303 comments

[ 98.2 ms ] story [ 5393 ms ] thread
I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of sender name. For example for grubhub I'd do:

me@grb.mydomain.com

No need to remember anything because it's all in a password manager. I've found this worthwhile, already blocked a couple spammers.

You could also go with something fully random, you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for. Password manager obviously required though.

That’s exactly how I’ve been doing it for more than a decade. (Without the subdomain part but with the disguising.) I feel it’s been worth it so far.
Using custom subdomains for each account is a great idea. Once you start getting spam on this subdomain, you just need to remove the DNS entry and the spammer's attempts to deliver spam will be unsuccessful (versus if you use different local part names, you have to filter / reject the mails explicitly).
Nice! I tried this a few years ago, and while this worked nicely for inbound email, deliverability outbound was really bad, even with DKIM etc. set. Normal mails from <my domain> were fine.

I guess "amazon.<my domain>" got quite the phishing score at the time, so good call using grb instead of grub. :D

Yeah deliverability is a good point. I'm usually only using this trick for services where I wouldn't be sending outbound email luckily. Normal emails come from mydomain.com.
Note some services won't even recognize a subdomain email address as valid.
Really? Wouldn't that catch people with `.co.uk` or similar localized domains?
They use a regex such as /[a-z]+(\.[a-z]{2,3}){1,2}/

There’s a lot of bad email validation regexes floating around on the internet. If it’s an older service it may have been written before gTLDs.

I have an address that ends in .fyi and continue to encounter systems that refuse to accept it as a valid domain. It's really frustrating but at least I have a .com that I can enter into those and just forward it.
Yup, I've been rejected from a couple things, but it works for the vast majority
What do you use to manage all the subdomains?
reminds me a bit of the family member who owns firstname@lastname.com and can't get random non technical people to believe that their email address domain really is lastname.com

"but don't you mean at gmail.co..."

no

I've been using firstname@lastname.com for ages and this doesn't happen to me. Usually it's "huh that's neat", but I also have a very unique last name
Mine is first@fullname.com. Most just accept it (all when I visit California, maybe that's your experience?), but I do get queried about it from time to time in my home country
I have had the same experience with first@last.me. My last name is also pretty unique.
I used mail@firstname.lastname.name and sometimes even like the op "service"@firstname.lastname.name for some time. This lead into all kinds of trouble, social and technical. Social as in people did not understand why I "owned" "service"@..., why I did not have something like firstname.lastname@t-online.de/web.de/gmx.de/googlemail.de, that a third level domain is even possible, or they did not recognize .name.

Technical trouble was almost the same: Systems did not recognise the new at the time .name or Systems had trouble with third level domains. Somstimes I could sign up, but something in the backend broke and I never received mails.

(comment deleted)
I do this and my biggest regret is that I cannot easily check haveibeenpwned.com to find out if any of the accounts have been breached.
You can authenticate whole domains and see whenever anyone at your domain is listed.
I have a variation that I use for online sign-ups only. I have to explicitly declare the alias before using it. So it’s relatively easy to check which ones I have used in the past (and the name tells me which site I used it for) and I can easily “revoke” by removing the alias. I can’t really use it when asked for an email address at a store, for example - but it doesn’t happen that often (going to real stores, I mean :) )
I've been using email aliases for over a decade and have never experienced the leading examples the author mentions. Although I already have email accounts setup for impromptu scenarios, setting up an email alias in one minute is easy enough.
I have several times. Generally I can just say "you can write anything before the @ and it still comes to me" and people understand it though. It doesn't need to become a big discussion about how email works and they've probably forgotten by the end of the interaction.

Maybe once or twice I've given my address to a new friend as newfriend@domain.com and it's lead to at least a small discussion about it.

I've been doing this for close to a decade and sometimes salespeople and customer service people will ask to confirm, but that takes 5 seconds and isn't awkward (in my opinion.)

It has more benefits than knowing who leaked your email, it lets you easily filter your incoming email by who you gave the email to, and when your email is leaked it lets you shut off that email address. Of course you can also filter your email by the sender's domain, but that isn't as consistent, and doesn't help at all when your email address has been leaked.

It's true that you do have to set it up so that you can send email from the addresses to avoid not being able to reply by email, and you will want a password-manager or something to remember exactly what email you used, for convenience.

Personally I'm glad I've done this, it's made it much easier to organize my emails.

So basically, yes it's a bit of extra work, but simply worth it.

Life without it is worse than life with it.

Moreso, it's good to teach people that valid email address are in fact valid.

