I love the idea of doing this. Just like I do the idea of using Apple's "hide my email" feature. But in reality you're completely locking yourself into that provider. What if I want to change provider or the provider decides to sunset this feature. My logins are now split up so much it'll be a full time job getting them set back to my primary email address. It's a trade-off I guess because you can't solve it any other way from what I know of!
Hi, one of the 1Password engineers who worked on this. Glad to hear that you like the idea!
One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.
Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.
I've had this thought for a product multiple times. I run my own mail server, and for years I've created a random email for every service. Main reason was to figure out who is selling my email addresses.
The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.
Doesn’t that rather defeat the point though? I can set up a wildcard for fastmail and use any account name I want to sign up to services without any intervention from 1password.
Edit: saw someone point out this only works for one user per domain.
I already was doing something similar and have been for what…5 years I think? Anyway, I have an account with Fastmail and my own domain configured with their “catch all addressing” feature, such that anything before the @ doesn’t matter, it ALL goes to me and only me (I’m the sole user of said domain). So I can do things like apple@mydomain, microsoft@mydomain, playstation@mydomain and so on to both keep each address separate from the others and so if there’s a breach or other shady shit going down, I know at a glance who’s responsible and this have some idea of my exposure risk. Ideally though I’d like to be using UUIDs before the @ so specific targeting by guessing something like “I’ll bet his Venmo account is venmo@“ won’t be possible, I just haven’t started doing that yet.
Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.
As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail
In addition, wildcard forwarding isn’t a perfect substitute because email spambots love sending to addresses like webmaster@mydomain.com or john.doe@mydomain.com. The number of permutations they try is varied enough that an explicit allowlist is a must.
Have you encountered issues with signing up with certain services? I know a few run checks to see if the domain is a catch-all (eg. sending to `pwgen`@domain.example and checking for a bounce) and will block signup when that happens.
I really like fastmail as a service and business. It's being subject to Australian data laws that gives me pause. That's significant competitive disadvantage for fastmail when marketing internationally to privacy-conscious users.[1]
Which countries do you recommend using a similar service from? (And what are those services called?) OpSec is hard and sometimes you really do need perfect and not "good enough", but, like PGP, there need to actually be viable alternatives available today that you can make a recommendation for, unless you're just concern trolling. (Five Eyes countries are right out, fwiw.)
At the cost of manual effort or setting up a script (for registrars/mail providers with decent APIs), you can just use normal email aliases at a domain you own. That's what I do, most sites I register at get some sort of "sitetld_account@mydomain.com" alias. That's pretty portable, lots and lots of email providers (including standard "included with registration" ones at registrars like gandi.net) support essentially unlimited aliases (not like even tens of thousands of them represent any significant resource usage, they all ultimately feed to a single email account with said account's limits on storage and sending). I own the domain so I can point it wherever, and I can just copy/paste the entire list of aliases around.
Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!
As a compromise, I use a catchall email adress, so @«my HN handle, without numbers».me comes to my single mailbox. Then I use sieve filtering to sort the emails into folders based on the address they're sent to; if there's no special filing rule, it comes to my inbox. So, when I want to sign up for a new service, I can just pick an email (usually based on the domain name), no setup required (unless I want it to be filled into some particular folder).
The downside is that you (and spammers)
can* send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».
On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).
If you already have a custom email domain (which is a good idea for the usual portability reasons) _and_ you pick an email provider that supports 'catch-all mailboxes', you can make it entirely frictionless.
When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)
If you own the domain, you can just point the MX records to Fastmail/whatever and register to all the different service with, say, service@mydomain.com or you@service.mydomain.com. No need to set up the addresses or aliases, you can just make them up as you go and deliver everything for mydomain to your inbox.
Yeah, you either have to use one of our (Fastmail's) domains, or your own domain in which case it's linked to you by the domain registration. Not much choice there!
For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.
> I think a lot of people have been spoiled by gmail's longevity.
> I personally prefer trusting something with more longevity than fastmail
Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.
