Listening to Security Now Episode 961 (https://twit.tv/shows/security-now/episodes/961) highlighted a trend where sites like FoxNews.com require email sharing and agreeing to terms of service before content can be viewed. Delving into Fox News' Privacy Policy, it's clear the extent of data collection and sharing is vast, including personal and activity data, with provisions for third-party sharing for advertising. Such practices raise serious privacy concerns, especially given the extensive user profiling and data monetization involved. This approach could set a worrying precedent for content access, prioritizing data collection over user privacy (https://www.foxnews.com/privacy-policy#fi).
I don't care about Fox News specifically, but I hope this trend requiring sharing an email address to view ad-supported content doesn't become more popular. An example of this on Fox News is this article, which requires an email address to view: https://www.foxnews.com/world/navalnys-body-reportedly-found.... Technical users can limit tracking by using email relays, but this is a big ask for non-technical users.
I have multiple email addresses based on use and how much I trust the entity collecting:
- My main personal address is the most protected and only give it out to friends, bank, family, etc.
- I have another address that I give out to Amazon, ebay, couple other trusted merchants and websites.
- Next lay down, one I use for merchants I don't particularly trust like AliExpress. In addition, I only use the credit card that lets me generate a number, set max spending limit, and expiration.
- Finally I have a couple that I use for general websites that I figure either could get hacked or I don't trust at all.
While not 100% accurate, I can tell who has sold or "lost" my info based on the spam I receive. My main personal has some spam but I think it stems from contacts that had their accounts compromised and their contact list was snarfed. Overall the less I assume I can trust the other entity the more spam that account has.
It is funny how accurate the tracking is though. I can search for something on my gaming pc and then a week later I see related ads on Youtube and sometimes even Tubi. My Amazon account uses a different email address than what I used to search on my gaming pc. While my gaming pc has accessed both gmail accounts, they weren't even logged in at the same time. I suppose they rely on IP address + IP metadata and collected advertising metadata to correlate accounts.
An easier way to spin up emails for every account:
For some email providers, if you add a "+" modifier to your email address, anything after the + will be ignored and still routed to your main email address. But email systems will still treat them as unique email addresses. (So abc123+Netflix@gmail.com and abc123+nytimes@gmail.com would both be delivered to abc123@gmail.com.
This limits their ability to link your accounts against each other. And you can see if someone shares your data when you start getting hits on your Netflix email address.
It seems like some backend code could easily strip the “+” and everything after it before saving an email to a database. Not sure how viable this is but I’ve also never tried it.
Firstly, we can see that they're using the email exactly as provided (for sending, at least), else filters on the mail we receive wouldn't work.
Secondly, the + trick works because it's valid in email addresses under RFC 5321 and RFC 5322 - the fact that Gmail (and others?) direct all addresses of the format 'foo+bar@gmail.com' to the mailbox of 'foo@gmail.com' is a quirk, not a given. Anyone wanting to trim '+bar' would have to know it's safe to do so for particular providers, and I doubt anyone wants to maintain that list and do extra backend work just in case they want to share on the sly.
How many legitimate emails have a + in them and don't use such an alias system? I'm sure they exist, but are probably even less frequent than the amount of people using this alias system, thus it's more profitable to strip it out.
If you are just trying to datamine for random email addresses, you can do that with a random string generator. If you want a list of Netflix customers accounts, you probably want the same exact email they signed up with.
Besides, you can always make a Gmail rule to junk any emails coming in without a modifier.
Profitable, whether for the company itself or for some oxygen waster to get some metric ("engagement"?) that justifies their salary/promotion.
I'm not saying they will strip out the + from the primary email address used for login/etc - that would be dangerous for many reasons and could deny access to users.
But they are absolutely likely to strip it out for obnoxious behavior which is only valuable at scale and individual failures don't matter - such as ad targeting, email spam, etc. In this case, it doesn't matter if you fail to spam the 0.001% of users with + as part of their actual username if it means you manage to spam the 2% that use + as an alias separator.
My career is to build and maintain marketing email systems. So just from my professional advice, it's still a legitimate hack.
I'm not saying there is not someone out there trying these shenanigans, but in 95%+ of situations you are still going to catch people sharing your data with a + modifier.
I've been using the foo+bar@mydomain trick for over 20 years. I have given this form of email address to well over 1,000 companies and I get exceptionally little spam to foo@mydomain.