This part:

> Especially since all these companies ask for and verify your cell phone number

is true, though.

and

> The one outlier is political campaigns: they'll share your email till the end of time.

Because politicians exempted themselved from anti-spam laws, as they do with most laws.

> Because politicians exempted themselved from anti-spam laws, as they do with most laws.

This was the most puzzling thing to me. The politicians that I saw on TV as adamantly pro-privacy, anti-tracking, who made a lot of sense in everything they were saying -- you contribute a single dollar (because they want to show grassroots support for their pro-individuals campaign) and they IMMEDIATELY give your email and survey responses to everyone in their party, including to state-level campaigns in places across the country.

There was no indication on the donation form that any of my personal details would be used for anything except to show that they had a lot of grassroots supporters.

Not only that, but their emails are so clickbait-ey like "lazyjeff, you are the reason that [hated politician] is destroying democracy."

> Because politicians exempted themselved from anti-spam laws, as they do with most laws.

Tons of companies will share/sell/buy your email address. Politicians just stand out because they're shameless about spamming, but email addresses aren't always used for spamming. They can also be used to tie logins to names and accounts across services. They can be harvested for various information they contain. Even folks with just one email address often give away their name, the year they were born, their hobbies, etc. Using an email address like uber@notcheckmark.com and Hilton@notcheckmark.com also tells a story about you and what services you use. Every scrap of data that can be collected helps build a profile of your life and email addresses are a part of that, even when they aren't used to clog your inbox with garbage.

I'd recommend using less obvious names, but I still don't see a problem with creating unique addresses for various services that demand an email account. If nothing else it's a great way to compartmentalize the crap they'll send you (spam or not). If someone questions why you have COMPANYNAME@example.com that should really just be a 2 second conversation.

I couldn't agree more. I've been using a catch-all for probably 12 years now. Sure, sometimes you get a second look when you give an email that has the business's name in it, but who cares?

I get the benefit of blocking mail coming to me forever, doing fast sorts and searches, never have to worry if the company doesn't like a + in my email address.

I have a single address, donotspamme@mydomain.com that I use as a throwaway and then route it to a folder to review about once a week. It draws a chuckle from salespeople when they ask for it or see it pop up in their system.
I use 33mail.com (33m.co) for this which gives you a personal subdomain for free, or a private domain on the paid plan. I'm on the (super cheap) paid plan due to mail volume, but haven't found the need for using a personal domain.

I find it zero effort having a unique email address per site, and when combined with unique (algorithmic) password gives effectively a unique identity per site (cookie sharing aside, but there are solutions for that.)

As a result, I have been able to call out a couple of sites for data breaches, and continue to see npm spam in particular. Worst offender so far is Pipedream, an absolute embarrassment for their CEO who appears to have initiated the data scrape. I won't be surprised to see them sued out of existence, which is a shame, as I like the service in general.

Eh, I did it for a while and while I think the OP overstated the "awkwardness," I didn't find that the effort was worthwhile. I only caught one entity selling or otherwise divulging my address: the Atlanta Journal-Constitution newspaper, oddly enough.

Oh, and someone did hack some FAA database and mine it for addresses.

But that's all I netted in several years. Beyond my main address at my own domain, I keep a Gmail address for mailing lists and other low-grade traffic.

> you do have to set it up so that you can send email from the addresses

Fastmail's webmail allows you to specify the sending email address for a catch-all mailbox in the message composition page, so there is no additional setup there.

And it conveniently pre-fills the from address with the correct one if you reply to an email which came to an alias.
Edit: oh god, leaving this in place for posterity but I am completely misrepresenting fastmail here. It is protonmail that I recently tried and had these limitations. Apologies! How embarrassing. Also, I have no idea why the child comment correcting me would be so downvoted. It’s apparently correct.

Yes, but fastmail has a couple dealbreaker limitations when doing this: First, you can’t originate mail from that address; you can only respond. This makes it unusable for a lot of mailing list control messages and other systems where you are required to make inquiries from a registered email address. Second, you must explicitly set up each of the unique recipient addresses, which is a huge burden when you want to be able to generate them on the fly when signing up for web accounts (and when you already have hundreds in use because you’ve spent decades giving every company a unique address).

If they addressed these and I could have an unlimited number of suffixes directed to a single fastmail address, I’d sign up for a paid account in a heartbeat. Looks like a great service but those are fatal flaws IMO.

This doesn't match with my experience. I have a single catchall *@my-domain.com address that will receive anything sent to the domain (without setting up separate accounts ahead of time).