Buy a super cheap domain that you park all of these new email addresses at, like 7467j.com. Then, if you ever need to switch providers, take the entire domain with you.
I use Apple's Hide My Email to sign up on websites where I previously would have used a Temp-Mail-Service such as 10MinuteMail. These are websites I want to use anonymously (Hackernews for example). It's more convenient and they give you the option to reactivate disabled aliases later (useful if you need password reset). I don't think they made it to replace your primary email, although you could use it that way.
For "hide my email"-like feature you can use a domain with a catch-all address and either use somehash@yourdomain.tld or just servicename@yourdomain.tld for every login.
Good point, i'll keep that in mind. It seems then, this feature is best for throwaway type accounts, where one could just create another new accoint if they want to migrate.
For people who want to do this and care about retaining ownership, would be probably wise to run their own email servers and using different patterns of catch all addresses.
For cell phones we’ve legislated that you can take your number with you.
Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?
Long time Fastmail and 1Pass user here. While I agree that it would be best to not be locked in to particular providers, these are two of the providers who have a lot of my trust and to whom I’m paid up years in advance (at least in Fastmails case). Very excited to use this feature.
Thanks for the vote of confidence! If you have a custom domain at fastmail you can avoid any lock-in by using it for your masked addresses. Settings -> Domains -> Team Settings -> Masked email domain.
With that it's entirely portable. You can point your mx records at any other provider.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort.
Law enforcement or fastmail admins reading my personal email isn’t something I want, but isn’t so distasteful as for it to really be in my threat model such that I’m willing to go the lengths required to get an email provider that doesn’t have this ability, such as proton mail. I care about security and privacy and recommend fastmail, but I could see someone whose end all be all criterion of interest being privacy not wanting to use fastmail. But, this isn’t 99.999% of the population.
This would be a large personal disaster and a full time personal project if the service provider decides to shut down the service. One would have to crawl through all services they have signed up for to update the email addresses.
Instead get a domain. Configure email as well as a catch all address. Example anything@yourdomain.com would reach name@yourdomain.com which you use as your primary email address.
And say, if I am signing up for Netflix, I would give the email as netflix@yourdomain.com. The email automatically reaches my single primary inbox with the catch-all behavior. And if I find a lot of spam to netflix@yourdomain.com, I know which service is leaking my email address and I can quickly block all emails sent to netflix@yourdomain.com
One mild word of caution on this method. I too have done this forever but recently I have been running into a few businesses that get really upset if their name is in your email address and they will flag it as fraud despite there being no logical reason to do so. It isn't like I am using a domain name matching their name. The most staunch and stubborn of these I ran into recently was The Tractor Supply Company. I've been trying for a month to get a gift card reimbursed that they cancelled the order on because I had their name in the email address. There are a couple gaming companies that do this as well. Just pick a name that is unique and put it in your password database.
Yes, although so far I have not run in to being flagged for fraud, some have been very confused by it. So I have started doing short variations of it to make it less obvious, so The Tracor Supply Company would be something like trasu@s.domain.tld
And instead of having a catchall on my domain.tld I have it on a subdomain, like s.domain.tld , easy way to keep them separate.
I haven't run into many companies that disallow their name in email addresses. AliExpress and Amazon come to mind.
I have, however, run into a number of large companies where I've been talking with employees who see my email for whatever reason, and have received the "Oh, do you work here too?" question.
A custom domain with wildcard for catch all is how I have been creating logins for the past 17 years. It is fascinating to see which addresses suddenly start getting spam down the road.
It is also very easy to nuke an address this way once it is a spam trap.
About 10 years here and hundreds of different addresses given out. I get surprisingly little spam. Most spam I get comes to addresses that were leaked in data breaches, or email to my old gmail address which is forwarded. I'd say maybe 5 of them have ever started getting spammed.
Do you have any issues with spam being sent to whatever_random_user@yourdomain.tld ?
This concern has been my #1 reason for not doing the same setup. Basically a fear of a never-ending list of random addresses to blacklist, which won’t have any meaningful effect because the next spammer will just use a different random value.