> This limits their ability to link your accounts against each other
This sounds extremely naive to me. Why would it limit their ability when this feature of gmail has been publicly known forever? All they need to do is ignore everything after the plus when cross-referencing accounts.
I maintain email systems for a living and it's a completely legitimate hack.
Capital 'S' spammers don't care because they hit wide swaths of email addresses by generating random strings. They don't waste money buying data.
On the other hand, when someone is buying your data from Equifax, there might be some real bright actors out there, but the majority of firms engaging in this kind of behavior are not as technologically robust as you would think. So you will still catch people sharing your email address regularly.
Besides, if you have + modifiers in your email, they don't know what sort of shenanigans you might actually be doing with it. For all they know, it's a DLL with a re-router or it junks all non-modified emails.
I tried this. Tried this with my domain as well. Spammers have figured this out. They start spamming random emails on my domain and since there's catch all I do receive them. Randomly generated emails from dedicated services (duck.com, HME etc) work better. I can just disable them and don't have to worry about other random emails. Handling all this on my own domain is going to cost me a lot in both money and time and that'd be a lot of headache as well. Also, almost every body worth their spice and sugar knows of that "+ thingie" on gmail.com. Just saying.
That's a feature not a bug. Now your in-email client spam filter has a much easier time tagging spam because the same exact spam message sent to three different addresses. It works great for me. I love catch-all.
Are we talking about data being shared across services or spammers? Spammers play by different rules because they can just generate infinite email addresses on the fly and not have to worry about storing them unless they get a hit. I would consider that a different vector than your legitimate email address being shared.
In my experience, a private email domain is a neon sign for spammers. I would never recommend a private domain for privacy or anti-spam reasons.
It's increasingly difficult to change account's email and phone number, some services require selfie or scan of identity document. The fingerprint consisting of email and phone number is slowly becoming digital DNA.
I recently changed my email at a significant number of sites, as Gmail started to require phone numbers and was going to delete my accounts if I didn’t add one to some alternate addresses I had.
I didn’t run into the issue you mentioned, but I ran into the issue of Sony (for the PSN) telling me they wouldn’t delete a duplicate PSN account I had (conflicting with their support docs), after I waited 40 minutes to speak to someone. When I tried to bring up the support docs they ended the conversation.
I had a similar issue with Rockstar, where I ended up in captcha hell, having to solve 30 puzzles in a row for each login attempt or and again to get into areas of the site to change things. The site would not function. I got fed up to the point of wanting to delete my account. I don’t use it anyway. I did whatever the site said to do, and it said it could take up to 30 day(?). That was probably 3 months ago and I haven’t heard anything.
These two things make me uncomfortable deleting one of my Gmail accounts, so it’s still hanging out there.
Moving to another country is a nightmare because you cannot bring your phone number.
I am currently paying for a US phone number I don't meaningfully use, because it's not clear that all of my important account-holding organizations reliably support a two-factor/login confirmation strategy that isn't "US phone number".
Firefox Relay is a handy assistant to at least stymie email tracking and is neatly integrated with the browser. The free tier gets you a few masked emails that forward to your actual inbox. You can't reply through the masked email without paying, but that might not be necessary for all.
It feels like retaining some semblance of privacy is a losing battle. Data clean rooms are industry standard now and many companies happily share their bounties with others for profit. That appears to be the future along with consolidating businesses based on data-driven insights for demographics. How are these kinds of practices still legal? When does data collection and sharing become such a glaring issue that constitutional rights can be invoked in a landmark lawsuit? Or can we expect anti-trust suits to limit companies hoarding vast repositories of data?
It feels naive to ask these questions, but they're fundamental to societal health and progress, democracy, and arguably the planet.
In the EU they are not, and as someone who has been using a custom email address for almost every service for the last 15 years or so, I have noticed that this almost doesn't happen anymore.
The only cases where an email address receives spam anymore is after breaches, or very old addresses that have been sold more than 10 years ago.
I tried this, but the thing I didn't like about it was that it ties you into Fastmail. I like using a custom domain so it's relatively easy to change your email provider, but masked emails are in the format xxx.xxx@fastmail.com so you'd need to revisit all of those accounts if you want to change your email provider to someone else. I'm currently trying using a catch-all with servicename@mydomain.com, and will be interested to see how much extra spam comes in through the catch-all.
I get that. If (and when) I change email providers it'll be a pain. My gripe with a custom domain is that it'd uniquely identify me. I prefer to hide behind fastmail.
