94 comments

[ 4.1 ms ] story [ 169 ms ] thread
What does “AD friendly” mean?
Searching for '"AD friendly" email' brings up another temporary email service that this appears to be a clone of (https://huo.fo/), and this hackernews post with you asking what it means.

Active Directory comes to mind, but I'm not really sure what that would entail.

It's more likely that whatever open source solution they are using to run this, allows you to configure ad insertion easily.
You only need to see an advertisement in your email once when using a certain registered service, and the advertisement will not appear in your email afterwards
Okay you should probably make that clearer and at the very least write “Ad” not “AD”.
Thank you for your correction, English is not my native language, I will correct it as soon as possible
What will happen on the domain gets flagged by every provider and banned from use
At many places freedom tld's are already shitlisted.
What’s a freedom TLD?
>What’s a freedom TLD?

It was probably a typo/autocorrect of "freenom" :

https://www.freenom.com/en/freeandpaiddomains.html

The significance is that the ".ml" tld is on that list and this thread's domain is "email.ml". Some entities block any tld registered with freenom.

The problem with such services is, the moment they rear their heads just above the obscure line to even an iota of popularity, they get blocked, blacklisted and what not.

For those who own their own domain for emails, there are multiple ways of doing it - aliases, temporary IDs, filters, etc. Or use such services' backbone/infrastructure that can route the emails but you own the domain.

  `20240523@example.com` is valid for today.
> The problem with such services is, the moment they rear their heads just above the obscure line to even an iota of popularity, they get blocked, blacklisted and what not.

I never ran into that problem with https://temp-mail.org. They cycle domains constantly.

>I never ran into that problem with https://temp-mail.org. They cycle domains constantly.

You didn't run into that problem with temp-mail.org because you happen to use them on websites that don't bother blocking disposable email addresses -- or -- they do try to block them but use simplistic domain name checks.

But cycling domain names isn't enough to fool the more sophisticated disposable/throwaway email address detectors (especially the paid services) because they use extra heuristics of checking DNS MX records ip addresses.

E.g. temp-mail.org assigned the following random addresses "bob531@mcatag.com" and "alice8224@javnoi.com". Both of those domains are easily detected as throwaway emails because they both share the same MX ip 24.199.65.21 :

- https://verifymail.io/domain/mcatag.com

- https://verifymail.io/domain/javnoi.com

On the other hand, the "@mcatag.com", "@javnoi.com", etc used by temp-mail.org is good enough to get past the websites that copy&paste the code from these StackOverflow answers that just use simplistic string matching : https://stackoverflow.com/questions/10976706/how-to-block-di...

It all depends on how much effort and cost the websites want to put into blocking disposable email addresses.

If they use Cloudflare's Email Routing, the MX IP is more difficult to detect
(comment deleted)
https://temp-mail.org/ Is one of the harder ones to block. The use unique domains with unique Mx records and cycle through ip addresses. All seem to be on digital ocean though
It seems to me that fewer and fewer websites actually bother to block these domains.

Even if you go through all that extra trouble to maintain a list of banned domains, the user can still just whip out a Hide-My-Email address ending in @icloud.com.

They could end in @privaterelay.appleid.com which is... easy to block.
Only those emails generated by Sign In With Apple AFAIK
I don't think sites have problem with alias emails like iCloud Hide My Email. The issue is when they are used for creating spam accounts.
Do any HN commenters here know of any maintained lists of throwaway email domains?
In my experience this seems to be true. For a while it seemed throw away emails were pointless to try and they would all be blocked. But over the past couple years I’ve had a lot of success using mailinator, which is probably one of the better known services which has been around for a long time.
Yup. I just added this domain to our disposable list for one of the worlds largest social media apps.
To those who wonder which social media app Ronnie is talking about, that's Snapchat
The temp email services which support custom domains help. For example, Mailsac.com. But it has pivoted to more focus as a dev and qa platform.
I guess using a .ml domain is okay for something that explicitly needs to work temporarily, but since the freenom scandal I wouldn't trust such domains.
Any generic use of a ccTLD gives me the ick. It’s one thing to use one for your low-impact personal site, quite another to use one for your email address.
.ml has started requiring payment to register. If you have concerns, I can use email.beer
That domain seems to be squatted by the same guy that made the email.ml site.

Edit: didn't realize that was you.

