Hacker News new | past | comments | ask | show | jobs | submit login
Firefox Relay (firefox.com)
310 points by blacktulip 64 days ago | hide | past | favorite | 156 comments

I've been using this pattern for years.

I have a custom domain just for signups, and I sign up with [service].[username]@customdomain. The domain simply has a catchall email "accounts@customdomain"

Combined with a password manager (Bitwarden) this is absolutely brilliant.

* Spam: if I get any spam, I know exactly which company is responsible, whether directly, through selling user data or because of breaches. And I can simply block the whole alias.

* Multiple accounts: If you need a second account with some service, you simply use a new alias. No need to worry about secondary emails just for a few accounts.

* Mitigate data leaks: if some database gets compromised, all they get is a throwaway email. They also can't try to log in to other accounts or do password resets if they get a hold of the password. (somewhat redundant with a password manager and unique passwords, but still)

* Privacy: all those ad data aggregators have a harder time connecting me between accounts. (of course they still use names, address, credit card info, etc; but it helps)

* Easy self-hosting: email hosting can be a pain. But in this case you only need to receive, never send. And receiving basically always works, even with the most broken email server setup.

A downside is the unique domain name. I always wanted a shared domain with lots of users to further reduce exposure.

I actually thought about starting a service that provides this, but it's a niche product with non-trivial technical hurdles and potentially lots of support demands, so I'm happy that Mozilla is offering this.

The only downside is that people get really confused when they have to deal with your email, for example when calling support. But it's never been a real issue.

Highly recommended!

Heh, I work on Relay and I do the same :) While the approach is great, especially in situations away from my computer where I can't generate a new alias in advance, working on it I discovered that using Relay still has a couple of advantages:

- My other addresses are unguessable.

- It's far easier to block emails sent to a single alias. With my own domain, I'll have to go and add a filter into which I copy-paste the particular alias I want to block. With Relay, I can just open the dashboard and hit the toggle next to the alias labelled with the domain I used it on.

- I was looking for ways to give Mozilla money for a long time (though now I'm working there, so I guess I'm also taking its money).

In general, my setup now is to keep using my old setup for long-term accounts with somewhat more reliable services, and use Relay for e.g. requesting a quotation or having a single thing shipped to me.

What is Relay going to do when the domain ends up on one of the many "disposable email address" blocklists?

We're actively reaching out to maintainers of such lists (see e.g. [1]) to get us removed, and take a number of measures to make that more palatable (see also [1]). And of course Relay is a bit different from services like Mailinator, where email addresses are usually actually single-use: Relay addresses remain active until their owner actively disables them. Possibly in the future it might also be possible to bring your own domain, but I don't think we have any concrete plans for that that we can share.

That said, no solution is perfect, and I expect that there will likely always be situations where you will be forced to fall back to a regular email address.

[1] https://github.com/wesbos/burner-email-providers/pull/339

On the unguessability of other addresses - I rotate several schemas making the mask of the address something like [service].[username].$(pwgen -1 | tr '[:upper:]' '[:lower:]')@customdomain.

Sometimes "[service]" is also shortened like "hackernews -> hn" to dodge the ban on service name in the e-mail address that some service providers apparently have.

Ah, I don't necessarily mean guessability of which other addresses I use, but of how you can reach me. If I block yourservice@mydomain.com, you can still attempt to reach me at totallynotyourservice@mydomain.com and it will work. You'll also be able to link my different addresses on different services. If I throw away the Relay alias for your service, that's it - there's no way to lead that back to me anymore.


> you can still attempt to reach me at totallynotyourservice@mydomain.com not if the catch-all address is actually /dev/null and the totallynotyourservice@ has to be mined from somewhere because it's random.

Overall, I think it depends on the obfuscation strategy. It's true that having a unique @mydomain.com part is a big giveaway and someone could theoretically track one's activity by searching for all e-mail addresses coming from the domain.

My use-case is more to use unique e-mail addresses to throw off credential stuffing attacks, not become untrackable/avoid all spam. For the tracking use-case I generally think several times if I want to register somewhere at all and try the usual routes first (mailinator, random old addresses on public e-mail).

Word of advice for anybody doing this: make sure you have a way to SEND email using one of your aliased addresses - because one day you will find a critical service provider can't process your emailed attachments unless sent from your registered email address (e.g. insurance claim document, bank documents, etc.)

And make sure you can easily fetch new emails on demand! I had a Migadu-Gmail setup, but the Gmail app and mobile site only pulled from the POP3 server every 30 minutes or something.

