Hacker News new | past | comments | ask | show | jobs | submit login
Masked email from Fastmail and 1Password (fastmail.com)
380 points by davidbarker on Sept 28, 2021 | hide | past | favorite | 207 comments

I love the idea of doing this. Just like I do the idea of using Apple's "hide my email" feature. But in reality you're completely locking yourself into that provider. What if I want to change provider or the provider decides to sunset this feature. My logins are now split up so much it'll be a full time job getting them set back to my primary email address. It's a trade-off I guess because you can't solve it any other way from what I know of!

Hi, one of the 1Password engineers who worked on this. Glad to hear that you like the idea!

One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.

Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.

I've had this thought for a product multiple times. I run my own mail server, and for years I've created a random email for every service. Main reason was to figure out who is selling my email addresses.

The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.

I've had services refuse my fastmail.fm email address, with the reason that they don't allow "disposable" email accounts. But they accepted my gmail.com address....

Not that this was their criteria (they seldom if ever think it through to this level), but gmail requires phone number after a certain point. And they only allow 4 accounts per phone number.

That's a good concern.

I can't fully speak for the Fastmail folks, but I know that there are a few upper limits for how many masked email addresses that one account can create. We tried to set them unreasonably high to allow for all manner of legitimate use while still preventing bad actors. They're also monitoring usage and tuning that limit. Plus, you can always email support and ask for a increase for your specific account, if you ever bump up against it.

Sell private domains as an "enterprise" feature, and have different sets of IP blocks warmed and ready to go for when they eventually get blacklisted. But selling it as a service involves a higher level of effort due to that exposure. Configuring a private domain for just yourself to solve the problem just for you doesn't have the same risk exposure.

mailinator's been around providing this (as a recieve only) service for decades by this point.

Hang on hot potatoes. I use 1Password. So are you saying I can generate a login that uses



Those +plus aliases still make it easy for people find your actual email address.

We go one step further and generate a random email address for each new service you sign up with. It'll look something like "hot.potatoes4827@mydomain.com".

You can create a new masked email anywhere you have the 1Password browser extension, including our brand new iOS Safari extension.

This is nice in terms of hiding your actual address. However, it makes migrating away harder because now instead of setting a simple rule to strip the + for forwarding, you need to individually map each address.

So what is it that you want? Either you want a masked email or you want an easy way to migrate away. You could still setup trashcan+randomdigits@yourdomain.com manually. Or you could setup a catchall rule for your new provider.

Unfortunately, way too many internet services don't allow the plus sign in an email address. It's weird, but it's true.

Even worse I've had front end systems accept account creation with this address format, but their backend system fails when using some integrated service. The result is 3 months after setting up the account something breaks when I try some other functionality and I have had to contact their help desk and ultimately we stumble through and realize the problem may be my email address.

There are varying level of masking. I would consider an email myusername+random@domain.com as a masked address. Of course it is trivially unmasked. But assuming I am willing to accept that, it does offer a different tradeoff with respect to convenience. It's true though that is fairly trivial to manually add +random

`sed s/[+].*@//` over the email list will get rid of enough "plus" email addresses. Better use a custom delimiter if you're relying on the + character for anything.

> you need to individually map each address.

How hard is that though? Export all email addresses from 1Password (trivial), extract generated emails (trivial), and add forwarding rules for each one in your mail server (trivial to easy depending on your setup).

Maybe not easy for non-savvy users, but neither is a custom domain or even knowing about the + trick.

Or you could just enable a catchall address and get all of them without doing any stripping or mapping.

True although this only works if you're the only user on your domain.

I have an extra domain attached to fastmail which I only use for junk. If you know the domain where my main email lives, you can pretty much guess a couple of aliases which will work. I want my junk mail completely separate from my useful mail

Settings -> Domains -> Team Settings -> Masked email domain.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort

I ended up at https://$mydomain.1password.com/integrations/directory and I can only see Fastmail as an option. Clicking there it asks me to Connect with Fastmail rather than that I can provide my own domain. I already have a wildcard domain setup so I'd like to use it as @davzie mentioned.

You need to OAuth to Fastmail (the service) to hook it up, then as was mentioned above, you can go into the settings in your Fastmail account to choose which domain your Masked Email addresses are created in:

Settings -> Domains -> Team Settings -> Masked email domain

It will default to fastmail.com, but easy to change it.

Oh, I completely misunderstood then, I thought I could do this with just 1Password. I already have email setup myself and don't need Fastmail, so then it seems I cannot use this feature. I'll just continue myself to randomly generate my addresses then...

Well, as I understand it you'd have to do this manually. As in, pick a random alias for the site, use that as you email address there and enter the same one in 1password (or any other credential store).

The full "it just works" integration seems to only work between 1password and fastmail directly.

With fastmail, you can do that already. I do that. I have addresses like some_random_list_I_joined@mydomain.com

True! I've been doing wildcard.company.name@mydomain.com for a few years now with Fastmail. This makes it one step easier to generate that email address, as well as one-click blocking any alias that starts receiving spam.

You can also do things like a wildcard on a subdomain like dodgywebsite@auto.yourdomain.com.

Otherwise subaddressing with + works well with most mail hosts other than Microsoft Exchange / Office365 (which have had endless problems).

That's the way to go. I set up a rule where everything going to *@a.mydomain.com goes into a folder which I largely ignore. Every website gets a unique prefix, e.g. ycombinator@a.domain.com.

The advantage of Masked Emails is that third parties won't even know about mydomain.com. The disadvantage is that you need 1Password to recall which email address you used with a particular website.

