I love the idea of doing this. Just like I do the idea of using Apple's "hide my email" feature. But in reality you're completely locking yourself into that provider. What if I want to change provider or the provider decides to sunset this feature. My logins are now split up so much it'll be a full time job getting them set back to my primary email address. It's a trade-off I guess because you can't solve it any other way from what I know of!
For people who want to do this and care about retaining ownership, would be probably wise to run their own email servers and using different patterns of catch all addresses.
Buy a super cheap domain that you park all of these new email addresses at, like 7467j.com. Then, if you ever need to switch providers, take the entire domain with you.
> I think a lot of people have been spoiled by gmail's longevity.
> I personally prefer trusting something with more longevity than fastmail
Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.
Good point, i'll keep that in mind. It seems then, this feature is best for throwaway type accounts, where one could just create another new accoint if they want to migrate.
Hi, one of the 1Password engineers who worked on this. Glad to hear that you like the idea!
One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.
Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.
True! I've been doing wildcard.company.name@mydomain.com for a few years now with Fastmail. This makes it one step easier to generate that email address, as well as one-click blocking any alias that starts receiving spam.
I ended up at https://$mydomain.1password.com/integrations/directory and I can only see Fastmail as an option. Clicking there it asks me to Connect with Fastmail rather than that I can provide my own domain. I already have a wildcard domain setup so I'd like to use it as @davzie mentioned.
You need to OAuth to Fastmail (the service) to hook it up, then as was mentioned above, you can go into the settings in your Fastmail account to choose which domain your Masked Email addresses are created in:
Settings -> Domains -> Team Settings -> Masked email domain
It will default to fastmail.com, but easy to change it.
Oh, I completely misunderstood then, I thought I could do this with just 1Password. I already have email setup myself and don't need Fastmail, so then it seems I cannot use this feature. I'll just continue myself to randomly generate my addresses then...
Well, as I understand it you'd have to do this manually. As in, pick a random alias for the site, use that as you email address there and enter the same one in 1password (or any other credential store).
The full "it just works" integration seems to only work between 1password and fastmail directly.
Those +plus aliases still make it easy for people find your actual email address.
We go one step further and generate a random email address for each new service you sign up with. It'll look something like "hot.potatoes4827@mydomain.com".
You can create a new masked email anywhere you have the 1Password browser extension, including our brand new iOS Safari extension.
This is nice in terms of hiding your actual address. However, it makes migrating away harder because now instead of setting a simple rule to strip the + for forwarding, you need to individually map each address.
So what is it that you want? Either you want a masked email or you want an easy way to migrate away. You could still setup trashcan+randomdigits@yourdomain.com manually. Or you could setup a catchall rule for your new provider.
Unfortunately, way too many internet services don't allow the plus sign in an email address. It's weird, but it's true.
There are varying level of masking. I would consider an email myusername+random@domain.com as a masked address. Of course it is trivially unmasked. But assuming I am willing to accept that, it does offer a different tradeoff with respect to convenience. It's true though that is fairly trivial to manually add +random
Even worse I've had front end systems accept account creation with this address format, but their backend system fails when using some integrated service. The result is 3 months after setting up the account something breaks when I try some other functionality and I have had to contact their help desk and ultimately we stumble through and realize the problem may be my email address.
`sed s/[+].*@//` over the email list will get rid of enough "plus" email addresses. Better use a custom delimiter if you're relying on the + character for anything.
How hard is that though? Export all email addresses from 1Password (trivial), extract generated emails (trivial), and add forwarding rules for each one in your mail server (trivial to easy depending on your setup).
Maybe not easy for non-savvy users, but neither is a custom domain or even knowing about the + trick.
I have an extra domain attached to fastmail which I only use for junk. If you know the domain where my main email lives, you can pretty much guess a couple of aliases which will work. I want my junk mail completely separate from my useful mail
> Yes, but if you goal is to hide your identity, this really wouldn't work
It still could.
> Everything is still tagged to your identity, i.e. @mydomain.com.
If your domain is tied to your identity, then yes. But to be extra clear, this should have said "Everything is still tagged to your domain" as not everyone has their domain tied to their identity. I for example have my domain setup njal.la with zero personal details attached to the domain itself, either publicly or at njal.la.