1. It’s not frequent that someone hands out your address to a 3rd party and when it does, it’s usually exactly the site you would expect. I’ve had it happen 1 time in the last 3 years across 150 different aliases.
2. It doesn’t work well for apps with weird URLs (lots of subdomains, shared domains etc.). You forget how you the address and now can’t login. Yes, maybe you have a password manager, but password managers fail frequently in my experience (e.g. they record the wrong username etc)
3. You are still traceable since ultimately all your addresses are in the same domain. Sure, advertisers aren’t looking for that pattern, but it’s not like you are truly hidden.
4. Domain hijacking can happen. So now you have to be mindful of your domain since it’s a juicy target; Someone hijacker’s your domain, redirects your banking email for a password reset.
2. Again, not a problem. Everyone should be using a pass manager.
3. If you use the same domain/email for your banks (or any other financial/important service) as you do for social media/gaming/whatever, then that's on you.
It's basic security practice to separate the important things so basic hacks like the one you mention are useless.
4. The purpose of this is basic privacy and security, not to be truly hidden.
Good point. It is a bad idea to set up something as lasting as email addresses with a somewhat proprietary solution by two commercial entities and stray from pure standards. Temporary convenience turning into long term lock-in is a poorly understood issue, especially by people that don't necessarily have a technical background.
I have used aliases to catch spam and have gathered about 200 email aliases this way over the last 12 years or so, and it works well. Rather than using a catch-all, I manually create the alias with a script.
In this day and age, if you don't own the domain, you don't own your email. It is worth the 10 bucks to get your self a domain just so you can have a long term email.
> A canary trap is a method for exposing an information leak by giving different versions of a sensitive document to each of several suspects and seeing which version gets leaked.
If you sign up for league of legends, which email do you use? Riot? RiotGames? Lol? LeagueOfLegends?
Presumably you can always scan backwards to find your email address in your inbox, but maybe not. I guess maybe a password manager can help you remember, if you're diligent about always using it (and never end up locked out of your vault).
I recently started signing up for things with the + trick for gmail, but now I'm worried about having a bunch of email addresses I have no way of keeping track of.
Ideally, one would use me+uber@domain.tld / me+amzn@domain.tld / me+apple@domain.tld but then the identity me@domain.tld isn't masked.
If you prefer email forwarding, then: Cloudflare announced a free email-forwarding service just yesterday [0]. Not sure if they provide unlimited email forwarding rules. Other domain registrars like domains.google and namecheap.com also support email forwarding at no-cost.
If you prefer a managed mailbox, then: Zoho Mail, Fresh Mail, AWS WorkMail et al are nice if you'd also like to send emails using the address you sign up with.
Other than that, if you're technically inclined, then have SES plonk incoming emails in to S3 [1]
Be careful registering domain.tld without whois shield and/or with TLDs that require registrant to publicly reveal ownership (like .in)
I use fastmail for this. It works great although my email address sometimes confuses people. For example, a small company I ordered something online from called me to ask why their business name is in my email address. I have 2 separate domains going to the same inbox, each domain can have any subdomain and email address I want. I can send emails from any of those addresses as well.
Many registrars offer catch-all forwarding (to your free personal email), which would be your best bet if you don't expect to need to send email.
If you can afford $6/mo, Google Workspace isn't bad, there's generally better security and it grants you a lot of control over your account's settings (and will remove ads from the Gmail app on your phone, even when only looking at your @gmail account inbox).
Otherwize, Zoho works, but now costs $12/user/year (it used to be free) so ymmv. Great if you were planning on pure POP/IMAP usage anyways.
I can strongly recommend 33Mail for this. I've used it for years with zero hiccups. $1/month allows you to connect a custom domain. https://33mail.com/
I've done this a bunch in past, but wish it was easier to go back and change existing services.
Also found a couple that reject sign-ups when their name is in the username part.
As a user of both 1Pass and Fastmail for years, this is a really neat addition.
Next I'd love 1Pass to generate random phone numbers to use that I can recall quickly for things like supermarket checkout where I need to enter a number to get their discounts, and I don't want to use my real one. Doesn't even need to be a genuine phone line, just a 10 digit code.