Which was fine until I had to verify my identity in-person at a Verizon store to cancel service and had to explain why I wouldn't be able to receive a verification email to verizon@mydomain for a while. Also annoying for my 401(k) which uses SMS for 2FA and makes the codes expire after 2 minutes.

Since then I've switched to a custom domain with iCloud, which unfortunately doesn't support catch-all addresses at all, but is more reliable and faster.

You can manually fetch emails from external accounts via the Gmail settings - Accounts. I'm not sure if this is available in the app but it's available on the (desktop) page. It's a hassle but there is a way in tight situations.

Thunderbird supports custom From: addresses in the mail compose window.

I've been through a mile of pain to finally end up back on Thunderbird, for exactly this use case.

This is what has finally ended my years of Microsoft Office use: Outlook will not let you keep your primary address out of smtp headers. No way, no how.

But, your mail might bounce without proper sfp setup. (preventing random from like in the good old days (president@whitehouse.gov) is pretty much the raison d'être for sfp... For better or worse).

That's not relevant for the discussion in this thread where we already assume you have a custom domain with catchall inbox setup. The custom From is still needed to be able to actually send from any address on that domain.

Yes, and part of that setup is proper sfp setup? Eg allow sending from Gmail with a from on your domain?

I don't see how it's specific to sending from thunderbird. It's a general issue if you want to use a domain for mailing.

It's not spesific to the mua, no. But as thread starter (ed: first responder) said:

> Word of advice for anybody doing this: make sure you have a way to SEND email using one of your aliased addresses

So a) you need a mua like thunderbird that let's you set FROM header - and b) your domain need to be setup to allow your smtp server(s) to send from your domain (sfp).

It's worth noting that many recipients will use SPF and DMARC to avoid accepting "forged" email like this -- spammers make very heavy use of the historical lack of authorisation for sending mail as if from a particular address.

The context of this thread is having a domain with a catchall inbox and that domain already having all the necessary DNS stuff is assumed.

The custom From is just a way to send from any address for that catchall, I was not suggesting to use it to send from abitrary addresses, which would be quite pointless since you then wouldn't get the replies.

The context is also using a third-party service for the catchall, which is less likely to have suitable records set up for sending from.

If it's handled by Google Workspace, it's easy to add additional "Send as" addresses.

I do what OP does and your comment gave my cause for concern. I just checked with my email provider and, luckily, it seems I can create Send Identities to solve this issue. Thanks for bringing this to my attention though!

you can make unique addresses so they can be transparently replied to in any mail reader (including gmail/web). It takes a bit of work but is worth it. I've been using the system I built to do it for over 5 years.

fastmail supports this, but only if using their [web] app or website.

This is very similar to how I setup my (paid) Fastmail email with my own domain. But Fastmail goes one step further: When signing up for things I use an email address like: shopping.newegg@depingus.mydomain.com. Fastmail will automatically deliver any messages addressed to the above email into the Shopping folder of my Inbox. I don't have to create an alias or any rules in my email account. Fastmail will handle that when a message arrives.

This is great for categorizing messages. And you can still blacklist aliases that have been leaked to abusers.

> I have a custom domain just for signups

I keep reading about people who say they have a custom domain, but I'm not sure they're aware of the caveat to that. You have to keep renewing it, and domains are infamously changing hands all the time, sometimes to bad actors who want to use the SEO juice of the domain for spam or affiliate marketing, or in the worst case: to take over your identity with it.

By all means, yes, keep it renewed, but if you stop renewing it (for whatever reason), assume all the accounts you have tied to it will be in someone elses hands.

I (unexpectedly) went to jail. Try renewing your domains while you are in jail. As you say, now you've lost access to everything.

My solution: make sure you keep your domains renewed to the maximum allowed by your registrar if you can. 10 years with dotcoms.

Or at least make sure you have some type of plan document to have a family member or someone you trust assist, but having it done automatically is better. Unfortunately, other services like Gmail or what not may end up closing your account after a couple years. If you have your own domain, maybe see if you can prepay for email hosting for a few years as well.

I do this but on my main domain. I have another domain and I guess I might to move spam catching exclusively to that domain.

Anyway the trouble is writing mail to those services or replying to those. I have 13 from email usernames in my Mail.app right now on my domain. Then I stopped it. It’s just so tedious.

