Build & Defend Newsletter 14

One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.

I'm a bit late today as I'm on holilday in Taipei.

Today's topic is: email. What? Yup. But "that sounds boring!" you'll say.

Email is not boring.

In fact, email may be one of the least boring boring things in your entire digital life. It sits there quietly, full of newsletters you don't read, receipts you forgot about, password reset links, calendar invites, flight confirmations, bank alerts, random things from your child's school, and that one person from 2017 who still sends you PDFs with no context, to say nothing of all those Nigerian princes who want to give you millions. (But if it's millions in Naira, definitely don't accept.)

But underneath all that, your email account is probably the master key to your entire life.

If someone controls your email, they can reset your bank password. They can reset your social media passwords. They can get into your cloud storage. They can see what services you use. They can impersonate you. They can lock you out of things. They can do a lot of damage before you've even had coffee.

And if a provider locks you out?

Well, now the problem is different, but the result can be similar.

You don't have your email.

That's bad.

I've talked before about local AI, agents, software, WIFE (Water, Internet, Food, Energy), SELF (Strategy, Education, Leverage, Freedom), and other things that help you become more capable and more resilient.

Your inbox belongs in that same category.

Most people don't think of email as infrastructure. They think of it as an app. Gmail. Outlook. iCloud. Proton. Fastmail. Whichever.

That's understandable, because most people experience email through an app. But email is really identity infrastructure. It is the control panel behind a shocking amount of your life.

So if we were going to build this properly, where would we start?

First, with a domain.

You should have your own domain name. Ideally something simple, boring, and yours. Your name if you can get it. Your family name if you can get it. A business domain if that's what makes sense. It doesn't have to be fancy. In fact, it probably shouldn't be. I use  Internet BS (yes, really) for my domains.

The point is that your email address should not be permanently tied to someone else's consumer product. It's okay to have that too, just not as your main source of everything.

If your main email is [email protected], that works until it doesn't. Google may be excellent technically, but you don't own Gmail. Google does. Same with Outlook, iCloud, Yahoo, or whatever else. You have an account there. You do not have sovereignty there. (For that matter, Google hasn't updated Gmail in what .... fifteen years? The same four tabs is all we get for all time?)

If you own yourname.com, then your email can be [email protected]. If you don't like your email provider, you can move. If a provider gets weird, expensive, annoying, political, incompetent, or simply decides you are somehow a problem, you can point the domain somewhere else.

That's the key.

The domain is the root.

The email provider is replaceable.

This is one of those small architectural decisions that seems unnecessary right up until the moment it becomes very, very necessary.

Second, use aliases.

This is one of those things that sounds nerdy but becomes useful almost immediately.

You can have:

You don't need to go crazy with it, though of course I have gone crazy with it because apparently that's just who I am. I literally sign up for things with "[email protected]". The reflex is the "Oh, you also work for [company]?" And then I educate them on what catchall email addresses are. It's why customer service folks love me!

(Yes, technically you can do this with gmail; you can use the "+" with your existing name. So: [email protected] becomes "[email protected]", It's still their servers and they decide what happens with the service. (Like never refreshing it.))

Aliases give you separation. If one address starts getting spammed, you know where it leaked. (Also, this is a surprisingly interesting thing to watch over time, as sold/leaked addresses often get sold and/or leaked again.) If one address is used for financial accounts, you can treat it differently. If one is for newsletters, you can filter it. If one is for family, you can make sure it gets your attention.

You can also use unique addresses per service if your provider supports it. Apple has Hide My Email. Fastmail has masked email. Proton has SimpleLogin. 1Password has integrations for this too. There are lots of ways to do it.

The point is not the tool.

The point is separation.

Third, back it up.

I know. Email backup sounds like the least exciting Saturday project imaginable. It may actually be the least exciting Saturday project imaginable, and I say that as someone who has spent weekends making machines talk to other machines for fun and profit.

But you should still do it.

Your email contains contracts, receipts, recovery codes, travel records, family stuff, business stuff, tax stuff, random things you will absolutely need at some point and absolutely will not be able to find when you do.

If your provider disappears, locks you out, corrupts something, syncs badly, or an AI assistant accidentally does something exciting to 220,000 emails (not that I would know anything about that), you want a backup.

You can use a desktop mail client. You can export via IMAP. You can use provider tools. You can store copies locally. You can back those up again.

The exact method matters less than the fact that you have one.

Fourth, think about the registrar.

This is the part people miss.

If your domain is the root of your email, then your domain registrar account is the root of the root.

That account needs to be protected like a financial account. Maybe more.

Use a strong unique password. Use MFA. Ideally use a hardware security key. Lock the domain if the registrar offers that. Make sure the recovery email for the registrar is not the same email that depends on the domain.