Please stop using cloudflare validator. It's a piece of shit that repeatedly marks real users as fake, blocking them from using many sites
What would you recommend?
I'd personally recommend using something that doesn't block real people like there's no tomorrow.
(comment deleted)
Maybe hcaptcha, I've never run into captcha hell with it, unlike Cloudflare and recaptcha. If those two decide you're a bot, you're done, better go change that IP and reset cookies.
(comment deleted)
Yep. It marks residential IPs for no good reason and for god knows how long. Cloudflare is way up on the list of companies that have broken the internet. But, hey, free stuff, right?!
My blocked domain list is... checks production database... 18911 domains. I shall add another now
What is your business doing so that it requires you to maintain your own blocked domain list by hand?
If you need to block services like this, then you're probably part of the problem. These services only exists because companies insist on ask for email addresses for stuff that has no need for it, or which users don't trust to keep their email address safe and free of spam.
Blocking spam signups and preventing free trial abuse are two very legitimate purposes of blocking disposable emails.
I don't have any need for this website at the moment but I might need it in future so I bookmark it. The title of website does not have temporary email so my bookmark does not have that info. Now when I actually need this I can't find the bookmark! Can we please have a little bit context in the title of websites that aren't popular so that it's easy to search the website when needed.
Can't you add any title you want to your bookmark?
Just buy a random cheap domain and use cloudflare email routing.
This misses the point entirely. Most of the time when I need a temporary email address I just want to see some content that's hidden behind a sign up form. Going through the effort of buying a domain, configuring it, etc is the last thing I want to do in that situation. I want a site that will give me an address for 2 minutes so I can complete the sign up process and then go on with my day.
I don't think the suggestion was to set up your own throw-away email domain every time you need a throw-away email. Set it up once, then use it as needed. This is what I do. Sure I had to 'go through the effort' initially, but its not that much effort and I use the domain for other testing and temporary purposes as well.
In that case, how is this any different from e.g. signing up with a new account on Gmail/Outlook/etc? Why do you need to buy the domain and jump through all the other hoops?
>In that case, how is this any different from e.g. signing up with a new account on Gmail/Outlook/etc?

Some people like to create dozens (or hundreds) of disposable emails because they just need it for a single purpose (e.g. downloading a pdf whitepaper that's hidden behind an email sign-up). The email address is truly ephemeral and they don't want to create a whole new Gmail/Outlook inbox just for that. There's also UI/UX friction in Gmail/Outlook workflow of multiple screens to create a new inbox instead of being a convenient one-click like the disposable email services.

Also, Google and Microsoft puts a limit on the max # of new email accounts. They don't explicitly publish the max number but it depends on various heuristics such as your residential ip address, country, etc. E.g. some users only got up to 4 gmail accounts tied to a phone number. Others got 10 before being cut off. There are rate limits so one can probably get more accounts if creating them is spread out over multiple days.

Using one-click disposable email services or using your own domain to create unlimited email aliases lets one go beyond the limits of free Gmail/Outlook accounts.

Yeah this whole concept I agree with and it's actually what I brought up earlier in the comment tree. However what I still don't get is why you would choose the domain setup over one of very many free services where you get an address with a single click.
Gmail requires verification with a phone number, so assume all of your gmail accounts are linked
I think the idea was to do this once and use the mail everywhere you need it, not to do the setup every time you need a throwaway email.
Most people in this thread probably have the money and technical skills to buy a domain and set everything up, but it misses the point: this is supposed to be "infrastructure" that everyone can use without any hassle (and likely for free), rather than private to an individual.

Of course, like others have pointed out, shared "temp email" services are more likely to be blocked.

It doesn't respect ~/.signature in text-only emails: The tearline and everything under it is just put on one continuous line (together with the body text proper).
What is ~/.signature?
It's the “signature” (free text, but people use it for information, address, phone number, disclaimers and what not). It appears under the “tearline”, that consists of two dashes and a space (“-- ”).

On unix OSes it lives as the file ~/.signature, and many email clients will insert the contents of that file under the tearline in outgoing emails. E.g.: https://www.gnu.org/software/emacs/manual/html_node/emacs/Ma...

But how is a website supposted to get access to user's files in his homedir?
It's not. Sender's email client will/can insert their ~/.signature file at the end of each outgoing email. When such an email is read in email.ml, the signature is mangled in the way I originally described.
Ah, that's why I was confused: I did not understand why would a website has anything to do with files on a POSIXish machine. Thanks.
(comment deleted)
I feel that that's not what email is for. Any communication method needs a return address, otherwise spam and abuse.

Email has two very distinct purposes, not 1, not 3.

1- federated pseudonymous identity protocol for internet(ip/http).

2- medium-length business time insensitive communication.

That's it.

This sounds like a free experimental product aimed at improving 1, but most service providers will either have to block it or face abuse from users of your domain.