I do this with a generic-sounding domain (...mail.tld), and I purposefully don't have catch-all enabled for this domain. That way, when I disable a masked address I completely block the service I used it for from sending me emails.
To further reduce ties to Fastmail, I believe you can export a list of all your e-mail addresses used.
Currently I use Fastmail to host my own domain, and then for every new service I save the account in 1Password using service@service.mydomain.com
It's a bit extreme, but surprisingly little extra effort. That said, most of the accounts I create are throwaway.
For phone numbers I have an old, unused Google voice number I give out. It's a real number, but never checked, except for once every 90? days, to keep it active.
I'd love it if OnePassword integrated with something like https://randomuser.me to generate a new profile for every awful service that needs an account to work.
Yeah, I tried that for a while, and I have some Apple generated forwarders too.
In the end in places like a store that wants you to sign-up for X% off, or something it's easier to just to give them storename@domain.com and see what happens.
It's actually pretty low friction in terms of management.
As I said elsewhere in the comments here, I didn't like the xxx.xxx@fastmail.com format of masked emails because if you're using a custom domain and you have 200 logins using masked email addresses, then want to change your email service, you have go through those 200 services updating the email address for each one. I'm trying the same setup as you suggest above on the basis that Fastmail allows you to block specific email addresses in case you start getting lots of spam to a specific address through the catch-all.
Of course it does, nobody will take into account the special case of people who use subdomains or even just non-standard email address separators, unless they are a rather determined government agency and then all of a sudden almost no method works anymore for privacy.
I'm pretty sure even Google doesn't care about the dozens of people who use a different email address for different services.
This was my thinking here - yes, it has flaws in the approach, but it also gets me out of the main buckets that spammers will hit, and ad brokers will generally be selling.
It's a little friction, that maybe goes a long way. Pretty hard to actually evaluate though. Gives me the warm and fuzzies and I got to play around setting it up, so all good there.
I've thought through similar setups, but if the intent is to break cross-platform correlation to a user/device ID and related de-anonymization, I keep coming back to these questions:
- How do I know fastmail doesn't sell data? If every one-time domain is tied to a static fastmail account, and the fastmail account has my real info and sells it, then the obfuscation per-service is moot.
- Google certainly is selling data, and its hard to have an account with them that's totally clean and doesn't need an existing "anchored"/tracked piece of infra to set it up (existing phone number, etc). SO, the VOIP number from Google is once again linked up to my IRL data, and the obfuscation is again moot.
The best I can think of is the theory that a LLC's privacy protections will be stronger than an individual. If I wrap everything in a LLC (phone provider, AWS acc with services like Chime, etc), then the correlation surface areas looks like a random LLC using all these retail services and its delinked from my IRL, assuming AWS/Google don't protect a LLC's data from selling into adtech (and I speculate it might protect it actually).
I owned and ran my own email domain for a long time. Initially on my own hardware for fun, then a VPS, then GSuite, then Fastmail. That's over around 20 years.
So, it wasn't planned - it evolved. Somewhere in the Fastmail era I was reading their docs around wildcarding and thought I'd try it out.
My primary domain is my name though, so for extra privacy (anality) I bought another that has no link to me in the name.
There are still gaps in it. e.g. any merchant site still needs my physical address, and plenty need my cell number. But, generally, it's just an attempt to minimize a digital footprint and see what privacy I can get.
That and just why not? I self-host enough stuff, that I see this as another aspect of the same mentality - having a little more control.
It's not perfect security, it's not completely clean. Hopefully it's enough to get me out of the easy target bucket though.
Makes sense, seems like this setup still has the same issues I brought up, but good to know others are sorting through the same issue.
I spent a good while reading about adtech from the practitioner side (i.e. adtech devs) vs. from the privacy side, and it was illuminating. Basically, the fears of privacy advocates get laid out in plain "this is a great feature for user correlation" speak, without any of the feature-masking used when adtech discusses it in privacy terms with privacy-conscious audiences.
In short, my takeaway from that research was it only takes 1x merchant or infra provider which can correlate a "masked" domain/VOIP number/PO box with something IRL of yours to basically undo the whole privacy effort. Without ironclad knowledge the vendor doesn't sell data (which is hard to get), it's as good as safely assuming the data got sold (or the pixel in the webpage did it, and so on).
