Multiple Email Addresses - Defensive Computing

MULTIPLE EMAIL ADDRESSES

There are many reasons to have multiple email addresses. I suppose the most basic is simply not putting all your eggs in one basket.

Far too many systems use an email address as their unique identifier, so when one system gets hacked, and the passwords are leaked, bad guys are halfway to getting into your other accounts, a process known as "password stuffing." Having multiple email addresses is a great defense from this.

It also adds to your privacy as it makes you harder to track as you move around the Internet.

And, it helps detect who shared your email address with their "business partners" (spammers). For example, if I were to get emails for new credit cards sent to michael+jcpenny@gmail.com, then I know that JC Penny shared my email address.

The ultimate Defensive Computing goal is to use a different email address with every service that requires one. This points up another benefit - the easy identification of scam emails. For example, if you get an email from your power company warning that the power will be cut off if you don't pay immediately, and it was sent to the email address you use with Walmart, rather than the email address you use with the power company, then the scam is obvious.

Multiple email addresses can be funneled into a single inbox, so on an ongoing basis, having many email addresses is not a hassle. But, it does need to be setup and there are a few different approaches and many companies to choose from.

DIFFERENT APPROACHES

If you have only one email address, then, as a first step, consider a new email address with a new inbox for things you don't care about. This new inbox could simply be ignored or just checked on occasion. The danger here is that something important might get missed if you fail to check the new junk inbox for too long.

A second step towards multiple email addresses is to use an email forwarding service.

These services, from many different companies, provide public email addresses that are automatically forwarded. You can forward them to an existing email account so there is only one inbox to deal with. Or, you can use this as a fresh start and forward them to a new email account/inbox, one that you keep private. Or, you can start out forwarding to an existing email inbox and then later change the forwarding rules to a new account/inbox that you don't give out to anyone.

The Firefox Relay service introduces a new term, a mask. This refers to an automatically forwarded email address in the mozmail.com domain. It is merely a new term for an existing approach.

Where automatic forwarding gets complicated is when you want to reply. Not all services that forward emails will let you reply using the forwarded email address.

Another approach for having multiple email addresses is an alias. Aliases provide multiple names for a single email account/inbox. With aliases, tom@somedomain.com and dick@somedomain.com and harry@somedomain.com all refer the exact same account/inbox. The up side of an alias is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and, in how many they offer.

Gmail offers a feature that is very similar to an alias. You can add a plus sign at the end of your Gmail userid to make a unique email addresses. If my email was michael@gmail.com, then I could, for example, be michael+amazon@gmail.com and michael+jcpenny@gmail.com and michael+walmart@gmail.com. All of these different email addresses end up in the same inbox. But, no anonymity.

YOUR OWN DOMAIN(s)

To me, the best method for creating dozens or hundred of email addresses, involves having your own domain, which costs roughly $15 - $20/year US. This is what I do.

Domains are registered by hundreds of different companies called Registrars. Cloudflare offers domain registration as does pretty much every website hosting company. Google used to do this, but they got out of the business. I like PairDomains.com. Owning a domain does not require you to create a website. You can use a domain just for email.

One thing to be aware of when registering a domain is privacy. A domain registered for a business has nothing to hide in terms of contact information, but when registering a domain for personal use, you need to insure that your home address and phone number are not made public by the registrar. The term for this is often "Whois Privacy". If you want to be public, then register a domain with your name in it. Personally, I own the michaelhorowitz.com domain. If you prefer privacy, then register a domain that does not identify you at all. I have one of those too.

With your own domain, email service can come from three places

The registrar
If you have a website, from the website hosting company
A company, such as Fastmail, Proton Mail, Tuta or Mailbox.org that specializes in email

A big upside to owning your own domain is that you are not tied to any one email provider. If you get email from a registrar, you can switch registrars. Likewise, if you use a website hosting company or a dedicated email provider, you can switch if you don't like the service or want a feature they do not offer. You can also switch between these categories. That is, you can switch, for example, from a registrar to a website hosting company. When you do change providers, you will be the only one to know or care. No one who sends you email will be impacted.

Email forwarding is a relatively cheap service to provide, hosting email is more expensive. Companies that host inboxes always set a maximum storage space size. Some companies that offer email forwarding may have a daily limit.

As an example, for $8 month, Pair offers a website and 500 email inboxes with a storage limit of 30 gigabytes, shared by the website and email (as of March 2024). Their email service supports customizable Junk and Spam filtering, forwarding, auto-responders, webmail and more. That is, some email addresses at Pair can represent a real inbox, while others are forwarded and still others go nowhere (that is, incoming messages can be automatically deleted).