You also need to be a Fastmail customer.

Yes, but if you goal is to hide your identity, this really wouldn't work. Everything is still tagged to your identity, i.e. @mydomain.com.

> Yes, but if you goal is to hide your identity, this really wouldn't work

It still could.

> Everything is still tagged to your identity, i.e. @mydomain.com.

If your domain is tied to your identity, then yes. But to be extra clear, this should have said "Everything is still tagged to your domain" as not everyone has their domain tied to their identity. I for example have my domain setup njal.la with zero personal details attached to the domain itself, either publicly or at njal.la.

Except now this comment ties your username to that domain ;)

To njal.la? I guess that's fine, I'm not their only user ;)

Maybe not the best idea to provide that info in searchable plaintext tied to an account you own?

Neither my identity here, my domain or my account on njal.la is connected to anything in my real life so not sure why it would be a bad idea?

A comment you made in the past or make in the future could reveal something; simply changing the text to "njal dot la" would prevent a google search of the domain from finding this.

Doesn’t that rather defeat the point though? I can set up a wildcard for fastmail and use any account name I want to sign up to services without any intervention from 1password.

Edit: saw someone point out this only works for one user per domain.

I've been a happy Fastmail customer for years prior to working on this feature. I've used a wildcard with my Fastmail account, created a new email address for each service I sign up with, and stored that email address in 1Password. All by hand. It's a tiny hassle, but one that I think is worth it.

The Masked Email integration makes that entire process automatic. It's even easier than before. It's enough to convince a few Fastmail-using friends to start doing it.

Yeah I also do this: I own my domain and I use a catch-all setup at my email provider so <anything>@jpreston.xyz goes to my inbox.

I suppose the advantage with a non-custom domain is you leak no info about yourself, the masked email is 'just another Fastmail email address'. But doing it for a custom domain feels like it defeats the point, isn't it just like catch-all at that point?

The value is in knowing who leaked your email address, and being able to take action based on that. If you use a unique address for every service then you can know for certain random Internet store got hacked, or sold their database. In either case, you kill the credit card you used (privacy.com) for that store before it gets used elsewhere, saving you additional time and money on having to deal with your banks.

It lets you migrate without having to update your email across every account.

It’s what I do with a custom domain (though only have a handful of custom aliases currently).

Having this integrated in a first class way is a nice surprise and a really great feature imo.

It’ll make it easy to see who leaked your email and kill the alias while also not locking you into to fastmail forever as a provider.

I already was doing something similar and have been for what…5 years I think? Anyway, I have an account with Fastmail and my own domain configured with their “catch all addressing” feature, such that anything before the @ doesn’t matter, it ALL goes to me and only me (I’m the sole user of said domain). So I can do things like apple@mydomain, microsoft@mydomain, playstation@mydomain and so on to both keep each address separate from the others and so if there’s a breach or other shady shit going down, I know at a glance who’s responsible and this have some idea of my exposure risk. Ideally though I’d like to be using UUIDs before the @ so specific targeting by guessing something like “I’ll bet his Venmo account is venmo@“ won’t be possible, I just haven’t started doing that yet.

Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.

As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail

In addition, wildcard forwarding isn’t a perfect substitute because email spambots love sending to addresses like webmaster@mydomain.com or john.doe@mydomain.com. The number of permutations they try is varied enough that an explicit allowlist is a must.

Just use something like 'servicerelay-<randomdigits>@yourdomain.com' and setup spam filtering rules that lets pass everything received at 'servicerelay-*' and delete or reject everything else.

Adding my disagreement to the chorus— the number of permutations they try on my personal domain is not high enough to warrant an explicit allowlist. I actually don't even have a blocklist; I simply don't receive that much spam.

Most of it comes to two addresses which are public via git (one from commit logs, the other explicitly stored in a repo).

I do what the GP said and I haven’t any problem with “guessed” addresses like that. I do have a problem with obvious spam from a GMail account (which is setup to forward to my domain), so, go figure.

Not an issue for me, so far. And I have been using that domain for over 5 years now.

you can block a specific alias or address from receiving mail in the mail rules, even if you have wildcard rules setup

Have you encountered issues with signing up with certain services? I know a few run checks to see if the domain is a catch-all (eg. sending to `pwgen`@domain.example and checking for a bounce) and will block signup when that happens.

I've been doing the catch-all signup for over a decade myself and haven't had any issues. What service checks stuff like that?

I can't find it now, but there was a mildly populae HN thread about a service that does "email validation" and part of it did catch-all detection, and there do seem to be other services that market this[0].

0: https://www.email-validator.net/blog/validating-catch-all-em... (warning: annoying marketing page)

But do you have a chrome/FF extension that makes it easier to use? Or do you just own your own domain name?

I really like fastmail as a service and business. It's being subject to Australian data laws that gives me pause. That's significant competitive disadvantage for fastmail when marketing internationally to privacy-conscious users.[1]

[1] https://en.m.wikipedia.org/wiki/Mass_surveillance_in_Austral...

Which countries do you recommend using a similar service from? (And what are those services called?) OpSec is hard and sometimes you really do need perfect and not "good enough", but, like PGP, there need to actually be viable alternatives available today that you can make a recommendation for, unless you're just concern trolling. (Five Eyes countries are right out, fwiw.)

Maybe! But here's the rub-- a US person has some legal protection against surveillance directly by the US, in the US, but (maybe?) none against Australia, for data processed in country or by Australians. Australia then (maybe?) has no safeguards against sharing their surveillance of US persons back to the US.

