Fastmail: The Privacy-Focused Email Alternative
Fastmail is a premier choice for users who want to move away from the "data-mining" models of Google and Microsoft. Because Fastmail is a paid service, its business model is aligned with your privacy. However, email remains the "Primary Key" for most of your other digital accounts: if an attacker gains access to your Fastmail account, they can reset the passwords for your banks, your social media, and your cloud storage.
1. Hardening Your Account
Mandatory Hardware MFA
Fastmail has excellent support for FIDO2 Security Keys (YubiKey). Given the criticality of your email, you should never rely on SMS for 2FA. Action: Go to Settings > Privacy & Security > Two-step verification. Add at least two hardware security keys. Once configured, you can also use "Authenticator Apps" as a secondary backup.
App Passwords: Least Privilege for Email
If you use a third-party email client (like Apple Mail, Outlook, or Thunderbird), you should never use your "Master Password" to log in. The Policy: Use App Passwords. These are unique, randomly generated passwords for a specific device or app. If your laptop is stolen, you can revoke the App Password for that device without needing to change your master password or affecting your other devices.
Action: Generate App Passwords under Settings > Privacy & Security > App Passwords.
Masked Emails (The "Disposable" Identity)
Fastmail integrates with 1Password to offer "Masked Emails." These are unique email addresses for every service you sign up for. Why it matters: If a service you use is breached and your email is leaked, the attacker only has a "Masked Email" that is useless for attacking your primary Fastmail account. Because each alias belongs to exactly one service, it also makes it trivial to identify which service leaked the address and to block spam sent to it.
2. Failsafe Recovery Preparation
The Recovery Code
Like other high-security services, Fastmail provides a Recovery Code when you enable 2FA. The Strategy: This code is your only way back into your email if you lose your phone and your security keys. Print this code and store it in your physical safe.
Secondary Recovery Email & Phone
Ensure your recovery contact information is up to date and itself secured. Expert Tip: For a privacy-focused account like Fastmail, consider using a recovery email that is also privacy-focused (like Proton) rather than a standard Gmail account, to avoid creating a "data link" between your anonymous and public identities.
3. The "Logged In" Session Audit
Fastmail allows you to see every active session, including the IP address and the specific app being used. Action: Once a month, review "Logged in sessions." If you see an IP address from a country you haven't visited, or an old device you no longer own, revoke that session immediately.
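To make the monthly review less error-prone, the three checks described above (unexpected country, unrecognised device, long-idle session) can be applied mechanically to the session list. The following is an added example, not Fastmail's own tooling or code from this article. Fastmail's export format is not documented here, so it parses a constructed pipe-delimited record format (`app | ip | country | last-active`) with constructed sample data; the expected-country set, known-app set, 30-day staleness window and fixed clock are assumptions you would replace with your own baseline.

```python
"""Session audit helper for a monthly 'Logged in sessions' review (added example).

The input format below is CONSTRUCTED for this example, not Fastmail's:
one session per line as  app | ip | country | last-active (ISO 8601, UTC).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    app: str
    ip: str
    country: str
    last_active: datetime


# Constructed sample log; IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Fastmail Web (Firefox, macOS) | 198.51.100.23 | US | 2024-06-01T09:15:00Z
Apple Mail (iPhone) | 203.0.113.45 | US | 2024-05-31T22:40:00Z
Thunderbird (Linux) | 192.0.2.77 | US | 2024-03-02T08:00:00Z
Fastmail Web (Chrome, Windows) | 203.0.113.200 | DE | 2024-06-01T03:12:00Z
"""

# Review baseline (assumed values): where you actually log in from and which
# clients you still own. Anything outside this baseline is worth a second look.
EXPECTED_COUNTRIES = {"US"}
KNOWN_APPS = {"Fastmail Web (Firefox, macOS)", "Apple Mail (iPhone)", "Thunderbird (Linux)"}
STALE_AFTER = timedelta(days=30)
# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_session_line(line: str) -> Session:
    """Parse one constructed 'app | ip | country | last-active' record."""
    app, ip, country, last_active = (field.strip() for field in line.split("|"))
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it first.
    ts = datetime.fromisoformat(last_active.replace("Z", "+00:00"))
    return Session(app, ip, country, ts)


def audit_sessions(log: str, expected_countries, known_apps, now, stale_after=STALE_AFTER):
    """Return one finding per session that fails any of the three review checks.

    Each finding lists every reason that applies, so a session from an unknown
    country on an unknown client is reported once with both reasons attached.
    """
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        s = parse_session_line(line)
        reasons = []
        if s.country not in expected_countries:
            reasons.append(f"unexpected country {s.country}")
        if s.app not in known_apps:
            reasons.append(f"unrecognised app/device '{s.app}'")
        idle = now - s.last_active
        if idle > stale_after:
            reasons.append(f"inactive for {idle.days} days")
        if reasons:
            findings.append({"app": s.app, "ip": s.ip, "country": s.country, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_LOG, EXPECTED_COUNTRIES, KNOWN_APPS, NOW):
        print(f"REVOKE? {f['app']} from {f['ip']} ({f['country']}): " + "; ".join(f["reasons"]))
```

On the sample data the script flags the Thunderbird session (idle for roughly three months, so probably a machine you no longer use) and the Windows/Chrome session from an unexpected country on a client you never registered. Sessions that pass all three checks are not listed, which keeps the monthly review focused on what actually needs a revoke decision.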
For more information on the underlying principles, see our articles on MFA Fundamentals and Password Security.
Why This Matters
The Importance of MFA
Multi-Factor Authentication (MFA) is your strongest defense against account takeover. Even if an attacker obtains your password, whether by stealing a device or by phishing or a breach, MFA provides a critical second layer of defense that is much harder to bypass. Learn more about MFA best practices.
Unique, Strong Passwords
Never reuse passwords across different services. If one service is breached, every other account using that same password becomes vulnerable to "credential stuffing" attacks. Every online service should have its own unique, long, and complex password managed by a reputable password manager. Learn why unique passwords are critical.