There are a couple ways to get a nearly unlimited number of email addresses.

One is create them one at a time. When you need to create a new account at Spacely Space Sprockets, you first login to your email provider and create a new email address just for Mr. Spacely. This may be an alias, a forwarding rule or (unlikely) an actual inbox.

The other approach is catch-all email forwarding. This forwards every email address at your domain and frees you from having to create the individual email addresses manually. That said, this should not rule out the use of forwarding. That is, I should be able to forward spacelysprockets@michaelhorowitz.com to one place, but still have any non-defined email addresses at my domain forwarded somewhere else. One downside to a catch-all is that spammers can guess at email addresses and every guess will be forwarded.

PROVIDERS

GMAIL

Gmail offers email forwarding as a free service. If you are, for example, michael@mikey.com and you coach a soccer team but don't want the soccer moms to have your real email address, you could create michaelsoccer@gmail.com and forward it michael@mikey.com. This does not scale well, however.
As noted above, Gmail lets you add a plus sign at the end of your Gmail userid to make a unique email addresses. A poor mans alias. But, it sounds better than it is. For one thing, some services (too many in my experience) reject email addresses containing a plus sign. Worse, I have heard of services that initially allow a plus sign, but then later, their back end systems choke on it. And, it does not provide the anonymity that an alias does.
November 15, 2024: Google may soon let you create email aliases in an effort to fight spam by Stephen Schenck for Android Authority. Their research has found indications of a new alias feature coming, maybe, to Gmail. Rather than giving everyone my michael@gmail.com email address (I wish) Google will create kdmqwkls3ssrWXor9sliK2H@gmail.com and I can give that out to the world. The ugly email address will end up in my michael@gmail.com inbox. The article says that it looks like Google is building this feature specifically to address apps that ask for your email address. So, it might not appear on the gmail.com website. The feature is slated to be called Shielded Email.

FASTMAIL

Fastmail does nothing but email, so its no surprise that they have many different options. Pricing starts at $30/year
My email addresses is an overview of their options.
Their Masked Email feature creates random email addresses at fastmail.com. Examples: some.thing1234@fastmail.com, red.sky4567@fastmail.com and elegant.frogs9999@fastmail.com. In effect, these are aliases. While this hides your actual email address, it does expose that you are a Fastmail customer. However, if you own your own domain, you can use masking with that too. The obvious problem with this is keeping track of these random names with a specific purpose. To that end, Fastmail has a comment field associated with each email address where you can document that some.thing1234@fastmail.com is for CNN newsletters.
Two other features are Plus addressing and subdomain addressing.
Plus addresses: mikey+amazon@fastmail.com, mikey+baseball@fastmail.com and mikey+newsletters@fastmail.com
Subdomain addresses: mikey@amazon.fastmail.com mikey@baseball.fastmail.com mikey@newsletters.fastmail.com
The term "alias" is no longer used by Fastmail. They previously used aliases for receiving mail and "sending identities" for sending mail. Now they just have "email addresses" that are able to both send and receive. See their article: How to set up aliases. FYI: you can have up to 600 aliases.
They also offer Catch-all/wildcard addresses where you can make up you own email addresses on the fly. It requires you to own your own domain. Using this, all email to any address at your domain ends up in a single mailbox.
See also their Account limits for current accounts and Legacy plan details.
FYI: Fastmail also offers file storage in their cloud, calendars, simple websites and cloud based note taking

APPLE

Aliases: iCloud Mail is a free service available to anyone with an AppleID. Apple allows up to three @icloud.com email aliases. You can send and receive mail from an alias both on iCloud.com and also on any device that has Mail turned on in iCloud settings.
What are email aliases in iCloud Mail? from Apple. No date.
Add and manage email aliases for iCloud Mail on iCloud.com from Apple. No date.
Apple also offers Sign in with your Apple ID which has a Hide My Email option.
See What is Sign in with Apple? from Apple (Jan 12, 2024) and
What is Hide My Email? from Apple (Nov 15, 2023)
Hide My Email is an email forwarding service. It does not require Sign in with Apple but it does require iOS 15 or later and an iCloud+ subscription which starts at $1/month in the US. It creates random email addresses, which is both good and bad. On the down side, you can not use mikeys-walmart@icloud.com for your Walmart account, you have to keep track of the fact that terrier-tanker-0g@icloud.com (for example) is for your Walmart account. Apple says they do not read your emails, but they do SPAM filtering, so they do read the messages. There is no option to turn off SPAM filtering. Another downside is that all forwarded emails can only go to one destination email address. Other approaches listed on this page provide more granularity. On the upside, the number of aliases is unlimited. As to whether you can respond from the alias, Apple says: "You can read and respond directly to emails sent to these addresses and your personal email address is kept private."