It's a legal and bureaucratic not technical puzzle. I wouldn't believe any comfort statement on the point either. This sequence isn't a bug, it's a feature of the Five Eyes configuration.

At the cost of manual effort or setting up a script (for registrars/mail providers with decent APIs), you can just use normal email aliases at a domain you own. That's what I do, most sites I register at get some sort of "sitetld_account@mydomain.com" alias. That's pretty portable, lots and lots of email providers (including standard "included with registration" ones at registrars like gandi.net) support essentially unlimited aliases (not like even tens of thousands of them represent any significant resource usage, they all ultimately feed to a single email account with said account's limits on storage and sending). I own the domain so I can point it wherever, and I can just copy/paste the entire list of aliases around.

Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!

As a compromise, I use a catchall email adress, so @«my HN handle, without numbers».me comes to my single mailbox. Then I use sieve filtering to sort the emails into folders based on the address they're sent to; if there's no special filing rule, it comes to my inbox. So, when I want to sign up for a new service, I can just pick an email (usually based on the domain name), no setup required (unless I want it to be filled into some particular folder).

The downside is that you (and spammers) can* send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».

On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).

Replying to this since it's the highest one at this point, but also a response to @piaste and @distances: I know about catch-all accounts, and more complex wildcard options that can exist. But to me those don't really quite hit all the use cases that site-specific ones do when it comes to spam and such, and I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere. And I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic. On the other hand they are indeed zero friction, so a valid option depending on where in the stack one wants to handle things.

The single other significant issue I can think of which has come up actually is when one desires to actually use email for two-way communication with a site, not just receiving stuff. Sending from aliases isn't really practical, spoofing the from address even from the same domain has a high chance of trigger all sorts of spam protection for obvious reasons. I'm sure there is probably some way to handle it from one's own server but that has its own challenges. So sending mail ends up being from a different address as the account, which most places don't seem to care about but seems to hit automated edge cases and snag things up once in a while.

> I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere.

This is why using a different email with each website is glorious! If example.com leaks my example.com@«my domain» address, I can enable stricter filters for that address.

> I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic.

This isn't game-over, either. As I noted, if this ever starts happening, I'll change my sieve filter so that any address without a filter rule gets sent to the trash, instead of my inbox. This does mean I lose the "zero friction" benefit, but adding a new address would still be just a single line in a text file. And it's much less lock-in than using the web interface of some given email provider to set up new aliases, since I can copy my filtering config over to any provider which supports sieve filters (and wildcard addresses).

That said, I don't think this will ever be a problem. Because "this looks like a catch-all account type email, try sending random stuff" is a pattern that makes you very easy to identify as a spammer. Given the possible address space, I don't see a scenario where the chance of hitting a real mailbox is worth the risk of blowing your cover and getting your mail server blocked.

If you already have a custom email domain (which is a good idea for the usual portability reasons) _and_ you pick an email provider that supports 'catch-all mailboxes', you can make it entirely frictionless.

When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)

If you own the domain, you can just point the MX records to Fastmail/whatever and register to all the different service with, say, service@mydomain.com or you@service.mydomain.com. No need to set up the addresses or aliases, you can just make them up as you go and deliver everything for mydomain to your inbox.

Yeah, you either have to use one of our (Fastmail's) domains, or your own domain in which case it's linked to you by the domain registration. Not much choice there!

For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.

To be fair, fastmail has a significant number of fun domains to create adddresses with :)

They actually seem to have thought about this.

> New Masked Email addresses will be created @fastmail.com. You can change this in Settings → Domains

I agree with you, and I'm looking forward to be trying this out.

What do you do if you want to change email provider or your email provider decides to stop their email service.

I think a lot of people have been spoiled by gmail's longevity. Unless you're using your own domain it's a wash anyways right?

I think this is an acceptable trust. I personally prefer trusting something with more longevity than fastmail (apple hide my email).

> I think a lot of people have been spoiled by gmail's longevity.

> I personally prefer trusting something with more longevity than fastmail

Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.

> I think a lot of people have been spoiled by gmail's longevity.

> I personally prefer trusting something with more longevity than fastmail (apple hide my email).

Fastmail (launched 1999) is older than Gmail (launched 2004).

Buy a super cheap domain that you park all of these new email addresses at, like 7467j.com. Then, if you ever need to switch providers, take the entire domain with you.

I have my own domain

I use Apple's Hide My Email to sign up on websites where I previously would have used a Temp-Mail-Service such as 10MinuteMail. These are websites I want to use anonymously (Hackernews for example). It's more convenient and they give you the option to reactivate disabled aliases later (useful if you need password reset). I don't think they made it to replace your primary email, although you could use it that way.

You can own the domain and use catch-all for the domain. Been doing that for years, works perfectly and it's super cheap.

For "hide my email"-like feature you can use a domain with a catch-all address and either use somehash@yourdomain.tld or just servicename@yourdomain.tld for every login.

Good point, i'll keep that in mind. It seems then, this feature is best for throwaway type accounts, where one could just create another new accoint if they want to migrate.


For people who want to do this and care about retaining ownership, would be probably wise to run their own email servers and using different patterns of catch all addresses.

For cell phones we’ve legislated that you can take your number with you.

Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?

HMM let's see

Wait till 2038 so you can say "aha! I told you so!"

or have peace of mind during the prime of my life for the next two decades

Long time Fastmail and 1Pass user here. While I agree that it would be best to not be locked in to particular providers, these are two of the providers who have a lot of my trust and to whom I’m paid up years in advance (at least in Fastmails case). Very excited to use this feature.