I wish there was an app that would let me easily do it once I proved I’m the domain owner maybe - just let me send an email from <anything>@<my domain>.tld without having to add one separately. It should also allow me to reply from same email without hassle

I tried Apple iCloud+‘S HideMyEmail feature, but:

- It’s a harder lock-in into their ecosystem

- Not available on custom domain

- You can reply from that random email username if you get email username, but you can’t start a conversation easily.

- when you stop paying those randomly generated Hide My Email are gone

- Not very convenient in the browser especially if you are not in Safari or a Mac.

You can do that in FastMail (web UI or mobile app). It supports multiple domains too.

The compose view looks like this: https://imgur.com/a/qULeL5a

Oh. Undo tuna I’m on mailbox.org and I was looking for a mobile and desktop client rather than a provider. But yeah I’ll definitely consider them the next time I’m looking to move mail provider.

For what it’s worth, MailMate on mac allows for responding via the received address in just the way you describe. It’s a large part of why I ultimately landed on using it exclusively.

I’ll need it on mobile (iOS) more than on desktop.

As someone else already mentioned, the Fastmail interface makes this super easy. When you respond to an email it by default sends from the email that was addressed. And when you send emails you can enter anything in the from field for your own domains.

The only issue I have had is non-technical people getting confused when I have their business name in my email address.

> of course they still use names, address, credit card info, etc

I haven't used this service, only heard about it. It might cover your missing piece for credit card info.


Of course, privacy.com ends up being the one that can aggregate your CC information together.

I ended up choosing Abine Blur. The interface isn't as nice, but it seemed more security-focused. Privacy.com seemed to actually collect a lot of information and prevent you from removing it later on.

> Abine Blur

So, I just googled them, they look interesting but their website seems intent on obfuscating what they do, it uses a lot of marketing speak but doesn't tell me how it works.

Are you able to use your own domain for the "email masking"?

Are you giving them your bank info for the credit card masking or are they billing the credit card on file?

I'm not sure om the first question because I use SimpleLogin for email masking instead, but the second one it is advised to use your bank info so there are no fees. The plan I am on I get unlimited masked cards as long as I use a bank. There is a fee to use a credit card. There is a minimum amount per masked card of $10 but you can immediately request a refund once you use whatever amount or if they just pre-authorize something.

I've been using this service for years and love it.

This is almost identical to my approach. One minor difference is that I got on the free Google Apps for Business plan a decade or so ago. So deliverability is there, which does come up from time to time. i.e. Occasionally you need support, and the service wants you to email them/reply to their email from the email you use with their service. So in Gmail, I have to set up an account/alias so I can send the email.

I did self-host this way back, using MailEnable on Windows Server. It... worked. But I don't recommend it!

The other downside is that the catch-all sometimes gets a lot of [gibberish]@[customdomain]. It's not too bad now, but there was a period where gibberish hexidecimal aliases were spammed regularly.

"A downside is the unique domain name" that depends, I bet that a lot of services will disallow registration with @mozmail.com addresses and the trick would not work. In case of you custom domain they will never know if this is a real thing or some throwaway address.

Your single point of failure is your account at your registrar, where your domain can be hijacked. Once your domain is taken over - all of your accounts which are connected to this domain are also owned. So you're still only one hack away here.

Well, sure. But my registrar requires 2FA and has good support. The domain also has a hard lock for transfers, which would require a signature and id.

A targeted hack that could get 2FA tokens or a social engineering attack on the registar aren't threat vectors I'm concerned about. I'm not that interesting.

Much better than being at risk of, for example, Google cancelling your Gmail account for whatever reason, or your mail account getting hacked.

That is accurate for any and all approaches with email, but it does not negate the (significant) incremental improvements this strategy grants you.

> "That is accurate for any and all approaches with email"

The likelihood of a takeover of @gmail.com or @icloud.com is much lower though.

Instead those can just cancel your account without explanation or recourse. With a registrar you have a contractual relationship enforceable in your local jurisdiction.

I went to jail. Got out. Seems like there is no way to reaccess my old gmail account.

Fastmail has recently provided masked email too: https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...

Out of curiosity, is your customdomain in this case something without any personal info on it? I have a custom domain with my first name and last name initial .com, but now I'm thinking if I want this setup, maybe it's better off getting a domain with random words so even if email leaks, no personal data is leaked.

I'm not currently using it (took down my opensmtpd server.. Haven't replaced it yet) - but I used a subdomain on a vanity domain (in my case things like hn@s.hypertekst.net). If I need a "new" domain, I can just move to another (r.hypertekst.net - s for spam, r for registration... Etc).