PROTON MAIL

In March 2024, Proton Mail introduced a new way to get multiple email addresses. However, their documentation on this is miserable. For one thing, they say nothing about their older options for doing the same thing (below). This is their intro to the feature: Protect your identity with hide-my-email aliases in Proton Mail by Anant Vijay. The alias looks like this:
myword.theirword999@passinbox.com
The email address starts with a word or two that you create, then they add a period, a word they chose and a number they choose. The upside to this is that you can use BarnesNoble for your Barnes and Noble account so that the email address is self-documenting. The domain name seems to always be passinbox.com. Free accounts get 10 aliases. If you have an Unlimited account, you get unlimited aliases. If you have a Mail Plus account? Dunno, they don't say. Aliases can, of course, be turned off. To use this feature on their website, you have to have the right side vertical bar displayed and look for the Security Center icon there. And, you have to know that Aliases are part of the Security Center. In other words, this feature is well hidden by default.
Older approach: Proton Mail Plus offers 10 email addresses/aliases. Proton Unlimited offers 15. There is a huge difference between an email address with its own inbox and an alias, so it is not clear which they actually offer. Their miserable documentation is a pattern.
Catch-All: For those using Proton Mail with their own domain (i.e. mikeys-stuff.com) they offer a catch-all feature with both of their paid plans. This means that anything addressed to your domain will get delivered. There is no need to manually create an email address, anything and everything at your domain works. In effect, this gives you unlimited aliases. This is a common feature, it is not unique to Proton. The down side of a catch-all is blocking an email address. Some systems with a catch-all let you block specific email addresses. I do not know if Proton supports this.
Pricing: As of March 2024, Mail Plus is $4/month (15GB storage) and Proton Unlimited is $10/month (500GB storage). See the latest Pricing.
In my experience their tech support is poor.

MICROSOFT OUTLOOK

As of May 2024, a free Microsoft account allows you to create up to 10 aliases
Sign in with a Microsoft account at account.microsoft.com
"Your info" tab -> "Edit account info" (In the Account info section)
You now see all the currently defined aliases
Click "Add email" and enter the alias address you want to use
Click "Add alias"
I am no fan of Microsoft, so I avoid their software and services. This section was taken from this article: After I learned this easy email trick, the clutter vanished from my inbox by Ed Bott for ZDNet. May 20, 2024.

OTHERS

As of August 2022, DuckDuckGo is testing a free email protection service, which offers much more than just forwarding. See Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All!. Users get an email address of their choosing in the duck.com domain. Quoting "DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly – without switching email providers or apps ... Link Tracking Protection that helps prevent tracking in email links, Smarter Encryption that helps with unencrypted email links, and the ability to reply directly from your Duck Addresses." The service works using the DuckDuckGo Browser on iOS and Android, DuckDuckGo for Mac (in beta as of Aug 2022), and requires installing a DuckDuckGo extension with desktop Firefox, Chrome, Edge and Brave. If they detect an email address on a web page, while using their browser, the browser offers to create a random something@duck.com email address for you, to hide your actual/main/public duck.com address.
August 2022: I signed up and found that they do not verify that you own the email address they forward to. Also, there is no password to use the service.
November 2023: The service is still in beta and there has been no update to their original announcement (link is above).
February 2025: Found some documentation from DuckDuckGo. The main page is DuckDuckGo Email Protection. Two items were interesting to me: How do I reply from my Duck Addresses? and How do I compose a new email from my personal Duck Address?. To send a new message from your duck.com email address, it has to really be sent from the target email address. That is, if they forward incoming emails to michael@gmail.com, then I must SEND from the michael@gmail.com account. The magic/hack is in the TO address, which would be something like
jamesbond_at_mi5.gov_michael@duck.com
The email that James Bond recieves appears to come from michael@duck.com, not from michael@gmail.com.

