Email forwarding services
Hello everyone.
The other day, Firefox Monitor warned me that my personal e-mail was found on a data leak from Gravatar (belongs to Automattic; WordPress's parent company). Funnily, I don't have any account (and never had) with them, but nevertheless, I tried to log in, and it failed. I tried to recover my password, and it said "no e-mail found". Maybe a false positive from Firefox's side?
Anyway, that situation got me thinking that I should never use my personal email except on super important websites. For example, with Christmas gift buying, I've used my personal e-mail on multiple online websites (I usually try to avoid Amazon) and I shouldn't have done that.
Of course, Firefox recommended their own service, Firefox Relay, which does look interesting. Afterwards, I searched on HackerNews to see what other people recommended.
These were the recommendations (apart from FF Relay):
A few questions:
- Do you use any of these three services?
- How happy are you with the service that you use?
- Is there something better?
I actually like Firefox's implementation because it is actually quite cheap (€12 per year), it is an easier way to support Firefox's development (instead of a donation to the Mozilla Corporation) and I trust Firefox more on the security side of things. Nevertheless, the other two services seem more feature-complete and I actually do not like that FF Relay "forces" you to use a domain like "alias@mozmail.com" or a custom domain like "alias@mydomain.mozmail.com". My goal would actually be "alias@mydomain.com" for my own contact with other people. On website registrations, @mozmail.com is okay, I guess.
I already have my own domain that I've bought from Namecheap and I think instead of associating an e-mail to my domain, I actually would prefer to use one of these services. The reason is that my website/e-mail domain could be reused if I stop paying. Some websites and/or people could have this e-mail and someone could impersonate me. With an e-mail forwarding service, I can easily and quickly delete/disable/change the alias. I'm not sure if I'm putting too much expectation on a forwarding service, but I would like to know what you think. 🙂
In addition to both services I mentioned, I also used Firefox Relay during its beta phase (I migrated my addresses to iCloud+ a week before the service was out of beta). I wouldn't recommend Firefox Relay at all. It's even more barebones than iCloud+ and frankly, I do not trust Mozilla to keep the service up.
If you don't already have an iCloud+ subscription, I'd wholeheartedly recommend AnonAddy. Even if you don't use many of its features, it's a product created to do one thing and those tend to be more reliable and worth supporting.
Alternatively, if you're using 1Password, it recently started to offer a masked email service integrated with Fastmail. (Both of these services are excellent.) If you're not using either of these services, migrating to them might be more hassle than it's worth, but if you are, well, you're in luck.
I'll second the recommendation for Apple's Hide My Email if you're already in that ecosystem. It's actually super convenient for sites/apps that support registering/logging in with your Apple account because it'll prompt you to use a spoofed email address during the process. All the convenience of SSO, but it keeps your email anonymous.
(sorry for the late reply, life gets in the way sometimes)
Oh man, that is funny indeed :)
I don't have any Apple devices (except for my wife, so no iCloud account on my part), but I understand the move since you are already paying for the Apple service. Nevertheless, I could buy an iPhone in the future, but even if I don't have the iCloud subscription, would you still be using AnonAddy, or is buying an iCloud+ subscription worth it just for the Hide My Email service?
I also don't have Fastmail or 1Password. I actually have Tutanota (and I've discovered how to use my custom domain with Tutanota!) and Bitwarden.
Hey -- no worries. I hope all is well.
If you're using an iPhone, I think an iCloud+ subscription is almost mandatory because iCloud's free tier gives you a ridiculously small cloud storage of 5 gigabytes. So if you switch to an iPhone, you'll almost certainly upgrade to iCloud+. If all you need is a randomized email address with no additional features like being able to reply with it or having custom domains for it, just go with iCloud+ even if you don't have an iPhone just yet. You can manage your emails from iCloud's web interface for the time being and when you get your iPhone, you can control things there. On top of that you'll get 50 gigabytes of storage, which isn't too bad.
I wouldn't go with iCloud+ unless you're certain you'll get an iPhone in the future though. iCloud+ and its features come to fruition when you're using it with an iDevice. Apple designs their services with their hardware in mind, so if you don't have the hardware, you'll have an inferior experience. If you're not certain about switching to an iPhone (or even an iPad, where you can make better use of iCloud+), I'd use AnonAddy.
Yeah, I'm not sure when I'll get an iPhone (my hopes would be when they support USB-C and/or have no notch) so maybe for now, AnonAddy is a better option.
I really would like to have Firefox Relay as a way to support Mozilla's development team(s) (and not with donations where the corporation decides how to allocate the funds), but it really seems a more barebones experience, even though with Premium you get unlimited aliases. Then, your e-mails go unencrypted to AWS servers, which I also do not like so much.
But thanks a lot for all the tips and knowledge. I wish you a wonderful Christmas and happy new year ;)
I'm glad to be of some help. Merry Christmas and a happy new year to you too!
Last year or so I started using wildcard email addresses. Grab a cheap .com. I use Zoho, which is cheap. I went with a .party that I registered for a decade, but not all sites like a .party.
stuff you already know
Basically, you have tildes@whatever.com -- if the site has a breach, you blacklist tildes@whatever.com and update it to tildes2@whatever.com and so on. Since starting this system I've yet to receive any spam, which is a miracle.
There's always the concern of you not renewing a domain, but for me, I'm more concerned about a third-party service going down. If Zoho goes under, there are plenty of other email hosts I can easily migrate to.
DuckDuckGo's Email Protection service recently entered beta. You can sign up for the private beta in their mobile app. They let you generate infinite private addresses for free. They also automatically strip trackers (Mailchimp, SendGrid, etc.). I'm a big fan of it, especially not needing an account to use it.
If you want to avoid a 3rd party solution, buy a domain. The registrar should support email forwarding. Namecheap has it for free if I remember correctly.
(sorry for the late reply, life gets in the way sometimes)
That is really interesting, thanks! I use their search, but not any of the other services/add-on/app. I'm just a little "annoyed" that you need an app for that, or?
I was looking into AnonAddy, and I can just log in to the website from the browser to generate a new random e-mail, but of course, they have my private e-mail on their servers (which of course could be a small liability). If DDG doesn't need an account, how do they "know" your primary e-mail account? How do you manage the settings: a duck e-mail is compromised and you require a new duck e-mail, create 2FA, etc.? Because you have a duck email and then you have the ability to generate random e-mail addresses.
You need the app to sign up for the beta. Once you’re accepted, you get a notification from the app. They ask for the email you’d like everything forwarded to, and what you want your duck address to be.
Then you’ll get an email from DuckDuckGo. It contains a link that’ll activate the email service in their browser extension. I’ve used the same email for multiple browsers.
After that you can generate private addresses using either their app or browser extension. Every email forwarded will have a message saying “we removed X tracker(s).” Clicking that takes you to a summary of the trackers blocked. It’s also where private addresses can be deactivated.
If I remember correctly I saw someone somewhere mention that DuckDuckGo plans to make a page or something where you can manage all your private addresses, your forwarding address, and more. Hopefully this all makes sense.
Thanks a lot for the quick overview. I'll keep my eyes open when this feature is improved/expanded. Have a nice Christmas and happy new year :)
There's always sneakemail. They have been around for a long time. In addition to random email addresses, they also offer keywords, which you can use to hand out a new email address on the fly, without even needing a computer. You can also create outgoing random emails, to send an email to some entity who you'd prefer not see your real email. It costs $3 a month.
Something that's served me well for a few years now is just adding +label to a normal email address. For example, if your real primary email is alcappuccino@yourdomain.com, then you would provide alcappuccino+servicename@yourdomain.com when making an account on servicename.com. Almost all email infrastructure on the Internet (servers, relays, whatever) accepts that, and it ends up in your normal alcappuccino@yourdomain.com inbox, except the To: field is clearly showing alcappuccino+servicename@. That way, you can filter however you wish.
A small asterisk: A tiny few things online won't accept emails with "+" in them. But I've found that that's very rare. In my case, I make a full-blown email alias at my email provider in such situations. This takes a bit more effort, but it happens rarely enough that I don't mind.
I used to do that too, to help identify and manage sources of SPAM, but I stopped after it made account recovery far more difficult in a few cases. Of course, that was before I used a password manager, and the difficulties mostly arose from me forgetting exactly which email alias I used to register, so YMMV.
Yeah, that's why I started trying to match the +whatever as closely as possible to either the site name or site domain. Searching one's own email can sometimes reveal what +whatever was used.
I use Fastmail's built-in Masked Email feature. Previously I'd been using a custom .com domain with catch-all, but ended up regretting having to pay for yet another domain, since I'm already paying for a personal domain with my name/surname (which I use for communicating with actual humans). I know I'm losing address portability, but all things considered I'm happy with my decision[1].
So far, I'm happy. I wish Fastmail's Masked Email feature was more prominent in their app, because I use that frequently. Instead, they buried it inside settings. A browser extension prompting me to use masked addresses would be awesome, but as of now nothing like that exists.
As others have said, if you're already in the Apple ecosystem you would probably be better off with iCloud+'s Hide My Email.
[1] By the way, you can use Masked Email with a domain of your choice, instead of the usual fastmail.com.
Very cool feature, maybe I could "ask" my mail provider (Tutanota) to have something like this in the future. Nevertheless, your post got me thinking, and I was able to find a way to create a custom alias with Tutanota since I already have the Pro account and I already had a domain name with Namecheap. Now, all works fine for the custom email, thank you :)
I use AnonAddy, and I'm quite happy with the service.
I have never noticed any mail delivery issues, and I appreciate the configurability (several recipients, custom domains) and the ability to respond via the aliases.
I'm paying for the pro tier.
I haven't really used any other services, but did use "+" and "." for adding labels for a while. That would still expose my "actual" email address, though.
And if one of the labelled addresses ends up on a spam list it might be a hassle to actually get it blocked, depending on your email service provider and/or email clients.
In AnonAddy, it's just a matter of flipping a switch for the leaked alias address in the control panel, and it'll stop forwarding them to my actual email address.
My likely naïve take on this is that email forwarders create that much larger an attack surface. I can reasonably trust that it's very unlikely that Google or Microsoft or Yahoo will suffer an attack that will expose my data through means I didn't influence negatively (bad passwords, for example). DDG or Mozilla are smaller organizations, and if they're filtering all of my emails before they get to me, my email account is only as secure as they are.
You could use multiple email addresses, but the real trick is to make sure that if one account is compromised, no others are able to be accessed using those same credentials. In the event my account is compromised, I have 2FA on enough of my services that allow it that this provides extra protection. Even if Google is unlikely to be compromised like this, it only has to happen once for it to have happened.
Another consideration is that GMail, at least, and maybe others, allow the following: "username+subname@gmail.com." From there you can sign up with your Google username, append extra data (+subname) and effectively self-organize your emails by the service they came to. I assume you could also update existing services to be, say, username+spotify@gmail.com so that from today forward you'll know if any janky emails came to be sent because of something at Spotify.
I'm sorry it's not advice about which service to use, but frankly all I can see a service like this doing is spreading you out more.
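The "+label" scheme described above (and the catch-all "tildes@whatever.com" rotation scheme earlier in the thread) comes down to the same inbox-side logic: recover the label from the recipient address, retire aliases that have leaked, and notice when a label receives mail from somebody other than the service it was handed to. This is an added example, not code from any poster; the personal address, catch-all domain and burned-alias list are constructed placeholders.

```python
from typing import Optional, Tuple

# Constructed sample setup (not from the thread): a personal address used with
# "+label" tags, a catch-all domain used in the "tildes@whatever.com" style, and
# the aliases already seen in a breach and therefore blacklisted.
PLUS_BASE = "alcappuccino@yourdomain.example"
CATCHALL_DOMAIN = "example.net"
BURNED_ALIASES = {"tildes@example.net", "alcappuccino+oldshop@yourdomain.example"}


def split_address(addr: str) -> Tuple[str, str]:
    """Return (local_part, domain), trimmed and lowercased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def label_for(to_addr: str) -> Optional[str]:
    """Map a recipient address to the label it was handed out under.

    Handles both schemes from the thread: user+label@personal-domain and
    label@catch-all-domain. Returns None for addresses that are not ours.
    """
    local, domain = split_address(to_addr)
    base_local, base_domain = split_address(PLUS_BASE)
    if domain == base_domain:
        user, _, tag = local.partition("+")
        return (tag or "untagged") if user == base_local else None
    if domain == CATCHALL_DOMAIN:
        return local
    return None


def route(to_addr: str, from_addr: str) -> str:
    """Decide what to do with one message: reject, drop, flag or deliver."""
    label = label_for(to_addr)
    if label is None:
        return "reject"                     # not one of our aliases at all
    if to_addr.strip().lower() in BURNED_ALIASES:
        return "drop"                       # alias retired after a breach
    _, sender_domain = split_address(from_addr)
    # "tildes2" still belongs to tildes: strip the rotation counter before matching.
    expected = label.rstrip("0123456789")
    if label != "untagged" and expected not in sender_domain:
        return f"flag:{label}"              # a third party has this alias: likely leaked or sold
    return f"deliver:{label}"               # file it under the label's folder


if __name__ == "__main__":
    print(route("alcappuccino+spotify@yourdomain.example", "promo@bargains.example"))
```

Running the block prints "flag:spotify", the case the thread calls "janky emails because of something at Spotify".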
Edit: I was wrong about email addresses being shared with Gravatar without needing an account with them. See my edit below.
I also got that email from Firefox Monitor; none too surprising -- Have I Been Pwned lists the breach as having over 100 million entries. Gravatar now has a FAQ entry for the leak.
Wait what!? That can't be right...
If you don't have a WordPress account (which is what Gravatar uses), all EA should be getting is the default image. I can't imagine that they automatically manage an account for you on a third-party site. Maybe you just forgot that you made a Gravatar or WordPress account?
The normal process for using Gravatar is to send an MD5-hashed email address to them as URL parameter. If they have an avatar image for that address, they'll display it, otherwise you get the boring blue-white default image. There is no reason for Gravatar to store hashes it doesn't recognize.
To my knowledge I have never signed up for Gravatar or WordPress, but I suppose it's possible I might have made a WordPress account ages ago and simply forgotten that. However, when I try to do a password recovery in Gravatar/Wordpress, like OP, I get "Unable to reset password - I'm sorry, but we weren't able to find a user with that login information." So ¯\_(ツ)_/¯
Edit: I just googled around, and it actually looks like it was required to sign up for Gravatar to set up a Battlelog profile pic for BF3, which I most definitely played. See here. So it turns out I likely did sign up for Gravatar at some point 10+ years ago and simply forgot about it. My bad!!
Why it doesn't seem to recognize my email address now, when I ask to recover my password, I don't know though. I suppose I will have to get in contact with their support to find out.
Edit2: I just realized it's possible the reason it doesn't recognize my email address is because I used plus addressing when I registered. E.g. myname+randomstring@email.com. I used to do that quite a bit back then to help me deal with spam, but stopped because it bit me in the ass a few times when trying to recover accounts, exactly like what's happening here. :|
(sorry for the late reply, life gets in the way sometimes)
What, really? That is insane. Not sure if this breaches my GDPR rights. I never heard of Gravatar before (and never had a WordPress account), I have no idea which services are using it, so it is really hard to find the service and simply close the account.
While MD5 is considered broken by now, it is still difficult to reverse an MD5 hash into the plain email address, so I think this can probably not be considered personally identifying information under the GDPR, although, of course, IANAL.
Note that services that use Gravatar won't automatically open a Gravatar account for you -- they merely use the image you associated to your Gravatar account if you have one.