You can also send from any address, but I agree that the UI is a bit hidden. You first choose from the from-address dropdown "*@my-domain.com", and then a new textbox appears where you can type what address to send from. As another commenter pointed out, if you are replying to an email it will automatically fill in the custom from-address, but you can overrule it.

You can originate emails from anything - it just requires that you set it up as an alias (and you can set custom signature etc...)

You don't need to explicitly setup recipient addresses! I can have as many xxx@myname.mydomain.com addresses, where xxx is anything at all. myname@mydomain.com is my main email address.

Agree. This also creates additional challenges for data brokers when trying to tie together datasets about you.
I strongly disagree. I've also been using a catch-all domain for more than a decade and giving each sign-up it's own name@mydomain.com. I can remember one small issue. Otherwise it's never been a problem. The problem has been getting marked as spam for running my own mailserver. But it's all worth it in the end.
I agree with you. So many companies end up with absolutely terrible unsubscribe code that just flat out doesn't work[1]. With my own server I can just burn a particular email with one line in a file, or I can block their whole domain. I end up having to do this fairly regularly.

I can also choose the message to send in the smtp 5xx error line and so I like to call them names. I know a person never sees it but it makes me feel good knowing my server is cursing out the spammers' servers.

[1] I would venture that roughly 30% to 40% of email unsubscribe links aren't url encoded so that the `+` in the email goes in naked to the url, resulting in the server decoding it into a ` `. Sigh.

Yes, I also have insults in my client_checks file. I enjoy running my own mail server.
I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you... "

A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up... ?) so that's a bit annoying.

I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole, instead of my spam folder. And I'm always using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" because I don't care too much and even if I forget where it came from, it's not a big deal.)

And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah the naivety of my internet youth.) I don't think email addresses get sold "a lot" but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.

With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.

I use "contact@" for when somebody who isn't a friend wants my email address. I have a separate, private address for people who actually matter to me. Everything addressed to "contact@" immediately gets marked as read and saved to a separate folder so it doesn't clutter my inbox.
contact@ specifically is high up in things that spammers try when they have no leads to go on though. ~50% of my spam in my catchall comes from contact@ admin@ and similar addresses.
True, but I can't be bothered to come up with anything more distinctive. And if my local gym wants to send me bullshit notifications and advertisements despite me being a longtime customer who pays for his membership annually, they can damn well go in the spam bucket alongside the cold emails from tech recruiters, Ukrainian mail-order brides, and Danielle Kennedy from Prime Equity Funding. I don't really give a shit. Email has achieved parity with snail mail: it's nice to get from friends, but otherwise an annoyance.
I've been doing that for a very long time and never had such an interaction. Definitely not to the level of "It's been a decade of trouble and totally not worth it".
"The truth is no one really sells your email – at least no legitimate companies. "

Of course, because legitimate companies used to sell your cookies, which basically are going the convey the same information about your profile.

Now in the cookieless era of CDP platforms and identity stitching, having different email addresses may be more useful.

This isn't a new thing. Data brokers have been building identity profiles for decades. Snarfing up email addresses is part of that process.
> The truth is no one really sells your email – at least no legitimate companies.

Yes, but legitimate companies leak data now and then. I get metric tons of spam to dropbox@, linkedin@, myspace@, moneybookers@, etc.

When I used wildcard support I got spam to :

linkedin@steve.org.uk

facebook@steve.org.uk

So I'd be tempted to think that my address had been leaked from there, but I also got other messages sent to addresses like:

admin@steve.org.uk

sales@steve.org.uk

support@steve.org.uk

In the end I figured that I was just dictionary-attack, and optimistic senders, and I could never be sure that a particular company had actually leaked an address.

These days I just give steve/at/steve.fi to everybody (I moved countries, hence the new TLD). I ported over all the aliases that had received email in the past five years and started rejecting unknown local-parts. That stopped badbots from mailing things that seemed like poorly-scraped message-ids "blah-blah-1234@steve.org.uk".

Those little interactions count as awkward? Jeez. Try having a weird last name and get back to me.
I use this method and experience a few of the same drawbacks, like remembering email + password per service - A password manager does make it doable. (Highly recommend KeepassXC[0])

However, contrary to OP I enjoy these somewhat awkward situations where someone doesn't quite understand my email address. I find it can naturally lead to a conversation about privacy and data protection and I'm happy to spread the awareness, if someone is interested.

[0]⋮ https://keepassxc.org/

I've had sales and customer service ask me about this a handful of times and I simply said: 'It's a unique email address so that you guys can't sell my details or get hacked and lose my email.'

The only interaction that stick in my mind regarding this when one of the sales people asked me how they might set up their own version of catch-all domain. That's about it.

