A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022
HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

MULTIPLE EMAIL ADDRESSES

There are many reasons to have multiple email addresses. I suppose the most basic is simply not putting all your eggs in one basket.

Far too many systems use an email address as their unique identifier, so when one system gets hacked, and the passwords are leaked, bad guys are halfway to getting into your other accounts, a process known as "password stuffing." Having multiple email addresses is a great defense from this.

It also adds to your privacy as it makes you harder to track as you move around the Internet.

The ultimate Defensive Computing goal is to use a different email address with every service that requires one. This points up another benefit - the easy identification of scam emails. For example, if you get an email from your power company warning that the power will be cut off if you don't pay immediately, and it was sent to the email address you use with Walmart, rather than the email address you use with the power company, then the scam is obvious.

Multiple email addresses can be funneled into a single inbox, so on an ongoing basis, having many email addresses is not a hassle. But, it does need to be setup and there are a few different approaches and many companies to choose from.

DIFFERENT APPROACHES

If you have only one email address, then, as a first step, consider a new email address with a new inbox for things you don't care about. This new inbox could simply be ignored or just checked on occasion. The danger here is that something important might get missed if you fail to check the new junk inbox for too long.

A second step towards multiple email addresses is to use an email forwarding service.

These services, from many different companies, provide public email addresses that are automatically forwarded. You can forward them to an existing email account so there is only one inbox to deal with. Or, you can use this as a fresh start and forward them to a new email account/inbox, one that you keep private. Or, you can start out forwarding to an existing email inbox and then later change the forwarding rules to a new account/inbox that you don't give out to anyone.

The Firefox Relay service introduces a new term, a mask. This refers to an automatically forwarded email address in the mozmail.com domain. It is merely a new term for an existing approach.

Where automatic forwarding gets complicated is when you want to reply. Not all services that forward emails will let you reply using the forwarded email address.

Another approach for having multiple email addresses is an alias. Aliases provide multiple names for a single email account/inbox. With aliases, tom@somedomain.com and dick@somedomain.com and harry@somedomain.com all refer the exact same account/inbox. The up side of an alias is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and, in how many they offer.

Gmail offers a feature that is very similar to an alias. You can add a plus sign at the end of your Gmail userid to make a unique email addresses. If my email was michael@gmail.com, then I could, for example, be michael+amazon@gmail.com and michael+jcpenny@gmail.com and michael+walmart@gmail.com. All of these different email addresses end up in the same inbox.

To me, the best method for creating dozens or hundred of email addresses, involves having your own domain, which costs roughly $15/year. This is what I do. Not only is the number of new email addresses unlimited, but you are also not tied to any one email provider. When you own your own domain, you can always move your email service to another company. Many companies that register domains (called Registrars), offer email forwarding as a free add-on service. Some also offer email service itself, that is, they will host your inbox. But this is never a requirement, you can pay ProtonMail, or Tutanota, or Mailbox.org or any of hundreds of companies to host the email service for your domain.

If you want to be public, then register a domain with your name in it. Personally, I own the michaelhorowitz.com domain. If you prefer privacy, then register a domain that does not identify you at all. I have one of those too. Owning a domain does not require you to create a website. You can use a domain just for email. And, you are not locked into one specific Registrar, you can move the domain registration to any of hundreds of registrars.

With your own domain, there is an easy and a hard way to create dozens (or hundreds) of email addresses. The easy way is called catch-all email forwarding and it means that any email address at the domain that does not have a specific rule gets forwarded. The downside to this is that spammers can guess at email addresses and every guess will be forwarded. The harder approach is to create a new email address forwarding rule every time you need it. The upside to the hard method is that specific email addresses can be forwarded to a different email address.

PROVIDERS

Gmail offers email forwarding as a free service. If you are, for example, michael@mikey.com and you coach a soccer team but don't want the soccer moms to have your real email address, you could create michaelsoccer@gmail.com and forward it michael@mikey.com. This does not scale well, however.

As noted above, Gmail lets you add a plus sign at the end of your Gmail userid to make a unique email addresses. Basically, this is an alias. Sounds great, but, some (too many, in my experience) websites consider an email address with a plus sign to be invalid. And, this offers no privacy as it does not hide the actual email address.

The Gmail "plus sign trick" illustrates another benefit to having multiple email addresses: it helps you detect who shared your email address with their "business partners" (spammers). For example, if I were to get emails for new credit cards sent to michael+jcpenny@gmail.com, then I know that JC Penny shared my email address. It also shows why the "plus sign trick" is not a good option, as anyone sharing an email address can easily strip off the plus sign and what follows it.

As of August 2022, DuckDuckGo is testing a free email protection service, which offers much more than just forwarding. See Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All!. Users get an email address of their choosing in the duck.com domain. Quoting "DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly – without switching email providers or apps ... Link Tracking Protection that helps prevent tracking in email links, Smarter Encryption that helps with unencrypted email links, and the ability to reply directly from your Duck Addresses." The service works using the DuckDuckGo Browser on iOS and Android, DuckDuckGo for Mac (in beta as of Aug 2022), and requires installing a DuckDuckGo extension with desktop Firefox, Chrome, Edge and Brave. I signed up in August 2022 and found that they do not verify that you own the email address they forward to. Also, there is no password to use the service. If they detect an email address on a web page, while using their browser, the browser offers to create a random something@duck.com email address for you, to hide your actual/main/public duck.com address.

