A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

MULTIPLE EMAIL ADDRESSES

There are many reasons to have multiple email addresses. I suppose the most basic is simply not putting all your eggs in one basket.

Far too many systems use an email address as their unique identifier, so when one system gets hacked, and the passwords are leaked, bad guys are halfway to getting into your other accounts, a process known as "password stuffing." Having multiple email addresses is a great defense against this.

It also adds to your privacy as it makes you harder to track as you move around the Internet.

The ultimate Defensive Computing goal is to use a different email address with every service that requires one. This points up another benefit - the easy identification of scam emails. For example, if you get an email from your power company warning that the power will be cut off if you don't pay immediately, and it was sent to the email address you use with Walmart, rather than the email address you use with the power company, then the scam is obvious.

Multiple email addresses can be funneled into a single inbox, so on an ongoing basis, having many email addresses is not a hassle. But it does need to be set up, and there are a few different approaches and many companies to choose from.

DIFFERENT APPROACHES

If you have only one email address, then, as a first step, consider a new email address with a new inbox for things you don't care about. This new inbox could simply be ignored or just checked on occasion. The danger here is that something important might get missed if you fail to check the new junk inbox for too long.

A second step towards multiple email addresses is to use an email forwarding service.

These services, from many different companies, provide public email addresses that are automatically forwarded. You can forward them to an existing email account so there is only one inbox to deal with. Or, you can use this as a fresh start and forward them to a new email account/inbox, one that you keep private. Or, you can start out forwarding to an existing email inbox and then later change the forwarding rules to a new account/inbox that you don't give out to anyone.

The Firefox Relay service introduces a new term, a mask. This refers to an automatically forwarded email address in the mozmail.com domain. It is merely a new term for an existing approach.

Where automatic forwarding gets complicated is when you want to reply. Not all services that forward emails will let you reply using the forwarded email address.

Another approach for having multiple email addresses is an alias. Aliases provide multiple names for a single email account/inbox. With aliases, tom@somedomain.com and dick@somedomain.com and harry@somedomain.com all refer to the exact same account/inbox. The upside of an alias is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and in how many they offer.

Gmail offers a feature that is very similar to an alias. You can add a plus sign and a tag at the end of your Gmail userid to make unique email addresses. If my email was michael@gmail.com, then I could, for example, be michael+amazon@gmail.com and michael+jcpenny@gmail.com and michael+walmart@gmail.com. All of these different email addresses end up in the same inbox.

YOUR OWN DOMAIN(s)

To me, the best method for creating dozens or hundreds of email addresses involves having your own domain, which costs roughly $15/year. This is what I do. Domains are registered by hundreds of different companies called Registrars. Google offers domain registration as does Cloudflare. I like PairDomains.com.

Owning a domain does not require you to create a website. You can use a domain just for email.

With your own domain, the number of new email addresses is unlimited. And, you are not tied to any one email provider. You can move your email service to another company. Many Registrars offer email forwarding as a free add-on service. Some also offer email service itself, that is, they will host your inbox(es). But this is never a requirement; you can pay ProtonMail, Fastmail, Tutanota, Mailbox.org or any of hundreds of companies to host the email service for your domain. In addition, you are not locked into one specific Registrar; you can move the domain registration to any of hundreds of registrars.

If you want to be public, then register a domain with your name in it. Personally, I own the michaelhorowitz.com domain. If you prefer privacy, then register a domain that does not identify you at all. I have one of those too.

With your own domain, there is an easy and a hard way to create dozens (or hundreds) of email addresses. The easy way is called catch-all email forwarding and it means that any email address at the domain that does not have a specific rule gets forwarded. The downside to this is that spammers can guess at email addresses and every guess will be forwarded. The harder approach is to create a new email address forwarding rule every time you need it. The upside to the hard method is that specific email addresses can be forwarded to a different email address.
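The per-service address check described earlier (power company email arriving at the Walmart address) can be automated once you keep a list of which address belongs to which service. The sketch below is an added example, not something from this site: it also flags mail sent to addresses you never created, which is what spammer guesses against a catch-all look like. The domains, the mapping and the sample messages are constructed, and it assumes your provider keeps the original public address in the To header.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping: each per-service address -> domains that service mails from.
# example.org stands in for a personal domain with catch-all forwarding.
ALIAS_OWNERS = {
    "power@example.org": {"powerco.example"},
    "walmart@example.org": {"walmart.example"},
    "michael+amazon@gmail.com": {"amazon.example"},
}

def domain_matches(sender, allowed):
    """True if sender is an allowed domain or a subdomain of one."""
    return any(sender == d or sender.endswith("." + d) for d in allowed)

def classify(raw_message):
    """Return 'expected', 'mismatch' or 'unknown-alias' for one raw message."""
    msg = message_from_string(raw_message)
    # Domain of the claimed sender; the From header is only a claim.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    known = [r for r in recipients if r in ALIAS_OWNERS]
    if not known:
        # Nothing you ever handed out: a guess caught by the catch-all.
        return "unknown-alias"
    if any(domain_matches(sender, ALIAS_OWNERS[r]) for r in known):
        return "expected"
    # Claims to be one service but arrived at another service's address.
    return "mismatch"

# Constructed sample messages (headers plus a one-line body).
SAMPLES = {
    "bill": "From: Billing <billing@mail.powerco.example>\n"
            "To: power@example.org\nSubject: Your bill\n\nAmount due.",
    "scam": "From: Power Co <alerts@powerco.example>\n"
            "To: walmart@example.org\nSubject: Power cut off today\n\nPay now.",
    "guess": "From: promo@bulk.example\n"
             "To: info@example.org\nSubject: Hello\n\nOffer inside.",
    "order": "From: order-update@amazon.example\n"
             "To: Michael <michael+amazon@gmail.com>\nSubject: Shipped\n\nOn its way.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A "mismatch" result also tells you which service leaked or sold the address, since only that service was ever given it.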

PROVIDERS

GMAIL

FASTMAIL

APPLE

Proton Mail Plus offers 10 email addresses/aliases. Proton Unlimited offers 15. There is a huge difference between an email address with its own inbox and an alias, so it is not clear which they actually offer. That said, for those using Proton Mail with their own domain (i.e. mikeys-stuff.com) they do offer a catch-all with both of their paid plans. This means that anything addressed to your domain will get delivered. In effect, this gives you unlimited aliases. In my experience however, their tech support is poor.

As of August 2022, DuckDuckGo is testing a free email protection service, which offers much more than just forwarding. See Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All!. Users get an email address of their choosing in the duck.com domain. Quoting "DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly – without switching email providers or apps ... Link Tracking Protection that helps prevent tracking in email links, Smarter Encryption that helps with unencrypted email links, and the ability to reply directly from your Duck Addresses." The service works using the DuckDuckGo Browser on iOS and Android, DuckDuckGo for Mac (in beta as of Aug 2022), and requires installing a DuckDuckGo extension with desktop Firefox, Chrome, Edge and Brave. If they detect an email address on a web page, while using their browser, the browser offers to create a random something@duck.com email address for you, to hide your actual/main/public duck.com address.
August 2022: I signed up and found that they do not verify that you own the email address they forward to. Also, there is no password to use the service.
November 2023: The service is still in beta and there has been no update to their original announcement (link is above).

Firefox Relay is an email forwarding service that was introduced in November 2021. Annoyingly, Mozilla uses the term "mask" when referring to the public email address. Email accounts use the mozmail.com domain. For free, users get five auto-forwarded email addresses, paid users ($1/month as of July 2022) get unlimited forwarding. Free accounts get an email like 5r4yvruwd@mozmail.com and it is up to you to remember that this is (for example) for your Walmart account. Paid users get a custom sub-domain. That is, a paid user named Michael Smith can have a public email address such as walmart@michaelsmith.mozmail.com. This seems better than the Apple system in that paid users can choose their own alias. Mozilla does not do SPAM filtering but they have partnered with Amazon SES which does. It seems this can not be disabled. The Relay extension is not needed. The TO address of received emails is the private Firefox account email, not the public auto-forwarded mozmail.com email address. You know it was auto forwarded because the message starts with: "This message was forwarded from xxxxx@mozmail.com by Firefox Relay." Attachments can be up to 10MB.

According to this June 2023 article, "You probably don't own your email address. Skiff wants to change that" by Jared Newman, Skiff lets you add your domain to their free service for free. Using your own domain with Apple email requires an iCloud+ subscription starting at $1 per month. Gmail requires a Workspace for Business subscription at $6 per month. Skiff supports an unlimited number of email aliases, but the article does not go into the details. The free Skiff service offers 10 GB of storage and one domain. The first step up is $4 per month to get 15 GB of storage.

In September 2021, Cloudflare announced their new Email Routing offering. You register a domain with them and they can forward an unlimited number of email addresses to anywhere. The same service is offered by almost every website hosting company and domain registrar. Their sales pitch is that it is easy to create new forwarding rules. eh. As of July 2022, it is still in beta testing.

Customers of mailbox.org can use their disposable email address feature. There is no free version of mailbox.org but there is a 30 day free trial.

Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.

temp-mail.org offers temporary disposable email addresses. The email addresses are generated as soon as you load the website, there is no need to provide any personal information. The service is free. The temporary email address exists until you either manually delete it or until you close the browser window. Received messages display on the website. You can not send email with the service.

SimpleLogin is confusing. They seem to be an email forwarding service but they also provide a real inbox, so exactly what they do is not clear to me at all. They offer 10 aliases for free, but just what an "alias" is, is also not clear. My guess is that it is a forwarded email address but at which domain they do not say. If an alias is a forwarded email address then what is the inbox for? The initial sign-up is confusing too. You can reply from the email address(s) they give you. There is a free service. For $30/year (last checked Sept 2022) you get unlimited forwarding and aliases, unlimited mailboxes, and your own domain name. They generate nonsense email addresses and support two factor authentication.

AnonAddy also offers email forwarding. You get a username with them and your email address is something like jcpenny@michaelh.anonaddy.com

READING

The Security Pros and Cons of Using Email Aliases by Brian Krebs (August 2022). This is a very poor article by someone who does not understand the topic very well. The article prompted a discussion of the topic by people who do understand the issues well on Episode 105 of the 2.5 Admins podcast (August 2022).

This article, How to Avoid Spam - Using Disposable Contact Information by David Nield (May 2020) discusses four email forwarding services: Sign in with Apple (for Apple customers only), 10 Minute Mail, Guerrilla Mail and Burner Mail.

In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

AND . . .

Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com or at Firefox Monitor.

If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool. This also lets you download every breach involving your domain as this screen shot demonstrates.

Created: August 16, 2022. Last Updated: November 4, 2023.
Copyright 2019 - 2023