Read that last part again because it matters.

If [email protected] is hosted through your domain, and your registrar account recovery goes to [email protected], and something goes wrong with the domain, you may have built a beautiful little circular dependency.

Computers love doing exactly what you told them to do. They do not care if what you told them to do creates a loop that ruins your afternoon.

So have an out-of-band recovery path.

That can be a separate secure email account, a spouse's account, a hardware key, printed recovery codes, or some combination of those.

Fifth, document it.

Not publicly, obviously. Don't make a Notion page called "How to steal my entire life" and then share it with the internet. (Use Evernote. (Just kidding, don't do it.))

But somewhere safe, you should know:

This matters for you.

It also matters if you get hit by a car. (From personal experience, I don't recommend it.)

I've worked in technology and security long enough to know that most people's "plan" is vibes and a password their spouse may or may not know.

That's not a plan.

If your family depends on your digital infrastructure, and many families do whether they realise it or not, then you need to leave them a map.

So how do we defend this?

First, multi-factor authentication. Everywhere. Especially email. Especially your registrar. Especially your password manager.

I said this in the first newsletter, and I'll probably keep saying it until I die, and then my ghost will continue to say it from whatever poorly secured smart speaker is nearby.

Turn on MFA.

Authenticator app is better than SMS. Hardware key is better still. Passkeys are good when implemented properly. Use the best thing available for the account.

Second, use a password manager.

You cannot remember strong unique passwords for everything. You just can't. If you think you can, you are either using patterns, reusing things, or lying to yourself in a way that will eventually become inconvenient.

I use 1Password. There are others. Pick one you trust and actually use it.

Third, separate your blast radius.

Don't use the same email address for everything. Don't use the same recovery path for everything. Don't make your entire life depend on one free consumer account and one mobile number.

If your phone gets stolen, can you recover?

If your email gets locked, can you recover?

If your domain registrar account gets compromised, can you recover?

If your password manager needs recovery, can you recover?

If the answer is "uhhhhh", that's okay. That's why we're thinking about it now, before the bad thing happens.

Fourth, beware of forwarding chains.

You set up an old Gmail account to forward to your new domain. Then the new domain forwards to something else. Then a rule moves things into a folder. Then an app has access. Then an old automation still runs. Then you wonder why a password reset email ended up in a mailbox you forgot existed.

Every forwarding rule is infrastructure.

Every forwarding rule is also a possible leak.

Audit them every so often.

Fifth, watch for account recovery weakness.

Attackers often don't need your password if they can get around it. Recovery questions, old phone numbers, weak backup emails, helpdesk processes, SIM swaps, family-member impersonation, and social engineering can all bypass the beautiful security setup you thought you had.

That doesn't mean panic.

It means don't leave the side door open while you reinforce the front gate.

Sixth, know what is actually important.

Not every account deserves the same level of paranoia. The account you used once to order a novelty T-shirt does not need the same treatment as your bank, registrar, primary email, password manager, cloud storage, brokerage, crypto wallet, business accounts, or government login.

Prioritise.

This is the defence part people sometimes miss. Security is not about being perfectly secure. That's impossible. Security is about understanding what matters, reducing the obvious risks, and making yourself a harder target than you were before.

If you do that consistently, you're ahead of almost everyone.

Boring infrastructure is fun. The things people depend on that they don't see or think about. I like boring infrastructure, and probably you should too, but I won't hold it against you if you don't. Boring infrastructure is what lets you do interesting things. A domain name. A password manager. Backups. Email aliases. DNS records. Recovery codes. A hardware security key in a drawer.

None of this is glamorous. None of this will get you invited onto a podcast to discuss "the future of human potential in an AI-driven world" or whatever phrase LinkedIn is currently punishing us with aside from Zero Trust.

But it matters.

If you build a company, your domain matters.

If you build software, your domain matters.

If you build an audience, your domain matters.

If you build wealth, your email matters.

If you build anything that takes time, reputation, money, or trust, then the boring control plane underneath it matters.

So this week, do something small:

Don't do all of it if that feels like too much.

Do one thing.

Then do another one later.

That's how things actually get built. And defended.

1Password

https://www.1password.com

Gmail

https://www.gmail.com

Internet.BS

https://internet.bs

Proton Mail

https://www.proton.me/mail

No one (of the fifteen of you or so that are reading consistently) mentioned whether I should include rental income in passive income. So still at roughly $325 / month.

Thanks for reading this newsletter! Feel free to respond any time.

Thomas

Was this forwarded to you? Subscribe at builddefend.fyi.

Had enough? [Unsubscribe] - no hard feelings.*

* Well, a little bit.