Thanks for the vote of confidence! If you have a custom domain at fastmail you can avoid any lock-in by using it for your masked addresses. Settings -> Domains -> Team Settings -> Masked email domain.

With that it's entirely portable. You can point your mx records at any other provider.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort.

I second those thanks. We very much appreciate your confidence in us!

Disclosure - I run Fastmail, though also only had tangential involvement in this effort.

Can I generate masked emails without fast mail? I already have a domain setup

This feature is an integration with Fastmail's masked addresses. You don't need to use their domain, but you do need to use them as your email provider.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort

As mentioned above, but which I think is a point worth being made several times, because I really think they've done a lot correctly here:

You can use your own domain.

>You can use your own domain.

But only if you use Fastmail for that domain.

Nah, you can set up a catchall on almost any provider and generate your own random usernames.

Fastmail doesn't (and, due to their model, can't) encrypt your email at rest in a way they can't read it.

I can't recommend using an email system like this to anyone who cares about security or privacy.

Fastmail admins can themselves read your entire email history, as well as any law enforcement fishing expedition in US or AUS.

That's true, but hardly unique to them; proton is the only email provider I know of that even tries to cover that case.

Hushmail did it years ago, until they were eventually forced to backdoor their client to steal a surveillance target's pass phrase.

Law enforcement or fastmail admins reading my personal email isn’t something I want, but isn’t so distasteful as for it to really be in my threat model such that I’m willing to go the lengths required to get an email provider that doesn’t have this ability, such as proton mail. I care about security and privacy and recommend fastmail, but I could see someone whose end all be all criterion of interest being privacy not wanting to use fastmail. But, this isn’t 99.999% of the population.

This would be a large personal disaster and a full time personal project if the service provider decides to shut down the service. One would have to crawl through all services they have signed up for to update the email addresses.

Instead get a domain. Configure email as well as a catch all address. Example anything@yourdomain.com would reach name@yourdomain.com which you use as your primary email address.

And say, if I am signing up for Netflix, I would give the email as netflix@yourdomain.com. The email automatically reaches my single primary inbox with the catch-all behavior. And if I find a lot of spam to netflix@yourdomain.com, I know which service is leaking my email address and I can quickly block all emails sent to netflix@yourdomain.com

One mild word of caution on this method. I too have done this forever but recently I have been running into a few businesses that get really upset if their name is in your email address and they will flag it as fraud despite there being no logical reason to do so. It isn't like I am using a domain name matching their name. The most staunch and stubborn of these I ran into recently was The Tractor Supply Company. I've been trying for a month to get a gift card reimbursed that they cancelled the order on because I had their name in the email address. There are a couple gaming companies that do this as well. Just pick a name that is unique and put it in your password database.

Yes, although so far I have not run in to being flagged for fraud, some have been very confused by it. So I have started doing short variations of it to make it less obvious, so The Tracor Supply Company would be something like trasu@s.domain.tld

And instead of having a catchall on my domain.tld I have it on a subdomain, like s.domain.tld , easy way to keep them separate.

I ran into this with a store credit card backed by Wells Fargo. They wouldn't accept

but they accepted

just fine. Seems like someone messed up the regex :)

Huh, I haven't had any problems using tractorsupply@mydomain.com

I've had a few people ask "That's your email?" and just briefly explained that I own the domain and get all email sent to it.

Your account may be old enough that the more aggressive anti-fraud measures have not kicked in. They made it clear to me that their system would flag my email by having their name it. I've explained to no less than 5 support members what a canary is and they still have not resolved my issues. I even changed my email, still no luck.

I haven't run into many companies that disallow their name in email addresses. AliExpress and Amazon come to mind.

I have, however, run into a number of large companies where I've been talking with employees who see my email for whatever reason, and have received the "Oh, do you work here too?" question.

A custom domain with wildcard for catch all is how I have been creating logins for the past 17 years. It is fascinating to see which addresses suddenly start getting spam down the road.

It is also very easy to nuke an address this way once it is a spam trap.

About 10 years here and hundreds of different addresses given out. I get surprisingly little spam. Most spam I get comes to addresses that were leaked in data breaches, or email to my old gmail address which is forwarded. I'd say maybe 5 of them have ever started getting spammed.

Been wanting to get into hosting my own email. This is genius. Thanks for the tip.

Do you have any issues with spam being sent to whatever_random_user@yourdomain.tld ?

This concern has been my #1 reason for not doing the same setup. Basically a fear of a never-ending list of random addresses to blacklist, which won’t have any meaningful effect because the next spammer will just use a different random value.

I recently abandoned this setup.

1. It’s not frequent that someone hands out your address to a 3rd party and when it does, it’s usually exactly the site you would expect. I’ve had it happen 1 time in the last 3 years across 150 different aliases.

2. It doesn’t work well for apps with weird URLs (lots of subdomains, shared domains etc.). You forget how you the address and now can’t login. Yes, maybe you have a password manager, but password managers fail frequently in my experience (e.g. they record the wrong username etc)

3. You are still traceable since ultimately all your addresses are in the same domain. Sure, advertisers aren’t looking for that pattern, but it’s not like you are truly hidden.

4. Domain hijacking can happen. So now you have to be mindful of your domain since it’s a juicy target; Someone hijacker’s your domain, redirects your banking email for a password reset.

1. Not sure how this is a problem.

2. Again, not a problem. Everyone should be using a pass manager.

3. If you use the same domain/email for your banks (or any other financial/important service) as you do for social media/gaming/whatever, then that's on you. It's basic security practice to separate the important things so basic hacks like the one you mention are useless.