Not OP, but same setup. I have a custom domain that has a generic name. Not entirely random just in case I ever have to spell it out or something, but no PII in the domain name. Also, Whois privacy service through my registrar.

The functionality isn't easy to discover, but you can use an account at outlook.live.com (MS) to create e-mail aliases.

You can manage the aliases within the same parent account.

Similar here.

Instead of using the same email address and different password per site, I use my "burner" domain so foo.com@burner and just use the same password for everything. Nothing to remember for a login - just the domain name and the usual password.

For "important" things (anything with money or PII etc) I use a unique password + bitwarden

I'm conflicted about this.

For me, the best implementation of private alias is the Apple one: %randomwords%[at]icloud.com. It's way harder to wildcard block [at]icloud.com, as there are legit users of the icloud domain, than a wildcard block for: [at]mozmail.com.

Unfortunately, using the apple implementation is just one more stone into their walled garden. I really wish firefox could create a legit free [at]firefox (or something else) mail and then create this alias service as premium bundle. It would be way harder for services to start blocking it.

Furthermore, I'm not really excited to the overall direction that Mozilla is moving with its side projects:

1. They bought Pocket (which I loved) and now it's on life support.

2. They created an awesome private file sharing service (firefox send) and quickly butchered it.

3. They have a vpn that is simply mullvad with new clothes and fewer geographic availability. Why anyone would use it instead of mullvad is beyond me.

Mozilla needs some serious trust building before I trust it to manage several mail aliases for me.

> 2. They created an awesome private file sharing service (firefox send) and quickly butchered it.

Thankfully it was MPL licensed[0] and has an active fork[1]. The only problem is that Mozilla requested their trademarks Mozilla/Firefox be removed, so finding this fork is a bit hard on Google.

0: https://github.com/mozilla/send/blob/master/LICENSE

1: https://gitlab.com/timvisee/send

> They bought Pocket (which I loved) and now it's on life support.

I've been waiting a long time to find someone who thought that Pocket was a good idea. Can you expand on what you like about it being integrated into firefox natively as opposed to an extension?

> Can you expand on what you like about it being integrated into firefox natively as opposed to an extension?

Nowhere in my post I’ve said that I thought it was a good idea to integrate pocket to Firefox natively. I said that I loved pocket as a service. A service that improved constantly before Mozilla acquired it and now it seems like there’s no significant upgrade for the last however many years Mozilla acquired it.

As an addendum, I absolutely do not think that integrating pocket to Firefox was a good idea. Even though I love(d) pocket and Firefox, it should be an extension.

I've been a heavy user of Pocket, and I obviously think it's great. In the end it's not much more than a reading list, but what really makes it useful is its integration with the Kobo e-readers. I can happen upon an interesting long form article at work, save it to Pocket and read it on the subway on the way home on my phone, or before sleeping on the e-reader.

I'm not a Firefox user, so I'm using the extension, but if I were I'd really appreciate the integration.

Thanks for the reply. However, I was specifically hoping to hear a testimonial from a Firefox user who prefers it as a native integration rather than the extension.

Agreed. They are all over the place and don't take good care of the only important thing, which is the browser. If I want a vpn, I will get a vpn. Same with email alias. This is yet another distraction. I'm not very optimistic.

I think they have a revenue issue. They can't make the money necessary to sustain a lot of their work so they are trying to find other sources of revenue that are privacy focused to help. See the layoffs from last year for example.

The problem is that half the commenters in any given thread about Mozilla say things like "they're too dependent on Google for revenue" and the other half say things like "they have too many side-projects, they should just focus on Firefox" and some select few complain about both simultaneously.

Pocket, VPN, and Relay are all revenue generating and probably don't require that much effort to run.

> 1. They bought Pocket (which I loved) and now it's on life support.

Why do you say it's on life support?

No significant improvements in the last however many years. Yeap, it's a simple service but they constantly fail on the basics such as parsing the complete article.

Over the years I had several instances of widely popular sites not being completely parsed, missing paragraphs or images, to the point where I had to manually check every time I've saved something there. Whereas, on instapaper or safari reader mode, it parsed perfectly. I've submitted several fixes requests for such sites and they "promised they would look into it", nothing happened.

Yeap, I was a paying costumer and a heavy user for over three years, I finally gave up and closed my subscription.

I actually think Mail, VPN and password manager are three things that Mozilla should have done since day 1.

The three have one thing in common that is privacy and trust. They are also all proven profitable and sustainable business. Which they should have used to market it and generate some safe income.

