IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.
It won't get banned by some services, you have complete control over the domain and account, you can send email from any address you wish, you can sign up for domain-wide haveibeenpwned alerts by verifying domain ownership via TXT records, and you don't have to worry about the service going out of business in 2 years.
After going through my password manager last year and changing as many logins and emails as I could, I've found several services that have sold my email address to third parties and one that was hacked. It's a relief to know I don't have all my proverbial email eggs in one basket.
> IMO if you're really concerned about anonymity and securing your email from credential-stuffing, and willing to pay for such a service (I used to pay for 33mail), it's easier to just buy a domain and route * to your inbox.
I've been doing this for years and I usually use the domain I'm signing up for as the address. Beware tho some people get really confused by how email works. I was requesting quotes for a home improvement project and I've had employees at these companies think I was either friends with the owner or that I hacked their email.
It gets super awkward when you have to read the email aloud. My optometrist spent five minutes trying to explain that they wanted my email when they tried to transfer a prescription from Warby Parker.
"My email/username for Warby Parker is 'warbyparker.com@...'"
I have an "in-person catch all" address which is a different variation of my name @ my domain than my main inbox. Even that is enough to trip up the occasional hotel counter staff or similar when my name is in the domain rather than gmail/yahoo.
There's no real need to use a name that actually matches the sender. Choose a random word; it's easy to identify later -- from the first mail to your inbox from that address.
You'll still be able to filter on it, or know if anyone sold your address for spam, or be able to abandon the address if you need to.
> it's easier to just buy a domain and route * to your inbox
There is the caveat of the domain getting into the wrong hands, if you look long enough down the road. What if you die, or simply can't afford to renew the domain well into the future? I know if I could look down from heaven after I die and saw someone re-registering my dropped domain, I would be furious!
Then there is the issue of even when you're alive, you could simply refuse to renew for whatever reason and the domain is suddenly someone else's.
MarkMonitor and Epik are the only companies that I know of that can safeguard against this. Epik has so-called 'forever domains' and ensures the domain stays active well into the future.
I gave this some thought and decided it's actually worse with gmail. If google decides they don't like me, they can kill my email and I would lose access to pretty much everything.
But if my custom-domain email provider closes shop, I can at least take my domain with me.
You have a point though, I should just prepay for the next 10 years of my domain, and set myself a reminder to renew in 9 years :-)
Renewing a .com for the maximum 10 years in advance is a bit of a trap, because to transfer the domain to another registrar you have to buy at least one additional year... which you can't do if you're already at the 10 year limit. If your registrar pulls a GoDaddy and you want to move away you might find yourself having to wait up to a year.
There might be similar caveats with other TLDs but I only have experience with .com
They have a point though, when you rely on a domain you’ve gotta be cautious. If I buy your domain when you forget to renew it I can then do password resets against any accounts you used an email on that domain with.
It would be nice if web services offered an option to disable this misfeature per account, or better yet offer to upload the user's PGP key and encrypt all outgoing email with it, incl. the password reset email.
It is probably a non-issue but one downside is that if people realize that you are doing this they can just pick a new "user" and reach you even if you have blocked their original address.
It would be interesting to do something like this with signatures. You could generate new addresses "on the fly" by picking a prefix and signing it. Then you can use this email and it can't be modified in a way to generate a new valid email.
For example you could have walmart-oaiua83n@yourdomain.example and they couldn't just change it to goodcompany@example.com.
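The signed-prefix idea from the comment above, as an added example that is not part of the original thread. It uses an HMAC (a keyed MAC) in place of a signature, since the same person issues and checks the addresses; the key, the 8-character base32 tag and the function names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo values: replace the key with a long random secret kept on the mail server.
SECRET = b"constructed-demo-key-not-for-real-use"
DOMAIN = "yourdomain.example"
TAG_LEN = 8  # 8 base32 chars = 40 bits; an assumption chosen to keep addresses short

_PREFIX_RE = re.compile(r"^[a-z0-9]+(?:[.-][a-z0-9]+)*$")


def _tag(prefix: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 of the prefix, as lowercase base32 (a-z, 2-7)."""
    mac = hmac.new(key, prefix.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(prefix: str, key: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Issue prefix-tag@domain; the tag binds the address to this exact prefix."""
    prefix = prefix.lower()
    if not _PREFIX_RE.match(prefix):
        raise ValueError("prefix must be letters/digits, optionally joined by '.' or '-'")
    return f"{prefix}-{_tag(prefix, key)}@{domain}"


def verify_alias(address: str, key: bytes = SECRET, domain: str = DOMAIN):
    """Return the prefix if the address was issued with this key, else None."""
    local, at, dom = address.rpartition("@")
    if not at or dom.lower() != domain:
        return None
    # Senders often change the case of an address, so compare in lowercase.
    prefix, dash, tag = local.lower().rpartition("-")
    if not dash or not prefix:
        return None  # bare local part such as info@ or john@: never issued
    expected = _tag(prefix, key)
    # Constant-time comparison; bytes so that non-ASCII input cannot raise.
    if hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return prefix
    return None


def triage(recipients, key: bytes = SECRET, domain: str = DOMAIN):
    """Split envelope recipients into accepted {address: prefix} and rejected list."""
    accepted, rejected = {}, []
    for rcpt in recipients:
        prefix = verify_alias(rcpt, key, domain)
        if prefix is None:
            rejected.append(rcpt)
        else:
            accepted[rcpt] = prefix
    return accepted, rejected
```

A catch-all that only accepts recipients passing `verify_alias` also rejects dictionary-style guesses such as info@ or john@, because those carry no valid tag.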
Agreed. I do this and even without any good spam filter, my spam is down to at most 2 a week. The reason behind this is that most companies that exchange data use email/phone number as a unique key.
(I use fastmail to host. This is the only reason I can't use Hey yet.)
I would do something like that but with a simple rule/cipher that can be computed mentally and is not completely obvious at first look. Like a shift cipher of the first two characters of the name:
How on earth is that anonymous? All of your emails are on the same domain, and nobody else is using that domain. As soon as I see an email @jamesboehmersdomain, I know that it belongs to jamesboehmer.
You're right, it's not 100% anonymous. But my name's not in the domain, and I use WhoisGuard with my registrar. It's reasonably effective, cheap, and a low effort way to deflect the bots and identify suspicious activity.
7786655's point was that the custom domain is not perfect anonymity because if someone knows who owns the domain, then they know the owner of every email. If someone discovers my pseudonymous gmail account, then the same problem exists. But perfect anonymity was never my goal.
I wouldn't tie my entire digital identity to whatever's cheapest if I could avoid it.
In my case I use my CC TLD. I'm in a generally stable nation that follows the rule of law and the administrator of the CC TLD has all sorts of processes in place that I have access to as far as regaining control of the domain if it's inappropriately transferred, making appeals, etc.
The extra $10 or so a year this costs is very much worth it to me as basically a form of insurance.
Like Hamuko said, there are domains like .party, etc that are cheap. However, some sites won't take them. My main junk account is a wildcard .party domain. It'll work with most sites, but the odd one won't take them. I ended up registering a .com that goes to the same inbox to get around these.
Another issue is that unless one also gets a new IP address for the mail server, it might be possible to associate the real domain with this "anonymous" one.
My experience with email in general has been so exhausting. This year I finally set up a new email address at a custom domain (with * catchall), but what I've found is that I'm afraid to give it to anyone. Right now I'm using it to communicate with like 3 people and it feels so nice.
I may use the * in the future for custom emails for groups of concerns (jobs@domain or applications@domain, hn@domain, banking@domain), but I'm worried it will just add to the heaping mental overhead I already experience when working with email (what was my address I use for this again...?, etc). I can't help the feeling that it's just a matter of time before it starts to look like my original email account where even unsubscribing from things seems like a labor of Sisyphus, but this time with the added noise of it going to an email naming system I've lost control of.
I do the catchall thing too, but Migadu has an API for creating aliases... I think it'd be pretty cool to create a little script to generate random aliases and keep track of them.
Sending email from your own domain is anything but easy. You need SPF, DKIM and DMARC at minimum. Are you going to host your own mail server? No one will accept your emails. Will you use sendgrid or postmark or SES? Enjoy having your emails (especially in the beginning) randomly end up in spam folders or worse completely quarantined (no bounce, nothing in spam folder) for various large institutions using MS Forefront.
Owning your own domain name for email and running your own email server are two completely different discussions. The first is recommended while the second is not.
This sure was the case before, and I'm likely in my own bubble when I say this. I think many spam filters are nowadays very good. SPF+DKIM+DMARC setup makes a huge difference. I have a small server that occasionally sends emails, and I never had a problem with emails ending up in spam.
The IP reputation matters a lot, followed by the content itself. I don't think email recipient servers downright mark all lesser known senders as spam.
I send only transactional emails (confirm email and so on, no newsletters, you can't say I'm spamming people - I suck at follow ups) and while Gmail and other free email providers work just fine, it's the institutions where you start with negative reputation it seems and have to work to earn the right to send email to users who asked for it.
Using your own private domain does not give you the same level of anonymity. Your domain name becomes a globally unique identifier that companies (and once leaked, anyone) can use to fingerprint your activity online.
I do something like this too except the aliases are manually created. I went one step further and made an optional learning period for addresses so anything from a previously unseen sender address after x days is dropped. I also added an optional lifespan to the address so it is only valid for Y days.
I have a similar setup, but use it on a subdomain, e.g. *@sub.example.com
This makes it harder to just randomly spam <anything>@example.com because you need the subdomain, which is what spammers do - just randomly generate local parts that might exist. info, john, sales, etc.
I've used a catchall domain for 10 years or so, never got any botspam like that. Only thing I got sometimes was spam to info@domain, and this can be easily ignored.
Do those bots really exist? I would think the TLD I use is just not interesting enough for them, but it's from a big country.
Yes, they did exist. I stopped using catchall because of them. It's not as common these days, looking at my postfix log. Though some large spammers were shut down a few years ago. I saw a sharp 60-70% drop in spam volume when that happened. So maybe someone who was doing this dictionary search gave up or was shut down too in the recent past.
I have this regularly. My catch all gets emails from a bot that tries common first names at my domain, but sometimes really weird ones as well, seemingly random such as a23ssaaaa@example.com
I like the way Fastmail handles this. Your normal email is user@domain.tld, and you can configure the service to also treat emails to <anything>@user.domain.tld as having been sent to you.
I have never seen bots try random addresses on a subdomain.
This is exactly how I use Fastmail. Every newsletter/new account has a dedicated email address that is an alias to my primary fastmail address, based on a custom combination.
That way, it’s super easy to know which service is actually either spamming me, or leaked my email address.
How do you configure this? I assume I need to create a catch-all alias for this to work. I added *@domain.tld but when I send an email to test@user.domain.tld, it bounces.
This is an interesting reminder... I've been using catch-all on @mydomain for at least 15 years, and I went through a phase where I'd get a lot of random strings @mydomain. I set up dummy honeypot@mydomain accounts and added a lot of crap as aliases so they'd get tucked away in a disabled account. (I also do that with any "valid" email addresses that start to get spam.) It was a pain in the butt, but it also stopped quite a while ago. With newer domains, I tend to see stupid common ones like "info", "postmaster", etc. getting spam, but haven't seen the random gibberish ones.
Do people not already get their primary inboxes flooded with spam anyway? I've found my email provider's spam filtering pretty good anyway, it hasn't been an issue.
The age of your email address is a big factor. Both my work and personal (custom domain) addresses have been active for over 20 years. I’d say 85-90 percent of what I get in my inbox is spam, despite Google and Microsoft “ML filters” in place.
Most of this is “tech salesperson” spam or corporate newsletter type stuff. But they bought my email address, and are sending unsolicited mail, so I report it all hoping to harm their reputation with Google and Microsoft.
This is a terrible solution. Updating aliases takes a few seconds, you can even shorten this time by creating a simple script adding the new alias and updating the aliases db.
What's bad about it? Been doing this for more than a year now and I've not encountered any problems. I've had catchall emails for every domain I own for 20 years or so and the worst I get is cold sales emails to info@ and sales@.
If I want to block an incoming address it's a few clicks away, I've just never needed to because spam filtering works pretty well. Perhaps that might change some day and I'll switch to a whitelist approach.
And what happens when Firefox decides to drop this option 1-2 years into the future? I reckon they'll give time to change the email address on all the pages one used it for, but still...
nvm, it's in the FAQ:
"What happens if Mozilla shuts down the Firefox Relay service?
We will give you advance notice that you need to change the email address of any accounts that are using Relay aliases."
Note that one cannot reply using this service (yet). So the whole anonymity is gone as soon as one wants to contact some service without disclosing the real address (?)
While you're here, can you test the relay dashboard (where you can create aliases) on Firefox for Android 84.1.4 ? The scroll is incredibly sluggish, I don't know what scroll effect you added but please have a look. It's a bit unfortunate for a Mozilla service ^^ I can provide you a screen capture if needed.
> And what happens when Firefox decides to drop this option 1-2 years into the future?
The same thing if any other company did it. That said, I do hope they'll offer an option to pay for more email relays which could also ensure its viability. Having 5 relays for free is nice, but I'd personally use a unique address per service.
I'm probably going to use it for "throw-away" email. As in, I just need to receive a link right now so the service think they have my real address, after that the alias might as well be trashed.
The only thing I'm worried is that this domain will soon be blacklisted by services (especially those I don't want to give my email address to).
For that use case you can just use a temporary email provider like temp-mail.org which are harder to blacklist since they have a lot of random domains.
Firefox Relay seems easier to use, thanks to the one-click generated emails by the browser extension and the fact that the emails arrive in your actual inbox. But I agree that the domain is going to land on all the blacklists -- I hope they implement alternative domains for this reason.
Same. I have been using Tresorit Send [1] and Visée's (developer of ffsend CLI tool) Firefox Send instance [2] in the meantime. Visée is also looking for donations [3] to support hosting of that instance.
Founder of Owl Mail [https://owlmail.io] here. It's easy for me to promise Owl Mail will not shut down without significant advance notice (hopefully that never happens, but if it does I will provide a clear transition plan for all users).
As a token of confidence, I've moved all ~150 of my online accounts (including all banking, financial, and healthcare accounts) to Owl Mail – it needs to exist for my life to operate smoothly.
1. Yes, only @owlmail.io domains for now. But, Owl Mail will allow for custom domains soon.
2. An upcoming feature will enable the creation of sender 'allow' and 'deny' lists for each Owl Mail address (With default sender 'allow' lists for top sites). Currently I track my account credentials in a password manager. A browser extension is also on Owl Mail's roadmap.
Big name websites generally have enough users that email "just works". Smaller websites are more likely to use misguided measures such as a bad email validating regex (hello to anyone with a non-standard TLD!), only allowing gmail, or blacklisting domains like these.
One time email domains and email forward services are usually blocked, there are very long block lists for such domains.
From my personal experience it is best to have a secondary email account on a provider that is usually not blocked (like gmail), to keep your primary email account clean.
> use misguided measures such as a bad email validating regex
Ever heard of Magento? They have that built in, at least in version 1. But it's a fixed list with "valid TLDs", anything not on that is not accepted when registering.
Feels strange, when you can't register on your own shop...
I use a .dev domain for my main email address, and I occasionally encounter sites that don't accept it as valid. Even worse, sometimes I could create an account but then something would be broken, such as when I could log in to Best Buy via their mobile app, but not their website (or vice-versa—I can't remember for sure). I'm assuming I get hit both by incomplete whitelists and ill-advised blacklists.
I've always been extremely annoyed by these attempts to "detect fake email addresses/accounts".
People can have more than one email address, so if your goal is "one account/offer/trial membership per real person", email ain't the way to achieve that, period.
Even worse are sites that disallow registering via "freemail providers" and require you to "use your ISP's or employer's". (Haven't seen this one in a while, but it definitely used to be a thing.)
The goal isn't to have one account/offer/trial per person, the goal is to ward off bots and spammers who are going to misuse your service. Since they know they are doing that and they know they could be held liable for what they do, they use sketchy disposable email addresses.
My sites and apps have a blacklist and we don't allow email accounts from those. It's just me running this thing. If I had the security and engineering workforce of even a mid-sized tech company, I wouldn't have to do this. Alas.
I encourage you to instead try out https://forwardemail.net. I'm launching our browser extension and our SMTP service very soon. It's completely open-source and free. No logging either. We're the only service that doesn't write emails let alone logs to disk nor store any metadata.
You can use unlimited custom domains and create disposable aliases on the fly as well!
Should always use two or more of such services in a cascade to generate a mix network for true anonymity. Wait: The E-Mail forwarder would actually need to remove the To: fields to support this...
Hi niftylettuce – I'm working on something similar – Owl Mail [https://owlmail.io].
I've discovered some cool new products in this thread and Forward Email looks great. I'm glad there are other people out there working on solving this problem!
I generate long completely random aliases also for another reason: to help with phishing detection.
I store aliases in DB along with a short description of to whom they were issued, and some extra flags. My mail client then highlights emails sent to these aliases in green color and shows their description instead of the alias itself in the "From" column of the message list.
I always give random aliases to online services, eshops, shipping companies, etc. These private aliases will never receive SPAM, or phishing, unless leaked by the company.
Anything that looks like a transactional email from some service, and is not sent to private alias, just gets deleted right away. It's not even worth opening, no matter how good it looks.
And I can keep my phishing guard up on much lower volume of green emails. It also makes whitelisting transactional email easier, without allowing random SPAM to the Inbox, because filtering based on the "shared secret" per company delivery address will allow in all important email from the company, regardless of how or from what address it was sent.
Services like this usually get banned by a lot of websites for various reasons. One solution could be to rotate domains from time to time, but I doubt they're gonna do this.
To be fair to Firefox, the only reason there is such a high rate of churn with their services is that they are trying to preserve their mission in the face of competition with Big Tech giants like Google. The more you support Firefox, the more likely it will be that this service will stick.
Here is the list of permissions the extension requires:
- Access your data for all web sites
If even the browser vendor can't do better than requesting access to everything I'm not surprised that we end up with extensions being sold and abused (for their permissions).
As a developer, I can say that this is maybe possible, but not easy.
Because so many things have to be hardcoded in the manifest, the code and UI get complicated and messy quickly if you try to work around that to provide both ways.
I have been using AnonAddy[0] for this, with great results. I initially used Firefox Relay, but switched to get more than 5 aliases. AnonAddy also recently added support for replies.
Discovered AnonAddy (which my friends and I call AnonDaddy) last week and I'm in love. The reply function works perfectly. I cannot stop suggesting it to people.
Unfortunately HackMD rejects the anonaddy.com TLD, so I've had to use my "real" address there, but so far everywhere else it works fine. A clever friend realized you can register a new github account with an anonaddy address and use that to connect to HackMD. Smart.
Great service. Free tier is great. Will probably end up paying and adding my own domain for the odd site that rejects theirs.
The only feature I'd like is greater bandwidth allowance per month on the lite plan. Current limits are 10MB per month free tier, 50MB on $1/mo lite tier, and unlimited on Pro. But fair enough.
One of the best things about AnonAddy is that it allows you to create aliases on the fly. So, I hardly even need to visit their website, browser extension or anything.
I thought support for replies was available for a long time. Happy SimpleLogin [1] customer here, which has a pricing similar to that of AnonAddy's highest tier.
This looks great. What I couldn't easily find for any of these services was a comparison with just using a catch-all address. I already have that in place. What sold SimpleLogin and AnonAddy for you?
Ages ago I used "Bigfoot"'s free email forwarding for life. Which turned into a subset of email with limitations, fees, ads, and eventually shutdown.
Later I had my own domain, and did the address-per-site thing. Which was an absolute nightmare to undo when I sold the domain (grepping thru the raw self-hosted mbox and logging into and changing my email on hundreds of sites), although it was a great excuse to get going on using a password manager.
At this point I could use "plus addressing" at Fastmail (e.g. amazon+me@domain.com), but I find the endeavor pretty pointless. My spam is low, and I never once found it especially valuable to be able to identify or isolate an offending domain.
I don't expect that Firefox will go "full Bigfoot" on this one in terms of ads and fees but shutdown is a PITA risk. I would personally only use this kind of stuff for genuine one-offs where anonymity is paramount (read: probably not at all).
Another option for an email relay service is the venerable Spamgourmet[0]. I'm a long-time user (a decade at least) and according to the site "Your message stats: 11,298 forwarded, 27,539 eaten. You have 172 spamgourmet address(es)." I haven't had too many problems with the service, mainly the problems are with third-parties that block the spamgourmet.com domain but there are alternate, more obscure domain names that can be used (such as @xoxy.net IIRC).
There are plusses and minuses to SG, but it's free as in beer and if your Perl and ops chops are in good shape the code is available for self-hosting. The hosted service does not support bringing your own domain but has other nifty features that might appeal to HN power users. Worth a look if you're in the market for this kind of thing.
This gives you the benefit of disable-able email addresses, but not the benefit of privacy. Those companies (and once leaked, anyone) can use your custom email domain as a fingerprint for your online activity.
(Source, I'm the creator of Owl Mail [https://owlmail.io] and this is a common question.)
If you give your personal email address to hundreds of services online one of them is bound to sell or leak your email.
By using Owl Mail (or Firefox Relay, etc.) addresses everywhere, you reduce your attack surface to one security-fastidious company.
And, even if Owl Mail (or Firefox Relay, etc.) were to experience a data breach, at least it would greatly increase the effort required to match emails to your identity.
Also, I think one thing you should look into as a natural evolution is promoting the use of auto-generated, secure passwords unique to each relay address.
I like the idea. But relay.firefox.com could have been shorter, I suppose it doesn’t matter here because the extension is supposed to roll you a new one and paste it in. But I’d like a service with a shorter domain for reading to people over the phone or at a store, double especially when it’s a throwaway anyhow.
Is this something similar to https://simplelogin.io/? If it is, simplelogin is a self-hostable solution. If you're really worried about privacy, this would cut out the possibility that Mozilla might be reading your messages.
I installed the extension. Turns out you only get 5 aliases which makes it kinda useless.
Also, it seems to forward to the address associated with your firefox account (which could end up at a mail provider you don't want the relayed emails to go to).
I'll stick with my own *@sub.example.com forwarding setup instead.
> In 2006, the Mozilla Corporation generated $66.8 million in revenue and $19.8 million in expenses, with 85% of that revenue coming from Google for "assigning [Google] as the browser's default search engine, and for click-throughs on ads placed on the ensuing search results pages."
I'll pay Mozilla and based on prior discussion on HN, I'm sure a lot of people will pay Mozilla for a paid email service just because of their reputation.
I don't know. It's so easy to just create a random Gmail address and forward email from it. Maybe this makes it easier, but Gmail is one of the few Google products that I feel pretty confident will be around for a long time.
One still has to enter a mobile number to sign up for that Google account. But the larger difference is, that account would still be a standalone email address, which just happens to forward to your main Gmail address. But Firefox Relay (and similar products, like AnonAddy and SimpleLogin) are alias services. The idea with these services is to create addresses that can be immediately blocked, if they get into the hands of spammers. I am a happy SimpleLogin customer, and have made as many as 200 addresses. AnonAddy is a great start too, for those that need unlimited addresses. Both allow responding from those addresses, while AnonAddy's count is less.
Yandex Mail [0] is a better choice for this than Gmail. It also asks for a phone number to validate, on sign up. But there's a box you can tick which says something like "I don't have a mobile phone" and then you can validate with a Captcha instead.
The concept is similar. But Apple only provides this feature on sites that implement "Sign in with Apple". Firefox Relay allows you to create these relays on the fly, ad-hoc to put into any email field on the web (like sign up for my newsletter fields).
That's nice and convenient, Mozilla, but Firefox the browser is an essential piece of software at this point. How about focusing your precious cash on that?
Essential, but maintaining a browser in the face of enormous competition from Google and Microsoft is tough. If you support Firefox with these new endeavors, you are helping preserve the browser as well. Since times are changing, Mozilla must either adapt or be out-competed.
It's the same logic by which NGOs send physical mail and even small gifts like greetings cards and personalized stationery encouraging people to donate again:
That's not what I'm donating to an NGO for, but if doing so nets them more donations usable for their causes in the end, that's something I can get behind.
If Mozilla can find ways to generate additional income that also align with their values and don't put them into conflicts of interest, I can get behind that. (The management isn't exactly known for frugality and excellence in resource allocation though, so I'm taking it with a grain of salt.)
1. No, been around for over six months. Possibly longer, but I got access sometime between June and August.
2. That may be a good question for developers at #firefox-relay:mozilla.org (Matrix room)
3. It has come up in a few tweets in the past, but 1Password does not seem to have any plans for now. I use SimpleLogin browser extensions, and 1Password neatly picks up that alias address from my signup form.