How to Use InboxWatch
InboxWatch scans your email account for security threats that traditional antivirus and spam filters miss. This guide covers everything you need to know to protect your email.
Getting Started
Setting up InboxWatch takes about 30 seconds.
Sign in with your email provider
Click Start Free Scan on the homepage and sign in with your Google or Microsoft account. InboxWatch uses your provider's secure sign-in — we never see or store your password.
Grant read-only permissions
You'll see a permissions screen from Google or Microsoft. InboxWatch requests read-only access to your email settings and metadata (sender, subject, date). We never read the content of your emails.
Your first scan runs automatically
Once connected, InboxWatch immediately scans your mailbox settings for threats. Your security score and any findings will appear on your dashboard within 1-2 minutes.
Your Dashboard
Your dashboard is the central hub for your email security. At the top you'll see:
- Security Score — A number from 0-100 reflecting your overall email security posture
- Grade — A letter grade (A+ to F) based on your score
- Active Findings — Security issues that need your attention
- Last Scan — When InboxWatch last checked your account
Running Scans
InboxWatch scans your account in two ways:
Automated scans (every 30 minutes)
InboxWatch automatically scans your mailbox every 30 minutes. You don't need to do anything — threats are detected and you're alerted automatically.
Manual scans (on-demand)
Click the Scan button in the bottom navigation (mobile) or dashboard header (desktop) to run a scan immediately. Use this after making changes to your email settings to verify they're secure.
Understanding Findings
When InboxWatch detects a potential security issue, it creates a finding. Each finding includes:
- Title — What was found (e.g., "External Email Forwarding Active")
- Severity — How urgent the issue is (Critical, High, Medium, Low)
- What we found — A plain-language explanation of the issue
- Why it matters — The potential impact if left unaddressed
- How to fix — Step-by-step remediation instructions
Click any finding card to expand the full details and fix steps.
Fixing Issues
Every finding comes with clear instructions on how to resolve it. Here's the typical workflow:
Review the finding
Click the finding to see the full details, including what was detected and which specific item (email address, rule, app) is affected.
Follow the fix steps
Each finding has numbered steps that walk you through the fix. These typically involve going to your email provider's settings and removing or changing the flagged item.
Run a new scan
After making changes, run a manual scan to confirm the issue is resolved. The finding will disappear from your dashboard.
Mark as dismissed (if intentional)
If the finding is something you did on purpose (e.g., forwarding to a personal backup), click Dismiss to tell InboxWatch it's expected. It won't alert you again.
Severity Levels
Your account may be actively compromised. Take action immediately — these issues can lead to data theft, fraud, or account lockout.
Significant security risk. Address within 24 hours — these create openings that attackers commonly exploit.
Moderate risk. Review when convenient — these may indicate misconfiguration or weak security practices.
Minor concern. Good to know about but not urgent — often informational or best-practice suggestions.
Dashboard Sections
Your dashboard has several sections, each focused on a different aspect of your email security:
Daily Brief
A short daily summary of what changed and what needs your attention
Security Findings
All detected issues with fix instructions
Scan History
Timeline of all scans and score changes
Email Threats
Suspicious inbound emails detected
Investigate Email
Paste a suspicious email's headers for an instant threat analysis
Breach Monitor
Check if your email appeared in data breaches
Email Exposure Map
See who sends you email and their trust level
Attack Paths
Correlated multi-step attack patterns
Account Security
Sign-in activity and suspicious logins
Sign-in Activity
Detailed sign-in locations and risk events (Microsoft accounts only)
Forwarding Rules
All active email forwarding and redirects
Domain Shield
DMARC, SPF, and DKIM monitoring for your domain
Brand Protection
Watch for lookalike domains and X accounts impersonating your brand
Smart Filtering
AI-powered analysis of your security patterns
Phishing Tests
Simulate phishing attacks to test your team
Trusted Senders
Manage your whitelist and known-safe senders
Email Alerts
InboxWatch sends email alerts to keep you informed without needing to check the dashboard:
- Critical alerts — Sent immediately when critical or high-severity issues are detected
- Morning digest — Daily summary of your security status and any new findings
- Weekly executive summary — High-level overview of your security posture for the week
- Breach alerts — Notification when your email appears in a new data breach
You can customize which alerts you receive in Settings → Notifications.
Teams
If you have a work email on a custom domain, you can invite team members to monitor your entire organization:
- Team Overview — See security scores across all team members (admin only)
- Invite members — Send email invitations to colleagues in your organization
- Org-wide insights — View aggregate threat data and team-level recommendations
Settings
Customize InboxWatch to fit your needs:
- Notifications — Choose which email alerts to receive and how often
- Connected Accounts — View and manage linked email accounts
- Billing — Manage your subscription and payment method
- Alert Severity — Set the minimum severity level for real-time alerts
Access settings from the gear icon in the sidebar or here.
Privacy & Security
We never read your emails
InboxWatch only accesses email metadata (sender, subject line, timestamps) and settings (forwarding rules, filters, connected apps). We never request or have access to email body content.
Encryption at rest
All OAuth tokens are encrypted with AES-256 before storage. Your scan results are stored in encrypted databases. We follow industry-standard security practices.
You can disconnect anytime
Remove InboxWatch's access from your Google or Microsoft account settings at any time. We'll stop scanning immediately and you can request data deletion.
Read-only access only
InboxWatch requests the minimum permissions needed. We can read settings but cannot modify your email, send messages, or change your password.