File sharing and content ads were all too risky moves.

Now that their product brand are damaged it is harder to built. Not to mention they now have a fewer user to capture those value.

Relay is very cool but it took me like 24 hours since discovering and adopting it, to being unable to use it for an account. So I cannot recommend it to my family and friends who are much less tech literate than I am.

In my case I was trying to create an account on the Linux Mint Forums [1]. The confirmation email never arrived, which was very confusing to me.

[1]: https://forums.linuxmint.com/

After a couple emails with the admin, they told me this:

> The forum tried sending you the activation email but it'd rejected by the Firefox relay with this message:

    <...@relay.firefox.com>: host
        inbound-smtp.us-west-2.amazonaws.com[] said: 550 5.7.1 TLS
        required by recipient (in reply to RCPT TO command)
> This is a known issue of the Firefox relay: https://github.com/mozilla/fx-private-relay/issues/757. I'll check but I think TLS is not under our control, same as in the linked issue.

> For now I think you'll have to use a different email address.

So while it looked promising, sadly the next day I was already back to using gmail addresses...

> So while it looked promising, sadly the next day I was already back to using gmail addresses

I know this pain point well. Some sites, instead of using a blacklist of every single disposable e-mail service, just use a whitelist of 'popular' email domains like gmail.com, outlook.com, yahoo.com etc

This is why I have accounts with gmail and other popular e-mail providers. That's the only reason. Sad that you have to conform to be a normie just to use a website. Thank all the bots and bad faith actors for that...

> Some sites, instead of using a blacklist of every single disposable e-mail service, just use a whitelist of 'popular' email domains

This is very interesting to me as I've had my own domain for a very long time and haven't encountered this more than twice in that time. If you don't mind sharing, on what kinds of sites have you seen this?

I am not at all discounting your experience. We probably have different interests and visit different sites so I'm interested to explore that.

I have very often hit the "you can't use emails from that service here" deny list which is why I think these kinds of services are neat but will quickly be rendered useless once the deny lists are updated.

I've had it happen on my DMV's 'personalize license plate' site. In order to reserve a plate I had to provide a gmail address, and could not in fact use my personal domain or protonmail account.

(Tech lead of Relay here)

Thanks for the detail! We'll look into this. We definitely want to maximize deliverability.

I'm glad to hear it! It's been almost a year since I reported this bug, and I still run into web-compat issues everywhere.

Thanks for reporting it! Nothing like an influx of new users (and now premium customers!) to re-light some fire under a bug! We'll work on it.

Thank you very much! Just to make it clear, I still use Relay for those sites that allow me to use it, I just wouldn't recommend it to friends because this kind of hiccups mean that it's not something that one can rely on with blind eyes. Glad to see there is active interest in ironing them out.

So.. Relay require tls on incoming connections - but site sends confirmation link over plain text smtp? What site refuses to upgrade to tls these days? (or am I reading that wrong?)

This is cool, however, personally I feel like for my use case that integration with 1Password and Fastmail is better because I don't want to depend on a browser that I cannot use everywhere to manage this.

In the same way that I avoid Sign in with Apple - what am I supposed to do when I need to Sign in without Apple?!

I find 1P+FM is a much more cross-platform solution.

However, I commend Firefox for creating this functionality for people that don't use a separate password manager or Fastmail!

(Relay engineer here.)

While we provide a Firefox extension with which generating an alias is just a click away, you're not dependent on Firefox specifically: you can generate and access your generated alias through the web interface at https://relay.firefox.com in any browser.

A little bit unrelated question, but since we're talking about being available anywhere. Is there a reason the extension is not available for Firefox on Android? I'm thinking about using Relay but I'm afraid it won't be easy to add aliases from mobile.

No technical one I think; probably mostly a matter of resources (same reason it's not on other browsers yet).

That said, the extension is mostly useful for generating new aliases. If you've already used it on desktop to generate an alias for a website, then regular cross-browser sync of form autofill data should make it easy to reuse the same alias on mobile.

Correct me if I'm wrong, but you would still need to pay $3 USD/mo for Fastmail even if you use 1P. Whereas with Relay, it's 0.99 USD/mo, and no need to migrate my existing email to any other service.

Well yes, it is much better if you already use Fastmail.

Right with you on Fastmail, it's excellent. Just wondering though where do you feel you can't use Firefox? As far as I know it runs on all major platforms even if the rendering engine on iOS is still Safari.

I find on iOS it just isn't as well integrated as using Safari.

