
IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.

It won't get banned by some services, you have complete control over the domain and account, you can send email from any address you wish, you can sign up for domain-wide haveibeenpwned alerts by verifying domain ownership via TXT records, and you don't have to worry about the service going out of business in 2 years.

After going through my password manager last year and changing as many logins and emails as I could, I've found several services that have sold my email address to third parties and one that was hacked. It's a relief to know I don't have all my proverbial email eggs in one basket.



> IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.

I've been doing this for years and I usually use the domain I'm signing up for as the address. Beware tho some people get really confused by how email works. I was requesting quotes for a home improvement project and I've had employees at these companies think I was either friends with the owner or that I hacked their email.


It gets super awkward when you have to read the email aloud. My optometrist spent five minutes trying to explain that they wanted my email when they tried to transfer a prescription from Warby Parker.

"My email/username for Warby Parker is 'warbyparker.com@...'"

"No, they need your email, not theirs."

"..."


I solved this by only including a unique prefix of the website, like "warby@example.com".


"oh, so you're an employee?"

Got asked that once after specifying sixt@mydomain when renting a car


"Sure, I'll take the employee discount."


Forget about that, way too advanced!

I had a customer support on the phone insisting I was not giving them a valid email. “It should have something like @gmail.com or @yahoo.com”.


I have an "in-person catch all" address which is a different variation of my name @ my domain than my main inbox. Even that is enough to trip up the occasional hotel counter staff or similar when my name is in the domain rather than gmail/yahoo.


There's no real need to use a name that actually matches the sender. Choose a random word; it's easy to identify later -- from the first mail to your inbox from that address.

You'll still be able to filter on it, or know if anyone sold your address for spam, or be able to abandon the address if you need to.


> it's easier to just buy a domain and route * to your inbox

There is the caveat of the domain getting into the wrong hands, if you look long enough down the road. What if you die, or simply can't afford to renew the domain well into the future? I know if I could look down from heaven after I die and saw someone re-registering my dropped domain, I would be furious!

Then there is the issue of even when you're alive, you could simply refuse to renew for whatever reason and the domain is suddenly someone else's.

MarkMonitor and Epik are the only companies that I know of that can safeguard against this. Epik has so-called 'forever domains' and ensures the domain stays active well into the future.


I gave this some thought and decided it's actually worse with gmail. If google decides they don't like me, they can kill my email and I would lose access to pretty much everything.

But if my custom-domain email provider closes shop, I can at least take my domain with me.

You have a point though, I should just prepay for the next 10 years of my domain, and set myself a reminder to renew in 9 years :-)


Renewing a .com for the maximum 10 years in advance is a bit of a trap, because to transfer the domain to another registrar you have to buy at least one additional year... which you can't do if you're already at the 10 year limit. If your registrar pulls a GoDaddy and you want to move away you might find yourself having to wait up to a year.

There might be similar caveats with other TLDs but I only have experience with .com


Good point. I'll make sure to keep mine registered 9-years out from now on.


"pulls a GoDaddy"

I think we are at the point that a noun becomes a verb to say how good or bad (GoDaddy's case) something is!


It's just a domain, man, chill, don't let it drag you down. Why should you feel so strongly about transient things? It's just a name...


They have a point though, when you rely on a domain you’ve gotta be cautious. If I buy your domain when you forget to renew it I can then do password resets against any accounts you used an email on that domain with.


It would be nice if web services offered an option to disable this misfeature per account, or better yet offer to upload the user's PGP key and encrypt all outgoing email with it, incl. the password reset email.


I think Facebook (surprise surprise) offered a feature like this. I no longer use it and don't know if my memory serves me right.


Do you have more info on the 'forever domain'? Are they actually guaranteeing the domain forever or is it just as long as Epik exists?


> do you have more info on the 'forever domain'?

https://www.epik.com/forever/


It is probably a non-issue but one downside is that if people realize that you are doing this they can just pick a new "user" and reach you even if you have blocked their original address.

It would be interesting to do something like this with signatures. You could generate new addresses "on the fly" by picking a prefix and signing it. Then you can use this email and it can't be modified in a way to generate a new valid email.

For example you could have walmart-oaiua83n@yourdomain.example and they couldn't just change it to goodcompany@example.com.
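The signed-prefix idea in the comment above, sketched as an added example (not code from the thread): the tag is a truncated HMAC of the prefix, so an address with a changed prefix fails verification at the receiving end. The key, domain, tag length and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions, not from the thread).
SECRET_KEY = b"constructed-demo-key-rotate-me"
DOMAIN = "yourdomain.example"
TAG_LEN = 8  # base32 chars = 40 bits of MAC; short enough to type, long enough to resist guessing


def _tag(prefix: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 of the prefix; base32 so it survives case folding."""
    mac = hmac.new(key, prefix.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(prefix: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> str:
    """Build prefix-tag@domain. '-' is not allowed in the prefix so the split is unambiguous."""
    prefix = prefix.strip().lower()
    if not prefix or not all(c.isascii() and (c.isalnum() or c in "._") for c in prefix):
        raise ValueError("prefix must be non-empty: ASCII letters, digits, '.' or '_'")
    return f"{prefix}-{_tag(prefix, key)}@{domain}"


def verify_alias(address: str, key: bytes = SECRET_KEY, domain: str = DOMAIN) -> bool:
    """Return True only if the tag matches the prefix under our key."""
    local, at, dom = address.strip().lower().rpartition("@")
    if not at or dom != domain:
        return False
    prefix, dash, tag = local.rpartition("-")
    if not dash or not prefix or len(tag) != TAG_LEN:
        return False
    # Constant-time comparison avoids leaking how many tag characters matched.
    return hmac.compare_digest(tag.encode(), _tag(prefix, key).encode())


if __name__ == "__main__":
    alias = make_alias("walmart")
    stolen_tag = alias.split("@")[0].rpartition("-")[2]
    print(alias, verify_alias(alias))                      # valid alias
    swapped = f"goodcompany-{stolen_tag}@{DOMAIN}"
    print(swapped, verify_alias(swapped))                  # prefix changed: rejected
    print(verify_alias(f"goodcompany@{DOMAIN}"))           # no tag: rejected
```

A mail filter would call `verify_alias` on the envelope recipient and reject or quarantine anything that fails; rotating the key invalidates every alias issued under it.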


I do this with my email, and it's definitely a non-issue. The problem is not people but processes - automated spam and the like.


Agreed. I do this and even without any good spam filter, my spam is down to at most 2 a week. The reason behind this is that most companies that exchange data use email/phone number as a unique key.

(I use fastmail to host. This is the only reason I can't use Hey yet.)


I would do something like that but with a simple rule/cipher that can be computed mentally and is not completely obvious at first look. Like a shift cipher of the first two characters of the name:

wolmart.yq@example.com

w+2 = y and o+2 = q


I was thinking that you would have a browser extension or bookmarklet but yes, you could definitely get away with something simpler.


How on earth is that anonymous? All of your emails are on the same domain, and nobody else is using that domain. As soon as I see an email @jamesboehmersdomain, I know that it belongs to jamesboehmer.


You're right, it's not 100% anonymous. But my name's not in the domain, and I use WhoisGuard with my registrar. It's reasonably effective, cheap, and a low effort way to deflect the bots and identify suspicious activity.


This could be more easily done by simply signing up for gmail with an address that doesn't contain your name.


7786655's point was that the custom domain is not perfect anonymity because if someone knows who owns the domain, then they know the owner of every email. If someone discovers my pseudonymous gmail account, then the same problem exists. But perfect anonymity was never my goal.


You buy some cheap domain for this purpose. Certain TLDs go for real cheap (~$2/year).


I wouldn't tie my entire digital identity to whatever's cheapest if I could avoid it.

In my case I use my CC TLD. I'm in a generally stable nation that follows the rule of law and the administrator of the CC TLD has all sorts of processes in place that I have access to as far as regaining control of the domain if it's inappropriately transferred, making appeals, etc.

The extra $10 or so a year this costs is very much worth it to me as basically a form of insurance.


What TLDs are those?


https://tld-list.com/

Sort by cheapest renewal.

For example, you can register and renew a .feedback domain for $1.49 a year.


Like Hamuko said, there are domains like .party, etc that are cheap. However, some sites won't take them. My main junk account is a wildcard .party domain. It'll work with most sites, but the odd one won't take them. I ended up registering a .com that goes to the same inbox to get around these.


Another issue is that unless one also gets a new IP address for the mail server, it might be possible to associate the real domain with this "anonymous" one.


My experience with email in general has been so exhausting. This year I finally set up a new email address at a custom domain (with * catchall), but what I've found is that I'm afraid to give it to anyone. Right now I'm using it to communicate with like 3 people and it feels so nice.

I may use the * in the future for custom emails for groups of concerns (jobs@domain or applications@domain, hn@domain, banking@domain), but I'm worried it will just add to the heaping mental overhead I already experience when working with email (what was my address I use for this again...?, etc). I can't help the feeling that it's just a matter of time before it starts to look like my original email account where even unsubscribing from things seems like a labor of Sisyphus, but this time with the added noise of it going to an email naming system I've lost control of.


With my catchall, I use one address per site. If they sell it off or whatever, I block the old one, update it on the site (e.g. hn2@blah.net).

They're all tucked away in your password manager anyway, so there isn't any effort or tracking needed.

I've had this system for about two years now and have yet to receive any junk mail with the new domain.


I do the catchall thing too, but Migadu has an API for creating aliases... I think it'd be pretty cool to create a little script to generate random aliases and keep track of them.


Sending email from your own domain is anything but easy. You need SPF, DKIM and DMARC at minimum. Are you going to host your own mail server? No one will accept your emails. Will you use sendgrid or postmark or SES? Enjoy having your emails (especially in the beginning) randomly end up in spam folders or worse completely quarantined (no bounce, nothing in spam folder) for various large institutions using MS Forefront.

Sending email is complicated.


Owning your own domain name for email and running your own email server are two completely different discussions. The first is recommended while the second is not.


This sure was the case before, and I'm likely in my own bubble when I say this. I think many spam filters are nowadays very good. SPF+DKIM+DMARC setup makes a huge difference. I have a small server that occasionally sends emails, and I never had a problem with emails ending up in spam.

The IP reputation matters a lot, followed by the content itself. I don't think email recipient servers downright mark all lesser known senders as spam.


I send only transactional emails (confirm email and so on, no newsletters, you can't say I'm spamming people - I suck at follow ups) and while Gmail and other free email providers work just fine, it's the institutions where you start with negative reputation it seems and have to work to earn the right to send email to users who asked for it.


Using your own private domain does not give you the same level of anonymity. Your domain name becomes a globally unique identifier that companies (and once leaked, anyone) can use to fingerprint your activity online.

(Source, I run https://owlmail.io and this is a common question.)


Are you guys looking to launch a premium plan? Or how else do you plan to stay alive?


Yes, I will be launching paid plans.


I do something like this too except the aliases are manually created. I went one step further and made an optional learning period for addresses so anything from a previously unseen sender address after x days is dropped. I also added an optional lifespan to the address so it is only valid for Y days.


I have a similar setup, but use it on a subdomain, e.g. *@sub.example.com

This makes it harder to just randomly spam <anything>@example.com because you need the subdomain, which is what spammers do - just randomly generate local parts that might exist. info, john, sales, etc.


This is a good way to get a ton of spam from bots who try every word @yourdomain


I've used a catchall domain for 10 years or so, never got any botspam like that. Only thing I got sometimes was spam to info@domain, and this can be easily ignored.

Do those bots really exist? I would think the TLD I use is just not interesting enough for them, but it's from a big country.


Yes, they did exist. I stopped using catchall because of them. It's not as common these days, looking at my postfix log. Though some large spammers were shut down a few years ago. I saw a sharp 60-70% drop in spam volume when that happened. So maybe someone who was doing this dictionary search gave up or was shut down too in the recent past.


I have this regularly. My catch all gets emails from a bot that tries common first names at my domain, but sometimes really weird ones as well, seemingly random such as a23ssaaaa@example.com


I like the way Fastmail handles this. Your normal email is user@domain.tld, and you can configure the service to also treat emails to <anything>@user.domain.tld as having been sent to you.

I have never seen bots try random addresses on a subdomain.


This is exactly how I use Fastmail. Every newsletter/new account has a dedicated email address that is an alias to my primary fastmail address, based on a custom combination.

That way, it’s super easy to know which service is actually either spamming me, or leaked my email address.


How do you configure this? I assume I need to create a catch-all alias for this to work. I added *@domain.tld but when I send an email to test@user.domain.tld, it bounces.


This is an interesting reminder... I've been using catch-all on @mydomain for at least 15 years, and I went through a phase where I'd get a lot of random strings @mydomain. I set up dummy honeypot@mydomain accounts and added a lot of crap as aliases so they'd get tucked away in a disabled account. (I also do that with any "valid" email addresses that start to get spam.) It was a pain in the butt, but it also stopped quite a while ago. With newer domains, I tend to see stupid common ones like "info", "postmaster", etc. getting spam, but haven't seen the random gibberish ones.


Do people not already get their primary inboxes flooded with spam anyway? I've found my email provider's spam filtering pretty good anyway, it hasn't been an issue.


The age of your email address is a big factor. Both my work and personal (custom domain) addresses have been active for over 20 years. I’d say 85-90 percent of what I get in my inbox is spam, despite Google and Microsoft “ML filters” in place.

Most of this is “tech salesperson” spam or corporate newsletter type stuff. But they bought my email address, and are sending unsolicited mail, so I report it all hoping to harm their reputation with Google and Microsoft.


You can still have spam filters and block lists.


> route * to your inbox

This is a terrible solution. Updating aliases takes a few seconds, you can even shorten this time by creating a simple script adding the new alias and updating the aliases db.


What's bad about it? Been doing this for more than a year now and I've not encountered any problems. I've had catchall emails for every domain I own for 20 years or so and the worst I get is cold sales emails to info@ and sales@.

If I want to block an incoming address it's a few clicks away, I've just never needed to because spam filtering works pretty well. Perhaps that might change some day and I'll switch to a whitelist approach.


Sending email reliably is a nightmare.


What do you use for email hosting?


I'd rather not say. I imagine it shouldn't matter though. Plenty of email providers allow custom domains and configurable routing.



