Updated 08/17 for clarity, removal of an erroneous example and the addition of more privacy advice.
Nearly 2 billion people use the free Gmail email service from Google, which rightly boasts plenty of measures to protect user privacy and secure accounts from malicious activity. With more than 300 billion emails flowing through the service every day, you might be surprised to learn that one simple mistake could wreck all of that and expose your email messages to complete strangers. Making this mistake not only compromises your privacy, but also has the potential to compromise account security beyond the boundary of just email. Stop being “clever” with your email address or you could be leaking confidential information like a sieve.
Gmail Security Is Already Top Notch
It’s not just cybercriminals, hackers or even family members who pose a threat to your email; your biggest enemy could actually be yourself. Your inbox, and especially a Gmail inbox given that Gmail is the most widely used email provider, is a prime target for anyone looking to get hold of everything from account login credentials to confidential personal information. Luckily, Gmail has some of the best security measures to ensure your inbox remains private and would-be snoopers are kept at bay.
Google’s Advanced Protection Program, of interest mostly to high-risk users such as politicians, activists and journalists, provides the most secure option for ensuring only you can access your account. In July, Google made this an even more attractive security option by doing away with the need to purchase expensive hardware keys and instead opening the program up to users with passkeys as well.
Then there’s the use of AI large language models to protect Gmail users from malware and spam, capable of detecting twice as much malware as bog-standard third-party antivirus and security products, according to Google. And talking of spam and malware, Google has also implemented strict authentication requirements for bulk senders of email to Gmail users in an effort to further reduce the risk of malicious messages getting through.
So, what’s the one thing that some Gmail users are doing that can drive a huge hole straight through much of this protection? The answer is trying to be clever with addressing.
Please Don’t Mess Around With Your Gmail Address
Both my inbox and online Gmail support groups are testament to the fact that people like to be clever with their email addressing and can end up making a huge mistake when it comes to privacy and security as a result.
I know all too well from my own personal experience how someone can fall foul of this mistake without having any idea that they have. I used to have a Gmail account of the [email protected] variety, which I used as an alias for certain investigative journalism activities many years ago. Any incoming email addressed to this account was automatically forwarded to another account which I monitor more often. Over time, I forgot about that alias address, and it was even purged from my password manager. I have no way of accessing it now even if I wanted to, and so no way of disabling that forwarding rule. Which is a shame, because someone with the same [email protected] account apparently thought they were being clever and using a version of [email protected] instead.
The issue, as Google makes quite clear in a support document, is that dots don’t matter in Gmail addresses: if your email is [email protected], you own all the dotted versions of that address. So mail sent to [email protected] never reaches whoever is handing out that dotted spelling as if it were their own; it lands in the inbox of the owner of [email protected].
“If anyone tries to create a Gmail account with a dotted version of your username,” Google said, “they’ll get an error saying the username is already taken.” But [email protected] and [email protected] are not the same, and that’s where the confusion sits.
As users on X have pointed out, this is rare; more commonly, people miss letters or numbers in the middle or at the end of a firstnamelastname address, or just enter their name, when filling in online contact forms. The result is the same, though, and care needs to be taken whatever the email platform.
Mitigating The Privacy Problem Of Using Dotted Addresses
Strictly speaking, this is a special case of mail being sent to the wrong address, a typo in effect, so the same advice applies on any email platform; it is not an underlying flaw in Gmail’s security. Better still, don’t do it at all: never hand out a dotted variant of your Gmail address as if it were a separate mailbox, because it isn’t one. If you need a throwaway or per-service address, Apple users can make use of Hide My Email, which generates unique, random email addresses that are forwarded automatically to your personal inbox. My preferred email client, Proton Mail, also has a hide-my-email alias feature that works in the same way.
I approached Google for comment and a spokesperson pointed me toward the Dots don’t matter in Gmail addresses support document mentioned earlier. If you get an email that is obviously meant for someone else, Google suggests notifying the sender, saying that they have the wrong address, and reporting anything that might be suspicious as spam or a phishing message. Obviously, do not click on any links in such emails. I would also suggest sending an email to the recipient who has made the mistake in using a dotted address so they are aware of the problem. This is what I did, but the messages still kept on coming, so I created a filter rule that deleted them on arrival.
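As an added illustration (example code written for this page, not from the article, from Google or from any Gmail client), here is a small Python canonicaliser that encodes the dots-don’t-matter rule described above, together with a check that flags incoming To: addresses which are a variant spelling of your own. That is the decision you would want to make before notifying a sender or writing the kind of delete-on-arrival filter mentioned above. It also folds the +tag suffix and the googlemail.com alias domain, both documented Gmail behaviours that the article does not discuss; the sample header values are constructed.

```python
"""Decide whether two addresses land in the same Gmail inbox, and flag
To: headers that are dotted variants of your own address."""

# Gmail ignores dots in the local part and letter case, treats
# googlemail.com as an alias of gmail.com, and drops anything after '+'.
# The article only covers the dots rule; the other two are documented
# Gmail behaviour added here so the canonical form is complete.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox an address actually routes to.

    Non-Gmail addresses are only lowercased: other providers generally
    treat dots as significant, so no further folding is applied.
    """
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or domain not in GMAIL_DOMAINS:
        return addr
    local = local.split("+", 1)[0]  # drop a +tag suffix
    local = local.replace(".", "")  # dots don't matter
    return f"{local}@gmail.com"


def same_gmail_inbox(a: str, b: str) -> bool:
    """True if both addresses deliver to the same Gmail mailbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def classify_recipient(to_address: str, my_address: str) -> str:
    """Classify a To: header value relative to my own address.

    'exact'   - literally my address
    'variant' - a dotted/tagged spelling that still lands in my inbox
                (the misdirected-mail case from the article)
    'other'   - does not route to me at all
    """
    if to_address.strip().lower() == my_address.strip().lower():
        return "exact"
    if same_gmail_inbox(to_address, my_address):
        return "variant"
    return "other"


# Constructed sample of To: header values, not real mail.
SAMPLE_TO_HEADERS = [
    "firstname@gmail.com",
    "First.Name@gmail.com",
    "first.name@googlemail.com",
    "firstnam@gmail.com",        # missing letter: a different mailbox
    "firstname+shop@gmail.com",
    "first.name@example.com",    # not Gmail: dots are significant there
]


def misdirected(headers, my_address="firstname@gmail.com"):
    """Return header values that reach my inbox under a variant spelling.

    These are the candidates for the notify-the-sender / filter treatment.
    """
    return [h for h in headers if classify_recipient(h, my_address) == "variant"]


if __name__ == "__main__":
    for h in SAMPLE_TO_HEADERS:
        print(f"{h:28} -> {classify_recipient(h, 'firstname@gmail.com')}")
    print("variants:", misdirected(SAMPLE_TO_HEADERS))
```

The same canonicaliser is useful on the receiving side of a web form or sign-up flow: two registrations that differ only by dots in a gmail.com local part are the same person, which matters for abuse and duplicate-account detection as much as for misdirected mail.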
Additional Privacy Tips For Google Account Holders
Google offers a free privacy checkup for your Google account, and will make suggestions that can help you take better control of your privacy when using Google services, including Gmail.
For example, you may wish to enable the auto-delete feature for location history, which deletes the data after three, 18 or 36 months. That assumes you have location history enabled at all; you can disable it entirely across your Google account services. Location history creates a personal timeline map illustrating where you’ve been and the routes you have taken. If this is of no interest, switch it off. Similarly, you can set an auto-delete option for your YouTube history or disable it altogether. This history is used to provide better recommendations as well as a tailored home page.
Gmail Confidential Mode Offers An End-To-End Encryption Halfway House
If you don’t want to switch from Gmail to a fully privacy-focused commercial email service such as Proton Mail, you can opt for an encryption halfway house. Google’s infrastructure means that your messages are already encrypted at rest and in transit between data centres, but that’s not the same as the end-to-end encryption Proton offers when sending email to another Proton Mail account: with Gmail, Google’s servers still hold the readable content of every message. However, there’s a seemingly little-known Gmail option called confidential mode that you can access when composing a new message. It’s available from the toolbar at the bottom of the compose window; just click on the padlock icon.
Its aim is to help protect sensitive information from unauthorized access, and it does this by letting you set an expiration date for the message, revoke access to it at any time, and block forwarding, copying, printing and downloading. Google acknowledges that while this can help prevent accidental sharing of a confidential message, it doesn’t stop a recipient from screenshotting the email, and if the recipient’s computer has malware, the message may be copied or downloaded anyway. In other words, confidential mode is an access-control layer enforced by Google’s servers, not encryption: the content remains readable to Google, and the feature only raises the effort required by a recipient who wants to keep a copy.
To use confidential mode, click the icon, then set an expiration date and choose whether to require a passcode. Google says: “If you choose ‘No SMS passcode,’ recipients using the Gmail app will be able to open it directly. Recipients who don’t use Gmail will get emailed a passcode. If you choose ‘SMS passcode,’ recipients will get a passcode by text message.” Google also reminds users to enter the recipient’s phone number, not their own.
Google Security Check
Google also has a highly recommended account security checkup that offers advice for Gmail use as well as other services. For example, when I took the security checkup the first thing it did was to remind me that I have a Gmail forwarding rule set up for the account in question and prompted me to remove it if no longer required.
The checkup will walk you through several steps to better security, including enhanced safe browsing, recent security activity, account recovery options, sensitive settings and so on. One step I would advise checking carefully is which third-party apps and services you have connected to your Google account. Although these connections usually add usability to whatever product they apply to, they can also have access to sensitive information, and this is especially true of anything granted access to your Gmail account. Make sure to remove any that you no longer use or, worse, that you don’t remember connecting in the first place.