4. The purpose of this is basic privacy and security, not to be truly hidden.

Good point. It is a bad idea to set up something as lasting as email addresses with a somewhat proprietary solution by two commercial entities and stray from pure standards. Temporary convenience turning into long term lock-in is a poorly understood issue, especially by people that don't necessarily have a technical background.

I have used aliases to catch spam and have gathered about 200 email aliases this way over the last 12 years or so, and it works well. Rather than using a catch-all, I manually create the alias with a script.

In this day and age, if you don't own the domain, you don't own your email. It is worth the 10 bucks to get your self a domain just so you can have a long term email.

That is exactly what I do.

There has to be a name for it; the closest I've come across is a canary trap.


> A canary trap is a method for exposing an information leak by giving different versions of a sensitive document to each of several suspects and seeing which version gets leaked.

How do you pick emails consistently?

If you sign up for league of legends, which email do you use? Riot? RiotGames? Lol? LeagueOfLegends?

Presumably you can always scan backwards to find your email address in your inbox, but maybe not. I guess maybe a password manager can help you remember, if you're diligent about always using it (and never end up locked out of your vault).

I recently started signing up for things with the + trick for gmail, but now I'm worried about having a bunch of email addresses I have no way of keeping track of.

Note that Fastmail already supports this even without 1Password, see “subdomain addressing” and “catchall aliases” in their help pages.

Okay, you convinced me that this is a good idea.

I can get a domain pretty easily but I hate the idea of managing my own email. Do you recommend a particular provider? Zoho or something?

Ideally, one would use me+uber@domain.tld / me+amzn@domain.tld / me+apple@domain.tld but then the identity me@domain.tld isn't masked.

If you prefer email forwarding, then: Cloudflare announced a free email-forwarding service just yesterday [0]. Not sure if they provide unlimited email forwarding rules. Other domain registrars like domains.google and namecheap.com also support email forwarding at no-cost.

If you prefer a managed mailbox, then: Zoho Mail, Fresh Mail, AWS WorkMail et al are nice if you'd also like to send emails using the address you sign up with.

Other than that, if you're technically inclined, then have SES plonk incoming emails in to S3 [1]

Be careful registering domain.tld without whois shield and/or with TLDs that require registrant to publicly reveal ownership (like .in)

See also: simplelogin.io and anonaddy.com

[0] https://archive.is/BEKi7

[1] https://archive.is/2iQCN

I use fastmail for this. It works great although my email address sometimes confuses people. For example, a small company I ordered something online from called me to ask why their business name is in my email address. I have 2 separate domains going to the same inbox, each domain can have any subdomain and email address I want. I can send emails from any of those addresses as well.

You can add a rot13 transformation on the company name (if there is a human on the other end), to be less confusing for them.


Nice tip. I've encountered the same thing. Love to see an email generator using this automated in bitwarden/keepass.

I'm extremely happy with mxroute, pricing is great and support is quick. I even host the email of two small companies there.

Many registrars offer catch-all forwarding (to your free personal email), which would be your best bet if you don't expect to need to send email.

If you can afford $6/mo, Google Workspace isn't bad, there's generally better security and it grants you a lot of control over your account's settings (and will remove ads from the Gmail app on your phone, even when only looking at your @gmail account inbox).

Otherwize, Zoho works, but now costs $12/user/year (it used to be free) so ymmv. Great if you were planning on pure POP/IMAP usage anyways.

Wait, the Gmail app on phones has ads?

Yes, it's unfortunate. I had forgotten about it since I've had a GSuite locally for a while but I see them when someone else opens their app.



Ah, I guess they're only for the Promotions and Social inbox categories, and I have inbox categories disabled.

If I saw an ad in my email client, my immediate action would be to find a new email client.

I can strongly recommend 33Mail for this. I've used it for years with zero hiccups. $1/month allows you to connect a custom domain. https://33mail.com/

Interestingly Fastmail have also allowed subdomains in addition to name+blah@domain.com routing, to make it harder to guess your "real" email.

So you can sign up for new companies with random@someservice.mydomain.com and have it still route into our inbox.


I've done this a bunch in past, but wish it was easier to go back and change existing services.

Also found a couple that reject sign-ups when their name is in the username part.

As a user of both 1Pass and Fastmail for years, this is a really neat addition.

Next I'd love 1Pass to generate random phone numbers to use that I can recall quickly for things like supermarket checkout where I need to enter a number to get their discounts, and I don't want to use my real one. Doesn't even need to be a genuine phone line, just a 10 digit code.

My personal solution to this problem was:

* register a pseudonymous domain and use Fastmail to forward it in to my real email

* use Twilio + a little TwiML to register a real phone number in my area code & have all messages/calls forward to my cell

This let me establish trust domains: when I share my email with an untrusted entity they get companyname@mypseudonym.com & the phone number I registered before. I always have the ability to know where the communications come from & can quickly cut off junk/spam at either source[1]. And if a company is trustworthy I could always move them to my real domain/phone if I so wanted.

[1]: Phone is obviously harder as there's only one number, but legitimate companies seldom if ever call – their junk is from a consistent text source that's easier to block. My burner & my clean numbers get about the same amount of autodialer calls, sadly.

> Also found a couple that reject sign-ups when their name is in the username part.

This is how you know not to use that company.

I've also found many, many companies that blacklist several keywords including "spam" (before using unique emails for all services I used spam@mydomain.com for most sign ups).

Kroger, at least, let's you change your "alternate ID" to any 10 digit number that isn't used by someone else. Just log in to the web site and change it.