Right? Every time someone remarks, that's a good thing.
Unique email @<your burner domain> per website, so you only have to remember one password for everything.

Handy for places where you need to sign-up but otherwise you don't care. I don't use this approach on "meaningful" accounts where I'd care about a breach.

I think this person's mistake was not having a memorable system for the username aspect.

(comment deleted)
> The only benefit is that I'm able to tell when companies are breached before wider disclosures because I start getting spam emails sent to thatcompany@.

My big problem is that this is worse than useless.

I started doing unique-address-emails back in probably 2002 or 2003 and did it for around a decade before giving up.

A couple of times per year I would start getting spam or similar on an email address and would know exactly what had been breached and I would try to notify the companies involved. I'd probably spend an hour or two finding emails for key contacts and send a few paragraph email explaining how I knew they were breached etc...

90% of the time I got absolutely no reply whatsoever.

5% of the time I got a pleasant reply and someone said they were already aware or they would look into it.

5% of the time I got confused emails from a non-technical person that didn't understand how their PHP shopping cart software which hadn't been updated in 2 years got hacked, and didn't know what PHP or Linux or anything else was because the neighbor's kid had installed the site one time 2 years ago and now was too busy in college and why are you bothering us about this we have orders to ship!

5% of the time I got incredulous replies from technical people who insisted that I was wrong. That email address must have leaked some other way!

Then there was the last time I ever sent one of these emails. I guess I had found and emailed the owner of a company to email who had then added in his tech person. I explained why I had huge confidence something on their side was breached, but, couldn't explain to them what or how. They eventually got rather hostile about it, first accusing me of extorting them for the information (I never asked for money, but bounties weren't really even a thing back then like they are today). Eventually culminated in them adding in their lawyer with more threats and demands for my full name / address (presumably so they could actually sue me). I ignored them and fortunately the whole thing went away.

That was the last time I sent a report about one of my emails being compromised and shortly thereafter I stopped using tagged addresses entirely.

The benefit isn't that you can tell the company they were breached. The benefit is that you can tell yourself, friends, and the public.
Meh.

Some people might want to be the name-and-shame type, but, that's not me.

Your percentages don't quite add up…
There's an additional 5% chance that I did that intentionally to be funny. Does it add up now?
Sounds like you were the one who made it worse than useless ie. you gave yourself more work and then resented it.
I suppose. I mostly did it as a fun experiment and stopped when it ceased to be fun.

I don't resent it or regret it, I had a lot of fun writing the software which powered it.

As you found out, it is a waste of time to report the leak. But you can still get all the benefits of nuking that email.
Nuking the actual email was of limited benefit over time.

For whatever reason I started to get spam on my real non-aliased email address and at that point it was all bets off.

Shortly after I gave up on the tagged addresses I just moved to gmail.

I've had that happen but I just change the unaliased email, update the catch-all target and block the old unaliased email.
> I started to get spam on my real non-aliased email address and at that point it was all bets off.

Why is that? You can also nuke your non-aliased email address and just update your forwards.

Yeah but my non-aliased mail is adam@adam.gs

I have no idea how it happened but /shrug

I could change it, but, I don't really want to.

No one said you're supposed to contact anyone about the spam. If the problem could be solved on their end, this catch-all/tagging solution wouldn't need to exist in the first place. The assumption is that people can't be trusted with your email address, so you create a way that their incompetence/malice can't hurt you, and then you go about your business.

Imagine criticizing helmets because children keep falling off their bikes.

Btw 90+5+5+5=105%.

> No one said you're supposed to contact anyone about the spam.

Considering that, as far as I knew at the time, nobody was doing this at all, nobody told me any of what I was "supposed" to do. Even if they had told me what i was "supposed" to do, I generally am not good at following directions or doing what i'm supposed to do.

> Btw 90+5+5+5=105%.

Case in point.

(comment deleted)
One time I made up a new address to use for a SiriusXM signup, and that address got a spam email before the confirmation email. As you can expect, that was filed under "people insisted I was wrong".
Embarrassment (really?), minor as it could be, seems like a really low bar for failure here.
I had to stop using plus-addressing (me+brand@gmail.com) because of broken email address parsers/validators. If I was on the phone with a support agent, I would give them my plus-address and their system would reject it and they'd ask for another one. Stubbornly, I'd refuse to budge and insist that is my email address that they need to use. It got to the point where I'd either have to forfeit my healthcare/tax/flight/<whatever> account or give up on the plus-address. And if they asked about it, I'd explain honestly that it's because I don't trust them.

