to your mail in the first place, because a tool that reads your email could easily become a new risk of its own. AI Emaily connects through minimum-scope OAuth, the standard, revocable authorization your provider offers, which means it never sees or stores your email password; you grant a limited set of permissions you can withdraw at any time from your provider's settings, and the assistant operates inside those bounds rather than holding the keys to your account. The credentials it does hold, the access tokens that authorize the connection, are kept in encrypted storage, as are message contents, so the sensitive material is protected at rest. The design goal is that adding AI Emaily strengthens your security rather than widening your exposure.
Two further details round out the picture. AI Emaily blocks tracking pixels, the invisible images embedded in many messages that report back when and where you opened them, which protects your privacy and denies spammers a confirmation that your address is live and worth targeting. And the whole thing is built to be private: AI Emaily never trains its models on your email, works across every provider you already use, and analyzes a message only in service of protecting you, not of harvesting your correspondence.
If you want the always-on layer without having to be the always-on watchman, you can try AI Emaily free. The Free plan costs nothing and lets you see the phishing flags, tracking-pixel blocking, and suspicious-sender warnings in your own inbox, a far more honest test than any description on a page. If it earns a place in your day, the Pro plan is 17.99 dollars a month billed annually. You can create an account in a couple of minutes at app.aiemaily.com/signup, and it sits alongside the checklist above rather than replacing it, handling the vigilance that does not scale while you handle the one-time setup that does.
The bottom line on protecting your email from hackers
Your email account is the most valuable target in your digital life because it is the recovery key to everything else, which is precisely why it deserves more protection than any single app. The encouraging truth running through this guide is that protecting it does not require expertise or expense, only a handful of specific actions done properly: a long, unique password in a manager, a phishing-resistant second factor like a passkey, the judgment to never log in through a link in an unexpected message, a periodic breach check, and a look at the quiet settings that attackers exploit because almost nobody else thinks to.
The single most important framing to carry away is that email security is layered, not a single lock. Any one control can fail, a password can leak in a breach, a phishing message can slip past your guard, a device can be lost, and the checklist works because the other layers hold when one gives way. That is why doing the whole set matters more than doing any one part of it well. Work down the list, then make the audits a habit you return to a few times a year, and you will have moved your account out of the large, soft population of inboxes that attackers harvest at scale.
And for the parts of the job that demand constant attention rather than one-time setup, you do not have to be the watchman yourself. That is the work we built AI Emaily to take on, detecting phishing and scams, warning you about suspicious senders, and blocking tracking pixels, connected through minimum-scope OAuth that never sees your password, with tokens and messages kept encrypted, across every provider, and built to be private so your mail is never used to train its models. You can try it free on your own inbox and let it handle the vigilance that does not scale, while the checklist above handles the foundation that does. Together, the setup and the always-on layer are what keep your email yours.
Sources
- Have I Been Pwned, check if your email is in a data breach
- Troy Hunt, indexing billions of exposed email addresses in HIBP
- FBI IC3 2025 Internet Crime Report, email fraud and AI-enabled crime (Red Sift summary)
- NIST SP 800-63B, Digital Identity Guidelines (password length over complexity)
- Cybernews, Are password managers safe in 2026? (zero-knowledge encryption)
- Mailbird, passkeys for email login and passwordless authentication
- Barracuda, how attackers use inbox rules to evade detection after compromise
- Push Security, how hackers use mail rules to access your inbox
- Microsoft Learn, alert classification for suspicious email forwarding activity
- Cloudflare, review active sessions to secure your account
- Norton, public Wi-Fi risks and how to stay safe
- Bitwarden, add privacy and security using email aliases