Your comprehensive reference for email security, privacy tools, and digital self-defense. 50+ terms explained simply.
Simple Mail Transfer Protocol. The standard protocol for moving email between servers, in use since 1982 (RFC 821). Servers relay to each other on port 25; your email client submits outgoing mail on port 587, where the connection is normally upgraded to TLS with STARTTLS (port 465 carries submission over implicit TLS). When you hit "send", your client hands the message to your provider's server over SMTP, and that server relays it over SMTP to the recipient's mail server found via its MX record.
SMTP was designed in an era before security was a concern: the base protocol has no encryption and no way to prove who sent a message, which is why STARTTLS, SMTP authentication, SPF, DKIM and DMARC were later bolted on.
Internet Message Access Protocol. The protocol used to retrieve and manage emails from a mail server. Unlike POP3, IMAP keeps emails stored on the server, allowing you to access them from multiple devices. Most modern email clients use IMAP.
Post Office Protocol version 3. An older protocol that downloads emails from the server to your local device and (by default) deletes them from the server. Rarely used today since IMAP is more flexible for multi-device access.
Mail Exchange Record. A DNS record that specifies which mail server is responsible for receiving emails for a domain. When someone sends an email to you@example.com, the sending server looks up the MX record for example.com to find where to deliver the message.
The metadata carried at the top of every email, normally hidden by the client. Headers contain routing information (the Received line each server adds as the message passes through it), timestamps, sender and recipient details, authentication results (SPF, DKIM, DMARC) and often the email client used. They are crucial when investigating phishing, because the From address shown to the user is trivial to forge while the Received chain and the Authentication-Results header are added by the receiving servers themselves.
How to view: In Gmail, click the three dots → "Show original". In Outlook, open the email → File → Properties → Internet Headers.
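The triage an analyst does on those headers, as an added example (not code from this page or from any mail provider): parse a raw message with the standard library, walk the Received chain in delivery order, pull apart Authentication-Results, and compare the displayed From domain with the Return-Path and DKIM signing domains. The message below is constructed for the example, with a From header claiming example-bank.com while the envelope sender and DKIM signer belong to mailer.example.net; the helper names are ours.

```python
"""Header triage for a suspected phish, using only the standard library."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real capture). The visible From claims
# example-bank.com; the envelope sender and DKIM signer are mailer.example.net.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
        by inbox.example.com with ESMTPS id abc123
        for <you@example.com>; Tue, 04 Jun 2024 09:15:02 +0000
Received: from out1.mailer.example.net (out1.mailer.example.net [198.51.100.7])
        by mx.example.org with ESMTP id def456;
        Tue, 04 Jun 2024 09:15:01 +0000
Authentication-Results: inbox.example.com;
        spf=pass smtp.mailfrom=mailer.example.net;
        dkim=pass header.d=mailer.example.net;
        dmarc=fail header.from=example-bank.com
From: "Example Bank Security" <alerts@example-bank.com>
To: you@example.com
Subject: Your account will be suspended
Date: Tue, 04 Jun 2024 09:14:59 +0000
Message-ID: <1234@out1.mailer.example.net>
Content-Type: text/plain

Please verify your account.
"""


def parse_message(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(address) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if absent."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(address or ""))
    return match.group(1).lower() if match else ""


def received_chain(msg):
    """Each hop prepends its own Received header, so the stored order is
    newest-first. Reverse it to read origin -> destination and keep the
    'from' host of every hop."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", hdr)
        hops.append(m.group(1) if m else hdr.split(";")[0].strip())
    return hops


def auth_results(msg):
    """Parse 'method=result key=value ...' clauses from Authentication-Results.
    The first clause is the authserv-id of the server that did the checks."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:
            parts = clause.split()
            if not parts or "=" not in parts[0]:
                continue
            method, verdict = parts[0].split("=", 1)
            props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def triage(raw: bytes) -> dict:
    msg = parse_message(raw)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    dkim_domain = auth.get("dkim", {}).get("header.d", "").lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "dkim_domain": dkim_domain,
        "hops": received_chain(msg),
        "auth": auth,
        # The classic spoofing tell: the From domain the user sees is neither
        # the domain that sent the message nor the domain that signed it.
        "from_mismatch": from_domain not in {return_path_domain, dkim_domain},
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On real mail, trust only the Received lines added by your own provider (an attacker can pre-seed fake ones below them), and read Authentication-Results only from the authserv-id you recognise for the same reason.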
A disposable email address that automatically expires after a set period. Temp mail services like fake.legal provide instant, anonymous email addresses that require no signup or personal information. They're designed for one-time use: sign up for a service, receive the confirmation email, and let the address self-destruct.
Key benefits: Prevents spam from reaching your real inbox, protects your identity during signups, reduces your data breach exposure, and keeps your primary email clean.
An alternative email address that forwards to your real inbox. Unlike temp mail, aliases are permanent and linked to your account. Gmail supports "plus addressing" (yourname+shopping@gmail.com), while services like SimpleLogin and addy.io (formerly AnonAddy) provide dedicated alias management on their own domains.
Limitation: plus addressing is transparent. Some sites reject or strip the "+" part, and anyone who holds your alias can delete the tag to recover your real address; the real domain is visible either way. Dedicated alias services avoid this by issuing a random local part on a separate domain, so an alias reveals nothing about the mailbox behind it.
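Why a plus-addressed alias is not a separate identity, as an added example (not from this page): the canonicalisation below is what a signup form, a spam-list merge or a breach-correlation script applies to collapse aliases back to the underlying mailbox. The Gmail rules it encodes (dots ignored in the local part, "+tag" dropped, googlemail.com delivered to the same inbox) are Gmail's documented behaviour; the helper names and the signup list are ours.

```python
"""Collapse plus-addressed and dotted aliases to the mailbox they deliver to."""

# Providers that ignore dots in the local part (Gmail does; most providers do not).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Gmail delivers googlemail.com mail to the same inbox as gmail.com.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonicalize(address: str) -> str:
    """Return the real mailbox behind an alias.

    1. lowercase and trim
    2. drop any '+tag' subaddress (RFC 5233 style, honoured by Gmail and many others)
    3. for dot-insensitive providers, remove dots in the local part
    4. fold known domain aliases
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Cluster signup addresses by real mailbox: the de-duplication a spam
    list or a 'one account per person' check performs on your aliases."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonicalize(addr), []).append(addr)
    return groups


# Constructed signup list: three Gmail aliases for one inbox, plus one other domain.
SIGNUPS = [
    "Jane.Doe+shopping@gmail.com",
    "janedoe+newsletter@googlemail.com",
    "j.a.n.e.d.o.e@gmail.com",
    "jane+forum@example.org",
]

if __name__ == "__main__":
    for mailbox, aliases in group_by_mailbox(SIGNUPS).items():
        print(mailbox, "<-", aliases)
```

A random alias on a dedicated alias domain defeats this step, because there is no rule that maps it back to anything.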
Mail User Agent. The software you use to read and send emails — like Gmail, Outlook, Apple Mail, or Thunderbird. Your choice of email client affects your privacy: some clients block tracking pixels by default, while others load all remote content automatically.
A social engineering attack where an attacker sends fraudulent emails disguised as legitimate communications (from banks, tech companies, etc.) to trick recipients into revealing passwords, credit card numbers or other sensitive information. Phishing is consistently one of the most common initial access vectors reported in breach investigations.
Red flags: Urgent language ("Your account will be suspended!"), mismatched sender addresses, generic greetings ("Dear Customer"), suspicious links, and requests for personal information.
A targeted form of phishing aimed at a specific individual or organization. Unlike mass phishing, spear phishing uses personalized information (your name, company, role) to appear more convincing. Whaling is spear phishing specifically targeting executives or high-value targets.
Unsolicited bulk email, usually sent for commercial purposes. By most industry estimates, roughly 45% of all email traffic worldwide is spam. While most spam is just annoying marketing, some carries malware, phishing links or scam offers. Using temp mail for non-essential signups dramatically reduces the spam reaching your real inbox.
A tiny, usually invisible 1×1 pixel image embedded in an HTML email. When your client fetches the image, the request tells the sender's server that the message was opened, and it carries your IP address (hence an approximate location), your client and operating system via the User-Agent string, and the exact open time; a per-recipient token in the image URL ties all of this to you specifically. Most marketing email contains at least one such beacon.
Defense: Disable remote image loading, or use a client that fetches images through its own servers (Apple Mail Privacy Protection prefetches them via Apple relays, hiding your IP and masking the real open time). Reading marketing mail only in a temp mailbox ties whatever the pixel learns to a throwaway identity rather than to you.
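How a client can spot such beacons and what "disable remote image loading" actually does to a message, as an added example (not code from this page or from any mail client): the scanner flags remote images that are 1×1, hidden by CSS or carry a recipient token in the URL, and the blocker re-renders the body with every remote image replaced by a placeholder while inline cid: images and the text survive. The heuristics, helper names and the sample HTML are ours.

```python
"""Find tracking pixels in an HTML email and render it with remote content blocked."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed marketing email: a real remote image, a beacon, and an inline (cid:) logo.
SAMPLE_HTML = """<html><body>
<p>Hi Jane, your weekly deals are here.</p>
<img src="https://cdn.example.net/hero.jpg" width="600" height="200" alt="Deals">
<img src="https://track.example.net/o.gif?uid=7f3a9c&amp;c=spring" width="1" height="1" style="display:none">
<img src="cid:logo@example.net" alt="logo">
<p>&copy; Example Shop</p>
</body></html>"""

# Query keys commonly used to identify the recipient (heuristic list, ours).
TOKEN_KEYS = {"uid", "rid", "cid", "mid", "token", "email", "e", "u"}


def _is_remote(src: str) -> bool:
    return (src or "").strip().lower().startswith(("http://", "https://"))


class PixelScanner(HTMLParser):
    """Collect remote images and flag those that look like open beacons."""

    def __init__(self):
        super().__init__()
        self.remote_images, self.suspects = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not _is_remote(src):
            return  # inline/cid images never phone home
        self.remote_images.append(src)
        reasons = []
        if a.get("width").strip() in {"0", "1"} and a.get("height", "").strip() in {"0", "1"}:
            reasons.append("1x1")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if any(k in TOKEN_KEYS for k in parse_qs(urlparse(src).query)):
            reasons.append("recipient-token")
        if reasons:
            self.suspects.append({"src": src, "reasons": reasons})


def scan_email_html(html: str) -> dict:
    scanner = PixelScanner()
    scanner.feed(html)
    scanner.close()
    return {"remote_images": scanner.remote_images, "suspects": scanner.suspects}


class RemoteContentBlocker(HTMLParser):
    """Re-emit the document, replacing every remote <img> with a placeholder.
    Blocking all remote images (not just suspected ones) is what clients do,
    because a beacon can be any size and hide behind any URL."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and _is_remote(dict(attrs).get("src")):
            self.out.append("[remote image blocked]")
            return
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_content(html: str) -> str:
    blocker = RemoteContentBlocker()
    blocker.feed(html)
    blocker.close()
    return "".join(blocker.out)


if __name__ == "__main__":
    print(scan_email_html(SAMPLE_HTML))
    print(block_remote_content(SAMPLE_HTML))
```

The scanner is only a triage aid; the hero image above is not flagged even though its fetch reveals exactly the same IP and timing, which is why the blocker does not consult it.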
An incident where unauthorized parties gain access to confidential data. In 2025, over 1,800 confirmed breaches exposed 22+ billion records globally. When a service you signed up for gets breached, your email, password, and personal data end up on the dark web — forever.
Why temp mail helps: if you signed up with a disposable address, the leaked address is already dead and cannot be used to phish you or to correlate you across breaches. Pair it with a unique password so the leaked credential pair is worthless on every other site too.
An automated attack where stolen username/password pairs from one breach are tested against other services. Since many people reuse passwords, credential stuffing has a success rate of 0.1–2% — which across millions of stolen credentials means thousands of compromised accounts.
Defense: Use unique passwords for every account and enable 2FA.
Forging the visible sender (the "From" header) so a message appears to come from someone else. SMTP never checks this header, and it does not even verify the envelope sender (MAIL FROM / Return-Path) that it uses for bounces, so without extra protections spoofing is trivial. SPF checks the envelope sender, DKIM signs the message on behalf of a domain, and DMARC ties both back to the From header the recipient actually sees.
An attack where a third party secretly intercepts communication between two parties. In email, this happens when messages travel between servers without TLS, letting anyone on the network path read or alter them. Server-to-server TLS is usually opportunistic (STARTTLS), so an active attacker can strip the upgrade offer and force plaintext; MTA-STS and DANE let a domain require TLS so that such a downgrade fails instead of silently succeeding.
Malicious software that encrypts your files and demands payment (usually cryptocurrency) for the decryption key. Email remains one of the primary delivery mechanisms, via malicious attachments or links to a download. Never open unexpected attachments, even from known senders, since compromised accounts are routinely used to spread it to their contacts.
A sophisticated scam where attackers impersonate executives or business partners to trick employees into transferring money or sharing sensitive data. BEC caused over $2.9 billion in losses in 2023 according to the FBI. Unlike typical phishing, BEC emails rarely contain links or attachments — they rely purely on social engineering.
Transport Layer Security (the successor to SSL). Encrypts the connection between your client and your mail server, and between mail servers, so that messages cannot be read in transit; the padlock in your browser is the same protocol. Most providers negotiate TLS by default, but between servers it is usually opportunistic and falls back to plaintext if the other side does not offer it, and it only protects each hop: the provider can still read your messages at rest.
Encryption where only the sender and recipient can read the message, not even the email provider. E2EE uses public-key cryptography: the message is encrypted to the recipient's public key, so only the matching private key can decrypt it. Proton Mail and Tuta (formerly Tutanota) encrypt end to end automatically between their own users; mail to outside recipients is only end-to-end encrypted if you use PGP or a password-protected message.
Key difference from TLS: TLS protects emails in transit, hop by hop. E2EE protects the message body and attachments both in transit and at rest on the server. Headers such as sender, recipient and date remain visible to the provider, and the subject line often does too.
Pretty Good Privacy / GNU Privacy Guard. OpenPGP is the public-key standard used for signing, encrypting and decrypting email; GnuPG (GPG) is its most widely used free implementation. PGP relies on a Web of Trust in which users verify and sign each other's keys instead of trusting a central authority. While powerful, it has been criticized for being complex and easy to set up incorrectly, and it leaves subject lines and other headers unencrypted.
Sender Policy Framework. A DNS-based email authentication method: a domain publishes a TXT record listing the servers allowed to send mail on its behalf, and the receiving server checks the connecting IP against the record for the envelope sender (MAIL FROM) domain. If mail claiming to be from your domain arrives from an unlisted server, SPF lets the receiver flag or reject it. SPF alone does not check the From header the recipient sees, and it breaks when mail is forwarded; DKIM and DMARC fill those gaps.
DomainKeys Identified Mail. An authentication method in which the sending server signs selected headers and the body and attaches the signature in a DKIM-Signature header. The receiving server fetches the signing domain's public key from DNS (at selector._domainkey.domain) and verifies the signature, confirming that the signed parts were not modified in transit and that the signing domain (the d= tag) took responsibility for the message. By itself DKIM does not guarantee that d= matches the From header; DMARC alignment supplies that link.
Domain-based Message Authentication, Reporting & Conformance. Builds on SPF and DKIM by adding a policy layer published in a _dmarc TXT record. DMARC requires that a passing SPF or DKIM identifier align with the domain in the From header, and tells receivers what to do when neither aligns and passes: p=none (monitor only), p=quarantine (spam folder) or p=reject (block outright). It also requests aggregate and failure reports (rua/ruf) so domain owners can see who is sending mail in their name.
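The decision a receiving server makes once it has the SPF and DKIM results, as an added example (not code from this page or from any mail server): parse the _dmarc record, apply relaxed or strict identifier alignment against the From domain, and emit the disposition. The records and results are constructed; the organizational-domain rule is deliberately simplified to "last two labels" (real implementations consult the Public Suffix List), and all helper names are ours.

```python
"""Evaluate DMARC from SPF/DKIM results, the From domain, and the published record."""


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> tag dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")  # share of failing mail the policy applies to
    return tags


def org_domain(domain: str) -> str:
    """SIMPLIFIED organizational domain: last two labels. A real implementation
    uses the Public Suffix List so that 'a.example.co.uk' -> 'example.co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """spf_domain is the MAIL FROM domain; dkim_domain is the d= tag of a
    verified signature. DMARC passes if EITHER method passes AND aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # The requested disposition only applies to failures; with pct<100 the
        # receiver applies it to that percentage and lets the rest through.
        "disposition": "none" if passed else tags["p"],
        "pct": int(tags["pct"]),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.com"
    # Constructed spoof: SPF and DKIM both pass, but for mailer.example.net,
    # which does not align with the example-bank.com From header.
    print(evaluate_dmarc(record, "example-bank.com",
                         "pass", "mailer.example.net", "pass", "mailer.example.net"))
```

Note that the spoof case passes both SPF and DKIM on their own terms; only alignment against the From header exposes it, which is the whole reason DMARC exists on top of the other two.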
An extra layer of security requiring something you know (password) plus something you have (phone, hardware key). Even if your password is stolen in a breach, 2FA blocks the login. Best options: hardware keys (FIDO2/WebAuthn, e.g. YubiKey) > authenticator apps (TOTP codes from Google Authenticator, Authy and similar) > SMS codes (vulnerable to SIM swapping). Only the hardware-key option is phishing-resistant: a one-time code can be relayed by a real-time phishing site, while a FIDO2 key refuses to sign for the wrong origin.
A system design where the service provider cannot read your data. Your data is encrypted on your device before being sent to the server, and only you hold the decryption key, so a breach of the provider yields only ciphertext. Proton Mail and Tresorit use this architecture. The term is marketing shorthand rather than the cryptographic notion of a zero-knowledge proof, and it covers content, not metadata: the provider still knows who you correspond with and when.
Virtual Private Network. Encrypts your internet traffic and routes it through a server in another location, hiding your IP address from websites and your destinations from your ISP. This moves trust to the VPN provider, who now sees what your ISP used to. A VPN protects your network identity but not your email identity; a temp address covers that.
The Onion Router. Free software that anonymizes your internet traffic by routing it through multiple volunteer-operated servers (nodes), encrypting it at each step. Tor provides stronger anonymity than a VPN but is significantly slower. Used by journalists, activists, and privacy-conscious users.
Software that generates, stores, and auto-fills strong, unique passwords for every account. Instead of remembering dozens of passwords, you remember one master password. Popular options include Bitwarden (open source), 1Password, and KeePass (offline).
Why essential: The average person has 100+ online accounts. Without a password manager, password reuse is virtually inevitable — and password reuse is the #1 enabler of credential stuffing attacks.
A technique that identifies your browser based on its unique configuration: screen resolution, installed fonts, browser version, plugins, timezone, language, canvas rendering, and dozens of other attributes. Combined, these create a "fingerprint" that's unique to your device — allowing tracking even without cookies.
Defense: Use Tor Browser (designed to make all users look identical) or Brave Browser (built-in fingerprinting protection).
A protocol that sends your DNS queries (domain name lookups) inside HTTPS instead of plaintext UDP. Without it, anyone on the path, including your ISP, sees every domain you resolve even when the connection itself is encrypted. Popular DoH resolvers include Cloudflare (1.1.1.1), Quad9 (9.9.9.9) and NextDNS; note that the resolver you choose now sees those lookups instead, and that the hostname usually still appears in the TLS handshake (SNI) unless Encrypted Client Hello is in use.
The privacy principle of collecting and sharing only the minimum data necessary for a given purpose. Applied to email: use temp mail for non-essential signups so that services don't accumulate your real identity data. What doesn't exist can't be breached, sold, or misused.
A free service by security researcher Troy Hunt that lets you check if your email address has appeared in known data breaches. The database contains over 12 billion compromised accounts. If your email appears in multiple breaches, your address is almost certainly on spam lists and at risk for credential stuffing attacks.
General Data Protection Regulation. The EU's landmark data protection law (in force since May 2018). GDPR gives individuals the right to access, correct, delete and port their personal data. Companies need a lawful basis for every processing activity (consent is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests) and can be fined up to 4% of annual global revenue or €20 million, whichever is higher. GDPR applies to any company processing the data of people in the EU, regardless of where the company is based.
California Consumer Privacy Act / California Privacy Rights Act. California's equivalent to GDPR, giving state residents the right to know what data companies collect, opt out of data sales, and request deletion. CPRA (effective January 2023) strengthened CCPA by creating a dedicated enforcement agency and adding new rights.
Controlling the Assault of Non-Solicited Pornography And Marketing Act. US federal law (2003) regulating commercial email. Requires senders to include a physical address, provide an unsubscribe mechanism, honor opt-out requests within 10 business days, and use accurate subject lines and header information. Penalties run to over $50,000 per violation (the cap is inflation-adjusted each year; it stood at $50,120 in 2023).
Under GDPR, individuals have the right to request that organizations delete their personal data when it's no longer necessary, consent is withdrawn, or the data was unlawfully processed. Also known as the "right to erasure." Google alone received over 1.4 million requests by 2024.
Digital Services Act / Digital Markets Act. EU regulations (2022-2024) targeting large online platforms. The DSA requires platforms to be more transparent about content moderation and advertising. The DMA prevents tech giants from engaging in anti-competitive practices and gives users more control over their data and device choices.
| Situation | Recommendation | Why |
|---|---|---|
| Free trial signup | ✅ Temp Mail | No ongoing relationship needed |
| E-book / whitepaper download | ✅ Temp Mail | One-time access, high spam risk |
| Wi-Fi captive portal | ✅ Temp Mail | Untrusted operator, no ongoing relationship |
| Random forum registration | ✅ Temp Mail | High breach risk, low value |
| Social media (browsing only) | ✅ Temp Mail | Throwaway access account |
| Newsletter subscription | ⚠️ Alias or Temp | Alias if you want to keep it; temp if testing |
| Online shopping | ⚠️ Alias | Need order confirmations & receipts |
| Banking / financial | ❌ Real Email | Critical account recovery needed |
| Government services | ❌ Real Email | Legal identity verification required |
| Healthcare portal | ❌ Real Email | Medical records and appointments |
| Provider | E2EE | Zero-Knowledge | Open Source | Jurisdiction |
|---|---|---|---|---|
| Proton Mail | ✅ Yes | ✅ Yes | ✅ Yes | Switzerland 🇨🇭 |
| Tuta (formerly Tutanota) | ✅ Yes | ✅ Yes | ✅ Yes | Germany 🇩🇪 |
| Posteo | ⚠️ Optional | ⚠️ Partial | ❌ No | Germany 🇩🇪 |
| Gmail | ❌ No | ❌ No | ❌ No | United States 🇺🇸 |
| Outlook | ❌ No | ❌ No | ❌ No | United States 🇺🇸 |
| fake.legal | N/A (temp inbox) | N/A (no account) | ✅ Yes | Not stated |
| Action | Difficulty | Impact |
|---|---|---|
| Use unique passwords for every account | Easy (with password manager) | 🟢 Critical |
| Enable 2FA on all important accounts | Easy | 🟢 Critical |
| Use temp mail for throwaway signups | Easy | 🟢 High |
| Disable remote image loading | Easy | 🟢 High |
| Check Have I Been Pwned regularly | Easy | 🟡 Medium |
| Use a VPN on public Wi-Fi | Easy | 🟡 Medium |
| Switch to a privacy-focused email provider | Moderate | 🟢 High |
| Set up email aliases for different categories | Moderate | 🟡 Medium |
| Enable DNS over HTTPS | Moderate | 🟡 Medium |
| Use PGP for sensitive communications | Hard | 🟡 Situational |
Every disposable email address you use is one less data point in the next breach.