Also, apps.

Edit: I am trying it again and it seems a lot better integrated than when I last tried - you can set it as your default browser! Is there a reliable way to block ads, though?

Sign In with Apple is a regular OAuth service and works fine in a browser.

You can use Apple’s solution even if on Linux and using any browser.

You can only hope that the service will last long enough and not be discontinued like Firefox Send. Otherwise you have created online accounts with dead alias emails. I create the alias mail addresses in my postfix installation under /etc/aliases

I have domains with catchall so every email is different, can be created on the fly and can be easily revoked. This is the simplest solution I think.

If you rely on catchall, doesn't that make it more difficult to eliminate spam from breaches or bad actor companies/services? With aliases and no catchall, I just delete a one-time-use alias and all spam goes away. Can you do something similar even if you are using catchall?

With a catchall you can just setup a filter rule that auto-deletes mails to certain destination addresses and add more to the filter as they get compromised. Which doesn't even happen all that often in my experience.

instead of domain, use subdomain. You can use forwarding service like improvmx to filter out bad actors. Also, forward email to Gmail. Gmail will reject standard spam emails.

I’m cautious, but IIRC much of the issue with Firefox send was it being abused for huge/illegal files, which seems like less of an issue with a receive-only email address.

Country limited...sight:

"⁨Relay Premium⁩ is available in the United States, Germany, United Kingdom, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland. " (https://relay.firefox.com/faq)

(Relay engineer here.)

Note that that's for the Premium service - the free tier is available in most countries. We're hoping to expand to more countries in the future.

Tried signing up for Relay Premium (from France), Stripe is telling me that "The currency of this subscription isn't valid for the country associated with your payment"...

Hi! I'm the Product Manager on Relay. I'm sorry about this! We've deployed a fix this morning. Let us know if you're still having this issue and we can help troubleshoot it further.

I'm having same issues with PayPal as option, coming from Finland

Edit: looking FAQ it appears it's not even available in Finland, I'm active user of relay and i saw the upgrade option, not reading the FAQ at all.

What happens when the service is discontinued, and suddenly I won't receive any emails from potentially hundreds of accounts?

Seems like a really bad idea to rely on this service.

the primary use case for me is to generate throwaway registration emails, I wouldn't necessarily use this for anything you really depend on.

This sounds interesting, and I'd pay for it, but it seems to be dependent on a Firefox extension.

Sadly, after literally 20+ years of using Firefox, I recently switched to Brave. The performance of FF was wearing on me.

I realize it would seem to be very strange if Mozilla were to create a Chromium extension. But in this case, it is a paid service separate from the browser.

(Relay engineer here.)

While we provide a Firefox extension with which generating an alias is just a click away, you're not dependent on Firefox specifically: you can generate and access your generated alias through the web interface at https://relay.firefox.com in any browser.

(Also, I'm sure you've already tried a lot of things, but in case you didn't: perhaps refreshing Firefox helps? See https://support.mozilla.org/en-US/kb/refresh-firefox-reset-a....)

Not dependent on extension:


> Your own email domain youremail@yourdomain.mozmail.com

I don't understand why would one want to pay for a step down in privacy, voluntarily adding an identifier that allows to track them. The only thing it does is adding some extra information about the alias owner - something that does not make any sense to me, given that the whole point of the service is to obscure users' identities.

I would understand really using my own domain (not this falsey advertising - "foo.mozmail.com" is not something I "own") rather than Mozilla-provided subdomain of theirs. Yea, that would also counter the privacy but at least there's a tradeoff - I retain control of that domain, so if I'm unhappy with Mozilla I still have the email addresses.

Howdy, relay engineer here.

The random aliases at mozmail.com are certainly the most private option. The subdomain aliases are for convenience so you can make up any alias you want even if you don't have a device on you. (e.g., checking into a hotel, etc.)

As you say - there's always trade-offs involved.

Aah, so the personal subdomains are catch-all accounts? So one doesn't have to talk to the Relay services at all and can just give out whatevertheycanthinkof@yourname.mozmail.com and it would get forwarded?

If so - thank you, yes, now I see the point. My bad and please consider telling marketing team to highlight this hotel use case more prominently, because without it just comparing @mozmail.com vs @foo.mozmail.com is not really compelling and could be even confusing.

Won’t websites just blacklist this domain from creating accounts?

It's rare though.

I have been using alias services like Anonaddy and SimpleLogin for nearly two years. I have seen only on website block SimpleLogin, and it was a Pixelfed instance. I simply signed up on another Pixelfed instance as these are federated.