* register a pseudonymous domain and use Fastmail to forward it in to my real email
* use Twilio + a little TwiML to register a real phone number in my area code & have all messages/calls forward to my cell
This let me establish trust domains: when I share my email with an untrusted entity they get companyname@mypseudonym.com & the phone number I registered before. I always have the ability to know where the communications come from & can quickly cut off junk/spam at either source[1]. And if a company is trustworthy I could always move them to my real domain/phone if I so wanted.
[1]: Phone is obviously harder as there's only one number, but legitimate companies seldom if ever call – their junk is from a consistent text source that's easier to block. My burner & my clean numbers get about the same amount of autodialer calls, sadly.
I've also found many, many companies that blacklist several keywords including "spam" (before using unique emails for all services I used spam@mydomain.com for most sign ups).
Kroger, at least, let's you change your "alternate ID" to any 10 digit number that isn't used by someone else. Just log in to the web site and change it.
I do this with fastmail already. I have a domain that accepts email to *@domain.tld —- all the messages reach one inbox. All my online accounts have the form service-name@domain.tld
Makes it easy when I receive spam to see who sold my email address.
There’s also zero overhead to “create” a new one. It works for any address.
I did this with even less setup. accountname+extratext@gmail.com has worked forever and you can do the same with a custom domain. I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.
I actually don't accept *@domain.tld even though I have a custom domain because I got too many fishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.
> unless you keep meticulous records, there's no way to figure out the exact email you used very easily
I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.
Be aware that using the “+” is giving you the illusion of privacy and control. A privacy research has shown, back in 2020, that companies like Oracle’s Bluekai (a massive ‘data broker’) has functions to normalize email with + in them to help with ad targeting and matching.
Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.
> I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.
Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.
I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.
A lot of services already worked out the + trick. Not many know about this feature of gmail yet: You can also put a dot anywhere inside your username. eg.
The trouble with *@domain.tld is that you get that many times as much spam. Unless your spam filter is 100% accurate, that increases the amount of spam that gets through.
I work through this by only accepting wildcards on a subdomain. I have a 'real' email address on the parent domain for actual human correspondence. Services and salespeople get the subdomain.
I am using name@random_site.mydomain because i encountered a few sites that rejected name+random_site@mydomain. reduces the "random name @ domain" spam, but still works good.
I do this too, have for 15 years. It works really well. I run a well configured postfix mail server for inbound and outbound mail. Incoming mail gets delivered to my fastmail acct. I get very little SPAM, a few messages per week, but I have spent a lot of time over the years getting it that way.
I do this too. My only issue I am having right now is I am "locked" to my current registrar because of how it is set up. Do you have a mail server you are using or just having your registrar do it? I am looking for alternate solutions that dont cost much.
Exact same for me. So far the only addresses (in probably around 200) that have been sold/leaked/spammed have been the one on my public site and Facebook, where it was public for a time.
At least for me, the main advantage is that I can instantly block or delete a "masked" email address. With a catch all, you'll still be receiving mails.
I knew fastmail was building JMAP but I didn't think to look at JMAP when I was trying to find fastmail's API that can be used to integrate this in other services. This is really nice compared to the SOAP/XML monstrosity I stumbled upon, heh.
I really wish that fastmail wasn't based in australia..
edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible to anyone who cares to use any autralia based products. I should have made that more clear.
The laws in question have no meaningful impact on Fastmail, and the amount of FUD concerning those laws is unreal.
Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.
You're right, of course, but this simply switches the "reason not to use Fastmail" from "based in Australia" to "not e2e encrypted and can rat out your entire email history".
As much as this is a cool feature, the distoypian anti-privacy laws Australia [0] (where Fastmail is based) prevents me from ever using their service. I know it isn't their fault but it has to be said.
Readit News
One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.
Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.
The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.
myaccount+alias@mydomain.com
automatically?
Edit: saw someone point out this only works for one user per domain.
Deleted Comment
Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.
