The fact images are loaded by its self now means the person sending the email has the capability to see your external IP address. Now they have the potential to run a script to try and take over your router/modem and turn it into a zombie botnet.
Probably not necessarily something that would happen here in this case, but it reinforces what I already said above about NOT parsing HTML and loading external like images by default. Those two options need to be turned off. And as I said, emails will start to look like fud, but it's a way better way to roll from a security/privacy standpoint. If, and ONLY if you can't see the email and you trust the email sender, and can verify with 100% certainty the email sender is legit, you can
temporally turn on the parsing of HTML and loading of external content like images. But after you view that one and only email you need to go back in and turn those two options back off BEFORE you load another email again.
I know this stuff very well. I could probably find your email right now with a little OSINT (Open Source Investigation) because you chose to use your first and last name as a username here on this forum.
In terms of 2FA (two factor Auth) and passwords. Go to the haveibeenpwned.com website and subscribe each email you own with their service. Now if your email ends up in a leaked database you'll get an alert. This WILL happen all the damn time. Databases are leaked and hacked like free Halloween candy. If you do as I said and control what services use such and such email address, if that email address appears to be on a leaked database, you can cross check it to all websites that you used it with that particular email, go to that website/s and change your password. Bear in mind if the password you used is pretty damn long and complex and IF the website is using at least Bcrypt or Argon hashing, it'll be next to impossible to know what your password is from the leaked database. Never the less, you may not be purvey to that information so change the password anyway. And Never use the same password twice.
With 2FA, I highly recommend Authy. It is available for Android, iOS and Windows. Install it on ALL devices. Don't ever forget your backups password for Authy. Use 2FA for all websites that offer it. You'll either scan their QR code with your phone or tablet, or if available, copy/paste the long sting of numbers to the Authy client on the computer. That'll add your 2FA account and will sync across all devices with Authy installed. Stay far, FAR away from SMS 2FA. That's rife with hack crap due to something called sim card swapping. If they don't offer real 2FA and just email or SMS, then use email. If they only offer SMS, then you have no choice. Certainly better than nothing I suppose. But not full proof at all. Not in the slightest. You realy don't want email or SMS 2FA at all. Yet JP Morgan Chase is using that. Pathetic. Would you believe their own damn TLS Cert. for their website is worse then mine for my website? LOL! Is good, but one grade lower. Mine's an A+, there's an A and yet they have the money to buy a decent Cert. and offer real 2FA Unreal.
The most common password length people use today is a lousy 9 characters. Don't do that. And don't use freaking "love" in the password either. I don't know why people do that. Use a good, reputable password manager. If you're not tech savvy, Dashlane looks promising, but it's only free for one device and limited to 50 entries. LastPass has been hacked so many times it's not even funny. Look them up on Wikipedia. 1password is cheaper, but they are partners with Venture Capital. I'm just not that fond of paying for something I can use free and not from a major company. In my case I use the free Keepass password manager. But you have to backup its database yourself. And do so every time you add crap, and back it up all over hell least you lose it. For Android there's Keepass2Android which will work with Keepass database's. There's one for iOS, but I don't remember its name off hand. I like this method because I alone control where my database sits and how I use it. I encrypt it again with a cascade of ciphers and it's backed up to many locations; hard drives, computers, a thumb drive, and three cloud providers.
If you use Keepass, do EXACTLY what I'm about to say here. I know how, and have cracked a Keepass database that was meant to be cracked offered from an ethical hacking website. Nothing was found in the database of course.
Use Argon2 hashing. Use ChaCha20 for the password. Up the number of iterations to at least 100. Memory to 10 MB, and Parallelism to 1. All this is found under File | Database Settings. Again, Keepass is more for computer guys like me.
Now of course since you'll have all passwords, backup 2FA codes and God knows what else in your password manager, you'll of course want to use a good quality password for this password manager. Preferably one that is NEVER written down somewhere and only easily memorized. So how do you accomplish that? Very easily. It should be at least 15 characters long with numbers and symbols. Many say just length matters, but as a hobbyist/dork/computer nerd/password cracker for fun, I can tell you length * character type makes all the difference in entropy. So an easy way to do this is to just think of a sentence that only you'll remember. It can be very odd or what ever. It's not completely ideal to use real dictionary words, I'd at least opt for some three letter acronyms as well as part of the password. Maybe think of your own acronym.
So a good password may look like this:
the Zebra is a fat red house 453 * & Now combine it all or leave the spaces. Your choice. Notice how I capitalize the Z? You'll want at least one capital letter. Refrain from capitalizing the first letter. Password masks used in password cracking focus on that. And that goes without saying not to cap the last letter either. HAHAHA. Using an acronym as part of the password to thwart a dictionary word password mask may look like this:
the Zebra is a fat red house TSA 453 * &. See the acronym TSA that's been added? Now I'm sure there are massive lists of acronyms for password breaking, but it would help to thwart against a known dictionary word brute force. By and large, and as of right now, no one can crack a password like that at home or using an AWS server instance and crap. Maybe the NSA. Speaking of, have a gander at my post
here about that. It's straight up hypothetical, but I find it interesting none the less. Read my opinion on Edward Snowden
here, too. LOL It might enlighten you to a different viewpoint beyond the media and the populace's group think brain on what they want you to believe.
Anyway... You asked if someone can help. I fulfilled my free duty.