I do this with fastmail already. I have a domain that accepts email to *@domain.tld —- all the messages reach one inbox. All my online accounts have the form service-name@domain.tld

Makes it easy when I receive spam to see who sold my email address.

There’s also zero overhead to “create” a new one. It works for any address.

I did this with even less setup. accountname+extratext@gmail.com has worked forever and you can do the same with a custom domain. I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.

I actually don't accept *@domain.tld even though I have a custom domain because I got too many fishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.

> unless you keep meticulous records, there's no way to figure out the exact email you used very easily

I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.

Be aware that using the “+” is giving you the illusion of privacy and control. A privacy research has shown, back in 2020, that companies like Oracle’s Bluekai (a massive ‘data broker’) has functions to normalize email with + in them to help with ad targeting and matching.

Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.


I guess it's good to know, but I never had any illusions of using it for privacy. It was mostly to see when I get added to a mailing list, where it might have come from. Another reason I abandoned it so quickly is, if someone sold my email address and put me on a new list, what can I do about it?

> I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.

Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.

I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.

Where I got bit was email was used as login. I was trying to log in but couldn't remember the specific email I had used even though I generally had a fairly specific schema.

A lot of services already worked out the + trick. Not many know about this feature of gmail yet: You can also put a dot anywhere inside your username. eg.

a.ccountname@gmail.com is the same as



and so on.

The trouble with *@domain.tld is that you get that many times as much spam. Unless your spam filter is 100% accurate, that increases the amount of spam that gets through.

I almost never get spam (see reply above), and if I do, then those addresses can be filtered easily. That is one of the purposes of using this setup.

I work through this by only accepting wildcards on a subdomain. I have a 'real' email address on the parent domain for actual human correspondence. Services and salespeople get the subdomain.

I am using name@random_site.mydomain because i encountered a few sites that rejected name+random_site@mydomain. reduces the "random name @ domain" spam, but still works good.

I do this too, have for 15 years. It works really well. I run a well configured postfix mail server for inbound and outbound mail. Incoming mail gets delivered to my fastmail acct. I get very little SPAM, a few messages per week, but I have spent a lot of time over the years getting it that way.

You don’t even need a wildcard email address to do it really, using a + delimiter in the user part of the address will accomplish the same.

For example: jdoe+netflix@example.org would be the address used on a netflix account.

However I do appreciate the additional anonymity a randomized or hashed user part provides

I do this too. My only issue I am having right now is I am "locked" to my current registrar because of how it is set up. Do you have a mail server you are using or just having your registrar do it? I am looking for alternate solutions that dont cost much.

Exact same for me. So far the only addresses (in probably around 200) that have been sold/leaked/spammed have been the one on my public site and Facebook, where it was public for a time.

If your facebook@domain.tld leaked, someone can guess you use mybank@domain.tld too and send something there.

And yet they haven't. If it becomes a problem, I could switch domains with a little work.

I do exactly the same, what is the advantage of masked emails over this pattern?

At least for me, the main advantage is that I can instantly block or delete a "masked" email address. With a catch all, you'll still be receiving mails.

And of course it's all just JMAP under the hood!

["MaskedEmail/set", { "create" : { "k1" : { "state" : "enabled", "description" : "Hacker News", "url" : "https://news.ycombinator.com" } } }, "R1"]


["MaskedEmail/set", { "created" : { "k1" : { "id" : "masked-123456", "email" : "flighty.emu5803@mydomain.example", "createdAt" : "2021-09-28T14:19:19Z" } } }, "R1"]

Very simple to work with.

Oh wow.

I knew fastmail was building JMAP but I didn't think to look at JMAP when I was trying to find fastmail's API that can be used to integrate this in other services. This is really nice compared to the SOAP/XML monstrosity I stumbled upon, heh.

I really wish that fastmail wasn't based in australia..

edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible to anyone who cares to use any autralia based products. I should have made that more clear.

The laws in question have no meaningful impact on Fastmail, and the amount of FUD concerning those laws is unreal.

Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.

You're right, of course, but this simply switches the "reason not to use Fastmail" from "based in Australia" to "not e2e encrypted and can rat out your entire email history".

I don't see e2ee email happening anytime soon. The technology is just not very user friendly. And honestly, without e2ee, I don't put much trust into providers like Protonmail either because at some point the email is coming in as plain text and that's where one could always siphon it off.

I would consider that a valid position to take! I don't feel my threat model justifies the limitations of E2E email, but many do.

I am not trying to tell you to use Fastmail, just that fear of doing so explicitly because of Australian law is silly. ;)

As much as this is a cool feature, the distoypian anti-privacy laws Australia [0] (where Fastmail is based) prevents me from ever using their service. I know it isn't their fault but it has to be said.

[0] https://www.iflscience.com/policy/australias-new-police-powe... [1]

It was the same, in my case. I was considering them for an email service, and then that happened.

There's a few alternatives to this:

https://www.spreadprivacy.com/introducing-email-protection-b... (beta only)



I know there are plenty of others, but I use all the above and found them reliable and intuitive.

I suggested this feature as a paid option to Bitwarden, hopefully they'll add this.

For now I'm using Firefox Relay, but the 5-email limit (without a plan for more) is a showstopper.

My worry was this required both FastMail and 1Password, to my delight you only need FastMail. Masked Email is an option under settings.

Already in the past I've been (ab)using Fastmail's email alias feature for this kind of purpose. Though it was a bit inconvenient as the UI always said that it takes 15 minutes for the new alias to become fully active. Great to see they now have simplified this!