As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail
[1] https://en.m.wikipedia.org/wiki/Mass_surveillance_in_Austral...
Deleted Comment
Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!
The downside is that you (and spammers)
can* send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).
When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)
For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.
> New Masked Email addresses will be created @fastmail.com. You can change this in Settings → Domains
I agree with you, and I'm looking forward to be trying this out.
I think a lot of people have been spoiled by gmail's longevity. Unless you're using your own domain it's a wash anyways right?
I think this is an acceptable trust. I personally prefer trusting something with more longevity than fastmail (apple hide my email).
> I personally prefer trusting something with more longevity than fastmail
Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.
> I personally prefer trusting something with more longevity than fastmail (apple hide my email).
Fastmail (launched 1999) is older than Gmail (launched 2004).
For people who want to do this and care about retaining ownership, would be probably wise to run their own email servers and using different patterns of catch all addresses.
Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?
Wait till 2038 so you can say "aha! I told you so!"
or have peace of mind during the prime of my life for the next two decades
With that it's entirely portable. You can point your mx records at any other provider.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort.
Disclosure - I run Fastmail, though also only had tangential involvement in this effort.
You can use your own domain.
But only if you use Fastmail for that domain.
I can't recommend using an email system like this to anyone who cares about security or privacy.
Fastmail admins can themselves read your entire email history, as well as any law enforcement fishing expedition in US or AUS.
Instead get a domain. Configure email as well as a catch all address. Example anything@yourdomain.com would reach name@yourdomain.com which you use as your primary email address.
And say, if I am signing up for Netflix, I would give the email as netflix@yourdomain.com. The email automatically reaches my single primary inbox with the catch-all behavior. And if I find a lot of spam to netflix@yourdomain.com, I know which service is leaking my email address and I can quickly block all emails sent to netflix@yourdomain.com
And instead of having a catchall on my domain.tld I have it on a subdomain, like s.domain.tld , easy way to keep them separate.
I've had a few people ask "That's your email?" and just briefly explained that I own the domain and get all email sent to it.
I have, however, run into a number of large companies where I've been talking with employees who see my email for whatever reason, and have received the "Oh, do you work here too?" question.
It is also very easy to nuke an address this way once it is a spam trap.
This concern has been my #1 reason for not doing the same setup. Basically a fear of a never-ending list of random addresses to blacklist, which won’t have any meaningful effect because the next spammer will just use a different random value.
1. It’s not frequent that someone hands out your address to a 3rd party and when it does, it’s usually exactly the site you would expect. I’ve had it happen 1 time in the last 3 years across 150 different aliases.
2. It doesn’t work well for apps with weird URLs (lots of subdomains, shared domains etc.). You forget how you the address and now can’t login. Yes, maybe you have a password manager, but password managers fail frequently in my experience (e.g. they record the wrong username etc)
3. You are still traceable since ultimately all your addresses are in the same domain. Sure, advertisers aren’t looking for that pattern, but it’s not like you are truly hidden.
4. Domain hijacking can happen. So now you have to be mindful of your domain since it’s a juicy target; Someone hijacker’s your domain, redirects your banking email for a password reset.
2. Again, not a problem. Everyone should be using a pass manager.
3. If you use the same domain/email for your banks (or any other financial/important service) as you do for social media/gaming/whatever, then that's on you. It's basic security practice to separate the important things so basic hacks like the one you mention are useless.
4. The purpose of this is basic privacy and security, not to be truly hidden.
I have used aliases to catch spam and have gathered about 200 email aliases this way over the last 12 years or so, and it works well. Rather than using a catch-all, I manually create the alias with a script.
There has to be a name for it; the closest I've come across is a canary trap.
https://en.wikipedia.org/wiki/Canary_trap
> A canary trap is a method for exposing an information leak by giving different versions of a sensitive document to each of several suspects and seeing which version gets leaked.
If you sign up for league of legends, which email do you use? Riot? RiotGames? Lol? LeagueOfLegends?
Presumably you can always scan backwards to find your email address in your inbox, but maybe not. I guess maybe a password manager can help you remember, if you're diligent about always using it (and never end up locked out of your vault).
