Email and Alias Best Practices?

How do people approach emails and aliases? Custom domain seems like probably the best option, but it also seems like there’s a finite number of “good” domains to use for mail, so that’s not necessarily scalable for all of humanity for all time. It certainly seems like one wants some combination of a “real” (has some form of your real name/identifying information) email with anonymous emails as well.

  1. Use one “real” email for everything
    • Pros
      1. Easy
    • Cons
      1. Not private
      2. If one service sells your email/data, you can get swamped with spam
      3. If one service sells your email/data, you can’t easily know which one sold your data
  2. Use one anonymous email for everything
    • Pros
      1. Easy
    • Cons
      1. Not very professional. Job applications, banks, etc. might not be smooth
      2. If one service sells your email/data, you can get swamped with spam
      3. If one service sells your email/data, you can’t easily know which one sold your data
  3. Use one “real” email for everything that needs it and one anonymous email (could be an alias) for everything that doesn’t
    • Pros
      1. Still pretty easy
      2. Provides better privacy
    • Cons
      1. If one service sells your email/data, you can get swamped with spam
      2. If one service sells your email/data, you can’t easily know which one sold your data
  4. Use one “real” email with multiple anonymous emails (could be aliases)
    • Pros
      1. Provides better privacy
      2. Limits effects of spam / enables identification of who sells your data
    • Cons
      1. More complicated
      2. Alias domains might be more likely to be blocked by services
  5. Others?

Furthermore, what classes of accounts get your “real” email (if any)? Like, banks and utilities and stuff probably should. What about online shopping? You presumably provide a real address in order to receive your package, so it probably doesn’t help much to provide an anonymous email.

Anyway, I’m definitely interested in hearing people’s thoughts and approaches.

1 Like

I currently use one public email address and generate ephemeral email addresses for everything else. My public email address is specifically tied to forges, forums, mailing lists, wikis, and long-lasting, ongoing subscriptions. I am now practically unbanked at this point.

1 Like

Impressive. How do you pay your subscriptions? And are you including things like Internet service in your subscriptions?

1 Like

Currently it is a combination of self-sufficiency and external assistance:

  1. Costco membership and groceries can be paid using cash and/or with the Costco Shop Card (up to $2,000 CAD).
  2. Purism has cryptocurrency support using Coinbase.
  3. 1984 and FranTech/BuyVM have cryptocurrency support for Monero.
  4. Freedom Mobile is a prepaid plan of $100 CAD per year by cash.
  5. TELUS PureFibre X 3G and the OVHcloud VPS are currently being paid by family members using credit cards, but compensated by cash afterwards, currently in transition to gift cards.
  6. Long & McQuade in-house financing requires banking information, but can be paid by cash every month. That is currently tied to my prepaid credit card, which has a balance of zero.

1 Like

You seem to be thinking about this from a privacy perspective, but there is a security aspect also. A cross between 3. and 4. is to use

  • one “admin” email that is used to control those logins that need to be kept secure and can/should not be set up with “free” email services (if your known email is compromised, the other systems linked to this logins-only are not)
  • one main communication email (if it’s not used for login anywhere then any site’s compromise won’t affect it)
  • any number of more or less anonymous emails that can be one use or just for different purposes with less secure and less important sites that have higher chance of being compromised

The idea being that you have a separate email that is for logins and separate for communications, so that in case of being hacked, you’re not totally screwed. A good system should have a username that is not email, so the “admin” email is not used unnecessarily, but that is not always the case. If a system offers a restoration feature (in case of locked up profile or stolen credential and changed password etc.), you want those to be separate, possibly even on a third email that only gets used in emergency (depending on how many you want to use to separate different services). The extreme example for this would be to go to example 2.

[edit to add: for messages, of course, set up forwarding from the others to the main, so you get all the possible alerts]

3 Likes

In Qubes OS terminology, essentially a Work, Personal, and Untrusted AppVM.

3 Likes

Principle of compartmentalization. I’d expand that though - work email should be an additional fourth email in that list, although it’s just the first point but distinguished by different profile (not a good idea to mix personal and work messages [and your organization may have some controls/requirements]).

2 Likes

Freemail provider for the real junk sign-ups / emails that I am not bothered too much about. Otherwise personal domain for everything else, with rewriting rules so that every sign-up / email can have a unique address.

Using a unique address helps to identify the source of the problem if a party that I deal with is hacked (data breached) or if a party shares my information with other parties.

Note that using a personal domain is not necessarily good for privacy - since it usually traces to you, one way or another, and since it is only used by you (or by you and your circle). It is however better for economics and flexibility (you can move it to any provider or self-host, if your provider becomes undesirable) and better for control (you control the domain).

A personal domain, depending on how you arrange it, comes with the need to keep it secure and may impose some system administration burden and may require a certain level of expertise.

2 Likes

Can you explain how this works? What’s a rewriting rule?

1 Like

Let me give an example using everyone’s least favorite company :wink:.

If you have a gmail address fubar@gmail.com then a sender can send to fubar+absolutelyanything@gmail.com and it will still arrive in the mailbox identified by fubar@gmail.com or at least that’s what they tell me, and it seems to be correct as documented here: Official Gmail Blog: 2 hidden ways to get more from your Gmail address (which also discusses another way in which gmail rewrites addresses).

So basically gmail just ignores anything in the email address after the plus sign.

Address rewriting is something that an incoming SMTP server implements in order to process the address that the sending SMTP server specifies and convert that address into the final address of a mailbox to deliver the email to.

Different SMTP servers may use different terminology i.e. it won’t necessarily be referred to in the product’s documentation as “address rewriting” or “rewriting rule”.

Different SMTP servers may be more or less powerful in the kind of address rewriting that they can perform.

This kind of rewriting can be used to create aliases but it can also be used for other things.

In generic and simplified terms then gmail needs to use a rule of the form

anything+absolutelyanything@gmail.com → anything@gmail.com

That is to say, this rule just deletes +absolutelyanything in any email address.

gmail also allows you to add aliases (up to 30 of them). So let’s say that fubar is my primary email address but I want snafu as an alias. So then I might add another rule (to operate afterwards).

snafu@gmail.com → fubar@gmail.com

(I’m not suggesting that gmail implements any of the above in this manner; I am just using it as an example.)

For more concrete examples: Understanding Sendmail Address Rewriting Rules and I think it was sendmail that originated the term “rewriting rule”.

Edit: PS Address rewriting is also possible on the way out.

2 Likes
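
The two rules from the post above, written as a small ordered rule engine. This is an added example, not part of the original post and not how Gmail or any real mail server implements rewriting; the rule names, `rewrite` and `tag_of` are hypothetical, and lowercasing the address is a simplifying assumption.

```python
import re

# Ordered rewriting rules modelled on the two rules in the post above:
# (name, pattern, replacement). Illustrative only; not any real server's format.
RULES = [
    ("strip-plus-tag", re.compile(r"^([^+@]+)\+[^@]*(@gmail\.com)$"), r"\1\2"),
    ("alias-snafu", re.compile(r"^snafu(@gmail\.com)$"), r"fubar\1"),
]


def rewrite(rcpt, rules=RULES):
    """Apply each rule once, in order; return (mailbox, names of rules that fired)."""
    addr = rcpt.strip().lower()  # assumption: addresses compared case-insensitively
    fired = []
    for name, pattern, replacement in rules:
        new = pattern.sub(replacement, addr)
        if new != addr:
            fired.append(name)
            addr = new
    return addr, fired


def tag_of(rcpt):
    """Return the +tag the sender used (identifies the sign-up), or None."""
    m = re.match(r"^[^+@]+\+([^@]*)@", rcpt.strip().lower())
    return m.group(1) if m else None


if __name__ == "__main__":
    for rcpt in ("fubar+absolutelyanything@gmail.com", "snafu+shop@gmail.com"):
        print(rcpt, "->", rewrite(rcpt), "tag:", tag_of(rcpt))
    # Rule order matters: with the alias rule first, snafu+shop is never aliased.
    print(rewrite("snafu+shop@gmail.com", rules=RULES[::-1]))
```

Because the plus-stripping rule is public knowledge, a tagged address still reveals the base mailbox; the tag only records which sign-up the address was given to.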

Ah, ok, so you just use re-writing rules to implement aliases then?

1 Like

For several years, I’ve been using some custom domains where the domain providers offer an email forward. I don’t have to bother to run an email server for it, and it allows me to sign up for purism with purism@mydomain.xyz and for facebook with facebook@mydomain.xyz and youtube with youtube@mydomain.xyz or whatever.

Then, later when I decide that facebook is trash and I should not be using it, I can change the forward facebook@mydomain.xyz to go to some trash heap email account that I will never read. And when I decide that I do not wish to use Google anymore, I can change purism@mydomain.xyz to forward to some other thing, maybe at a bare minimum a free Protonmail account for example, and because I have this middle layer between me and the websites I can redirect how I interact with the site without requiring the site to have properly implemented that feature.

This also means that when I get spam mail sent to tickermaster@mydomain.xyz because I used ticker master 10 years ago, I have a direct record for which company is garbage and sold my email to spammers.

4 Likes

It does seem like custom domains are the best solution, at least as long as you can manage to get a domain you like.

1 Like

If your desired domain name is already taken, you can use a domain broker to negotiate a suitable price with the domain owner, among other methods.

1 Like

Or (my preference) bounce the email - if you actually want to cease use of that service provider. Why have it take up bandwidth and/or storage?

Or forward the email to the round filing cabinet i.e. send success status to sending SMTP server but email is not stored and is just thrown away.

2 Likes
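
The per-service aliases on a custom domain described earlier in the thread, together with the forward, bounce and discard options from the last two posts, sketched as an added example (not code from any poster or provider). The alias table, the `.example` sender domains, the log entries and all function names are constructed for illustration.

```python
DOMAIN = "mydomain.xyz"

# Per-service aliases (constructed). "issued_to" is the only party that was
# ever given the address; "action" is what happens to mail sent to it now.
ALIASES = {
    "purism": {"issued_to": "purism.example", "action": "forward",
               "target": "inbox@mailbox.example"},
    "facebook": {"issued_to": "facebook.example", "action": "bounce"},
    "tickermaster": {"issued_to": "tickermaster.example", "action": "discard"},
}

# Constructed delivery log: (envelope sender, envelope recipient).
LOG = [
    ("orders@purism.example", "purism@mydomain.xyz"),
    ("news@mail.tickermaster.example", "tickermaster@mydomain.xyz"),
    ("promo@bulk-offers.example", "tickermaster@mydomain.xyz"),
    ("win@prizes.example", "Tickermaster@MyDomain.xyz"),
]

def lookup(rcpt):
    """Return (alias, entry) for a recipient on DOMAIN, else (None, None)."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != DOMAIN or local not in ALIASES:
        return None, None
    return local, ALIASES[local]

def route(rcpt):
    """Return (SMTP reply code, delivery target) for one recipient."""
    _, entry = lookup(rcpt)
    if entry is None or entry["action"] == "bounce":
        return 550, None  # rejected during SMTP; nothing is stored
    if entry["action"] == "discard":
        return 250, None  # sender sees success; message is thrown away
    return 250, entry["target"]

def leaked_aliases(log):
    """Map alias -> sender domains other than the party it was issued to."""
    hits = {}
    for sender, rcpt in log:
        alias, entry = lookup(rcpt)
        if alias is None:
            continue
        sender_domain = sender.lower().rpartition("@")[2]
        owner = entry["issued_to"]
        if sender_domain != owner and not sender_domain.endswith("." + owner):
            hits.setdefault(alias, set()).add(sender_domain)
    return hits
```

Services often send through third-party mailers, so a sender-domain mismatch is a lead to check against the message itself rather than proof that the address was sold.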