I'm a current user of Fastmail and set up a wildcard alias for this purpose:


When I get spam to a particular alias, I blacklist it to my spam folder. Naturally this might get a little difficult if a spam bot ever figures this out where I'd need to move to a whitelist rather than blacklist process. But it's worked flawlessly for years so far.

At least with my method I don't need to create the alias in advance.

This is good to know. I might use this in a few scenarios, but I would not be willing to implement a password management service to get it.

Something not mentioned much is that you can respond to these messages that come in through a Masked Email, and your identity is hidden on the outbound messages as well.

They seamlessly integrate with the sender identity feature in Fastmail making it very clear that you are replying from the Masked Email.

From a quick analysis on the headers, I don't see anything that leaks who your real identity is, but of course Fastmail knows and could reveal that if legal reasons exist.

Overall smooth feature along with the ability to use a custom domain for portability (to a less sophisticated wildcard setup, or another provider).

Sounds great! Congratulations on the new offering. As a sidenote, when Fastmail blogs, can you put that on a subdomain? Webmail interface is really sluggish right now which I assume is an effect of this news.

I use fastmail's * alias against a custom domain, to achieve a similar thing. It forwards mail at any address to my normal email, then I just pick a name on signup, ie. hn@emaildomain.com.

I have registered a domain just for the purpose which doesn't have my name in it or host any websites or anything else which can be used to leak my identity with a whois privacy guard service.

It has the dual advantages of being guessable by me if something goes tits up with my self-hosted bitwarden, and I can eyeball who has leaked my email address on incoming spam.

Use your own domain for this!

Being locked in to a provider domain means you can never easily switch from them. It's a form of vendor lock-in. (Fastmail supports using your own domain, of course, but they also don't encrypt at rest in a way not readable to Fastmail, so you should avoid them.)

I wrote up a step by step howto for switching over to your own domain name:


Fastmail: Couldn't you give a 2 or 3 paragraph summary of your service instead of this silly "easy to read" format that seems all the rage for web pages over the last 10+ years? I mean, fastmail of all companies should get this. I have to come to hacker news to actually understand what is being offered, rather than some glitzy marketing haiku that could mean any number of things.

That's really nice, and exactly what I've been waiting for. I've been using a third party service for a while now, but it was a pain to have to manually create the email address first. Was tempted to switch to Apple, but that would lock me in to the Apple ecosystem completely. Being able to use two services that I use anyway is the perfect solution for me.

This feature is already available without 1Password account linked to Fastmail. You can already create email addresses with a random name linked to one of hundred or so domain names and have it forwarded to your email. I believe this page just details the automated 1Password integration.

Would be great to have it with bitwarden.com as well

But with Fastmail you can already do it using $RANDOM_STRING@$LOCAL_PART.fastmail.com and whichever password manager you use (you just have to do it in a more manual way, which in the long run can be a PITA, I understand)

One of the big selling points of this idea, and why we wanted to partner with 1Password for it, is that it has to be easy! Sure creating a new password for every site is a good idea, but the 1P plugin makes it so easy that it's simpler to use the really secure password it generates than to come up with something yourself.

And this "generate a Masked Email right there in the form where you're using it" pattern means that the friction is so low that it's a viable choice - it's EASIER to do the safe thing, and that's the real game changer.

Absolutely, making it easy it's a big selling point. As a happy FastMail customer, I would really like to see a similar thing with BitWarden which is my password manager of choice.

Anyway, keep up the good work!

It'd be great to see this as a somewhat generic feature for generating usernames and email aliases in 1password. I don't use fastmail and I'm not particularly interested in switching at this point in time. I would love it if 1password had a hook where you provide your custom domain and it generates a random address according to some schema defined using the current password-style configurator. I assume that the current fastmail limitation is because fastmail is ensuring that there is no conflict with existing aliases (which seems like it should be very low probability)?

Like many others in this thread, I have been using alias-to-subdomain remapping with Fastmail since time immemorial. Having this trick automated to some degree can be convenient for less geeky or fastidious users than I :)

Other than thinning my online identity to make any assumed attempts at correlation harder, in a couple of cases over the years I had the pleasure to "Gotcha!" companies selling (or losing) their users' email addresses. In other cases I also received unrelated spam on addresses as a result of undisclosed or less-publicised security breaches.

There was a Show HN project last year that did something similar. I'd be keen to try that out before this one. Unfortunately, I can't seem to find the link.

This looks like a cross between Mailinator and Fastmail. Great idea, but why is 1password involved? I don't want to sign up with yet another damn service, and I'm happy using my browser password store (or email client API key) to access fastmail without needing 1password. I don't understand why services like 1password even exist. They just increase your computer's attack surface. Am I missing something?

@Fastmail: Please let me delete a masked email after creating it. Thanks.

I just tried it with my own domain via the Fastmail iOS app. There doesn’t seem to be a way to delete things.

I do like that I can attach notes and have an easy block button. I might start using it instead of my existing wildcard setup, but need delete.

Using unique email per service is really great. I detected Zenni Optical either had a security breach or sold my information because of the unique email I used.

Go to Fastmail → Settings → Masked Email. There, click the "Edit" link next to the address you want to delete. On the following page, there's a big red "Delete" button. Works for me. :)

Update: looks like deletion only works when using the website, though.

Ah thanks. Currently out so didn’t check the desktop website. Hope the delete button can work on mobile too.

This is a great feature. I’m glad this will bring it to more people.

Looks great, but a bummer for Fastmail subscribers who use Lastpass. I can't imagine the nightmare of switching my family from Lastpass to 1Password. Password managers truly do create a lot of intertia. Though we're all Apple, at least I have the family using a third-party password manager in case we one day change hardware providers. For now, I suppose I'll have to stick with manually creating aliases.