I recently started signing up for things with the + trick for gmail, but now I'm worried about having a bunch of email addresses I have no way of keeping track of.
I can get a domain pretty easily but I hate the idea of managing my own email. Do you recommend a particular provider? Zoho or something?
If you prefer email forwarding, then: Cloudflare announced a free email-forwarding service just yesterday [0]. Not sure if they provide unlimited email forwarding rules. Other domain registrars like domains.google and namecheap.com also support email forwarding at no-cost.
If you prefer a managed mailbox, then: Zoho Mail, Fresh Mail, AWS WorkMail et al are nice if you'd also like to send emails using the address you sign up with.
Other than that, if you're technically inclined, then have SES plonk incoming emails in to S3 [1]
Be careful registering domain.tld without whois shield and/or with TLDs that require registrant to publicly reveal ownership (like .in)
See also: simplelogin.io and anonaddy.com
[0] https://archive.is/BEKi7
[1] https://archive.is/2iQCN
If you can afford $6/mo, Google Workspace isn't bad, there's generally better security and it grants you a lot of control over your account's settings (and will remove ads from the Gmail app on your phone, even when only looking at your @gmail account inbox).
Otherwize, Zoho works, but now costs $12/user/year (it used to be free) so ymmv. Great if you were planning on pure POP/IMAP usage anyways.
So you can sign up for new companies with random@someservice.mydomain.com and have it still route into our inbox.
https://www.fastmail.help/hc/en-us/articles/360060591053-Plu...
I've done this a bunch in past, but wish it was easier to go back and change existing services.
Also found a couple that reject sign-ups when their name is in the username part.
As a user of both 1Pass and Fastmail for years, this is a really neat addition.
Next I'd love 1Pass to generate random phone numbers to use that I can recall quickly for things like supermarket checkout where I need to enter a number to get their discounts, and I don't want to use my real one. Doesn't even need to be a genuine phone line, just a 10 digit code.
* register a pseudonymous domain and use Fastmail to forward it in to my real email
* use Twilio + a little TwiML to register a real phone number in my area code & have all messages/calls forward to my cell
This let me establish trust domains: when I share my email with an untrusted entity they get companyname@mypseudonym.com & the phone number I registered before. I always have the ability to know where the communications come from & can quickly cut off junk/spam at either source[1]. And if a company is trustworthy I could always move them to my real domain/phone if I so wanted.
[1]: Phone is obviously harder as there's only one number, but legitimate companies seldom if ever call – their junk is from a consistent text source that's easier to block. My burner & my clean numbers get about the same amount of autodialer calls, sadly.
This is how you know not to use that company.
Makes it easy when I receive spam to see who sold my email address.
There’s also zero overhead to “create” a new one. It works for any address.
I actually don't accept *@domain.tld even though I have a custom domain because I got too many fishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.
I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.
Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.
https://twitter.com/WolfieChristl/status/1288428611100454912
Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.
I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.
a.ccountname@gmail.com is the same as
ac.countname@gmail.com
acco.untname@gmail.com
and so on.
For example: jdoe+netflix@example.org would be the address used on a netflix account.
However I do appreciate the additional anonymity a randomized or hashed user part provides
["MaskedEmail/set", { "create" : { "k1" : { "state" : "enabled", "description" : "Hacker News", "url" : "https://news.ycombinator.com" } } }, "R1"]
returns:
["MaskedEmail/set", { "created" : { "k1" : { "id" : "masked-123456", "email" : "flighty.emu5803@mydomain.example", "createdAt" : "2021-09-28T14:19:19Z" } } }, "R1"]
Very simple to work with.
I knew fastmail was building JMAP but I didn't think to look at JMAP when I was trying to find fastmail's API that can be used to integrate this in other services. This is really nice compared to the SOAP/XML monstrosity I stumbled upon, heh.
edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible to anyone who cares to use any autralia based products. I should have made that more clear.
Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.
[0] https://www.iflscience.com/policy/australias-new-police-powe... [1]