In September 2021, Cloudflare announced their new Email Routing offering. You register a domain with them and they can forward an unlimited number of email addresses to anywhere. The same service is offered by almost every website hosting company and domain registrar. Their sales pitch is that it is easy to create new forwarding rules. eh. As of July 2022, it is still in beta testing.

Aliases: iCloud Mail is a free service available to anyone with an AppleID. It allows up to three active email aliases. At Fastmail, cheaper accounts offer a few aliases, more expensive accounts offer more. Mailbox.org offers 25 aliases.

Apple also offers Sign in with Apple which has a Hide My Email option. See What is Sign in with Apple? from Apple (Sept. 2020) and What is Hide My Email? from Apple (Jan. 2022). Hide My Email is an email forwarding service. It does not require Sign in with Apple but it does require iOS 15 or later and an iCloud+ subscription which starts at $1/month in the US. It creates random email addresses, which is both good and bad. On the down side, you can not use walmart@icloud.com for your Walmart account, you have to keep track of the link between terrier-tanker-0g@icould.com (for example) and your Walmart email. Apple says they do not read your emails, but they do SPAM filtering, so they do read the messages. It is not clear if you can turn off the SPAM filtering. Another downside is that all forwarded emails can only go to one destination email address. On the upside, the number of aliases is unlimited. However, it is not clear if, when you reply to an email sent to an alias, if the from address will be the alias or the main account or if you get to choose.

Customers of Fastmail can use their Masked Email feature to generate what are, in effect, aliases. Masked email addresses are two random words and a number, such as elegant.frog9999@fastmail.com. Low end accounts are limited to the fastmail.com domain, higher end accounts can use a custom domain name. You can create a short description for each Masked address to remember what it is for/from. You can not send a new message from a Masked Email address but when you reply, to a message sent to one, Fastmail hides your real account name and uses the masked address as the FROM address.

Proton Mail Plus offers 10 email addresses/aliases. Proton Unlimited offers 15. There is a huge difference between an email address with its own inbox and an alias, so it is not clear which they actually offer. That said, for those using Proton Mail with their own domain (i.e. mikeys-stuff.com) they do offer a catch-all with both of their paid plans. This means that anything addressed to your domain will get delivered. In effect, this gives you unlimited aliases.

Firefox Relay is an email forwarding service that was introduced in November 2021. Annoyingly, Mozilla uses the term "mask" when referring to the public email address. Email accounts use the mozmail.com domain. For free, users get five auto-forwarded email addresses, paid users ($1/month as of July 2022) get unlimited forwarding. Free accounts get an email like 5r4yvruwd@mozmail.com and it is up to you to remember that this is (for example) for your Walmart account . Paid users get a custom sub-domain. That is, a paid user named Michael Smith can have a public email address such as walmart@michaelsmith.mozmail.com. This seems better than the Apple system in that paid users can choose their own alias. Mozilla does not do SPAM filtering but they have partnered with Amazon SES which does. It seems this can not be disabled. The Relay extension is not needed. The TO address of received emails is the private Firefox account email, not the public auto-forwarded mozmail.com email address. You know it was auto forwarded because the message starts with: This message was forwarded from xxxxx@mozmail.com by Firefox Relay. Attachments can be up to 10MB.

Customers of mailbox.org can use their disposable email address feature. There is no free version of mailbox.org but there is a 30 day free trial.

Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.

temp-mail.org offers temporary disposable email addresses. The email addresses are generated as soon as you load the website, there is no need to provide any personal information. The service is free. The temporary email address exists until you either manually delete it or until you close the browser window. Received messages display on the website. You can not send email with the service.

SimpleLogin is confusing. They seem to be an email forwarding service but they also provide a real inbox, so exactly what they do is not clear to me at all. They offer 10 aliases for free, but just what an "alias" is, is also not clear. My guess is that it is a forwarded email address but at which domain they do not say. If an alias is a forwarded email address then what is the inbox for? The initial sign-up is confusing too. You can reply from the email address(s) they give you. There is a free service. For $30/year (last checked Sept 2022) you get unlimited forwarding and aliases, unlimited mailboxes, and your own domain name. They generate nonsense email addresses and support two factor authentication.

AnonAddy also offers email forwarding. You get a username with them and your email address is something like jcpenny@michaelh.anonaddy.com

READING

The Security Pros and Cons of Using Email Aliases by Brian Krebs (August 2022). This is a very poor article by someone who does not understand the topic very well. The article prompted a discussion of the topic by people who do understand the issues well on Episode 105 of the 2.5 Admins podcast (August 2022).

This article, How to Avoid Spam - Using Disposable Contact Information by David Nield (May 2020) discusses four email forwarding services: Sign in with Apple (for Apple customers only), 10 Minute Mail, Guerrilla Mail and Burner Mail.

In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

AND . . .

Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com or at Firefox Monitor.

If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool. This also lets you download every breach involving your domain as this screen shot demonstrates.

 This page: 18 views per day (over 42 days)   Total views: 744   Created: August 16, 2022
This Page
Last Updated

September 6, 2022
Total Site
Page Views

 420,711
Site Page
Views Today

  14
Previous
Website View

57 seconds ago
Website by
Michael Horowitz
@defensivecomput
top
Copyright 2019 - 2022