I'm in the same situation, but with Bitwarden and not Lastpass. It's more of a hassle, but you can go to Settings > Masked Mails and generate mails as you wish.

Wont this just get fastmail.com blocked on registrations?

Hopefully not. These are still valid email addresses, they aren't throwaways (unless you want to throw one of them away!).

I think we will find that majority of companies that do potentially block it would be companies we don't want to do anything with to begin with. My thinking is a lot of companies only want a single user to register once so they can track that user anyway they can.

For example, I opened up Agoda once in firefox private tab, and searched for 2 specific hotels to get an idea of pricing. As I had signed into Agoda, less than 5 minutes after searching both those hotels were listed on facebook with discounts. So with ad's and social media blocked, the only way they could link me was via email.

If everyone starts using fastmail to hide their email, then companies cannot do this targeted advertising and will block it.

FastMail does support custom domains for disposable email addresses.

They also have a pretty big library of email domains to choose from that I can create normal alias for, so I'd be surprised to not see those come as an option in the future.

Does this also work for existing accounts within 1Password with e-mail addresses attached?

I can't find anything in the 1Password interface to change a login for current accounts.

All the language makes it sound like it's only upon login/account creation.

I guess the fallback is just manually creating one in Fastmail, but it's a bummer if you can't just do it from one place in 1Password.

This is great. I have hundreds of alias accounts in my fastmail for this exact purpose. It's really satisfying just making emails bounce back when they start sending spam. I also identified a service I used that was selling my email to straight up scammers/spammers.

I wish the block option for masked aliases was bouncing the emails and not sending them to trash.

I have always wanted to go down the one email per service method but it seemed to cumbersome to manage. Looks like it may be feasible now.

As someone who uses Fastmail and 1Password, thank you for posting this. Currently really impressed with both services, the prospect of linking the two and obtaining unique email addresses is even better!

I do it but you need a client that supports it in replies. The Fastmail web UI allows you to send from the custom email address. Clients like iOS Mail demand you configure an account-per-sender rather than letting you add an arbitrary address to the from: line.

I end up in a situation where if I don't pay close attention I leak my "main" email address.

I've been doing it with fastmail for a long time (I used another provider before them as well). I really don't see that the 1P integration changes much (I don't use 1P though, I use Bitwarden and KeepassXC, so maybe I'm missing something?).

@Fastmail: Another request. If I’m using my own domain, could the email generated be simpler?

Instead of “some.thing1234@”, I’d rather just have “thing1234@“.

Update: hmmm… looks like I can’t initiate an email with masked email though. I can set up my wildcard to do that in the more rare case when I need to initiate email.

FWIW, Yahoo! (of all places!) has had this feature for many years.

You can create an arbitrary number of disposable email addresses, keeping up to 50 of them active at a time.

You choose a prefix, and then your disposables have the form prefix-<whatever you want>@yahoo.com.

Literally 2 days ago was wanting something like this to use alongside a privacy.com card! This is great to have and since the addresses are fastmail addresses, they're unblockable unlike various throwaway address services that play a cat-and-mouse game.

Is this available for the permanent 1Password 7 license, or only for subscription customers?

I love Fastmail, I love 1password the two most important services in my life that I can pay for and the most satisfying.

I've just registered a new random domain to use for these aliases to further separate my identity from email leaks.

Some time ago, a site called randomail proposed the same service, but it closed... The problem is that registration forms often blocked randomail addresses, probably because the domain was on spam blocklists

The only reason I don't share my fastmail email id except for very specific cases is the fear of it getting circulated for spam.

With this feature, I can stop using my gmail account for general junk.

I'm using Fastmail's alias to serve the same purpose.

It seems Masked Email is useful primarily if you have 1Password account as a deeper integration to auto-fil email addresses during sign-up.

Does the 1password integration use an open Fastmail API that any password manager could theoretically use, or is it a deal they have exclusively with 1password?

I’d love this feature with Bitwarden.

I'm surprised spamgourmet.com has not been mentioned - created-on-use forwarding addresses with a built-in self destruct. It is a superb solution.

What a brilliant feature. May consider using fastmail now

I briefly got very excited about this since I'm a fastmail user, but apparently I need a 1Password account too? I don'nt understand why that would be, Fastmail is the email provider, they are the ones who can create random aliases. I don't use 1Password (they're terrible in my previous experiences with them and I prefer something that vaguely operates on principals I like), so why should I be forced to give them my data just to use a feature of my email provider? I'm sure there's something important I'm missing here.

It looks the 1Password integration is only for convenience. You can still go into Fastmail settings and create masked email addresses manually.

That's great news! The post made it sound like you had to have a 1Password account, but now that it's showing up in my account it doesn't appear to be the case. Thanks!

2nd confirmation here: I'm a Fastmail user who's never had a 1Password account and I seem to be able to create masked emails in settings no problem.

How is this different than user aliases? I am already making heavy use of those and this seems to do the same thing.

I wonder if this is tied in with haveibeenpwned.com? Compromised emails could almost be deleted automatically.

This is great, but why does Fastmail need 1Password to do this? Just a marketing collab thing?

Amazing feature. Couldn't be happier as a 1P and Fastmail user. Thanks!

We need additional research, funding and development into the Darkmail (DMTP/DMAP) protocols. https://darkmail.info/

Lavabit went under though, right ? I think the feds pretty seriously proved they could pull the rug out from under anyone using it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact