Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What Recovery Email Address Should I Use?

They can be critical, and critical to get right

What Recovery Email Address Should I Use?

Your recovery email address is easy to overlook and forget, but it can be critical to regaining access to a compromised account. Here's what you need to do.
Question: What email should I use as a “recovery email” for my own account? A friend’s? Or should I use my own email?

With few exceptions, your recovery email address should be an email address you control.

Let’s look at not only those exceptions, but some additional characteristics of a recovery email address you’ll want to be aware of to keep all your accounts safe and secure.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

A recovery email address is used to regain access to an account you’re unable to sign in to. Generally it should be an account under your control, and on a different email service. What’s most important, though, is that you periodically make sure it’s working rather than finding out it’s not when you need it most.

Recovery email address

Your recovery email address, sometimes called an “alternate” address, is an additional email address you list in your account settings, often in security settings. It is used when you are unable to sign in normally to “recover” access by setting a new password.

Let’s say your primary email account is me@somerandomservice.com. As part of its configuration, you specify a different email address — say, me@randomisp.com — as your recovery email address.

One day, you can’t log in to your primary somerandomservice.com account. Perhaps you forgot your password, or perhaps your account was compromised. You click on the “I forgot my password” link, and somerandomservice.com sends an email to your alternate email address: me@randomisp.com. You prove you got it by clicking a link in that email or by entering a code from that email.

This proves you’re the person who configured it as the recovery email in the first place: the account owner. With that proof, somerandomservice.com lets you set a new password, and you recover access to the account.

The recovery email address (like the similarly used recovery telephone number) is important. If you lose access to it, and you’re unable to log in to the primary account for which it was configured as the recovery address, you may lose access to that primary account forever.

Should it be yours or a friend’s?

I generally recommend recovery email addresses be your own. That way, you’re in control of exactly how they’re used and when.

Besides, it’s not uncommon for someone who is a trusted friend today to be less so in the future. For example, I’ve seen many accounts compromised when relationships (including marriages) end, and one partner decides to extract some sort of revenge via their access to the other’s email.

That being said, there are scenarios where it makes sense for an alternate email address to be someone else’s. This might be required in a corporate setting, or perhaps a very trusted acquaintance who helps you with your technology. If you do elect to use a friend’s email account for your recovery address, be sure to remember to change it should your relationship change.

In my case, I have my own alternate email addresses set up as addresses I control. My wife’s accounts, on the other hand, generally have one of my emails as the recovery email.1

Choosing a recovery email address

A recovery email address should be on a different email service. For example, I wouldn’t recommend setting up a Gmail address as your recovery address for your primary Gmail account. In theory that should work, but there are scenarios where both could fail at the same time. It’s better to have the recovery address be on a different service — perhaps Outlook.com, Yahoo.com, or something else.

You might never need to use your recovery address, but it’s important you keep it active. Sign in to it every so often so it isn’t closed for lack of use. If that happens, and you suddenly need it, you’re probably severely out of luck.

Some folks use a “throw away” account as their recovery email address — one they use to sign up for things they suspect might get them more spam or otherwise invade their inboxes. That’s fine, as long as you never actually throw it away.

Cross-linked recovery

Your recovery email address is, of course, an account all to itself. It, too, will probably include the ability to specify an alternate email address in case you ever need to regain access to it.

It’s perfectly valid to cross-link them: set A to be the recovery address for B, and B to be the recovery address for A.

Except…

If you’re in the process of recovering account A, and suddenly realize you’ve also forgotten the password to B because you haven’t used it in ages, you’re once again out of luck. You’re unable to use either account to prove you’re the rightful owner of the other.

This might lead you to think you need to create a third account to be the recovery account for B. That’s one solution, I suppose.

In reality, it underscores the need to periodically make sure your access to B is working, before you actually need it.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: Apparently, after 40 years of marriage, I’ve proven trustworthy. So far.

10 comments on “What Recovery Email Address Should I Use?”

  1. It’s also a good idea to have at least one recovery email account which doesn’t require a second factor to log in when you travel. I’ve found https://gmx.com to work well for that. They also offer several top-level domains such as .de, .co.uk, .at, .ch, .es, .net and more (most European top level domains). gmx.net is the same website as gmx.de so I wouldn’t recommend it if you don’t speak German.

    Reply
  2. I’d use an email for recovery that can be configured w/POP or IMAP: even if you don’t normally use a desktop email client (which I’d recommend, if only for backup), configuring it to regularly check your recovery email will save you having to remember to log into it, just to keep it active.

    Reply
  3. I signed up for the Whatsapp Recover program. I also paid my fees for 1 month. However till now I cant use the Whats Recover to see the deleted messages,

    Please help. if not just return me my fees paid.

    Reply
  4. I have a Yahoo Mail email address to serve as a recovery account shortcut on display beneath my Google Search bar to send the Verification Code to establish my ownership of my primary Gmail email address. What could be the URL of the Yahoo Mail recovery account?

    Reply
  5. Something else to watch for , maybe, is that something like Yahoo is the company which provides email service for AT&T, then a user using AT&T email address as recovery email for his Yahoo address might not be the best choice; and that user choosing Yahoo email as recovery address for AT&T email address might not be the best choice either.

    Reply
  6. Something else that could also work, is if two different email accounts on something like somefavoriteservice.com, if user chooses each as the recovery address for the other; then he could deal with each but in two separate browsers.

    Reply
  7. I am wanting to set up an Inactive Account Plan for my gmail account (for when I kick the bucket) and need a recovery email address (not gmail).

    I tried to login to my outlook.com account and discovered it is/has gone dormant after 270/365 days of no login.

    What do you suggest for a recovery account that may need to survive a year or two of inactivity?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.