I used per-account email with alias services and password managers.
Also started migrating old accounts in my free time.
Now it's pretty easy to tell the source of a leak by email address, as well as the sources of spam.
---
Per-account aliases might sound like much, but using sieve filtering [1] is amazing: you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) plus 'header to' (the recipient address you see; sometimes filtering rules don't catch BCC, or the recipient is an alias instead of your actual email), which is more comprehensive than normal filtering rules for sorting your emails into folders.
[1]: https://datatracker.ietf.org/doc/html/rfc5228
---
Amusingly, I've managed to recover old accounts from emails that contain my old passwords with demands for crypto payment; they provided just enough help to recall old variations of my passwords.
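The 'envelope to' plus 'header to' rule described above, as an added example in Python rather than Sieve (my code, not the commenter's): it prefers the envelope recipient, which Postfix/Dovecot record as a Delivered-To header, and falls back to the visible To/Cc headers. example.com is an assumed catch-all alias domain and the three messages are constructed samples.

```python
"""Added example, not code from the original comment: find which alias a
message really arrived at. The envelope recipient (Delivered-To) wins over
the To/Cc headers, because a BCC or a forwarded alias leaves the visible
headers pointing somewhere else entirely."""
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

MY_DOMAIN = "example.com"   # assumption: every alias lives under this domain


def alias_for(raw: str) -> Optional[str]:
    """Return the local part of the alias that received the message, or None."""
    msg = message_from_string(raw)
    # 'envelope to': the address the MTA actually delivered to. Each hop that
    # records it prepends another Delivered-To, so check all of them first.
    candidates = [v.strip() for v in msg.get_all("Delivered-To", [])]
    # 'header to': what the reader sees. Only consulted when no envelope copy
    # exists (for example a message exported from another mailbox).
    header_recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    candidates += [addr for _, addr in getaddresses(header_recipients)]
    for addr in candidates:
        local, _, domain = addr.lower().rpartition("@")
        if domain == MY_DOMAIN and local:
            return local
    return None


def folder_for(raw: str) -> str:
    """Mirror a Sieve 'fileinto' rule: one folder per alias, otherwise INBOX."""
    local = alias_for(raw)
    return f"Aliases/{local}" if local else "INBOX"


# Constructed samples. Bulk mail usually BCCs you: the To header names the
# sender's own list address, and only Delivered-To shows which alias got it.
BCC_MSG = """Delivered-To: shop-k3x9@example.com
To: newsletter@shop.test
From: news@shop.test
Subject: Weekly deals

body
"""
DIRECT_MSG = """To: Me <bank-7q2m@example.com>
From: alerts@bank.test
Subject: Statement ready

body
"""
STRANGER_MSG = """Delivered-To: someone@elsewhere.test
To: someone@elsewhere.test
From: a@b.test
Subject: hi

body
"""

if __name__ == "__main__":
    for name, raw in [("bcc", BCC_MSG), ("direct", DIRECT_MSG), ("stranger", STRANGER_MSG)]:
        print(name, "->", folder_for(raw))
```

A header-only rule would file BCC_MSG nowhere useful, since its To header names the sender's list address; the envelope copy is what makes the alias recoverable.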
> I used per-account email with alias services and password managers.
For people who want to do this, be sure to get it right. I run a SaaS with a free tier, and I see people register with "fancy+nospam+servicename@gmail.com" addresses. Many of those become undeliverable or are left unread forever because of filtering rules. So when my system sends a warning E-mail that the account will be deleted due to inactivity, it doesn't get read, which leads to suboptimal outcomes for everyone involved.
It was infuriating to me when normal_email+site_name@gmail.com stopped working for registration on some sites.
Fucked up my Costco registration, a variety of other things.
This sort of quasi-pseudonymity is required for basic security/privacy in 2025. It's the only way to get a handle on who's allowed to send you email, since we've never bothered to fix spoofing or impose a cost on spam. I've been trying to use it since Sneakemail was a free service back in the pre-Gmail days.
I just use <myname>+<service>@gmail.com
At the end of the day it's all delivered to the myname@gmail.com mailbox, but I can use filters based on the part after "+".
This is one of the reasons I switched to a different provider using a custom domain. I can make new addresses in any format I want. There's zero risk of a spammer stripping them down to a base address for the primary account. They also don't get rejected by broken validators.
What's your plan for when you no longer own your custom domain (think bus factor)? Someone else registers your domain and now has access to all your accounts.
Everyone has their own risk profile; mine assumes I retain control over my domains and emails. I prepay for them several months in advance to make sure I don't lose ownership. Any service provider worth their salt will have a human factor for customer support who can help you if any such issues show up.
Thank you for expanding. Sure, you can prepay up to a certain extent. Eventually your domain will be available to others for purchase and therefore your accounts will become vulnerable. Maybe this isn't an issue if in the worst situation you're not around, but if this could cause chaos for your friends and family I would suggest taking it into account.
Given that domain renewals can be purchased multiple years into the future, along with the fact that there are grace periods after expiration, it would take an awful lot of failure to lose a domain unintentionally. I've held my primary domain since 1997 across multiple registrars and numerous hosting / colocation arrangements over the years. It sounds harder than it is if you haven't done it before.
Yep, I use Fastmail with a custom domain. I have a catch-all email set up, so I just register any account on sitename.com as "sitename@mydomain" and it all gets sorted into a catch-all folder. I can then run rules if I want it to go into a certain category like "bills" or just straight to the garbage.
Not sure about normalizing recipients' emails, but some are definitely aware of it because I've seen spam that asked to "reply back to defi.n.it.ely.not.shady+email@gmail.com" or something.
I do this as well, but there are a number of service providers that just do not handle subaddressing at all. Like creating an account will result in never receiving a confirmation or verification code because the system failed to parse the address.
I've started using grouped aliases instead for a bunch of things.
The downside is that https://haveibeenpwned.com/ can only find "exact email" addresses, as in, you must search for myname@gmail.com, myname+service1@gmail.com, etc.
>As someone who deals in breach data this is a simple regex to strip out.
Sure it is, but at least you do get a slight chance, later, post leak, to find out where the leak originated.
Data stealers seldom strip out that +extension part before selling it or otherwise dumping it somewhere. And while it's passed on, you get to see the address as you gave it to the party that had the leak. The reason sellers don't strip it off is perhaps because they sell by number of unique addresses; while +extension usage is quite rare, they make more money when they don't strip it off.
Information on where it leaked can be very useful to pass to the leaker, at least up till the point they have announced they know about the compromise. I've done that since the turn of the century too many times to count, and quite many times I've been the first to let them know that they had a problem there.
And sure, I've received thank-you emails for giving them early heads-up info about the issue.
Careful with this method. I was unable to purchase plane tickets from Southwest or even change my email address because they changed their parsing rules on me and silently dropped the plus. I found out most airlines don't have a ticket counter to buy a ticket the old fashioned way! But the premier help can issue tickets. Took me two months to have CS get someone to run a DML to remove my "bad" email address.
It's probably easier to tell them "I lost access to that email, I need to set up a new account". People do this all the time.
On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.
> On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.
I've lost track of the number of places that use the e-mail as an unchangeable identifier. Bonus points for my company liking to change domain names for sport, which just confuses support.
And even big tech companies, who should know better, do this. Like the big blue CDN that's in the middle of half the web's traffic. Who also, for some reason, can't be arsed to send e-mails reliably if you need to change your account.
I did, but the CS agent kept trying to change the email to a new one when I told them I had lost access, and the validation failed because it wanted to send an email to the old address about the email being updated and couldn't. They didn't have the right tools to fix it.
It doesn't have to be literally the service name. Can be any unique alphanumeric suffix you make up randomly. As long as you use a password manager you don't have to remember it.
Indeed, it needs to be more than just the company name if you want it to be useful later. If the email address used is company@example.com, any idiot could guess company. But receiving email to company_wkhx46@example.com clearly has to be from them, or they got hacked.
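The two points raised above, the breach-data "simple regex to strip out" the +extension (and the HIBP exact-address search it implies) and the random-suffix alias that survives guessing, as one added example (my code, not any commenter's). example.com stands in for a hypothetical custom domain; the registry and the addresses fed in are constructed.

```python
"""Added example, not code from the thread: the normalisation a breach-data
handler or spammer applies to recipient addresses, and how three alias
styles discussed above hold up against it."""
import re
import secrets
from typing import Dict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
ALIAS_DOMAIN = "example.com"   # assumption: a catch-all custom domain you control


def canonical(addr: str) -> str:
    """Collapse an address to the mailbox it actually lands in."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]            # strip the +tag (subaddress)
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")        # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def slug(service: str) -> str:
    return re.sub(r"[^a-z0-9]", "", service.lower())


def new_alias(service: str) -> str:
    """'<service>_<random>@domain': the random suffix is what nobody can guess."""
    return f"{slug(service)}_{secrets.token_hex(3)}@{ALIAS_DOMAIN}"


def is_guessable(local: str, service: str) -> bool:
    """True when the alias carries nothing beyond the service name itself,
    so a spammer holding your base address could have produced it."""
    tag = local.split("+", 1)[1] if "+" in local else local
    return tag == slug(service)


def attribute(seen: str, registry: Dict[str, str]) -> str:
    """Classify an address that turns up in spam or in a dump.

    registry maps each alias you handed out to the service that got it,
    the way a password manager would store it.
    """
    seen = seen.strip().lower()
    service = registry.get(seen)
    if service is not None:
        if is_guessable(seen.split("@", 1)[0], service):
            return f"{service}: leaked or guessed (alias is just the service name)"
        return f"{service}: leaked (alias was only ever given to them)"
    # Exact lookup failed; see whether the dump holds a stripped-down form.
    bases = {canonical(alias) for alias in registry}
    if canonical(seen) in bases:
        return "base address only: tag stripped, source unknown"
    return "not one of my aliases"


# Constructed registry: three styles of alias for the same service.
REGISTRY = {
    "me+costco@gmail.com": "costco",
    "costco@example.com": "costco",
    "costco_wkhx46@example.com": "costco",
}

if __name__ == "__main__":
    for addr in ["me@gmail.com", "me+costco@gmail.com",
                 "costco@example.com", "costco_wkhx46@example.com"]:
        print(f"{addr:28} -> {attribute(addr, REGISTRY)}")
    print("fresh alias:", new_alias("Costco Wholesale"))
```

The set of exact strings in REGISTRY is also exactly what you would have to search one by one on haveibeenpwned.com, since its lookup does not canonicalise for you; the custom-domain aliases are the only ones that canonical() leaves untouched.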
I tried to start doing this. The first site I tried to sign up to said it was an invalid email address.
I would say they could fuck all the way off, but there are legitimate reasons to not let people sign up with an alias (like one person signing up for multiple free trials)
There's other issues as well: occasionally a service will not allow using their service name in your email address. My usual response to this is to misspell it and use an address cursing them instead. (Since these accounts are usually one-off to register to view something, I really don't care if they delete my account in the future and I don't bother to save the password)
When I'm signing up for one service, I don't want to have to sign up for another service, no matter how easy it is. It's not a question of difficulty, it's a question of convenience.
That's why services like Firefox Relay exist. It just generates a new email address for you whose inbox gets relayed to your regular email, no fuss needed. I don't personally pay for it but I do use the heck out of the free email addresses they provided.
Indeed. But some are easier to change than others. I switched my e-mail provider, and it took all of five minutes to launch the copy of my data. Since I kept the same domain, everyone sending me e-mails didn't notice anything.
With Apple's approach, I'd have to go through each account and move it from something@icloud to something@new-domain.
However, for people who don't want to mess around with custom domain names and e-mail providers, apple's approach is very practical. You just need to tell it to "hide your email" when you register somewhere and you're good to go.
As someone who uses both, I much prefer aliases to hide-my-email for the more important stuff. For one, I can choose the email address "username", which I cannot with Apple's solution. Plus, what happens when I move on from Apple to something else?
But aliases can be easily mapped back to your normal email address, unlike Apple's, which are opaque. I, too, am afraid of vendor lock-in though. Sadly, I couldn't find a good alternative yet.
There's no solution to lock-in because there must be some massively shared domain that the email address exists on for the anonymity of the service to properly work. However if you are simply looking for an alternative to Apple, Fastmail offers a masked email service too.
Not sure where you're coming from - my original email address is not being shown in headers, so those seem fairly opaque. Probably depends on your email provider?
I do this also. I started doing it with physical mail before email existed to sort out the junk mail, so first and last name always contained a reference to the company you were dealing with. Paul Allen back in the 80s said in a Seattle Times interview that it was how he handled it.
> I used per-account email with alias services and password managers.
20-something-ish years ago I set up qmail on my VPS, and a .qmail-default file captures all my me-sitename@vps emails. If they send me junk I echo '#' > .qmail-sitename and that's the end of it.
Other things that get a mixture, like someone annoying who harvested my ebay/paypal addresses or something, I'll sift out the good (stuff I need) via maildrop, and everything else gets junked.
Honestly one of the best, but annoying, things I've done, well worth the time invested as I have a nice clean mailbox.
> I used per-account email [addresses] with alias services
I do too (anything@mysubdomain.example.com), but online services collude with data brokers to share so much information [0] that I don't doubt that many of these "separate" profiles have been aggregated.
Unfortunately the services that supposedly offer to have your personal data removed from data brokers don't seem to support aliasing, so no straightforward way to either find out or have the data removed.
[0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1], for example:
Match and combine data from other data sources: 419 partners can use this feature (Always Active)
Identify devices based on information transmitted automatically: 546 partners can use this feature (Always Active)
Link different devices: 358 partners can use this feature (Always Active)
Deliver and present advertising and content: 582 partners can use this special purpose (Always Active)
They've changed their cookie consent provider (or rolled their own) since my comment. Probably just a happy coincidence, but well done Coursera in any case for fixing a pretty egregious breach of regulations.
The other good news in the meantime is that the EU (who originally mandated cookie consent) has finally woken up to the ridiculousness of leaving it up to the site, and will require browsers to enforce it instead.