It did reveal some interesting data leaks sometimes including on npm [1], but the hassle wasn't worth it.

I now rely solely on spam controls again.

[1]: https://twitter.com/mholt6/status/1315743799335763968

GMail has supported the "+" alias since the service was announced, one would think there'd be no excuse to not support it everywhere at this point. My consipiracy-theory hypothesis is that many companies "know" that any address with a + in it is an alias and actively filter it out. Because they don't want an alias, they want your _real_ address.

I run my own mail server and use a "." as the alias character. Haven't seen a system reject a single one of these.

Because gmail allows periods, and many people think the period is required since that's how they signed up for it. Therefore many people consider a period an important part of an email address.
Supported since forever by Cyrus IMAP for routing into subfolders.

For some unknown reason at Pitt people were taught to finish write their email as username+@pitt.edu ca. 1995. While it supported that as the inbox, most people were unaware that you could put +foo and have it go to the folder foo if one existed. But the address without the plus also worked.

I’ve also been doing this for more than a decade. Other than my spouse rolling her eyes when I give an email address over the phone, it hasn’t been hard and definitely has helped. I have put blocks on a few email addresses that were involved in data breaches and became spam spigots.
I got my wife to use a catch-all last year. She absolutely loves it.
I'm going to mirror most of the other commenters in saying - I've been doing this for nearly a decade and have basically never had an issue with it and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "Company@example.com" can be solved by using "PineappleBanana@example.com" instead or random characters or my personal favorite throwaway "[Company]SentMeSpam@example.com". Yea, you might have to use a password manager to know which random string of nouns is tied to what account - but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)

In fact the only issues I've ever had with a "non-standard" email address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address and even before the modern-day issues surrounding Russia .ru addresses get blocked in many places. My fallback email is an email hosted by https://cock.li which being chan-adjacent also gets blocked so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.

No need to use a password manager. Simply search email history for the very first usage of the email...
That only works if they have ever sent you an email.
I don't understand the part about awkwardness with customer service people. How often does that really come up? And, if it is predictable, just spend a minute and think of some satisfying reply and then use that whenever it does come up.

"Oh, hilton@notcheckmark.com? You must be a big fan."

"Yep, cause of the great customer service."

Done.

Regarding shooting yourself in the foot by using nonstandard naming - seems an easy solution is to just use the entire SLD. If registering in person, I guess that's a bit harder, but either way make sure you save the login in your password manager.

I also use custom addresses with the company name as the first part of the address and it does sometimes (not often) lead me to explain how email works to a customer support rep.
Just to provide a counterpoint, I've been doing the same thing for 6 years now and I haven't found the same issues to be a problem. Even as someone with pretty intense social anxiety, I haven't encountered any awkwardness, and don't find it particularly inconvenient to have to look up the correct email in my password manager.

The only actual issue I can remember encountering was a weird glitch with Crashplan that wouldn't let me register with crashplan@[myfullname].com, so I ended up using backups@ instead. Also, my full name is tedious to have to spell out, so I switched to using [firstname].cloud as my email domain instead.

In my case, while I haven't caught any notable email sharing/selling, I've still found unique per-service emails useful for filtering and organizing messages. Many orgs these days don't bother to use a consistent From email, so if I want to find everything from XYZ corp, it's easier to search for everything sent to xyz@name.cloud than everything from no-reply@xyz.com and orders@xyz.com and info@xyz.net and email-list-123@xyz.email and so on and so forth.

I've had people try to guess my login with Company ABC once they learned of my CompanyXYZ@mydomain.com address. Avoiding the reuse of email addresses helps here, the same way avoiding the reuse of passwords does.

For blackhats, with catchalls you can create multiple accounts on sites that try to prevent it by assuming everyone only has 1 email address.

For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).

> For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).

With Gmail for Business / GSuite / Workspace, I had gone through the trouble of adding aliases through the Gmail.com UI when I wanted a from address. And I had created a bunch of dead accounts with aliases to reduce spam.

But when I switched away from Workspace to NameCheap, I just set up my one account as a catch-all, and in Thunderbird, when I want to send from one of those aliases, I just type it in, and it works fine. (Gmail had a setting that if you got it wrong, it sent it as an alias, but also used your mail address as the actual from/reply-to, which I found annoying!)

I also stopped bothering setting up those "honeypot" accounts. I get more spam, but... it's almost all detected as spam and put in the spam folder, so I don't worry too much. A few weeks ago, I had a day where a couple dozen gibberish addresses came in, like 8aeef09lk@domain.com, but then it stopped again.

Of course, all that is to say, if my current host does end support, it would be a pain!