Tough to think through! I think LLC'ing ones life, if in the US, is the only way to truly do it or get a reasonably high guarantee. You'd get corporate privacy guarantees which are unfortunately stronger than individual privacy guarantees in the states.
I've been thinking of running a setup like this specifically to rat out who's been selling my e-mail addresses, since the spam would be directed at the service@service.mydomain.com.
Did you find any interesting results from your setup? Some surprising services who sold your address?
And did you find you got much spam to non-existent addresses? I used to use a catch-all setup, and got a large amount of spam, but that must have been 25ish years ago.
Thanks. I find Fastmail a little worse than Google in terms of spam, but that could just be fluctuations in the amount of spam in general after changing service. (I'm noticing more spam in my work email recently, which uses Google Workspace, too).
Not GP but I have the same set up and have only had a couple times where I received unexpected emails to an inbox. One was from GitHub profile scraping, can't remember what the other one was.
One of the surprisingly useful areas is with deliveries. Emails from delivery companies (especially from abroad) often don't specify what it is they're delivering or who it's from. But with this set up I can easily check that with the email address they're sending to, to know who it's from
name+service@email.com is also a good way to find out. It’s standard and accepted by most sites and most email providers. I use it, didn’t find any proof of service selling my adress except some random Ali express vendor the one and only time I bought here an item I couldn’t find anywhere.
Good point. I'm not sure the bad guys take time to clean the base or even care. But for sure the edgy/grey area one would. Still, i'm more confident about this solution than relay emails from any service (even Firefox) that could potentially lock me out eventually.
Would one problem with your domain approach be that it’s less anonymous to mailers than if you used a relay services where many users with random email addresses shared the same relay domain?
(I'm using wrong terminology) It works because if there is no entry for *.domain.com the system will go one level up, to domain.com for the MX records.
It even works multi-level, like x.y.domain.com will use the MX records of domain.com (provided there are none for x & y).
This is worth mentioning as x.y.domain.com does not work if you have a *.domain.com SSL certificate.
It's pretty ridiculous to think we can win a cat-and-mouse game of surveillance mitigation as individuals against some of the world's largest corporations. Some web services/sites are even starting to create nuisance hurdles around VPNs they know about, if they don't just block them outright, China style. We need to make surveillance of this kind a crime to make it stop. We need privacy laws that are comprehensive and have teeth.
> It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.
Isn't this kinda normal now anyway? Like its a fact of life, not much you can do about it, why not hand out your email, its probably out there already anyway.
I’ve been using addy.io for quite some time now. I have a burner tld and every time I sign up for something new I input servicename@mytld.com. Addy forwards that email to the email I have chosen. Works doubly better if you don’t use gmail as your inbox.
75 comments
[ 3.8 ms ] story [ 145 ms ] threadI don't care about Fox News specifically, but I hope this trend requiring sharing an email address to view ad-supported content doesn't become more popular. An example of this on Fox News is this article, which requires an email address to view: https://www.foxnews.com/world/navalnys-body-reportedly-found.... Technical users can limit tracking by using email relays, but this is a big ask for non-technical users.
- My main personal address is the most protected and only give it out to friends, bank, family, etc.
- I have another address that I give out to Amazon, ebay, couple other trusted merchants and websites.
- Next lay down, one I use for merchants I don't particularly trust like AliExpress. In addition, I only use the credit card that lets me generate a number, set max spending limit, and expiration.
- Finally I have a couple that I use for general websites that I figure either could get hacked or I don't trust at all.
While not 100% accurate, I can tell who has sold or "lost" my info based on the spam I receive. My main personal has some spam but I think it stems from contacts that had their accounts compromised and their contact list was snarfed. Overall the less I assume I can trust the other entity the more spam that account has.
It is funny how accurate the tracking is though. I can search for something on my gaming pc and then a week later I see related ads on Youtube and sometimes even Tubi. My Amazon account uses a different email address than what I used to search on my gaming pc. While my gaming pc has accessed both gmail accounts, they weren't even logged in at the same time. I suppose they rely on IP address + IP metadata and collected advertising metadata to correlate accounts.
For some email providers, if you add a "+" modifier to your email address, anything after the + will be ignored and still routed to your main email address. But email systems will still treat them as unique email addresses. (So abc123+Netflix@gmail.com and abc123+nytimes@gmail.com would both be delivered to abc123@gmail.com.
This limits their ability to link your accounts against each other. And you can see if someone shares your data when you start getting hits on your Netflix email address.
