1. 12

  2. 16

    One caveat I’ve run into while doing this is that while sites always have a “forgot your password” flow, they rarely have a way to handle “forgot your email address”. Make sure to keep track of the email used on each site in your password manager!

    1. 2

      You can always try all of your aliases (assuming you know them), but if they were extra vicious, they could collect them for spamming. I guess it could also get you banned on some services.

      1. 0

        Can’t speak for other email alias solutions, but for ours (SimpleLogin), we avoid forgetting which aliases are used where by either:

        • “prefixing” the alias with the name of the website; for example, I would use groupon....@... as the alias on Groupon.
        • or using the SimpleLogin Chrome/Firefox extension: the information (alias, website) is saved, so the extension would suggest the same alias to you the next time you visit this website.
      2. 13

        Aliasing is really tedious; better to just use tagging (Gmail and Fastmail, amongst others, support this):

        bob+medium@example.com

        Some sites struggle with ’+’s, so Fastmail supports an alternative form transparently:

        medium@bob.example.com

        I’ve never looked back, and it lets you trivially identify (and filter) spam sources. Also, you can use tagging for your normal mail steering rules (e.g. bob+mailinglistname@).

        1. 2

          Except you can’t reply from a + address from gmail. I’ve been unable to talk to support for some services because I wasn’t replying from the email address on file.

          Besides, spammers know how to strip it away by now. With a full address, they have to guess.

          Fastmail’s method is a great compromise.

          1. 2

            For the issue of stripping it away I just reject email addressed to the untagged address. I also have a totally separate untagged address solely for personal use.

            I like that alternative form though, as I’ve struggled with services/sites that don’t support + addresses (like Microsoft last I checked), having to resort to aliases.

          2. 1

            To help with remembering aliases and to be able to quickly generate an alias on the fly, SimpleLogin (my startup) also created a similar feature called directory: basically you reserve a directory, let’s say my-dir, then you can quickly create an alias by using my-dir/anything_here@my_domain.com. It works similarly to the + trick, but we find it easier to remember, as this is similar to how directory/file works. We also plan to support the + trick for users who prefer the Gmail style.

            1. 1

              The + is more than just a trick, as specified in RFC 5233:

              Subaddressing is the practice of augmenting the local-part of an [RFC2822] address with some ‘detail’ information in order to give some extra meaning to that address. One common way of encoding ‘detail’ information into the local-part is to add a ‘separator character sequence’, such as “+”, to form a boundary between the ‘user’ (original local-part) and ‘detail’ sub-parts of the address, much like the “@” character forms the boundary between the local-part and domain.

              It makes it much easier for the website to extract your actual email address.

          3. 6

            I was thinking about doing this last week when I moved from AWS WorkMail to Fastmail, thanks to the fact that Fastmail lets you not only receive emails at aliases, but also send them as such (which some sites might need for authentication purposes when contacting support, etc.).

            I’d like to hear the downsides of this approach, if any.

            1. 1

              I’ve done this for over a decade, and at Fastmail for the last few years. In my experience the downsides are:

              • This doesn’t work so well for mailing lists. It’s best to use your real address for mailing lists.
              • Gravatars are obnoxious — there’s no such thing as a catch-all Gravatar. Of course, Gravatar is problematic from a privacy perspective anyway, but many sites don’t allow you to configure an avatar any other way.

              Otherwise it works great when you use Fastmail’s (okayish) web UI to respond — it automatically selects the correct identity.

              1. -1

                I’d say the main downside is you are “tied” to Fastmail. Let’s say at some point you want to use another email provider; then migrating all these aliases could take some time. I’d rather recommend (subjectively, obviously) using another solution like SimpleLogin that focuses solely on the email alias.

                1. 1

                  Fastmail also lets you configure a catchall address, which allows you to make up addresses on the fly. (Of course, then you can also get spam at addresses that someone else made up… That said, it has worked well for me.)

              2. 5

                While you’re making decent points, I’m starting to feel your submissions are primarily an advertising campaign for your startup. :/ Tone it down a bit, maybe?

                1. 5

                  I do this with wildcard email forwarding provided by my domain name registrar. Since it gets shunted into Gmail (I know, I know, Gmail is a privacy nightmare) it’s also easy to label and filter incoming email by “tags” I put into the registration email address, like “medical,” “billing,” etc.

                  1. 5

                    After I decided to self-host my emails, I started doing that.

                    It is a pain to manage, as your email address then becomes a second password that you must keep track of. You have to be extremely organized so you don’t forget what your email address was in case you forget the password and want to recover it. I’ve found myself in the situation where I am 100% sure of the password, and I had to try the email 3-4 times before I got it right (does it include the “-” in the name? Is it the company name only? …). It can also get complicated for administrative papers when you have to spell out your email address to someone (I had someone tell me “I want YOUR email address, not ours”, because I gave them an alias with the company name in it, and they found it suspicious).

                    After some time, I decided to go with more generic addresses like “shop@”, and now it blurs the line even more and I’m completely lost.

                    As I didn’t record the aliases I created, and decided to simply forward every single address to my user, I am today unable to know how many aliases I created, and which ones were used. Requiring the alias to be created manually before you can use it is painful though…

                    Hopefully, I still have all my archives, so I can still scrape all the To: fields to get them back.

                    So yeah, we should have one email per website, but it requires a lot of discipline.

                    1. 2

                      Isn’t it enough to do a search of your emails, and look at the “to:” field for the search hits?

                      1. 1

                        This is indeed the only option I have. Unfortunately, not all email applications give you this kind of granularity for searching (e.g., my phone’s stock app).

                        You still need some discipline though, as for this to be true, you must keep at least 1 email with the alias in the to: field (I save all the confirmation links email for this exact purpose).

                      2. 1

                        I use a separate domain with a catch-all redirect on my mail server. That way I know anything coming to that domain is from something I registered. I can just use the site name @mydomain.

                        1. 0

                          I would suggest using an email alias solution instead. Self-hosting email is feasible but requires a lot of time and doesn’t come with the other niceties an email alias solution could provide, like a browser extension, an alias management UI, etc. Our solution (SimpleLogin) is relatively easy to self-host, so you can deploy it on your server to manage your aliases. The self-hosting instructions are based on Docker, so they should be compatible with most servers.

                          1. 1

                            I decided to self-host my emails so that I am in charge of handling my emails, and not a company. Having the ability to use one address per website was only a consequence of this move. I am, however, not dedicated enough to this practice to justify using an external solution just for this. Grepping my To: fields is enough for my needs, given that I use a catch-all alias.

                            Your solution might not be for me, but it is definitely good that you provide this solution for people who might need it for use with email services they do not control.

                        2. 4

                          I tried this once, years ago. I found it unmanageable, and eventually had to stop due to the maintenance overhead. Also, since it implies self-hosting your email, it introduces additional attack surface such as what’s described in the essay How I Lost My $50,000 Twitter Username.

                          What I really wish is that there were a viable alternative to email and that sites had an incentive to adopt it. With many sites, the sole benefit to users is that email allows account recovery. It’s ridiculous to have to give out such a valuable identifier just for that.

                          1. 2

                            The more I see the $50k Twitter username story as a case against self-hosted email, the more I wonder what it is really a case against, and how applicable it is to the average case. The whole thing still smells like the attacker is not telling the whole truth, and an accomplice inside either PayPal or GoDaddy was required. Recovering your account as a lawful owner is hard enough.

                            Anyway, to the point: I’d like to hear new ideas for account recovery. Sadly, it seems like requiring a phone number is becoming the new normal, which is far worse than giving away your email!

                            1. 1

                              That’s fair. It’s hard to really know the specifics. It’s clear that using self-hosted email for account recovery does add additional attack surface, and I mention it only as a caution; people can decide for themselves what it means for them.

                              I’m not really the best person to speculate about what would be better; my needs are far different from the typical user’s. I’d be happy to have to sign password-reset requests with an offline key, but that’s not an option any site should really take seriously, the education hurdles are too big.

                            2. 0

                              I think email is going to stay, at least for a while. In the meantime, it’s important that we apply the same protection to the email address as to the password; at least this will make the hacker’s job 2x as difficult.

                            3. 4

                              Isn’t this what Sign in with Apple is doing?

                              ref: Hide My Email for Sign in with Apple

                              1. 3

                                Apple recognises this email problem and created this solution. However, there are 2 downsides:

                                • this only works on websites that implement this “Sign in with Apple” button, and
                                • the user has to trust Apple, which, although better than the other Big Tech companies in terms of privacy, has other businesses (Apple also has its own ads business) and is not open source.

                                1. 1

                                  Both good points. Since Apple handles the forwarding, while this gives the user the ability to modify the forward target and/or disable it at any point, it does mean that Apple is a party to the content of the email (i.e. a middleman).

                              2. 3

                                I’ve been doing this for years and it’s wonderful. I’ve left banks and other services when it quickly became apparent who was selling my contact information to spammers. On the technical side, a solution like SimpleLogin might very well make this more accessible to non-technical folks. I started with the unique-email-per-site process when I was self-hosting my email, where it was easiest to get it just the way I wanted. Once I moved to hosted providers, I’ve had to be careful that they supported all my needs. Tuffmail, Neomailbox, and Fastmail have all proven reliable. Some services limit or charge for aliases, which rules out their use.

                                While the + tag trick works for simple cases, I don’t like that it reveals your true email address to anyone familiar with the syntax. It’s too easy for someone to parse it and spam your main account. Fastmail’s alternative form using subdomains is more interesting.

                                1. 3

                                  I’m with you. It takes some discipline to keep things in order but this seems to be one of the least terrible approaches. I use a ring model for managing my email world:

                                  • I have a single email address that is for meatspace use only
                                  • I use per-site emails on my domain for services I want to read emails from
                                  • I consolidate behind burner addresses - {shop, bills, burner}@ - for emails I don’t care about seeing. These are shunted into archive folders I never look at but can grep if I truly cared. And if the noise gets too intense, I turn them off entirely
                                  • For things I trust the least, I have a pseudonymous domain that is completely disconnected from my online identity

                                  Fastmail makes managing this almost seamless - I get one inbox with things I care about and some folders that automatically capture and hide the dross. The most overhead I get is logging in to blacklist a per-site email because they’ve become naughty.

                                  1. 3

                                    While the + tag trick works for simple cases, I don’t like that it reveals your true email address to anyone familiar with the syntax. It’s too easy for someone to parse it and spam your main account.

                                    What I do is filter out any email sent to the bare/true address, i.e. for me to see an email (under normal circumstances), it must be sent to a tagged email address.
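The three address forms argued about in this thread (the RFC 5233 “+” subaddress, Fastmail’s detail@user.domain form, and a separate catch-all domain with the site name as the whole local-part) and the “refuse mail to the bare address” rule from the comment just above, as an added example that is not code from the thread or from any provider mentioned in it. MY_USER, MY_DOMAIN, CATCHALL_DOMAIN, BLOCKED_TAGS and every sample address are constructed for the example; canonical() shows the privacy point the thread makes, namely which forms let a recipient recover the real mailbox by stripping the tag.

```python
# Added example (not from the thread or any provider it names): classify the
# tagged-address forms discussed above and apply the "reject the bare
# address" rule. All configuration values below are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (assumptions, not anyone's real setup).
MY_USER = "bob"                      # real mailbox local-part
MY_DOMAIN = "example.com"            # bob@example.com is the bare address
CATCHALL_DOMAIN = "signups.example"  # separate catch-all domain: site@signups.example
BLOCKED_TAGS = {"naughty-shop"}      # per-site tags that have been "blacklisted"


@dataclass(frozen=True)
class Parsed:
    user: str               # local-part of the real mailbox
    detail: Optional[str]   # the per-site tag, None for the bare address
    form: str               # "plus", "subdomain", "catchall" or "bare"


def parse(address: str) -> Optional[Parsed]:
    """Split an address on our domains into user and detail.

    Returns None for anything that is not one of our mailboxes so the
    caller can reject it as an unknown recipient.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")

    # RFC 5233 subaddressing: user+detail@domain (the "+" trick).
    if domain == MY_DOMAIN:
        user, _sep, detail = local.partition("+")
        if user != MY_USER:
            return None
        if not detail:                      # "bob@" and "bob+@" are both bare
            return Parsed(user, None, "bare")
        return Parsed(user, detail, "plus")

    # Subdomain form: detail@user.domain, for sites that choke on "+".
    if domain.endswith("." + MY_DOMAIN):
        sub = domain[: -len("." + MY_DOMAIN)]
        return Parsed(MY_USER, local, "subdomain") if sub == MY_USER else None

    # Catch-all domain: the whole local-part is the site name (cnn@...).
    if domain == CATCHALL_DOMAIN:
        return Parsed(MY_USER, local, "catchall")

    return None


def canonical(address: str) -> Optional[str]:
    """The real address a site could recover by stripping the tag.

    The "+" and subdomain forms leak the real mailbox to anyone who knows
    the convention; the catch-all form reveals nothing, so it returns None.
    """
    p = parse(address)
    if p is None or p.form == "catchall":
        return None
    return f"{p.user}@{MY_DOMAIN}"


def route(address: str) -> str:
    """Delivery decision for one recipient address."""
    p = parse(address)
    if p is None:
        return "reject:unknown-recipient"
    if p.detail is None:
        return "reject:untagged"            # mail to the bare address is refused
    if p.detail in BLOCKED_TAGS:
        return "discard"                    # the site went "naughty": bit bucket
    return f"deliver:Sites/{p.detail}"      # one folder per site


if __name__ == "__main__":
    # Constructed sample recipients.
    for a in ["bob+medium@example.com", "medium@bob.example.com",
              "cnn@signups.example", "bob@example.com",
              "bob+naughty-shop@example.com", "alice@example.com"]:
        print(f"{a:32} -> {route(a):26} canonical={canonical(a)}")
```

In a real deployment the same decision would be expressed as a Sieve or server-side filter rule; the point of the Python version is to make the policy (bare address refused, blocked tag discarded, everything else filed by tag) easy to read and test before wiring it into a mail server.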

                                    1. 1

                                      That’s a really good idea and a super-easy way to negate most of the negatives of that method.

                                  2. 2

                                    I just do this with Fastmail; I have my own domains, and I use a separate email address for everything. However, I also use 1Password, and so it’s very little additional administrative burden.

                                    1. 1

                                      The comment in the article itself is actually better than the article itself…

                                      1. 1

                                        I feel that it’s a bit redundant with the quality spam filters we have in place. Even with ProtonMail’s relatively limited spam filter, I don’t feel like I have to dig through much spam, if any. If you’re using Gmail or Fastmail etc., you probably don’t even notice spam unless you really go to shady parts of the web and ask for it.

                                        1. 1

                                          I use the “+” trick and I use imapfilter to just delete all mails received for the defined “+”-alias when I’m done.

                                          I would like to send a hard bounce using SMTP instead, but imapfilter deals only with IMAP…

                                          1. 1

                                            I’ve been doing this for a few years and find it useful for two reasons: 1) it’s really easy to block spam by email address; when a site gets too liberal in its use, it’s easier just to send all email to the bit bucket rather than try to figure out their unsubscribe process that usually doesn’t work; 2) the curiosity of seeing who shares email addresses. Since I create unique addresses, it’s more likely that someone sending to that address got it from the site.

                                            The easiest way I’ve found to do this is to register a domain with a host that gives you an MX DNS record. I’ve been registering a domain for 15 years or so and hosting with a cheap Linux cPanel host for $30/year. I have multiple sites, so it’s not a direct cost, but I would think you could do this for $30-60/year depending on your DNS name and host.

                                            I have a default address set up [0] to forward all mail on the domain that doesn’t have a mailbox to an account I monitor. I don’t have to set up anything beforehand to use a “new” address. To make it easier to remember the account, I just use the site’s domain name at my domain (e.g., if I register with cnn.com, I would use cnn@prepend.com).

                                            I’ve been doing this so long, I would probably keep the domain and host even if I didn’t need web hosting any more.

                                            The weakness is that if sites learned of my personal system they could exploit it for spam or misdirection purposes, but that seems like a pretty rare probability since I’m just a scrub.

                                            I’ve thought about making this a product because it’s so easy to use, but explaining the concept of abstraction and pointers and redirects has been hard for me to do to non-technical people who think mailboxes are physical things.

                                            [0] https://www.namecheap.com/support/knowledgebase/article.aspx/912/31/how-to-create-a-catchall-email-address-in-cpanel

                                            1. 0

                                              I would suggest using an email alias solution that can handle the forwarding and custom domain management for you, to 1) reduce cost, 2) have other features like an alias management interface, browser extension, etc., and 3) have someone to monitor and fix issues if something goes wrong.

                                              I would obviously recommend mine (SimpleLogin) but a lot of other email alias solutions work too. If you prefer you could also deploy SimpleLogin on your own server. The deployment is actually relatively easy as it’s based mostly on Docker.

                                              1. 1

                                                Thanks for the suggestion. SimpleLogin looks neat, but it is more effort than my current approach, since I don’t need to preregister anything. I just use the address. This is really handy: when I’m at Home Depot and they ask for my email, there’s no way I could pull out my phone and set up an email, but I can easily say “homedepot@prepend.com” and know that I’ll get the email two seconds later. (It’s also easy because the cashier can recognize the address and type it in.)

                                                If I didn’t have this functionality as a by product of my hosting setup, I’d be more likely to try it. I can only run PHP and CGI apps given my hosting, but since you run in a docker container, I’ve added your stuff to my mental list of things to play around with on my home servers.

                                                #1 is probably a big deal for most people. #2 isn’t important to me. I’ve never had a need for #3.

                                                One of the big reasons I do this is for privacy, so #3 is kind of a downside as I don’t want to have a third party that if they get breached will reveal info I don’t want. The DNS thing is nice because there is no alias config anywhere.

                                                There are email addresses stored by third parties that are mostly unique. And there’s a mailbox with lots of email. My mail server doesn’t keep logs, and I can search and filter pretty well with my email clients and services. Self-hosting SimpleLogin is important to me to prevent the third-party risk.

                                                1. 2

                                                  I can easily say “homedepot@prepend.com” and know that I’ll get the email two seconds later

                                                  This feature is actually already available in SimpleLogin, it’s called “catch-all” or wildcard alias.

                                                  Please let me know if you see anything that can be improved in the self-hosting instructions!