What OP doesn't know yet probably is that they will not be the ones under dos/spam,rather they will be used to DoS, spam, simulate traffic, scam, etc...

Edit: the ToS outlaws spam, so it is possible they will cooperate with spam blacklist providers like spamhaus ( not sure how). Not sure how businesses will block the domain for acct creation, probably as a whole, Ive seen websites use a whitelist approach like gmail, or outlook.

> I feel that that's not what email is for. Any communication method needs a return address, otherwise spam and abuse.

I don't agree. Email addresses are sometimes used for ephemeral tasks, like buying concert tickets and items in online stores. You need an email address, so they can send you the tickets or the receipt, but then you don't need this address anymore.

Actually that is not true:

Concerts could be rescheduled or cancelled, and emails would be the only easy to contact customers for arrangements like refunds.

Similar for online shopping, and in addition, emails could be used for notifying product recalls or class action resolution.

While these cases are relatively rare, it illustrates it is hard to know when an email is "done" -- it could be useful after a purchase itself, or even long after a transaction has finished.

Also, email accounts are linked to account/identity not to transaction/purchase.
That's a good counterargument, I agree.
They seem to be using cloudflare to verify the users are human. That's something in the way of protection against automated spam.
This comment seems to have far too much trust in Cloudflare. A more accurate statement is probably something like "They use Cloudflare to slightly increase the cost to spammers while only rejecting a small number of individual users."
Also cloudflare is on the other side of the trenches as well, one of their main services is protecting websites against bad actors, which love using these tools as weapons.

The whole deal reminds me of hobby file host projects.

As long as service providers demand that you give them a "valid" email address to create an account, and as long as a significant proportion of those providers sell those addresses to other spammers, services like this will continually be created. It feels like a bit of an arms race.
(comment deleted)
I recommend http://grr.la -- no login, just type in the local part of the mailbox and get access to email.
As mentioned elsewhere in this thread, this is increasingly getting blocked. This still remains my go-to service, however.
their domains seemed to be unusable in most sites i've tried. probably down to blacklisting due to long-standing domain names.

most probably the three offered by the one shared by OP will have a similar fate.

The github icon on the site directs to the author’s own page, and I couldn’t find any repository for the site, which makes me curious why do they even put the github link? Just for a follow?
Marketing & social media pervade everything now
Yeah, I was going to say it’s an awesome work but I looked around trying to find the repo.. and nothing was there. What’s the point of mentioning it runs on CF when you don’t provide the repo? This is just another SaaS
It looks like the footer is identical to the footer on the author's own personal website, so I guess they never cared to change it?
I find more convenient to generate the temporary emails right from the command line with something like this: https://github.com/sdushantha/tmpmail
(comment deleted)
Not only generate, but verifying your sign up with w3m also if needed.
I had high hopes for 1Password's integration with Fastmail and their masked email feature. Unfortunately I've seldom had it work properly and 1Password never prompts me to create a masked email when creating a new account for something.
Works great for me on Firefox MacOS.
My suspicion that the 1P extension is only as bright as the markup in the page, so <input type=text name=login> you get nothing, <input autocomplete=email type=email name=login> and the extension starts to behave well. Now a reasonable person could certainly wonder why the hell they don't offer "generate masked email" right next to their existing "generate password" but I have long since given up trying to understand the mysteries of 1P product management
> We do not share, sell, or disclose any personal information or email content to third parties, except as required by law or as necessary to protect our rights, property, or safety.

This policy claims to protect your privacy but allows them to share your data broadly, including with anyone they see fit to protect their own interests, effectively offering no real privacy guarantee.

They’re not going to protect your privacy to their detriment. They’re running a business, they’re not martyrs.
> They're not going to protect your privacy to their detriment. They’re running a business, they’re not martyrs.

Fine, then they shouldn't profess their faith.

- Home page, second line: Privacy friendly

- Second site page: Privacy

Claim: “At Email.ML, we value the privacy of our users and are committed to protecting their personal information.”

If what they mean is security, since they are not committed to protecting privacy, they should just say security. Security can be a fine selling point without the newspeak.

Translated claim in ‘oldspeak’:

“At Email.ML, we claim to value your privacy, but we will share your personal information whenever it suits our interests or legally required.”

Then they can't be said to value it.

And judging by the number of free one year identity theft protection plans I've racked up, they don't.

(comment deleted)
Nice. I use MailSlurp.com because it has API clients
Cool, but in terms of UI/UX, the 'Waiting for emails' banner animation is quite choppy and annoying because it isn't seamless and loops endlessly.