A comment you made in the past or make in the future could reveal something; simply changing the text to "njal dot la" would prevent a google search of the domain from finding this.
That's the way to go. I set up a rule where everything going to *@a.mydomain.com goes into a folder which I largely ignore. Every website gets a unique prefix, e.g. ycombinator@a.domain.com.
The advantage of Masked Emails is that third parties won't even know about mydomain.com. The disadvantage is that you need 1Password to recall which email address you used with a particular website.
Definitely! You can decide within Fastmail’s settings[0] which domain you want to use for masked emails. It can be fastmail.com, one of their fun domains like afcrichmond.uk, or one of your own. I've even seen some 1Password coworkers buy a brand new domain purely for their masked emails, so you can generate a “good.castle3827@youdontneedtoknowme.com” while still using “me@mydomain.ca” for your actual personal email.
I've had this thought for a product multiple times. I run my own mail server, and for years I've created a random email for every service. Main reason was to figure out who is selling my email addresses.
The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.
I can't fully speak for the Fastmail folks, but I know that there are a few upper limits for how many masked email addresses that one account can create. We tried to set them unreasonably high to allow for all manner of legitimate use while still preventing bad actors. They're also monitoring usage and tuning that limit. Plus, you can always email support and ask for a increase for your specific account, if you ever bump up against it.
I've had services refuse my fastmail.fm email address, with the reason that they don't allow "disposable" email accounts. But they accepted my gmail.com address....
Not that this was their criteria (they seldom if ever think it through to this level), but gmail requires phone number after a certain point. And they only allow 4 accounts per phone number.
Sell private domains as an "enterprise" feature, and have different sets of IP blocks warmed and ready to go for when they eventually get blacklisted. But selling it as a service involves a higher level of effort due to that exposure. Configuring a private domain for just yourself to solve the problem just for you doesn't have the same risk exposure.
mailinator's been around providing this (as a recieve only) service for decades by this point.
Doesn’t that rather defeat the point though? I can set up a wildcard for fastmail and use any account name I want to sign up to services without any intervention from 1password.
Edit: saw someone point out this only works for one user per domain.
Yeah I also do this: I own my domain and I use a catch-all setup at my email provider so <anything>@jpreston.xyz goes to my inbox.
I suppose the advantage with a non-custom domain is you leak no info about yourself, the masked email is 'just another Fastmail email address'. But doing it for a custom domain feels like it defeats the point, isn't it just like catch-all at that point?
The value is in knowing who leaked your email address, and being able to take action based on that. If you use a unique address for every service then you can know for certain random Internet store got hacked, or sold their database. In either case, you kill the credit card you used (privacy.com) for that store before it gets used elsewhere, saving you additional time and money on having to deal with your banks.
I've been a happy Fastmail customer for years prior to working on this feature. I've used a wildcard with my Fastmail account, created a new email address for each service I sign up with, and stored that email address in 1Password. All by hand. It's a tiny hassle, but one that I think is worth it.
The Masked Email integration makes that entire process automatic. It's even easier than before. It's enough to convince a few Fastmail-using friends to start doing it.
For "hide my email"-like feature you can use a domain with a catch-all address and either use somehash@yourdomain.tld or just servicename@yourdomain.tld for every login.
At the cost of manual effort or setting up a script (for registrars/mail providers with decent APIs), you can just use normal email aliases at a domain you own. That's what I do, most sites I register at get some sort of "sitetld_account@mydomain.com" alias. That's pretty portable, lots and lots of email providers (including standard "included with registration" ones at registrars like gandi.net) support essentially unlimited aliases (not like even tens of thousands of them represent any significant resource usage, they all ultimately feed to a single email account with said account's limits on storage and sending). I own the domain so I can point it wherever, and I can just copy/paste the entire list of aliases around.
Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!
If you own the domain, you can just point the MX records to Fastmail/whatever and register to all the different service with, say, service@mydomain.com or you@service.mydomain.com. No need to set up the addresses or aliases, you can just make them up as you go and deliver everything for mydomain to your inbox.
If you already have a custom email domain (which is a good idea for the usual portability reasons) _and_ you pick an email provider that supports 'catch-all mailboxes', you can make it entirely frictionless.