Firstly, we can see that they're using the email exactly as provided (for sending, at least), else filters on the mail we receive wouldn't work.
Secondly, the + trick works because it's valid in email addresses under RFC 5321 and RFC 5322 - the fact that Gmail (and others?) direct all addresses of the format 'foo+bar@gmail.com' to the mailbox of 'foo@gmail.com' is a quirk, not a given. Anyone wanting to trim '+bar' would have to know it's safe to do so for particular providers, and I doubt anyone wants to maintain that list and do extra backend work just in case they want to share on the sly.
Gmail is also pretty popular, so it's not much work to just hardcode it there.
Also, most of the automated email systems are not as sophisticated as people think. Ours actually relies on + wildcards for internal testing.
If you are just trying to datamine for random email addresses, you can do that with a random string generator. If you want a list of Netflix customers accounts, you probably want the same exact email they signed up with.
Besides, you can always make a Gmail rule to junk any emails coming in without a modifier.
I'm not saying they will strip out the + from the primary email address used for login/etc - that would be dangerous for many reasons and could deny access to users.
But they are absolutely likely to strip it out for obnoxious behavior which is only valuable at scale and individual failures don't matter - such as ad targeting, email spam, etc. In this case, it doesn't matter if you fail to spam the 0.001% of users with + as part of their actual username if it means you manage to spam the 2% that use + as an alias separator.
I'm not saying there is not someone out there trying these shenanigans, but in 95%+ of situations you are still going to catch people sharing your data with a + modifier.
This sounds extremely naive to me. Why would it limit their ability when this feature of gmail has been publicly known forever? All they need to do is ignore everything after the plus when cross-referencing accounts.
Capital 'S' spammers don't care because they hit wide swaths of email addresses by generating random strings. They don't waste money buying data.
On the other hand, when someone is buying your data from Equifax, there might be some real bright actors out there, but the majority of firms engaging in this kind of behavior are not as technologically robust as you would think. So you will still catch people sharing your email address regularly.
Besides, if you have + modifiers in your email, they don't know what sort of shenanigans you might actually be doing with it. For all they know, it's a DLL with a re-router or it junks all non-modified emails.
In my experience, a private email domain is a neon sign for spammers. I would never recommend a private domain for privacy or anti-spam reasons.
I do get a lot of spam sent to [someone else's email] where my own email address was BCC'd.
I didn’t run into the issue you mentioned, but I ran into the issue of Sony (for the PSN) telling me they wouldn’t delete a duplicate PSN account I had (conflicting with their support docs), after I waited 40 minutes to speak to someone. When I tried to bring up the support docs they ended the conversation.
I had a similar issue with Rockstar, where I ended up in captcha hell, having to solve 30 puzzles in a row for each login attempt or and again to get into areas of the site to change things. The site would not function. I got fed up to the point of wanting to delete my account. I don’t use it anyway. I did whatever the site said to do, and it said it could take up to 30 day(?). That was probably 3 months ago and I haven’t heard anything.
These two things make me uncomfortable deleting one of my Gmail accounts, so it’s still hanging out there.
I am currently paying for a US phone number I don't meaningfully use, because it's not clear that all of my important account-holding organizations reliably support a two-factor/login confirmation strategy that isn't "US phone number".
It feels like retaining some semblance of privacy is a losing battle. Data clean rooms are industry standard now and many companies happily share their bounties with others for profit. That appears to be the future along with consolidating businesses based on data-driven insights for demographics. How are these kinds of practices still legal? When does data collection and sharing become such a glaring issue that constitutional rights can be invoked in a landmark lawsuit? Or can we expect anti-trust suits to limit companies hoarding vast repositories of data?
It feels naive to ask these questions, but they're fundamental to societal health and progress, democracy, and arguably the planet.
https://relay.firefox.com/
In the EU they are not, and as someone who has been using a custom email address for almost every service for the last 15 years or so, I have noticed that this almost doesn't happen anymore.
The only cases where an email address receives spam anymore is after breaches, or very old addresses that have been sold more than 10 years ago.
https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...
I do this with a generic-sounding domain (...mail.tld), and I purposefully don't have catch-all enabled for this domain. That way, when I disable a masked address I completely block the service I used it for from sending me emails.
To further reduce ties to Fastmail, I believe you can export a list of all your e-mail addresses used.
It's a bit extreme, but surprisingly little extra effort. That said, most of the accounts I create are throwaway.