These alias companies also have multiple domains, so in a way these blocks can be worked around.

Mailinator's domains are pretty much all blocked in lots of cases. There are lists filled with such domains that services often seem to use.

Mailinator is very famous. I never heard about the other services in this sub thread though. It could be that they are allowed because few people know that they exist.

About a year after Gmail launched, commercial services blocked the domain for account registration, in droves. I remember seeing errors about using "free" email services. It hasn't happened yet me in a long time but I also use a wildcard address and a personal domain for most things now. (My gmail account is regularly blocked but that's becaue people assume it's fake and they use it for testing... I get all the spam.)

Some probably will.

I've find a good amount of sites that do not blacklist, but whitelist maybe four or five domains (gmail, hotmail, outlook...) and any others not allowed.

Cat v Mouse

This looked interesting when I explored it, but the 150KB attachment size limit is too low. I also checked the GitHub issues list for this project and found some open issues with respect to attachment sizes lower than this not getting through (maybe because of inflation with encoding, which end users may not know about or can’t predict).

The premium paid subscription is said to be only available in specific countries, but the payment form seems to appear in other places too. So I’m not sure how the service allows or disallows subscriptions.

A quick thought also occurred to me comparing this with iCloud email aliases from Apple, which is available for all paid iCloud subscriptions starting at the same price as this one ($0.99 per month) and allows the user to use their custom domain (Firefox relay premium gives you one custom subdomain under mozmail.com). And for the same price, Apple also provides 50GB of storage and supports the iCloud Relay hop service for Safari (and apps, if supported).

I’d like to support Firefox monetarily, assuming the revenue from this service goes to Mozilla Corporation (not Mozilla Foundation) and to Firefox. But the attachment size limit is currently unacceptable for me.

Hi! Product Manager on Relay here. Thank you for the feedback. We're actively working on upping the attachment limit as we know that is a major pain point. I hope that's something we can deliver to you shortly.

Please keep the great feedback coming :)

Urgh, on one hand i love the idea and i think its a good business venture for mozilla.

On the other hand, they are injecting little scare bubbles into everybody's website to advertise this, and that rubs me up the wrong way so much i want nothing to do with it.

Howdy. I'm an engineer on both Facebook Container and Relay.

We fixed the original bug in Facebook Container that was showing the prompt on every website - now it only shows the prompt on websites where Facebook trackers are detected.

Facebook Container is something that inspired and influenced the development of Relay in the first place. Facebook Container users reported that they used websites and still saw ads from those websites in their Facebook feed, even though they were using Facebook Container. Because Facebook lets anyone create custom audiences for re-targeting, we need to give users a way to protect themselves from "back end" data sharing & tracking.


You only get the bubbles if you install the extension.

I just signed up and sent myself a test email. It took a couple of minutes but it came through with banners above and below the content.

Pretty nice service however again I am afraid that one day the plug will be pulled and the email addresses will be orphaned.

Hi! I'm the Product Manager on Relay. Thank you for sharing your concerns, we absolutely understand this risk and the investment and trust it takes to sign up for a service like Firefox Relay. We're actively investing resourcing into our privacy and security products like VPN and Relay and hope to grow these services while providing more protections to more people. I hope that you can come along with us and try out Relay.

At least one service I use has already blocked @mozmail.com addresses, unfortunately. Without a more common/generic TLD this is dead in the water.

Mozilla, I want to give you money and subscribe, Yet you refuse with this ambiguit error:

The currency of this subscription is not valid for the country associated with your payment.

Try again

PM of relay posted a few comments up that they had delivered a fix 2h ago. Try again, it might work this time.

Thanks for "relaying" the comment! :)

Just to clarify my earlier comment, you should be able to subscribe to premium if you're in the following countries with payment details that match the country: United States, Germany, United Kingdom, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland.

For users outside these countries, we know that it's not as clear in the experience that premium isn't available yet, and we'll be making updates very shortly to make this more clear. Additionally, we'll continue to try and grow the list of countries that Relay is available in, so please give us your feedback to help us prioritize expansion. Also, the free experience is available globally, if you're not able to subscribe to Premium yet, but still want to use Relay.

I created a subdomain, and create email on fly based on the domain name example ycombinator@subdomain.com

I use https://improvmx.com/ to forward all subdomain email to my main email (gmail) account. It has a option to forward emails to a black hole too.

From that I have learned that big companies like adobe & lendingtree gets hacked too. Or they sell your data.