When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)
As a compromise, I use a catchall email adress, so @«my HN handle, without numbers».me comes to my single mailbox. Then I use sieve filtering to sort the emails into folders based on the address they're sent to; if there's no special filing rule, it comes to my inbox. So, when I want to sign up for a new service, I can just pick an email (usually based on the domain name), no setup required (unless I want it to be filled into some particular folder).
The downside is that you (and spammers) can* send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».
On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).
Replying to this since it's the highest one at this point, but also a response to @piaste and @distances: I know about catch-all accounts, and more complex wildcard options that can exist. But to me those don't really quite hit all the use cases that site-specific ones do when it comes to spam and such, and I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere. And I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic. On the other hand they are indeed zero friction, so a valid option depending on where in the stack one wants to handle things.
The single other significant issue I can think of which has come up actually is when one desires to actually use email for two-way communication with a site, not just receiving stuff. Sending from aliases isn't really practical, spoofing the from address even from the same domain has a high chance of trigger all sorts of spam protection for obvious reasons. I'm sure there is probably some way to handle it from one's own server but that has its own challenges. So sending mail ends up being from a different address as the account, which most places don't seem to care about but seems to hit automated edge cases and snag things up once in a while.
> I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere.
This is why using a different email with each website is glorious! If example.com leaks my example.com@«my domain» address, I can enable stricter filters for that address.
> I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic.
This isn't game-over, either. As I noted, if this ever starts happening, I'll change my sieve filter so that any address without a filter rule gets sent to the trash, instead of my inbox. This does mean I lose the "zero friction" benefit, but adding a new address would still be just a single line in a text file. And it's much less lock-in than using the web interface of some given email provider to set up new aliases, since I can copy my filtering config over to any provider which supports sieve filters (and wildcard addresses).
That said, I don't think this will ever be a problem. Because "this looks like a catch-all account type email, try sending random stuff" is a pattern that makes you very easy to identify as a spammer. Given the possible address space, I don't see a scenario where the chance of hitting a real mailbox is worth the risk of blowing your cover and getting your mail server blocked.
I use Apple's Hide My Email to sign up on websites where I previously would have used a Temp-Mail-Service such as 10MinuteMail. These are websites I want to use anonymously (Hackernews for example). It's more convenient and they give you the option to reactivate disabled aliases later (useful if you need password reset). I don't think they made it to replace your primary email, although you could use it that way.
I already was doing something similar and have been for what…5 years I think? Anyway, I have an account with Fastmail and my own domain configured with their “catch all addressing” feature, such that anything before the @ doesn’t matter, it ALL goes to me and only me (I’m the sole user of said domain). So I can do things like apple@mydomain, microsoft@mydomain, playstation@mydomain and so on to both keep each address separate from the others and so if there’s a breach or other shady shit going down, I know at a glance who’s responsible and this have some idea of my exposure risk. Ideally though I’d like to be using UUIDs before the @ so specific targeting by guessing something like “I’ll bet his Venmo account is venmo@“ won’t be possible, I just haven’t started doing that yet.
Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.
As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail
In addition, wildcard forwarding isn’t a perfect substitute because email spambots love sending to addresses like webmaster@mydomain.com or john.doe@mydomain.com. The number of permutations they try is varied enough that an explicit allowlist is a must.
I do what the GP said and I haven’t any problem with “guessed” addresses like that. I do have a problem with obvious spam from a GMail account (which is setup to forward to my domain), so, go figure.
Just use something like 'servicerelay-<randomdigits>@yourdomain.com' and setup spam filtering rules that lets pass everything received at 'servicerelay-*' and delete or reject everything else.
Adding my disagreement to the chorus— the number of permutations they try on my personal domain is not high enough to warrant an explicit allowlist. I actually don't even have a blocklist; I simply don't receive that much spam.
Most of it comes to two addresses which are public via git (one from commit logs, the other explicitly stored in a repo).
Have you encountered issues with signing up with certain services? I know a few run checks to see if the domain is a catch-all (eg. sending to `pwgen`@domain.example and checking for a bounce) and will block signup when that happens.
I can't find it now, but there was a mildly populae HN thread about a service that does "email validation" and part of it did catch-all detection, and there do seem to be other services that market this[0].
Yeah, you either have to use one of our (Fastmail's) domains, or your own domain in which case it's linked to you by the domain registration. Not much choice there!
For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.
For cell phones we’ve legislated that you can take your number with you.
Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?
I really like fastmail as a service and business. It's being subject to Australian data laws that gives me pause. That's significant competitive disadvantage for fastmail when marketing internationally to privacy-conscious users.[1]
Which countries do you recommend using a similar service from? (And what are those services called?) OpSec is hard and sometimes you really do need perfect and not "good enough", but, like PGP, there need to actually be viable alternatives available today that you can make a recommendation for, unless you're just concern trolling. (Five Eyes countries are right out, fwiw.)
Maybe! But here's the rub-- a US person has some legal protection against surveillance directly by the US, in the US, but (maybe?) none against Australia, for data processed in country or by Australians. Australia then (maybe?) has no safeguards against sharing their surveillance of US persons back to the US.
It's a legal and bureaucratic not technical puzzle. I wouldn't believe any comfort statement on the point either. This sequence isn't a bug, it's a feature of the Five Eyes configuration.
That's really nice, and exactly what I've been waiting for. I've been using a third party service for a while now, but it was a pain to have to manually create the email address first. Was tempted to switch to Apple, but that would lock me in to the Apple ecosystem completely. Being able to use two services that I use anyway is the perfect solution for me.
I do this with fastmail already. I have a domain that accepts email to *@domain.tld —- all the messages reach one inbox. All my online accounts have the form service-name@domain.tld
Makes it easy when I receive spam to see who sold my email address.
There’s also zero overhead to “create” a new one. It works for any address.
The trouble with *@domain.tld is that you get that many times as much spam. Unless your spam filter is 100% accurate, that increases the amount of spam that gets through.
I work through this by only accepting wildcards on a subdomain. I have a 'real' email address on the parent domain for actual human correspondence. Services and salespeople get the subdomain.
I am using name@random_site.mydomain because i encountered a few sites that rejected name+random_site@mydomain. reduces the "random name @ domain" spam, but still works good.
I do this too. My only issue I am having right now is I am "locked" to my current registrar because of how it is set up. Do you have a mail server you are using or just having your registrar do it? I am looking for alternate solutions that dont cost much.
Exact same for me. So far the only addresses (in probably around 200) that have been sold/leaked/spammed have been the one on my public site and Facebook, where it was public for a time.
I do this too, have for 15 years. It works really well. I run a well configured postfix mail server for inbound and outbound mail. Incoming mail gets delivered to my fastmail acct. I get very little SPAM, a few messages per week, but I have spent a lot of time over the years getting it that way.
I did this with even less setup. accountname+extratext@gmail.com has worked forever and you can do the same with a custom domain. I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.
I actually don't accept *@domain.tld even though I have a custom domain because I got too many fishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.
> unless you keep meticulous records, there's no way to figure out the exact email you used very easily
I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.
> I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.
Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.
I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.
Where I got bit was email was used as login. I was trying to log in but couldn't remember the specific email I had used even though I generally had a fairly specific schema.
A lot of services already worked out the + trick. Not many know about this feature of gmail yet: You can also put a dot anywhere inside your username. eg.
Be aware that using the “+” is giving you the illusion of privacy and control. A privacy research has shown, back in 2020, that companies like Oracle’s Bluekai (a massive ‘data broker’) has functions to normalize email with + in them to help with ad targeting and matching.
Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.
I guess it's good to know, but I never had any illusions of using it for privacy. It was mostly to see when I get added to a mailing list, where it might have come from. Another reason I abandoned it so quickly is, if someone sold my email address and put me on a new list, what can I do about it?
At least for me, the main advantage is that I can instantly block or delete a "masked" email address. With a catch all, you'll still be receiving mails.
Long time Fastmail and 1Pass user here. While I agree that it would be best to not be locked in to particular providers, these are two of the providers who have a lot of my trust and to whom I’m paid up years in advance (at least in Fastmails case). Very excited to use this feature.
Thanks for the vote of confidence! If you have a custom domain at fastmail you can avoid any lock-in by using it for your masked addresses. Settings -> Domains -> Team Settings -> Masked email domain.
With that it's entirely portable. You can point your mx records at any other provider.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort.
