A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

MULTIPLE EMAIL ADDRESSES

There are many reasons to have multiple email addresses. I suppose the most basic is simply not putting all your eggs in one basket.

Far too many systems use an email address as their unique identifier, so when one system gets hacked, and the passwords are leaked, bad guys are halfway to getting into your other accounts, a process known as "password stuffing." Having multiple email addresses is a great defense from this.

It also adds to your privacy as it makes you harder to track as you move around the Internet.

And, it helps detect who shared your email address with their "business partners" (spammers). For example, if I were to get emails for new credit cards sent to michael+jcpenny@gmail.com, then I know that JC Penny shared my email address.

The ultimate Defensive Computing goal is to use a different email address with every service that requires one. This points up another benefit - the easy identification of scam emails. For example, if you get an email from your power company warning that the power will be cut off if you don't pay immediately, and it was sent to the email address you use with Walmart, rather than the email address you use with the power company, then the scam is obvious.

Multiple email addresses can be funneled into a single inbox, so on an ongoing basis, having many email addresses is not a hassle. But, it does need to be setup and there are a few different approaches and many companies to choose from.

DIFFERENT APPROACHES

If you have only one email address, then, as a first step, consider a new email address with a new inbox for things you don't care about. This new inbox could simply be ignored or just checked on occasion. The danger here is that something important might get missed if you fail to check the new junk inbox for too long.

A second step towards multiple email addresses is to use an email forwarding service.

These services, from many different companies, provide public email addresses that are automatically forwarded. You can forward them to an existing email account so there is only one inbox to deal with. Or, you can use this as a fresh start and forward them to a new email account/inbox, one that you keep private. Or, you can start out forwarding to an existing email inbox and then later change the forwarding rules to a new account/inbox that you don't give out to anyone.

The Firefox Relay service introduces a new term, a mask. This refers to an automatically forwarded email address in the mozmail.com domain. It is merely a new term for an existing approach.

Where automatic forwarding gets complicated is when you want to reply. Not all services that forward emails will let you reply using the forwarded email address.

Another approach for having multiple email addresses is an alias. Aliases provide multiple names for a single email account/inbox. With aliases, tom@somedomain.com and dick@somedomain.com and harry@somedomain.com all refer the exact same account/inbox. The up side of an alias is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and, in how many they offer.

Gmail offers a feature that is very similar to an alias. You can add a plus sign at the end of your Gmail userid to make a unique email addresses. If my email was michael@gmail.com, then I could, for example, be michael+amazon@gmail.com and michael+jcpenny@gmail.com and michael+walmart@gmail.com. All of these different email addresses end up in the same inbox. But, no anonymity.

YOUR OWN DOMAIN(s)

To me, the best method for creating dozens or hundred of email addresses, involves having your own domain, which costs roughly $15 - $20/year US. This is what I do.

Domains are registered by hundreds of different companies called Registrars. Cloudflare offers domain registration as does pretty much every website hosting company. Google used to do this, but they got out of the business. I like PairDomains.com. Owning a domain does not require you to create a website. You can use a domain just for email.

One thing to be aware of when registering a domain is privacy. A domain registered for a business has nothing to hide in terms of contact information, but when registering a domain for personal use, you need to insure that your home address and phone number are not made public by the registrar. The term for this is often "Whois Privacy". If you want to be public, then register a domain with your name in it. Personally, I own the michaelhorowitz.com domain. If you prefer privacy, then register a domain that does not identify you at all. I have one of those too.

With your own domain, email service can come from three places

  1. The registrar
  2. If you have a website, from the website hosting company
  3. A company, such as Fastmail, Proton Mail, Tuta or Mailbox.org that specializes in email

A big upside to owning your own domain is that you are not tied to any one email provider. If you get email from a registrar, you can switch registrars. Likewise, if you use a website hosting company or a dedicated email provider, you can switch if you don't like the service or want a feature they do not offer. You can also switch between these categories. That is, you can switch, for example, from a registrar to a website hosting company. When you do change providers, you will be the only one to know or care. No one who sends you email will be impacted.

Email forwarding is a relatively cheap service to provide, hosting email is more expensive. Companies that host inboxes always set a maximum storage space size. Some companies that offer email forwarding may have a daily limit.

As an example, for $8 month, Pair offers a website and 500 email inboxes with a storage limit of 30 gigabytes, shared by the website and email (as of March 2024). Their email service supports customizable Junk and Spam filtering, forwarding, auto-responders, webmail and more. That is, some email addresses at Pair can represent a real inbox, while others are forwarded and still others go nowhere (that is, incoming messages can be automatically deleted).

There are a couple ways to get a nearly unlimited number of email addresses.

One is create them one at a time. When you need to create a new account at Spacely Space Sprockets, you first login to your email provider and create a new email address just for Mr. Spacely. This may be an alias, a forwarding rule or (unlikely) an actual inbox.

The other approach is catch-all email forwarding. This forwards every email address at your domain and frees you from having to create the individual email addresses manually. That said, this should not rule out the use of forwarding. That is, I should be able to forward spacelysprockets@michaelhorowitz.com to one place, but still have any non-defined email addresses at my domain forwarded somewhere else. One downside to a catch-all is that spammers can guess at email addresses and every guess will be forwarded.

PROVIDERS

GMAIL

FASTMAIL

APPLE

PROTON MAIL

MICROSOFT OUTLOOK

OTHERS

As of August 2022, DuckDuckGo is testing a free email protection service, which offers much more than just forwarding. See Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All!. Users get an email address of their choosing in the duck.com domain. Quoting "DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly – without switching email providers or apps ... Link Tracking Protection that helps prevent tracking in email links, Smarter Encryption that helps with unencrypted email links, and the ability to reply directly from your Duck Addresses." The service works using the DuckDuckGo Browser on iOS and Android, DuckDuckGo for Mac (in beta as of Aug 2022), and requires installing a DuckDuckGo extension with desktop Firefox, Chrome, Edge and Brave. If they detect an email address on a web page, while using their browser, the browser offers to create a random something@duck.com email address for you, to hide your actual/main/public duck.com address.
August 2022: I signed up and found that they do not verify that you own the email address they forward to. Also, there is no password to use the service.
November 2023: The service is still in beta and there has been no update to their original announcement (link is above).

Firefox Relay is an email forwarding service that was introduced in November 2021. Annoyingly, Mozilla uses the term "mask" when referring to the public email address. Email accounts use the mozmail.com domain. For free, users get five auto-forwarded email addresses, paid users ($1/month as of July 2022) get unlimited forwarding. Free accounts get an email like 5r4yvruwd@mozmail.com and it is up to you to remember that this is (for example) for your Walmart account . Paid users get a custom sub-domain. That is, a paid user named Michael Smith can have a public email address such as walmart@michaelsmith.mozmail.com. This seems better than the Apple system in that paid users can choose their own alias. Mozilla does not do SPAM filtering but they have partnered with Amazon SES which does. It seems this can not be disabled. The Relay extension is not needed. The TO address of received emails is the private Firefox account email, not the public auto-forwarded mozmail.com email address. You know it was auto forwarded because the message starts with: This message was forwarded from xxxxx@mozmail.com by Firefox Relay. Attachments can be up to 10MB.

In September 2021, Cloudflare announced their new Email Routing offering. You register a domain with them and they can forward an unlimited number of email addresses to anywhere. The same service is offered by almost every website hosting company and domain registrar. Their sales pitch is that it is easy to create new forwarding rules. eh. As of July 2022, it is still in beta testing.

Customers of mailbox.org can use their disposable email address feature. There is no free version of mailbox.org but there is a 30 day free trial.

Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.

temp-mail.org offers temporary disposable email addresses. The email addresses are generated as soon as you load the website, there is no need to provide any personal information. The service is free. The temporary email address exists until you either manually delete it or until you close the browser window. Received messages display on the website. You can not send email with the service.

SimpleLogin is confusing. They seem to be an email forwarding service but they also provide a real inbox, so exactly what they do is not clear to me at all. They offer 10 aliases for free, but just what an "alias" is, is also not clear. My guess is that it is a forwarded email address but at which domain they do not say. If an alias is a forwarded email address then what is the inbox for? The initial sign-up is confusing too. You can reply from the email address(s) they give you. There is a free service. For $30/year (last checked Sept 2022) you get unlimited forwarding and aliases, unlimited mailboxes, and your own domain name. They generate nonsense email addresses and support two factor authentication.

A company that used to be called AnonAddy and is now (April 2024) called addy.io offers email forwarding. They have a free plan and multiple paid plans. With each plan your options are different. They invent terminology for different types of aliases, so good luck figuring out their assorted offerings.

The website PrivacyGuides.org recommends addy.io and SimpleLogin. That said, I disagree with some of their analysis of email forwarding. As of April 2024.

Dec. 1, 2022: 12 Free Email Services (Without Phone Verification) by W.S. Toh

- - - - - - - - - - - - -
UPDATE: March 25, 2024. Skiff no longer exists.
According to this June 2023 article, You probably don’t own your email address. Skiff wants to change that by Jared Newman, Skiff lets to add your domain to their free service for free. Using your own domain with Apple email requires an iCloud+ subscription starting at $1 per month. Gmail requires a Workspace for Business subscription at $6 per month. Skiff supports an unlimited number of email aliases, but the article does not go into the details. The free Skiff service offers 10 GB of storage and one domain. The first step up is $4 per month to get 15 GB of storage.

READING

April 19, 2024: Email Aliasing, Explained by Brady Noah at Freedom.tech. Not only do email aliases keep you protected from phishing, spam, and other dangers, they make your life easier too. A generally good article but with a big omission. An important criteria for choosing a provider/scheme is whether you can reply to emails using the alias address. The article suggests some providers but does not say if they allow aliased replies.

The Security Pros and Cons of Using Email Aliases by Brian Krebs (August 2022). This is a very poor article by someone who does not understand the topic very well. The article prompted a discussion of the topic by people who do understand the issues well on Episode 105 of the 2.5 Admins podcast (August 2022).

This article, How to Avoid Spam - Using Disposable Contact Information by David Nield (May 2020) discusses four email forwarding services: Sign in with Apple (for Apple customers only), 10 Minute Mail, Guerrilla Mail and Burner Mail.

In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

AND . . .

Need some motivation for creating multiple email addresses? See how often your email address(s) have been included in a data breach at haveibeenpwned.com or at Firefox Monitor.

If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool. This also lets you download every breach involving your domain as this screen shot demonstrates.

 This page: 8 views per day (over 653 days)   Total views: 5,519   Created: August 16, 2022
This Page
Last Updated

May 30, 2024
Site Page
Views TOTAL

 910,894
Site Page
Views TODAY

  787
Website by
Michael Horowitz
@defensivecomput
top
Copyright 2019 - 2024