For phone numbers I have an old, unused Google voice number I give out. It's a real number, but never checked, except for once every 90? days, to keep it active.
I'd love it if OnePassword integrated with something like https://randomuser.me to generate a new profile for every awful service that needs an account to work.
https://1password.com/fastmail/
In the end in places like a store that wants you to sign-up for X% off, or something it's easier to just to give them storename@domain.com and see what happens.
It's actually pretty low friction in terms of management.
I have put in some blocks before where services don’t let you unsubscribe.
Fastmail masked emails + 1Password helps though.
I'm pretty sure even Google doesn't care about the dozens of people who use a different email address for different services.
It's a little friction, that maybe goes a long way. Pretty hard to actually evaluate though. Gives me the warm and fuzzies and I got to play around setting it up, so all good there.
I've thought through similar setups, but if the intent is to break cross-platform correlation to a user/device ID and related de-anonymization, I keep coming back to these questions:
- How do I know fastmail doesn't sell data? If every one-time domain is tied to a static fastmail account, and the fastmail account has my real info and sells it, then the obfuscation per-service is moot.
- Google certainly is selling data, and its hard to have an account with them that's totally clean and doesn't need an existing "anchored"/tracked piece of infra to set it up (existing phone number, etc). SO, the VOIP number from Google is once again linked up to my IRL data, and the obfuscation is again moot.
The best I can think of is the theory that a LLC's privacy protections will be stronger than an individual. If I wrap everything in a LLC (phone provider, AWS acc with services like Chime, etc), then the correlation surface areas looks like a random LLC using all these retail services and its delinked from my IRL, assuming AWS/Google don't protect a LLC's data from selling into adtech (and I speculate it might protect it actually).
So, it wasn't planned - it evolved. Somewhere in the Fastmail era I was reading their docs around wildcarding and thought I'd try it out.
My primary domain is my name though, so for extra privacy (anality) I bought another that has no link to me in the name.
There are still gaps in it. e.g. any merchant site still needs my physical address, and plenty need my cell number. But, generally, it's just an attempt to minimize a digital footprint and see what privacy I can get.
That and just why not? I self-host enough stuff, that I see this as another aspect of the same mentality - having a little more control.
It's not perfect security, it's not completely clean. Hopefully it's enough to get me out of the easy target bucket though.
I spent a good while reading about adtech from the practitioner side (i.e. adtech devs) vs. from the privacy side, and it was illuminating. Basically, the fears of privacy advocates get laid out in plain "this is a great feature for user correlation" speak, without any of the feature-masking used when adtech discusses it in privacy terms with privacy-conscious audiences.
In short, my takeaway from that research was it only takes 1x merchant or infra provider which can correlate a "masked" domain/VOIP number/PO box with something IRL of yours to basically undo the whole privacy effort. Without ironclad knowledge the vendor doesn't sell data (which is hard to get), it's as good as safely assuming the data got sold (or the pixel in the webpage did it, and so on).
Tough to think through! I think LLC'ing ones life, if in the US, is the only way to truly do it or get a reasonably high guarantee. You'd get corporate privacy guarantees which are unfortunately stronger than individual privacy guarantees in the states.
Did you find any interesting results from your setup? Some surprising services who sold your address?
Could also be that Fastmail has good filtering.
Could also be that random domains aren't that valuable to sell.
One of the surprisingly useful areas is with deliveries. Emails from delivery companies (especially from abroad) often don't specify what it is they're delivering or who it's from. But with this set up I can easily check that with the email address they're sending to, to know who it's from
I also use catch-all and no noticeable increase in spam.
It even works multi-level, like x.y.domain.com will use the MX records of domain.com (provided there are none for x & y).
This is worth mentioning as x.y.domain.com does not work if you have a *.domain.com SSL certificate.
It seems that fastmail only does *.domain.com and not *.*.domain.com: https://www.fastmail.help/hc/en-us/articles/360060591053-Plu...
Hope that helps
I thought since the spam floods of the early 2000s everyone knew not to put their real email to get that 5€ off coupon.
Of course tracking is a thing now too. But most people I know, even non techies are aware of that and very reluctant to give any information.
Isn't this kinda normal now anyway? Like its a fact of life, not much you can do about it, why not hand out your email, its probably out there already anyway.
(OTOH I change my email every 5 years or so)
https://github.com/fazalmajid/postmapweb
Also the Bitwarden password manager has an integration for SimpleLogin.