This feature is an integration with Fastmail's masked addresses. You don't need to use their domain, but you do need to use them as your email provider.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort
Law enforcement or fastmail admins reading my personal email isn’t something I want, but isn’t so distasteful as for it to really be in my threat model such that I’m willing to go the lengths required to get an email provider that doesn’t have this ability, such as proton mail. I care about security and privacy and recommend fastmail, but I could see someone whose end all be all criterion of interest being privacy not wanting to use fastmail. But, this isn’t 99.999% of the population.
Already in the past I've been (ab)using Fastmail's email alias feature for this kind of purpose. Though it was a bit inconvenient as the UI always said that it takes 15 minutes for the new alias to become fully active. Great to see they now have simplified this!
When I get spam to a particular alias, I blacklist it to my spam folder. Naturally this might get a little difficult if a spam bot ever figures this out where I'd need to move to a whitelist rather than blacklist process. But it's worked flawlessly for years so far.
At least with my method I don't need to create the alias in advance.
There was a Show HN project last year that did something similar. I'd be keen to try that out before this one. Unfortunately, I can't seem to find the link.
But with Fastmail you can already do it using $RANDOM_STRING@$LOCAL_PART.fastmail.com and whichever password manager you use (you just have to do it in a more manual way, which in the long run can be a PITA, I understand)
One of the big selling points of this idea, and why we wanted to partner with 1Password for it, is that it has to be easy! Sure creating a new password for every site is a good idea, but the 1P plugin makes it so easy that it's simpler to use the really secure password it generates than to come up with something yourself.
And this "generate a Masked Email right there in the form where you're using it" pattern means that the friction is so low that it's a viable choice - it's EASIER to do the safe thing, and that's the real game changer.
Absolutely, making it easy it's a big selling point. As a happy FastMail customer, I would really like to see a similar thing with BitWarden which is my password manager of choice.
I really wish that fastmail wasn't based in australia..
edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible to anyone who cares to use any autralia based products. I should have made that more clear.
The laws in question have no meaningful impact on Fastmail, and the amount of FUD concerning those laws is unreal.
Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.
You're right, of course, but this simply switches the "reason not to use Fastmail" from "based in Australia" to "not e2e encrypted and can rat out your entire email history".
I don't see e2ee email happening anytime soon. The technology is just not very user friendly. And honestly, without e2ee, I don't put much trust into providers like Protonmail either because at some point the email is coming in as plain text and that's where one could always siphon it off.
As much as this is a cool feature, the distoypian anti-privacy laws Australia [0] (where Fastmail is based) prevents me from ever using their service. I know it isn't their fault but it has to be said.
Literally 2 days ago was wanting something like this to use alongside a privacy.com card! This is great to have and since the addresses are fastmail addresses, they're unblockable unlike various throwaway address services that play a cat-and-mouse game.
I use fastmail's * alias against a custom domain, to achieve a similar thing. It forwards mail at any address to my normal email, then I just pick a name on signup, ie. hn@emaildomain.com.
I have registered a domain just for the purpose which doesn't have my name in it or host any websites or anything else which can be used to leak my identity with a whois privacy guard service.
It has the dual advantages of being guessable by me if something goes tits up with my self-hosted bitwarden, and I can eyeball who has leaked my email address on incoming spam.
I think we will find that majority of companies that do potentially block it would be companies we don't want to do anything with to begin with. My thinking is a lot of companies only want a single user to register once so they can track that user anyway they can.
For example, I opened up Agoda once in firefox private tab, and searched for 2 specific hotels to get an idea of pricing. As I had signed into Agoda, less than 5 minutes after searching both those hotels were listed on facebook with discounts. So with ad's and social media blocked, the only way they could link me was via email.
If everyone starts using fastmail to hide their email, then companies cannot do this targeted advertising and will block it.
FastMail does support custom domains for disposable email addresses.
They also have a pretty big library of email domains to choose from that I can create normal alias for, so I'd be surprised to not see those come as an option in the future.
I briefly got very excited about this since I'm a fastmail user, but apparently I need a 1Password account too? I don'nt understand why that would be, Fastmail is the email provider, they are the ones who can create random aliases. I don't use 1Password (they're terrible in my previous experiences with them and I prefer something that vaguely operates on principals I like), so why should I be forced to give them my data just to use a feature of my email provider? I'm sure there's something important I'm missing here.
That's great news! The post made it sound like you had to have a 1Password account, but now that it's showing up in my account it doesn't appear to be the case. Thanks!
213 comments
[ 2.9 ms ] story [ 255 ms ] threadFor people who want to do this and care about retaining ownership, would be probably wise to run their own email servers and using different patterns of catch all addresses.
I think a lot of people have been spoiled by gmail's longevity. Unless you're using your own domain it's a wash anyways right?
I think this is an acceptable trust. I personally prefer trusting something with more longevity than fastmail (apple hide my email).
> I personally prefer trusting something with more longevity than fastmail
Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.
> I personally prefer trusting something with more longevity than fastmail (apple hide my email).
Fastmail (launched 1999) is older than Gmail (launched 2004).
> New Masked Email addresses will be created @fastmail.com. You can change this in Settings → Domains
I agree with you, and I'm looking forward to be trying this out.
Wait till 2038 so you can say "aha! I told you so!"
or have peace of mind during the prime of my life for the next two decades
One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.
Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.
myaccount+alias@mydomain.com
automatically?
Disclosure - I work at 1Password, though I had only tangential involvement in this effort
Settings -> Domains -> Team Settings -> Masked email domain
It will default to fastmail.com, but easy to change it.
The full "it just works" integration seems to only work between 1password and fastmail directly.
We go one step further and generate a random email address for each new service you sign up with. It'll look something like "hot.potatoes4827@mydomain.com".
You can create a new masked email anywhere you have the 1Password browser extension, including our brand new iOS Safari extension.
Unfortunately, way too many internet services don't allow the plus sign in an email address. It's weird, but it's true.
How hard is that though? Export all email addresses from 1Password (trivial), extract generated emails (trivial), and add forwarding rules for each one in your mail server (trivial to easy depending on your setup).
Maybe not easy for non-savvy users, but neither is a custom domain or even knowing about the + trick.
It still could.
> Everything is still tagged to your identity, i.e. @mydomain.com.
If your domain is tied to your identity, then yes. But to be extra clear, this should have said "Everything is still tagged to your domain" as not everyone has their domain tied to their identity. I for example have my domain setup njal.la with zero personal details attached to the domain itself, either publicly or at njal.la.
Otherwise subaddressing with + works well with most mail hosts other than Microsoft Exchange / Office365 (which have had endless problems).
The advantage of Masked Emails is that third parties won't even know about mydomain.com. The disadvantage is that you need 1Password to recall which email address you used with a particular website.
[0]: https://www.fastmail.com/settings/domains
The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.
I can't fully speak for the Fastmail folks, but I know that there are a few upper limits for how many masked email addresses that one account can create. We tried to set them unreasonably high to allow for all manner of legitimate use while still preventing bad actors. They're also monitoring usage and tuning that limit. Plus, you can always email support and ask for a increase for your specific account, if you ever bump up against it.
mailinator's been around providing this (as a recieve only) service for decades by this point.
Edit: saw someone point out this only works for one user per domain.
I suppose the advantage with a non-custom domain is you leak no info about yourself, the masked email is 'just another Fastmail email address'. But doing it for a custom domain feels like it defeats the point, isn't it just like catch-all at that point?
It’s what I do with a custom domain (though only have a handful of custom aliases currently).
Having this integrated in a first class way is a nice surprise and a really great feature imo.
It’ll make it easy to see who leaked your email and kill the alias while also not locking you into to fastmail forever as a provider.
The Masked Email integration makes that entire process automatic. It's even easier than before. It's enough to convince a few Fastmail-using friends to start doing it.
Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!
When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)
The downside is that you (and spammers) can* send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».
On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).
The single other significant issue I can think of which has come up actually is when one desires to actually use email for two-way communication with a site, not just receiving stuff. Sending from aliases isn't really practical, spoofing the from address even from the same domain has a high chance of trigger all sorts of spam protection for obvious reasons. I'm sure there is probably some way to handle it from one's own server but that has its own challenges. So sending mail ends up being from a different address as the account, which most places don't seem to care about but seems to hit automated edge cases and snag things up once in a while.
This is why using a different email with each website is glorious! If example.com leaks my example.com@«my domain» address, I can enable stricter filters for that address.
> I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic.
