IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.
It won't get banned by some services, you have complete control over the domain and account, you can send email from any address you wish, you can sign up for domain-wide haveibeenpwned alerts by verifying domain ownership via TXT records, and you don't have to worry about the service going out of business in 2 years.
After going through my password manager last year and changing as many logins and emails as I could, I've found several services that have sold my email address to third parties and one that was hacked. It's a relief to know I don't have all my proverbial email eggs in one basket.
> IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.
I've been doing this for years and I usually use the domain I'm signing up for as the address. Beware tho some people get really confused by how email works. I was requesting quotes for a home improvement project and I've had employees at these companies think I was either friends with the owner or that I hacked their email.
It gets super awkward when you have to read the email aloud. My optometrist spent five minutes trying to explain that they wanted my email when they tried to transfer a prescription from Warby Parker.
"My email/username for Warby Parker is 'warbyparker.com@...'"
There's no real need to use a name that actually matches the sender. Choose a random word; it's easy to identify later -- from the first mail to your inbox from that address.
You'll still be able to filter on it, or know if anyone sold your address for spam, or be able to abandon the address if you need to.
> it's easier to just buy a domain and route * to your inbox
There is the caveat of the domain getting into the wrong hands, if you look long enough down the road. What if you die, or simply can't afford to renew the domain well into the future? I know if I could look down from heaven after I die and saw someone re-registering my dropped domain, I would be furious!
Then there is the issue of even when you're alive, you could simply refuse to renew for whatever reason and the domain is suddenly someone else's.
MarkMonitor and Epik are the only companies that I know of that can safeguard against this. Epik has so-called 'forever domains' and ensures the domain stays active well into the future.
I gave this some thought and decided it's actually worse with gmail. If google decides they don't like me, they can kill my email and I would lose access to pretty much everything.
But if my custom-domain email provider closes shop, I can at least take my domain with me.
You have a point though, I should just prepay for the next 10 years of my domain, and set myself a reminder to renew in 9 years :-)
It is probably a non-issue but one downside is that if people realize that you are doing this they can just pick a new "user" and reach you even if you have blocked their original address.
It would be interesting to do something like this with signatures. You could generate new addresses "on the fly" by picking a prefix and signing it. Then you can use this email and it can't be modified in a way to generate a new valid email.
For example you could have walmart-oaiua83n@yourdomain.example and they couldn't just change it to goodcompany@example.com.
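The signed-alias idea from the comment above, as an added example that is not part of the original thread. It assumes a keyed MAC (HMAC-SHA256, truncated) in place of a public-key signature, and the key, domain, tag length and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values: placeholders, not taken from the thread.
SECRET_KEY = b"constructed-demo-key-change-me"
DOMAIN = "yourdomain.example"
TAG_LEN = 8  # base32 characters kept from the MAC (8 chars = 40 bits)


def alias_tag(prefix: str, key: bytes) -> str:
    """HMAC-SHA256 over the lowercased prefix, truncated to TAG_LEN base32 chars."""
    mac = hmac.new(key, prefix.lower().encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(prefix: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> str:
    """Build '<prefix>-<tag>@<domain>'; the tag binds the address to the prefix."""
    prefix = prefix.lower()
    ok = prefix and all(c.isascii() and (c.isalnum() or c in "._") for c in prefix)
    if not ok:
        raise ValueError("prefix must be non-empty ASCII letters, digits, '.' or '_'")
    return f"{prefix}-{alias_tag(prefix, key)}@{domain}"


def verify_alias(address: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> bool:
    """Accept only addresses whose tag matches the MAC of their own prefix."""
    local, at, addr_domain = address.lower().rpartition("@")
    if not at or addr_domain != domain:
        return False
    prefix, dash, tag = local.rpartition("-")
    if not dash or not prefix or len(tag) != TAG_LEN or not prefix.isascii():
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(tag.encode(), alias_tag(prefix, key).encode())


def accepted_recipients(recipients):
    """Filter a list of envelope recipients the way a catch-all hook could."""
    return [r for r in recipients if verify_alias(r)]


if __name__ == "__main__":
    issued = make_alias("walmart")
    stolen_tag = issued.split("@")[0].rpartition("-")[2]
    # Constructed inbound recipients: one issued alias, three forgeries.
    inbound = [
        issued,
        f"goodcompany-{stolen_tag}@{DOMAIN}",  # tag copied onto a new prefix
        f"goodcompany@{DOMAIN}",               # no tag at all
        f"walmart-aaaaaaaa@{DOMAIN}",          # guessed tag
    ]
    for rcpt in inbound:
        print("accept" if verify_alias(rcpt) else "reject", rcpt)
```

A 40-bit tag keeps the address short but is only as strong as the mail server's tolerance for repeated guesses, so pair it with rate limiting on rejected recipients.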
I would do something like that but with a simple rule/cipher that can be computed mentally and is not completely obvious at first look. Like a shift cipher of the first two characters of the name:
How on earth is that anonymous? All of your emails are on the same domain, and nobody else is using that domain. As soon as I see an email @jamesboehmersdomain, I know that it belongs to jamesboehmer.
You're right, it's not 100% anonymous. But my name's not in the domain, and I use WhoisGuard with my registrar. It's reasonably effective, cheap, and a low effort way to deflect the bots and identify suspicious activity.
Another issue is that unless one also gets a new IP address for the mail server, it might be possible to associate the real domain with this "anonymous" one.
My experience with email in general has been so exhausting. This year I finally set up a new email address at a custom domain (with * catchall), but what I've found is that I'm afraid to give it to anyone. Right now I'm using it to communicate with like 3 people and it feels so nice.
I may use the * in the future for custom emails for groups of concerns (jobs@domain or applications@domain, hn@domain, banking@domain), but I'm worried it will just add to the heaping mental overhead I already experience when working with email (what was my address I use for this again...?, etc). I can't help the feeling that it's just a matter of time before it starts to look like my original email account where even unsubscribing from things seems like a labor of Sisyphus, but this time with the added noise of it going to an email naming system I've lost control of.
I do the catchall thing too, but Migadu has an API for creating aliases... I think it'd be pretty cool to create a little script to generate random aliases and keep track of them.
Sending email from your own domain is anything but easy. You need SPF, DKIM and DMARC at minimum. Are you going to host your own mail server? No one will accept your emails. Will you use sendgrid or postmark or SES? Enjoy having your emails (especially in the beginning) randomly end up in spam folders or worse completely quarantined (no bounce, nothing in spam folder) for various large institutions using MS Forefront.
Owning your own domain name for email and running your own email server are two completely different discussions. The first is recommended while the second is not.
This sure was the case before, and I'm likely in my own bubble when I say this. I think many spam filters are nowadays very good. SPF+DKIM+DMARC setup makes a huge difference. I have a small server that occasionally sends emails, and I never had a problem with emails ending up in spam.
The IP reputation matters a lot, followed by the content itself. I don't think email recipient servers downright mark all lesser known senders as spam.
Using your own private domain does not give you the same level of anonymity. Your domain name becomes a globally unique identifier that companies (and once leaked, anyone) can use to fingerprint your activity online.
I do something like this too except the aliases are manually created. I went one step further and made an optional learning period for addresses so anything from a previously unseen sender address after x days is dropped. I also added an optional lifespan to the address so it is only valid for Y days.
I have a similar setup, but use it on a subdomain, e.g. *@sub.example.com
This makes it harder to just randomly spam <anything>@example.com because you need the subdomain, which is what spammers do - just randomly generate local parts that might exist. info, john, sales, etc.
I've used a catchall domain for 10 years or so, never got any botspam like that. The only thing I got sometimes was spam to info@domain, and this can be easily ignored.
Do those bots really exist? I would think the TLD I use is just not interesting enough for them, but it's from a big country.
I like the way Fastmail handles this. Your normal email is user@domain.tld, and you can configure the service to also treat emails to <anything>@user.domain.tld as having been sent to you.
I have never seen bots try random addresses on a subdomain.
This is an interesting reminder... I've been using catch-all on @mydomain for at least 15 years, and I went through a phase where I'd get a lot of random strings @mydomain. I set up dummy honeypot@mydomain accounts and added a lot of crap as aliases so they'd get tucked away in a disabled account. (I also do that with any "valid" email addresses that start to get spam.) It was a pain in the butt, but it also stopped quite a while ago. With newer domains, I tend to see stupid common ones like "info", "postmaster", etc. getting spam, but haven't seen the random gibberish ones.
Do people not already get their primary inboxes flooded with spam anyway? I've found my email provider's spam filtering pretty good anyway, it hasn't been an issue.
This is a terrible solution. Updating aliases takes a few seconds, you can even shorten this time by creating a simple script adding the new alias and updating the aliases db.
What's bad about it? Been doing this for more than a year now and I've not encountered any problems. I've had catchall emails for every domain I own for 20 years or so and the worst I get is cold sales emails to info@ and sales@.
If I want to block an incoming address it's a few clicks away, I've just never needed to because spam filtering works pretty well. Perhaps that might change some day and I'll switch to a whitelist approach.
And what happens when FireFox decides to drop this option 1-2 years into the future? I reckon they'll give time to change the email address on all the pages one used it for, but still...
nvm, it's in the FAQ:
"What happens if Mozilla shuts down the Firefox Relay service?
We will give you advance notice that you need to change the email address of any accounts that are using Relay aliases."
Note that one cannot reply using this service (yet). So the whole anonymity is gone as soon as one wants to contact some service without disclosing the real address (?)
While you're here, can you test the relay dashboard (where you can create aliases) on Firefox for Android 84.1.4 ? The scroll is incredibly sluggish, I don't know what scroll effect you added but please have a look. It's a bit unfortunate for a Mozilla service ^^ I can provide you a screen capture if needed.
> And what happens when FireFox decides to drop this option 1-2 years into the future?
The same thing if any other company did it. That said, I do hope they'll offer an option to pay for more email relays which could also ensure its viability. Having 5 relays for free is nice, but I'd personally use a unique address per service.
I'm probably going to use it for "throw-away" email. As in, I just need to receive a link right now so the service think they have my real address, after that the alias might as well be trashed.
The only thing I'm worried about is that this domain will soon be blacklisted by services (especially those I don't want to give my email address to).
For that use case you can just use a temporary email provider like temp-mail.org which are harder to blacklist since they have a lot of random domains.
Same. I have been using Tresorit Send [1] and Visée's (developer of ffsend CLI tool) Firefox Send instance [2] in the meantime. Visée is also looking for donations [3] to support hosting of that instance.
Founder of Owl Mail [https://owlmail.io] here. It's easy for me to promise Owl Mail will not shut down without significant advance notice (hopefully that never happens, but if it does I will provide a clear transition plan for all users).
As a token of confidence, I've moved all ~150 of my online accounts (including all banking, financial, and healthcare accounts) to Owl Mail – it needs to exist for my life to operate smoothly.
Big name websites generally have enough users that email "just works". Smaller websites are more likely to use misguided measures such as a bad email validating regex (hello to anyone with a non-standard TLD!), only allowing gmail, or blacklisting domains like these.
One time email domains and email forward services are usually blocked, there are very long block lists for such domains.
From my personal experience it is best to have a secondary email account on a provider that is usually not blocked (like gmail), to keep your primary email account clean.
> use misguided measures such as a bad email validating regex
Ever heard of Magento? They have that built in, at least in version 1. But it's a fixed list with "valid TLDs", anything not on that is not accepted when registering.
Feels strange, when you can't register on your own shop...
I've always been extremely annoyed by these attempts to "detect fake email addresses/accounts".
People can have more than one email address, so if your goal is "one account/offer/trial membership per real person", email ain't the way to achieve that, period.
Even worse are sites that disallow registering via "freemail providers" and require you to "use your ISPs or employer's". (Haven't seen this one in a while, but it definitely used to be a thing.)
The goal isn't to have one account/offer/trial per person, the goal is to ward off bots and spammers who are going to misuse your service. Since they know they are doing that and they know they could be held liable for what they do, they use sketchy disposable email addresses.
My sites and apps have a blacklist and we don't allow email accounts from those. It's just me running this thing. If I had the security and engineering workforce of even a mid-sized tech company, I wouldn't have to do this. Alas.
I encourage you to instead try out https://forwardemail.net. I'm launching our browser extension and our SMTP service very soon. It's completely open-source and free. No logging either. We're the only service that doesn't write emails let alone logs to disk nor store any metadata.
You can use unlimited custom domains and create disposable aliases on the fly as well!
Should always use two or more of such services in a cascade to generate a mix network for true anonymity. Wait: The E-Mail forwarder would actually need to remove the To: fields to support this...
Hi niftylettuce – I'm working on something similar – Owl Mail [https://owlmail.io].
I've discovered some cool new products in this thread and Forward Email looks great. I'm glad there are other people out there working on solving this problem!
I generate long, completely random aliases also for another reason: to help with phishing detection.
I store aliases in DB along with a short description of to whom they were issued, and some extra flags. My mail client then highlights emails sent to these aliases in green color and shows their description instead of the alias itself in the "From" column of the message list.
I always give random aliases to online services, eshops, shipping companies, etc. These private aliases will never receive SPAM, or phishing, unless leaked by the company.
Anything that looks like a transactional email from some service, and is not sent to private alias, just gets deleted right away. It's not even worth opening, no matter how good it looks.
And I can keep my phishing guard up on much lower volume of green emails. It also makes whitelisting transactional email easier, without allowing random SPAM to the Inbox, because filtering based on the "shared secret" per company delivery address will allow in all important email from the company, regardless of how or from what address it was sent.
Services like this usually get banned by a lot of websites for various reasons. One solution could be to rotate domains from time to time, but I doubt they're gonna do this.
To be fair to Firefox, the only reason there is such a high rate of churn with their services is that they are trying to preserve their mission in the face of competition with Big Tech giants like Google. The more you support Firefox, the more likely it will be that this service will stick.
"My email/username for Warby Parker is 'warbyparker.com@...'"
"No, they need your email, not theirs."
"..."
I had a customer support on the phone insisting I was not giving them a valid email. “It should have something like @gmail.com or @yahoo.com”.
wolmart.yq@example.com
w+2 = y and o+2 = q
They're all tucked away in your password manager anyway, so there isn't any effort or tracking needed.
I've had this system for about two years now and have yet to receive any junk mail with the new domain.
Sending email is complicated.
(Source, I run https://owlmail.io and this is a common question.)
https://github.com/mozilla/fx-private-relay/pull/770
[1] https://send.tresorit.com
[2] https://send.visee.com
[3] https://gitlab.com/timvisee/ffsend/-/issues/100#note_3763163...
Does your system track which online service gets which email, or do you track that yourself in a password manager?
Services usually just verify you control the new email address.
The only correct way to validate email addresses is to just send a message there and see if the user can click the confirmation link.
Chances are that would be the next step in any signup flow anyway, so why introduce this artificial middle step of "validating the email address"?
I use owlmail.io for hundreds of accounts (major sites included) and haven't had an issue.
(I'm the creator, lmk any questions!)
So how do you prevent abuse?
What a letdown to see this service so quickly retired.