I would prefer PBKDF2. Nothing beats it currently.
Using SHA with Salt too is not considered to be secure.
Using HMAC is also not secure enough. I prefer to link to an article which you can read and decide.
http://adambard.com/blog/3-wrong-ways-to-store-a-password/
I always go by PBKDF2 (Password Based Key Derivation Function version 2). It gives amble security and currently do not have any know weakness. Also, bruteforcing is way too costly and time consuming and thus offers good protection.
If you prefer some kind of obscurity, hash the email ids as well. Matching them against the hashes *will* be as simple as a normal email 'select' query from the db, but offers privacy. In case if the database gets leaked, the attacker has no way of knowing what the email id is! I have done that and it is a peace of mind since the email ids are also not exposed. Of course, there is a load on the server for multiple PBKDF2 operations, but my user information is protected in terms of email + password!
I prefer to do that for the login information which could be potentially used to identify the user and cause a risk to his privacy. The only caveat is that, email id will not be available for any other operations because you don't have it. I use a unique GUID kind of id (unique user id) / string associated with the logic to perform all other mapping operations instead of using the email (if email was used for any operations).
Hope it helps. Thanks.