This isn't game-over, either. As I noted, if this ever starts happening, I'll change my sieve filter so that any address without a filter rule gets sent to the trash, instead of my inbox. This does mean I lose the "zero friction" benefit, but adding a new address would still be just a single line in a text file. And it's much less lock-in than using the web interface of some given email provider to set up new aliases, since I can copy my filtering config over to any provider which supports sieve filters (and wildcard addresses).
That said, I don't think this will ever be a problem. Because "this looks like a catch-all account type email, try sending random stuff" is a pattern that makes you very easy to identify as a spammer. Given the possible address space, I don't see a scenario where the chance of hitting a real mailbox is worth the risk of blowing your cover and getting your mail server blocked.
Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.
As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail
Most of it comes to two addresses which are public via git (one from commit logs, the other explicitly stored in a repo).
0: https://www.email-validator.net/blog/validating-catch-all-em... (warning: annoying marketing page)
For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.
Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?
[1] https://en.m.wikipedia.org/wiki/Mass_surveillance_in_Austral...
It's a legal and bureaucratic not technical puzzle. I wouldn't believe any comfort statement on the point either. This sequence isn't a bug, it's a feature of the Five Eyes configuration.
Makes it easy when I receive spam to see who sold my email address.
There’s also zero overhead to “create” a new one. It works for any address.
I actually don't accept *@domain.tld even though I have a custom domain because I got too many fishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.
I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.
Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.
I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.
a.ccountname@gmail.com is the same as
ac.countname@gmail.com
acco.untname@gmail.com
and so on.
Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.
https://twitter.com/WolfieChristl/status/1288428611100454912
For example: jdoe+netflix@example.org would be the address used on a netflix account.
However I do appreciate the additional anonymity a randomized or hashed user part provides
You can use your own domain.
But only if you use Fastmail for that domain.
With that it's entirely portable. You can point your mx records at any other provider.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort.
Disclosure - I work at 1Password, though I had only tangential involvement in this effort
Disclosure - I run Fastmail, though also only had tangential involvement in this effort.
I can't recommend using an email system like this to anyone who cares about security or privacy.
Fastmail admins can themselves read your entire email history, as well as any law enforcement fishing expedition in US or AUS.
With this feature, I can stop using my gmail account for general junk.
https://www.fastmail.help/hc/en-us/articles/1500000277942-Ca...
When I get spam to a particular alias, I blacklist it to my spam folder. Naturally this might get a little difficult if a spam bot ever figures this out where I'd need to move to a whitelist rather than blacklist process. But it's worked flawlessly for years so far.
At least with my method I don't need to create the alias in advance.
And this "generate a Masked Email right there in the form where you're using it" pattern means that the friction is so low that it's a viable choice - it's EASIER to do the safe thing, and that's the real game changer.
Anyway, keep up the good work!
edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible to anyone who cares to use any autralia based products. I should have made that more clear.
Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.
I am not trying to tell you to use Fastmail, just that fear of doing so explicitly because of Australian law is silly. ;)
https://www.spreadprivacy.com/introducing-email-protection-b... (beta only)
https://simplelogin.io/
https://anonaddy.com/
I know there are plenty of others, but I use all the above and found them reliable and intuitive.
[0] https://www.iflscience.com/policy/australias-new-police-powe... [1]
For now I'm using Firefox Relay, but the 5-email limit (without a plan for more) is a showstopper.
I can't find anything in the 1Password interface to change a login for current accounts.
All the language makes it sound like it's only upon login/account creation.
I guess the fallback is just manually creating one in Fastmail, but it's a bummer if you can't just do it from one place in 1Password.
I have registered a domain just for the purpose which doesn't have my name in it or host any websites or anything else which can be used to leak my identity with a whois privacy guard service.
It has the dual advantages of being guessable by me if something goes tits up with my self-hosted bitwarden, and I can eyeball who has leaked my email address on incoming spam.
It seems Masked Email is useful primarily if you have 1Password account as a deeper integration to auto-fil email addresses during sign-up.
For example, I opened up Agoda once in firefox private tab, and searched for 2 specific hotels to get an idea of pricing. As I had signed into Agoda, less than 5 minutes after searching both those hotels were listed on facebook with discounts. So with ad's and social media blocked, the only way they could link me was via email.
If everyone starts using fastmail to hide their email, then companies cannot do this targeted advertising and will block it.
They also have a pretty big library of email domains to choose from that I can create normal alias for, so I'd be surprised to not see those come as an option in the future.