You can create aliases on Gmail with "+". firstname.lastname+spam@gmail.com.

Probably works with other email providers too.

Yes, that is standard subaddressing but not all email providers support it (I've never heard of a Microsoft Exchange server supporting it). One problem with it is it exposes your real email address. Another problem, as the Wikipedia article notes, is there are a lot of inputs with poorly written validation that won't accept '+' as a valid email address character (they often only allow a-z, '.', and '@').


> I've never heard of a Microsoft Exchange server supporting it

It's supported on Exchange Online/Office 365 environments. There's a switch to enable it. We use it in our organisation.

This is a standard and every semi-smart spammer can strip the "\+.+" part so it works only with legit websites that you want to handle in a special way.

Fastmail has subdomain addressing [0] to solve that.

whateveryoulike@username.domain.tld is the same as username+whateveryoulike@domain.tld

[0]: https://www.fastmail.help/hc/en-us/articles/360060591053-Plu...

So, spammers will learn to look at the "domain.tld" at one moment if this gets popular.

another options is to buy a domain with a cpanel and set up a forwarder and filter to a specific folder in your secret main email account. The extra benefit here, since you own the domain, is that you can create a send identity of your arbitraryforwardingaddress@yourdomain.tld

Be careful with this. I once ordered something with Dell, and while their front-end system would accept my email address just fine, apparently one of their back-end systems choked on it, and not only did my order get stuck in limbo somewhere, but their customer service agents also couldn't easily fix it for me since their systems weren't able to handle this properly either.

I use this scheme. I have a separate account (x@example.com), were I only give addresses with aliases (x+N-RANDOM-LETTERS@example.com). There are of course broken sites, that do not allow + in the e-mail address. Also Bolt (bolt-rider.com) ignores the alias and just sends to the base address (x@example.com).

You can also add dots ('.') anywhere in a gmail address and still have it delivered. You can use an unary encoding of your random letters if necessary.

So this is anonaddy but with unlimited replies? Pretty cool! I just signed up for purelymail recently, I wish I had heard of this sooner, but it's better than never.

Is there any way to create aliases on the fly?

Something like creating a new alias automatically when an email is received?

The extension allows you to create aliases on the fly (although the free version has a limit of 5 aliases total). Note that the extension is at this time only available for Firefox on desktop.

Alternatively, if you have a Premium subscription, you can set up a catchall subdomain for yourself, so that e.g. anyarbitraryidentifier@ranguna.mozmail.com gets forward to you without having to create the alias in advance. Of course, this has the disadvantage of being able to associate that alias with other aliases you create.

Fastmail provides multiple aliases (I have over 400+) and they never seem to have any problem.

What the f. Do they even want users. I can not create a Firefox Account. Every register page is a login page. When I enter an email and a password it expects an existing account (which I do not have). This is beyond belief.

If it's asking for a password then you do have an account. Try triggering a password reset.

I've been using Spamgourmet for over a decade for this functionality. I'm surprised it's not more popular here.


I think I've been using it for nearly 15 years. And I selfishly hope it never gets more popular since it's so obscure that it seems to fly under the radar of most blacklists despite its 20+ year history. I like how it keeps a count of all of the messages it's blackholed to a given address so you can see who pimped you like a used car if you use a unique address per signup.

Never heard of this one. I'd love to get something like this that I can self-host, or pay to use my own domain.

I've been using SimpleLogin for a while now which does just this. The thing I like about SimpleLogin, is that it can be self-hosted and they have an open source app on F-Droid.

My issue with SimpleLogin is that they mutate the emails forwarded to your inbox in a manner that breaks features based on the sender. If you're using gmail's email grouping feature it gets thrown off by this. I am not sure how I would go about it, but I would guess that spam detection would become somewhat (more) difficult too.

I made this as a side project a while back. The issue I ran into is my server being blocked to send due to its ASN even though it only sends to my addresses.

I like this idea a lot, but I don't trust it to stick around. Mozilla is going to pull a Google and this will be a very painful thing to undo.

Solving privacy by sharing all your emails [were obscuring your email address matters] with Mozilla.

Doesn’t seem like I can sign up in Australia, payment is not accepted..

(Relay engineer here.)

Unfortunately the Premium service that we launched yesterday is only available in a limited (but growing) number of countries. The free version should be available to you though.

simplest thing is to create a gmail, which will never be blocked. then forward certain types of emails to your regular email.

So is this like craigslist email censor?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact