This post goes over the benefits of using a different unique email address for each site/service that you sign up for. From preventing spam to protecting your identity online, the positives far outweigh the negatives.
Everyone reading this probably has some old email account they created when they started out online that is now completely inundated with spam.
Sound familiar?
I created my first email account with hotmail.com back in the days of MSN. I have long since stopped using this email for privacy reasons, but, even if I did want to continue using the account, the amount of spam it receives would make this unfeasible.
When you use the same email address for everything online, it becomes impossible to identify where spam emails originate from and how the spammers got hold of your information in the first place.
Your email address may have been sold by a deceitful service, or it could have been involved in a data breach for one of the websites you signed up to.
Tip: use haveibeenpwned.com to check if your email address is involved in any known data breaches.
Entering my first hotmail.com account on haveibeenpwned returns "Pwned on 13 breached sites and found 2 pastes". That is some pretty scary stuff!
One of the pastes even had my old (and incredibly weak) password right there in plain text! This is how scammers know what your password is when they send you that email claiming they've "hacked your account" whilst demanding $750 in Bitcoin. Just ignore these emails and obviously make sure you are not still using the exposed password anywhere else!
If your email address is involved in multiple data breaches it can be very easy for hackers and bad actors to cross-reference your details and link your information together.
Even worse is if you use the same password all over the place too. A hacker could then try other services (e.g. PayPal) with that same email and password combination, allowing them to potentially gain access to your account.
Tip: use a password manager such as Bitwarden for your accounts, creating a long random unique password for each login.
If you are looking for a fresh start and would like to create a new email address and keep it free from spam you can use a service such as Tutanota, ProtonMail or Posteo.
If you'd like to see other options for password managers or email providers and loads of great privacy advice, check out PrivacyTools.io.
Now let's have a look at how we can solve some of the problems above by instead using a different email address for each site.
One option that is easy to get started with is to use sub-addressing, where you simply add an extension or "tag" to your real email address.
For example: you could use something like johndoe+twitter@example.com for Twitter.
Note: this must be supported by your email provider or it will cause emails to bounce.
Many email providers do support these kinds of addresses, and any email sent to the above address will still go to johndoe@example.com.
The main issue with these kinds of addresses is that to an observer it is very easy to identify the real email address.
A script can also be run that strips the extensions from email addresses that are created in the above format.
So if one of your sub-addresses is involved in a data breach, it would be easy to just remove the extension and start sending spam to johndoe@example.com. Now, you would no longer be able to identify where the spam originated or who sold your data.
Another potential downside is that some websites may (incorrectly) deem email addresses containing the "+" symbol as invalid, preventing you from using them.
The advantage of using email aliases instead is that they look exactly like a genuine email address and it is much harder (if not impossible) to try to reverse-engineer them to find out the real email address.
Now let’s explore the benefits of using email aliases that forward to your real email address.
The most obvious benefit is that using a different email alias for each service helps to protect your real email address from spam.
It does this by essentially "shielding" your real email address from the outside world and prying eyes. Since you only ever give out your email aliases, third-parties do not know your real email address.
This means if your email alias is sold off or involved in a data breach and suddenly starts receiving spam, you can easily turn off or remove the alias in question and the spam will come to a stop.
With addy.io, when an alias is deactivated (turned off), all emails sent to it will be silently discarded by the system. The spammer will not realise that the emails haven't reached you. This will also increment the "blocked email counter" for that alias.
When an alias is deleted, any further emails sent to it will bounce back to the sender with the error message:
"550 5.1.1 Recipient address rejected: Address does not exist".
Another trick that some spam emails use is to include a fake "Unsubscribe" link at the bottom of the email that is in fact a trap. By clicking on the link, instead of being unsubscribed, you simply validate the fact that this is an active email account and notify the scammer. The links can also take you to malicious websites and phishing sites.
If you have any doubts about the validity of the "Unsubscribe" link, you might be better off simply deactivating or deleting the alias.
Following on from the above point, if you have been giving out a different alias for each site, you can easily identify where spam is coming from by simply looking at the alias address.
If one of your aliases starts to receive spam e.g. twitter@example.com, you can identify that it was Twitter who either sold your private information or was involved in a data breach.
Of course, there is also the chance that someone randomly guessed the alias and sent spam to it. It can therefore be a good idea to add a few random characters to the local part of the email alias when creating it e.g. twitter9218@example.com. This makes it much harder for someone to correctly guess one of your aliases.
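The two ideas above (a random suffix so aliases are hard to guess, and reading the alias to see which service the spam traces back to) can be sketched in a few lines of Python. This is an added example, not addy.io's own code: the domain `username.example.com`, the function names and the sample messages are made up for illustration, and only the `To` header is read.

```python
import secrets
import string
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

ALPHABET = string.ascii_lowercase + string.digits
DOMAIN = "username.example.com"  # assumed alias domain (placeholder)
UNKNOWN = "unknown (guessed or never issued)"

def make_alias(service, registry, domain=DOMAIN, suffix_len=6):
    """Build <service><random suffix>@domain and remember who received it."""
    # secrets (not random) so the suffix cannot be predicted from earlier ones
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(suffix_len))
    alias = f"{service.lower()}{suffix}@{domain}"
    registry[alias] = service
    return alias

def attribute(raw_messages, registry):
    """Count messages per service, keyed on the alias in the To header."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        for _name, addr in getaddresses(msg.get_all("To", [])):
            # Addresses are compared case-insensitively; anything not in the
            # registry was never handed out, so it was guessed or mistyped.
            hits[registry.get(addr.lower(), UNKNOWN)] += 1
    return hits

def demo():
    registry = {}
    twitter = make_alias("twitter", registry)
    shop = make_alias("shop", registry)
    spam_folder = [  # constructed sample messages
        f"From: a@spam.example\nTo: {twitter}\nSubject: Win\n\nbody",
        f"From: b@spam.example\nTo: Customer <{twitter.upper()}>\nSubject: Win\n\nbody",
        f"From: c@spam.example\nTo: twitter@{DOMAIN}\nSubject: Guess\n\nbody",
        f"From: d@spam.example\nTo: {shop}\nSubject: Deal\n\nbody",
    ]
    return attribute(spam_folder, registry)

if __name__ == "__main__":
    for service, count in demo().most_common():
        print(f"{count} spam message(s) via alias issued to: {service}")
```

The message sent to the bare `twitter@` address lands in the "unknown" bucket: without the random suffix it would have been indistinguishable from mail that really traces back to the alias given to Twitter.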
I'd recommend using a password manager; password managers can store your login credentials (email/username and password) for all websites, meaning it is easier to keep track of the individual aliases and passwords you have created for each different account.
Using email aliases can be a great way to protect your identity online. Depending on what type of aliases you decide to use it can be very hard for hackers to link your true identity to your email aliases.
This can help reduce the chance of them cross-referencing your accounts in the event of a data breach.
If you are using aliases at a subdomain that is unique to you like with 33mail or addy.io then I would recommend choosing a username that is not linked to you in any way and that you have not used elsewhere online.
You will then be able to create aliases on the fly e.g. alias@username.anonaddy.com (or .me).