Firefox Relay is an email forwarding service that was introduced in November 2021. Annoyingly, Mozilla uses the term "mask" when referring to the public email address. Email accounts use the mozmail.com domain. For free, users get five auto-forwarded email addresses, paid users ($1/month as of July 2022) get unlimited forwarding. Free accounts get an email like 5r4yvruwd@mozmail.com and it is up to you to remember that this is (for example) for your Walmart account . Paid users get a custom sub-domain. That is, a paid user named Michael Smith can have a public email address such as walmart@michaelsmith.mozmail.com. This seems better than the Apple system in that paid users can choose their own alias. Mozilla does not do SPAM filtering but they have partnered with Amazon SES which does. It seems this can not be disabled. The Relay extension is not needed. The TO address of received emails is the private Firefox account email, not the public auto-forwarded mozmail.com email address. You know it was auto forwarded because the message starts with: This message was forwarded from xxxxx@mozmail.com by Firefox Relay. Attachments can be up to 10MB.

In September 2021, Cloudflare announced their new Email Routing offering. You register a domain with them and they can forward an unlimited number of email addresses to anywhere. The same service is offered by almost every website hosting company and domain registrar. Their sales pitch is that it is easy to create new forwarding rules. eh. As of July 2022, it is still in beta testing.

Customers of mailbox.org can use their disposable email address feature. There is no free version of mailbox.org but there is a 30 day free trial.

Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.

temp-mail.org offers temporary disposable email addresses. The email addresses are generated as soon as you load the website, there is no need to provide any personal information. The service is free. The temporary email address exists until you either manually delete it or until you close the browser window. Received messages display on the website. You can not send email with the service.

SimpleLogin is confusing. They seem to be an email forwarding service but they also provide a real inbox, so exactly what they do is not clear to me at all. They offer 10 aliases for free, but just what an "alias" is, is also not clear. My guess is that it is a forwarded email address but at which domain they do not say. If an alias is a forwarded email address then what is the inbox for? The initial sign-up is confusing too. You can reply from the email address(s) they give you. There is a free service. For $30/year (last checked Sept 2022) you get unlimited forwarding and aliases, unlimited mailboxes, and your own domain name. They generate nonsense email addresses and support two factor authentication.

A company that used to be called AnonAddy and is now (April 2024) called addy.io offers email forwarding. They have a free plan and multiple paid plans. With each plan your options are different. They invent terminology for different types of aliases, so good luck figuring out their assorted offerings.

The website PrivacyGuides.org recommends addy.io and SimpleLogin. That said, I disagree with some of their analysis of email forwarding. As of April 2024.

Dec. 1, 2022: 12 Free Email Services (Without Phone Verification) by W.S. Toh

AdGuard Mail was introduced in December 2024. The service was free at the time, nothing was said about future pricing. It comes in two flavors. The Alias flavor forwards emails to one or more recipients. The Temporary flavor is an AdGuard inbox (no forwarding). The service has less features than competing products: only one temporary email address can exist at a time. All emails use one domain. You have to create an account to use the system. You can not respond from an Alias/forwarded email address. Comments on this article AdGuard Mail: email alias and temp email service from the makers of the adblocker by Martin Brinkmann (Dec 20, 2024) say that AdGuard is a Russian company.

- - - - - - - - - - - - -
UPDATE: March 25, 2024. Skiff no longer exists.
According to this June 2023 article, You probably don’t own your email address. Skiff wants to change that by Jared Newman, Skiff lets to add your domain to their free service for free. Using your own domain with Apple email requires an iCloud+ subscription starting at $1 per month. Gmail requires a Workspace for Business subscription at $6 per month. Skiff supports an unlimited number of email aliases, but the article does not go into the details. The free Skiff service offers 10 GB of storage and one domain. The first step up is $4 per month to get 15 GB of storage.

READING

April 19, 2024: Email Aliasing, Explained by Brady Noah at Freedom.tech. Not only do email aliases keep you protected from phishing, spam, and other dangers, they make your life easier too. A generally good article but with a big omission. An important criteria for choosing a provider/scheme is whether you can reply to emails using the alias address. The article suggests some providers but does not say if they allow aliased replies.

The Security Pros and Cons of Using Email Aliases by Brian Krebs (August 2022). This is a very poor article by someone who does not understand the topic very well. The article prompted a discussion of the topic by people who do understand the issues well on Episode 105 of the 2.5 Admins podcast (August 2022).

This article, How to Avoid Spam - Using Disposable Contact Information by David Nield (May 2020) discusses four email forwarding services: Sign in with Apple (for Apple customers only), 10 Minute Mail, Guerrilla Mail and Burner Mail.

In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

AND . . .

Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com or at Firefox Monitor.

If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool. This also lets you download every breach involving your domain as this screen shot demonstrates.