Skip to main content
Your UGMail account controls access to outbound mail infrastructure, API tokens, and domain credentials — making it a high-value target. Two-factor authentication (2FA) ensures that even if your password is leaked or guessed, an attacker still cannot sign in without the one-time code generated by your authenticator app. Enabling 2FA is the single most impactful step you can take to protect your account.

Why 2FA Matters for Email Infrastructure

Email infrastructure accounts are particularly sensitive. An attacker who gains access can send mail as your domain, exfiltrate contact lists, revoke your own access, or abuse your sending reputation until your domain is blocklisted. A time-based one-time password (TOTP) second factor expires every 30 seconds, so stolen static credentials are not enough to get in.

Enable Two-Factor Authentication

1

Sign in to your account

Go to https://my.ugmail.co and sign in with your email address and password.
2

Open Security Settings

Click your account avatar in the top-right corner, then navigate to Settings → Security.
3

Start the 2FA setup

Click Enable Two-Factor Authentication. UGMail will generate a unique QR code and setup key for your account.
4

Scan the QR code

Open your authenticator app — Google Authenticator, Authy, 1Password, or any TOTP-compatible app — and scan the QR code displayed on screen. If you cannot scan the code, tap Enter key manually in your app and type the setup key shown below the QR code.
5

Confirm with a one-time code

Enter the current 6-digit code from your authenticator app into the confirmation field and click Verify. This confirms that your app is correctly synced before 2FA is activated.
6

Save your backup codes

UGMail will display a set of single-use backup codes. Copy them and store them somewhere secure — a password manager, an encrypted note, or printed and kept offline. You will need one of these codes if you ever lose access to your authenticator app.
Backup codes are shown only once. If you lose both your authenticator app and your backup codes, you will be locked out of your account and will need to contact UGMail support to recover access. Store backup codes in at least two secure, separate locations.

App Passwords

What Are App Passwords?

App passwords are separate credentials you create for a specific client or integration — an SMTP relay script, a mail client, a CI/CD pipeline, or a third-party service. Each app password is independent: it grants access only to the service or protocol you configure it for, and you can revoke it at any time without touching your main account password or any other integration.

Why Use App Passwords?

When you connect an external tool to UGMail’s mail server (mail.ugmail.co) using SMTP, IMAP, or POP3, that tool needs a password. Giving it your main account password creates unnecessary risk:
  • If the tool is compromised, your entire account is exposed.
  • Rotating your main password to cut off the compromised tool also breaks every other integration using that password.
With app passwords, each integration has its own credential. Revoking one has no effect on the others.

Create an App Password

  1. Go to Settings → Security → App Passwords in your account at my.ugmail.co.
  2. Click Create New, give the app password a descriptive label (for example, transactional-mailer-prod or thunderbird-desktop), and click Generate.
  3. Copy the generated password immediately — it is shown only once.
  4. In your mail client or integration, enter your UGMail email address as the username and the app password (not your main account password) as the password when configuring the SMTP, IMAP, or POP3 connection.
To revoke an app password, return to Settings → Security → App Passwords, find the entry by its label, and click Revoke.
Use a unique app password for every programmatic SMTP or IMAP connection. Descriptive labels like order-confirmations-service or legacy-crm-integration make it easy to identify and revoke specific credentials without auditing your entire infrastructure.
Last modified on July 17, 2026