Email: How about doing it right?
In light of the seemingly increasing rate of data breaches and privacy violations in general, I've decided to take some steps further regarding my online presence.
Among other things, I decided to switch all my online accounts to custom domain email addresses, so I grabbed two domain names (with WhoisGuard enabled): one for use with stuff related to my real identity (think @firstlast.com), and the other for all else (think @randomword.com). Then, I changed the email address of each one of my existing online accounts, taking advantage of the catch-all feature. To make things short, it goes like this:
Accounts not related to my real identity:
- tildes.net.187462@randomword.com -> tildes.net
- reddit.com.178334@randomword.com -> reddit.com
- ...
Accounts related to my real identity:
- amazon.com.113908@firstlast.com -> amazon.com
- bankofamerica.com.175512@firstlast.com -> bankofamerica.com
- ...
As you might have guessed, the 6 digits ending the local part of email addresses are meant to be randomly generated, in order to mitigate easy guesses by spammers due to catch-all (though I've also created a specific sieve filter to mark incoming emails with "unknown" recipient as spam).
Before you ask, I don't intend to start a discussion about threat modelling here. I just want—as anyone who is not a complete tech-illiterate—to have a reasonable weapon against spam caused by recurrent data breaches, so that if an email address is leaked, I can toss it and replace it with a new one without much effort.
Also, I value owning my email addresses, in the sense that if I decide to change email provider in the future, I won't have to change my addresses too as a consequence. For communicating with real humans (e.g., my doctor), I could use a non catch-all address like first@firstlast.com.
I wonder what you think of this approach... Is it overkill? Do you see any major concern from a privacy or security standpoint? Are you doing something similar and are happy with it? I would very much like to hear your experiences with email, especially about the approach you settled with.
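The alias scheme described in the post above, sketched as an added example (not part of the original thread): it generates `service.NNNNNN@domain` addresses from a CSPRNG and classifies inbound recipients the way the post's unknown-recipient filter and toss-and-replace routine would. The class name, verdict labels and sender-domain check are assumptions made for illustration; `randomword.com` is the post's placeholder domain.

```python
import secrets

DOMAIN = "randomword.com"  # placeholder catch-all domain taken from the post


def make_alias(service: str, domain: str = DOMAIN) -> str:
    """Return service.NNNNNN@domain with a 6-digit suffix from the OS CSPRNG."""
    suffix = f"{secrets.randbelow(10**6):06d}"
    return f"{service.lower()}.{suffix}@{domain}"


def _same_site(sender_domain: str, service: str) -> bool:
    """True if the sender domain is the service's domain or a subdomain of it."""
    sender = sender_domain.lower().rstrip(".")
    return sender == service or sender.endswith("." + service)


class AliasRegistry:
    """Hypothetical registry of the catch-all addresses actually handed out."""

    def __init__(self, domain: str = DOMAIN):
        self.domain = domain
        self.active = {}     # service -> alias currently registered there
        self.burned = set()  # aliases retired after a leak

    def issue(self, service: str) -> str:
        alias = make_alias(service, self.domain)
        while alias in self.burned:  # never hand a leaked alias out again
            alias = make_alias(service, self.domain)
        self.active[service.lower()] = alias
        return alias

    def rotate(self, service: str) -> str:
        """Burn the alias leaked by `service` and issue a replacement."""
        old = self.active.pop(service.lower(), None)
        if old:
            self.burned.add(old)
        return self.issue(service)

    def classify(self, recipient: str, sender_domain: str = "") -> str:
        rcpt = recipient.strip().lower()
        if rcpt in self.burned:
            return "reject"  # leaked address that was tossed
        for service, alias in self.active.items():
            if rcpt == alias:
                # Services also send through third-party mailers, so a
                # mismatch is a flag for review, not proof of abuse.
                if sender_domain and not _same_site(sender_domain, service):
                    return "suspicious"
                return "deliver"
        return "spam"  # catch-all hit on an address that was never issued


if __name__ == "__main__":
    reg = AliasRegistry()
    first = reg.issue("tildes.net")
    print(first, reg.classify(first, "tildes.net"))
    print("admin@randomword.com", reg.classify("admin@randomword.com"))
    second = reg.rotate("tildes.net")  # simulate a breach at the service
    print(first, reg.classify(first))
    print(second, reg.classify(second))
```

A 6-digit suffix gives 10^6 possibilities per service name, which deters casual guessing against the catch-all but is not a secret on the level of a password.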
For what it's worth I found that making the email address unique per domain is overkill. I like the idea in principle, and to an extent I do have a trash gmail account I use for the services I distrust; but the convenience of having a stable, fixed email for all my common services outweighs what little benefit I would get from varying it.
And what benefit would that be anyway? If I didn't trust the provider in question, I would use my trash email. And if I do trust them but it ends up leaking, then… what, exactly? I block them? shrugs
My email address is easily found and I get ~1 spam email per day after it existing, and being public on the web for now 7 years or so. Hell I've stopped using any form of email obfuscation on my site.
So in short, I have three emails: A trash one, a personal one to my name, and a work one to my company. The distinction between the last two gets muddy when it comes to my consulting business but that's more of a "me being disorganized" problem; the approach is sound.
In my view, the most evident benefit would be that if an email address is leaked—which is not that uncommon, by the way—you are not doomed to receive spam forever. You simply block emails sent to the leaked address through a filter, and create a new one for that website (if you still need it).
For throwaway accounts, I tend to use services like 10minutemail. In that case, I don't even care if someone manages to steal the temporary address to gain access to the throwaway account.
It's also pretty useful to spot companies illegally selling your data (e.g. the e-mail being leaked, but also other possible, more sensitive info, like names and such). Makes for easy reports.
But an email leaking doesn't actually matter. My email has been out in public for years and very few have added me to spam lists. In fact most spam I receive is alphabetical searches forwarded from another Gmail account.
I think the only bit that I can see as useful is the security aspect, people can't just necessarily guess your email if you don't have a predictable one.
I wouldn't say it doesn't matter in general, because in my experience once an email is out there, it's only a matter of time before it gets spam consistently. Maybe you have been lucky so far? Or maybe I have been unlucky.
Does it really matter if it gets spam though? Spam filtering is essentially a solved problem. Only thing we don't catch with high confidence is targeted phishing, and that would likely be from people who know your real email.
Back in the days we used to have this mentality exactly because spam filtering was hard. One of the Futurama movies plays on that even.
I think it's a good point, however I can't ignore the possibility that your opinion might be biased, depending on which email provider you're using.
We can all agree that Google has a superb spam filter, in part because it has big money put into it (let's not mention the use of personal data for improving spam detection). But what about other, possibly smaller or privacy conscious email providers? I don't think we should take spam filtering effectiveness for granted.
Well at the end of the day you do what you want :)
And yeah, email is hard, that's pretty well known. IMO in 2021 it's reasonable to expect of any email provider (privacy-conscious or not) to have a solid spam filter. This has actually gotten far easier over the years even for smaller players, with the introduction of better spam detection algorithms, public ML models, and most of all a great increase in a variety of security protocols relating to email sending/receiving.
And I wouldn't call google's spam detection so great, it has a lot of false positives unfortunately. But "protecting" a reasonably public email address from spam discovery is a quest for failure IMO: It ends the moment you slip up once, or the moment some troll on the internet wants to annoy you.
It seems okay, but I think for trash email, using throwaway addresses from an established email provider might be less conspicuous? For example, two separate gmail addresses aren't as obviously associated as two randomword.com addresses.
Maybe there is some email provider that lets you get multiple email addresses that aren't obviously connected, in a convenient way?
Personally, my email addresses are public (well, some of them) and I rely on gmail's spam filtering. It looks like I'm getting about 600 spam emails a month. (This is the spam that reaches gmail; on some addresses there is a first-level spam filter.)
I have often used suffixes to track how email addresses are getting copied around, but I don't expect it to fool anyone who actually looks at them.
I have the same problem with connected addresses. If a breach links my identity to one of my @randomword.com addresses, all the others get linked to my identity as well. I don't think that there is a way to avoid this without switching to a domain that is shared with others. (SimpleLogin and AnonAddy are both FLOSS solutions for this, with paid hosting available—a business model that I'm particularly fond of.) However, switching to a shared domain would make me dependent on a particular host, and I quite like that I am able to change mail hosts just by changing some DNS records.
Perhaps a decent solution is to just make the @randomword.com addresses less conspicuous, e.g. by using a username generator for them.
For throwaway addresses, I don't use custom domains at all (yes I should have been more clear on that), but rather rely on 10minutemail and the like. Unfortunately, the email provider I currently use doesn't offer disposable addresses. I hope it will someday.
I think services like AnonAddy or SimpleLogin fall into this category. I had considered them, but I didn't want to rely on—and trust—another third party service for my emails, also because they can read them.
I am happy this worked out well for you. Personally, I decided to go for a smaller yet ethical and privacy-respecting provider, so I'm not expecting their spam filter to be as effective as Google's.
Actually, both of those services allow you to encrypt forwarded messages that are sent to your main e-mail inbox. However, it is worth noting that encryption for forwarded messages (from your alias e-mail inbox to your main non-alias e-mail inbox) for SimpleLogin is a paid feature, whereas for AnonAddy, it is a free feature, if I am not mistaken. Both services do not encrypt forwarded messages by default for free plans.
Under AnonAddy FAQ: https://anonaddy.com/faq/
How do I add my own GPG/OpenPGP key for encryption?
Now, again like I said before, for SimpleLogin, if I'm not mistaken, encrypted forwarded e-mail messages are a paid feature: https://simplelogin.io/pricing/
Under the $30 per year or $3 per month pricing column:
Caveat: I do not know if SimpleLogin's encrypted forwarded messages feature is default in its paid features (just clicking a few buttons) or whether you have to do some extra work in importing the encryption keys.
Yes, I know, but messages are processed unencrypted by AnonAddy/SimpleLogin before being forwarded. I am not suggesting that there's a way to do otherwise—in fact, due to how email works, there is not (unless you happen to use GPG for all your communications, which is unlikely).
I've been doing almost exactly this for 15 years.
It increases security, but is overkill for spam.
Increased Security: I don't have any hard data here, but it presumably makes it harder to hack into accounts if you don't know the email address.
Overkill for Spam: You are going to want to give out a normal looking email address to your Aunt Petunia, who is going to send you an e-card with a cute cat picture, and now you will get some spam that will drive you crazy figuring out where it came from. Or try telling the low paid guy over the phone that your email address is bankofamerica.com.175512@firstlast.com, but you are not an employee nor a hacker. If you want to control spam, and don't want to opt out, just have two email addresses. I have two email addresses. One for people, the other for sites I never wanted to hear from anyway. Sites that I care about get the @e.randomword.com email address. I guesstimate 95% of the spam to my @e.randomword.com addresses comes from sites I signed up with, and it comes with an opt out. I only ever really noticed two hacks resulting in noticeable spam, bitcoin and worldvision back in early 2000s.
Pro tip 1: If you want to reduce spam, you may want to consider using a subdomain "@e.randomword.com" - I got spam at admin/sales/etc@randomword.com.
Pro tip 2: Also beware of "We were unable to deliver an email to you" errors. I have no idea how to avoid this. The financial institutions try to validate that your email address is valid, and if the email server says it is invalid then they stop sending you email to that address.
Pro tip 3: Facebook and Linkedin are sneaky. I only ever told them one email address, but they figured out some of my other email addresses. Even worse, at one point they let you sign on with any email address.
Can you go into more detail about this? I'm curious about what happened and how they might be doing this.
I think facebook & linkedin figured out my emails from their phone app. Back in early 2010 I was old but foolish and installed the facebook app on an iPhone. The phone app had unconstrained access to my contact list, which included a contact for me. That probably got them my phone number, my work email address and my personal email address. Worse, it gave facebook the phone numbers and email addresses of everyone I know. Facebook uses this info to create shadow profiles. I deleted the apps a few years later but the damage was done.
What surprised me is LinkedIn allowed authentication via any email address.
Thanks for the extra detail.
^ This makes little sense to me. By what rules do they assume different email addresses are the same person?
Now that I think it through, I probably did something that confirmed the email was mine.
Wow, I consider you an email veteran. But, are you saying that you've moved on from this approach?
Good points. To some extent, I had already thought about such possible situations, but thanks for bringing real-world experience here. In addition to those, I would say trying to convince the same low paid guy that the email address you are sending from, despite being different from the alias registered in their website, still belongs to you. This is because you can't send from a catch-all address unless you configure it as sending address at your email provider (which, despite the occasional annoyance, could be done).
For the moment, I think I will keep doing without a subdomain. However, if spam will ever increase to an alarming level, I will reconsider your suggestion.
This is something I read elsewhere and I hope it's not that common. What did you do in such situations? Were you forced to use the average gmail?
This is a bit disturbing. For what it's worth, I ditched Facebook a long time ago.
I use this approach to increase security and because it is a habit, and even overly complex habits are sticky. Each important account gets its own email address, which hardens my security. It's harder to hack my accounts if you don't know the email address associated with it. It makes resetting passwords almost impossible, and if an email looks suspicious I can easily see if it was sent to the right email address. So I am much less likely to click into a socially engineered link that tries to trick me into typing in my username and password. This is important to me, as I don't rely on completely random passwords for each account. It has a downside, not all emails get through, and financial institutions insist on physically mailing me stuff because they are extra careful about checking the email address is valid.
This is pretty similar to what I do. My personal email address that I give out to humans is first@firstlast.me, and I use burnermail.io for everything else. They all forward to a second account (burners@firstlast.me). Aside from one single company inexplicably refusing to allow me to set my email address to anything with the domain @tryninja.io, this has worked out perfectly for me. Usually I will just unsubscribe from spammy or unwanted companies, but if someone refuses to respect my email settings (or sells my email address to someone else, which is easy to detect when all of the addresses say the company name) I can just disable the email address and never worry about it again.
My inbox is very manageable; I get maybe one or two emails a day, and I actually want to read almost every email I get. I’m a big fan, definitely never going back!
Thank you for sharing. Did you ever consider using a custom domain with catch-all instead of burnermail? If yes, why did you decide to go with burnermail instead? I am not trying to criticize your approach, I'm just curious about the motivations, because I too found myself considering a similar service.
The biggest win for me is that burnermail lets me send emails from my generated emails as well as receive them, which makes them significantly more useful. It’s also a little easier to burn them (just a button) than it would be to set up an auto-trash rule if I used a catch all email.
Burnermail also has a nice little browser extension that generates new addresses for me when I need them, which is neat :)
Being able to send is certainly a plus compared to catch-all, and I think it's something I could miss.
What I'm concerned about is the chance of burnermail domains being blocked by websites. I think these services are more prone to be abused and thus blacklisted. But I have no direct experience to support my claim.
Also, with burnermail you lose the ability to transfer email addresses to another provider, if you ever need to.
I've been doing something like this for the past couple years too, I have run into one hiccup. My webhost has to be very careful with what they relay to me, and will sometimes reject emails even before the spam filter if it thinks it might be spam, to avoid the risk of their domains being blacklisted. It seems mailchimp and their mass mail service (forgot its name) is one of the domains they don't relay, so services that use them for mass mailings like patreon, won't work, or will be very intermittent.
I am not sure I've understood correctly: are you saying that with custom domain email sometimes you are unable to receive stuff from mailing lists, in particular from those powered by Mailchimp?
Mass mailing services, like services that send out stuff like email confirmations. With patreon specifically what would happen is they'd send an email to verify my account on a new device, but it would never show up because it was blocked by my registrar. I spoke with them and they said there was nothing they could do because they can't risk whitelisting mailchimp because they risk getting their entire domain registrar blacklisted because of the amount of illegal activity and spam emails go out through services like mailchimp.
I just have two different emails. One for services and one for actual people. My contacts know my real email and how to get in touch with me (although no one emails me anymore).
Privacy-wise, I feel like using different emails is just fighting a losing battle. I'm assuming that most advertising profiles are smart enough to connect different accounts by more than just email (name, CC info, billing address, DOB, and many other pieces of info that would scare you to think about).
I agree with you on that. In fact, I don't expect to be entirely safe from properly-funded advertising companies. Of course anyone will be able to cross-link tildes.net.187462@randomword.com and reddit.com.178334@randomword.com, especially once they're leaked. The difference now is that I am not using the same address everywhere, so I can block emails sent to specific addresses (those leaked).
Why have different emails for reddit and tildes? They both still are clearly the same person (unique domain), so I don't see any privacy / security advantage. Is it for organization or spam reduction?
I guess it's mainly for spam reduction.
I am aware of the fact that anyone can link tildes.net.187462@randomword.com and reddit.com.178334@randomword.com to the same person based on the unique, unusual domain name.
However, by using a unique email per website I get the benefit that a data breach on one website won't impact my inbox very much, as I can simply reject emails sent to the leaked address through filtering.
I'm not sure about other email providers but ProtonMail allows the ability to use aliases, which I assume can be used for custom domains too. In theory, you could create an alias for every service you use and thus know which one sells your info. https://protonmail.com/support/knowledge-base/addresses-and-aliases/#protonmail-aliases
Yes, ProtonMail has this, but the number of aliases is very limited, like 5 addresses with a Plus account. As far as I know, it's in their plans to change this.
Maybe they'll provide unlimited aliases one day (top voted idea in their uservoice platform).
Sorry, I meant that you can create unlimited aliases using your primary email address. For example I could do "username+amazon@pm.me" or "username+facebook@pm.me" and assume this could be done with your domain name as well.
Oh, yeah. I heard that one problem with that is many websites don't allow plus addressing when signing up.
It's true that some websites unreasonably disallow pluses, but it's not such a high percentage that it dissuades me from using that technique. When necessary, I create full email aliases, in some cases.
I have a similar setup, and definitely give unique emails per third-party service. I also give humans one of several different emails, depending on my association with them (or, we could say, my persona with respect to them). It does help with spam, and I see that others have said it seems like overkill, but there are other considerations to our strategy:
(As you and others point out) If a service is hacked, then you're making it much less likely that another service can be compromised by applying the same password, or even slightly brute forcing a password with the same email. I personally don't have any random element to the per-domain emails, and it hasn't bitten me yet (for years now), but if it's an easy system for you to maintain and use, don't let me stop you.
Also (and this might be the most important benefit, in my eyes), one's multiple personas are not [automatically] linked by virtue of having the same email address registered across multiple services and sites. I'm also not necessarily linked as a "friend" of multiple people, if I gave them different email addresses. I also cannot rely on other humans not to recklessly submit my email address(es) to third party sites. For example: event invitation services, and social media apps ("allow access to your contacts to quickly find your friends!").
I am just at the beginning of this journey so time will tell. What I can already say is that since I enter each online account details into my password manager anyway, it requires little extra effort to just generate a random 6 digit string every time I create a new account.
What I'm more concerned about is that my password manager is very critical. Losing access to my password manager would mean losing access to all my accounts, because I couldn't use the email address (which I couldn't remember) to reset the password.
I didn't consider this possibility, especially the one regarding access to contacts. Despite being cause of concern, I believe I won't do anything about that, or else I would probably have to give a different email address to each person in real life as well, which seems awkward and... overkill.
Thank you for sharing your view. After much annoyance in seeing my main email being leaked to public databases—though I admit I come from a situation where I basically used the same email address everywhere without much thinking—I have the tendency to not trust even relatively "big" websites, because they might be acquired and/or become irrelevant in the future, increasing the risk of suffering from data breaches.
In the end I think that no website, regardless of how big it is, is immune from this kind of risks.