I have a custom domain just for signups, and I sign up with [service].[username]@customdomain. The domain simply has a catchall email "accounts@customdomain".
Combined with a password manager (Bitwarden) this is absolutely brilliant.
* Spam: if I get any spam, I know exactly which company is responsible, whether directly, through selling user data or because of breaches. And I can simply block the whole alias.
* Multiple accounts: If you need a second account with some service, you simply use a new alias. No need to worry about secondary emails just for a few accounts.
* Mitigate data leaks: if some database gets compromised, all they get is a throwaway email. They also can't try to log in to other accounts or do password resets if they get a hold of the password. (somewhat redundant with a password manager and unique passwords, but still)
* Privacy: all those ad data aggregators have a harder time connecting me between accounts. (of course they still use names, address, credit card info, etc; but it helps)
* Easy self-hosting: email hosting can be a pain. But in this case you only need to receive, never send. And receiving basically always works, even with the most broken email server setup.
A downside is the unique domain name. I always wanted a shared domain with lots of users to further reduce exposure.
I actually thought about starting a service that provides this, but it's a niche product with non-trivial technical hurdles and potentially lots of support demands, so I'm happy that Mozilla is offering this.
The only downside is that people get really confused when they have to deal with your email, for example when calling support. But it's never been a real issue.
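An added example, not part of the thread: a sketch of the bookkeeping the first post describes, where the `[service]` label of the alias tells you which signup an inbound message traces back to, and a whole alias can be blocked. The domain `customdomain.example`, the function names and the sample messages are assumptions constructed for illustration, and comparing the label against the sender's domain is only a heuristic.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "customdomain.example"  # assumption: stands in for the signup-only domain


def alias_service(address):
    """Return the [service] label of a [service].[username]@domain alias, else None."""
    local, _, domain = address.lower().rpartition("@")
    if domain != CATCHALL_DOMAIN or "." not in local:
        return None  # other domain, or a gibberish local part hitting the catch-all
    return local.split(".", 1)[0]


def triage(raw_message, blocked_services):
    """Classify one inbound message as (verdict, service)."""
    msg = message_from_string(raw_message)
    # The From header is sender-controlled, so a match is a hint, not proof.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_labels = sender.rpartition("@")[2].split(".")
    for _, rcpt in getaddresses(msg.get_all("To", [])):
        service = alias_service(rcpt)
        if service is None:
            continue
        if service in blocked_services:
            return ("drop", service)          # the whole alias has been blocked
        if service in sender_labels:
            return ("deliver", service)       # sender domain names the service
        return ("leak-suspect", service)      # alias used by an unrelated sender
    return ("unknown-alias", None)


# Constructed sample messages (not real mail).
SAMPLES = {
    "expected": "From: news@mail.shopco.example\n"
                "To: shopco.alice@customdomain.example\n\nYour order shipped.",
    "resold": "From: deals@bulkmailer.example\n"
              "To: shopco.alice@customdomain.example\n\nCheap pills.",
    "blocked": "From: digest@oldforum.example\n"
               "To: oldforum.alice@customdomain.example\n\nWeekly digest.",
    "gibberish": "From: x@bulkmailer.example\n"
                 "To: 9f3ac2e17b@customdomain.example\n\nHello.",
}


def run_samples(blocked=frozenset({"oldforum"})):
    """Triage every constructed sample and return {name: (verdict, service)}."""
    return {name: triage(raw, blocked) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

A shortened label such as `hn` for `hackernews` will not match the sender's domain, so a real setup would need a label-to-domain map in place of the substring heuristic.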
- My other addresses are unguessable.
- It's far easier to block emails sent to a single alias. With my own domain, I'll have to go and add a filter into which I copy-paste the particular alias I want to block. With Relay, I can just open the dashboard and hit the toggle next to the alias labelled with the domain I used it on.
- I was looking for ways to give Mozilla money for a long time (though now I'm working there, so I guess I'm also taking its money).
In general, my setup now is to keep using my old setup for long-term accounts with somewhat more reliable services, and use Relay for e.g. requesting a quotation or having a single thing shipped to me.
That said, no solution is perfect, and I expect that there will likely always be situations where you will be forced to fall back to a regular email address.
Sometimes "[service]" is also shortened like "hackernews -> hn" to dodge the ban on service name in the e-mail address that some service providers apparently have.
> you can still attempt to reach me at email@example.com
not if the catch-all address is actually /dev/null and the totallynotyourservice@ has to be mined from somewhere because it's random.
Overall, I think it depends on the obfuscation strategy. It's true that having a unique @mydomain.com part is a big giveaway and someone could theoretically track one's activity by searching for all e-mail addresses coming from the domain.
My use-case is more to use unique e-mail addresses to throw off credential stuffing attacks, not become untrackable/avoid all spam. For the tracking use-case I generally think several times if I want to register somewhere at all and try the usual routes first (mailinator, random old addresses on public e-mail).
Which was fine until I had to verify my identity in-person at a Verizon store to cancel service and had to explain why I wouldn't be able to receive a verification email to verizon@mydomain for a while. Also annoying for my 401(k) which uses SMS for 2FA and makes the codes expire after 2 minutes.
Since then I've switched to a custom domain with iCloud, which unfortunately doesn't support catch-all addresses at all, but is more reliable and faster.
This is what has finally ended my years of Microsoft Office use: Outlook will not let you keep your primary address out of smtp headers. No way, no how.
> Word of advice for anybody doing this: make sure you have a way to SEND email using one of your aliased addresses
So a) you need an MUA like Thunderbird that lets you set the FROM header - and b) your domain needs to be set up to allow your SMTP server(s) to send from your domain (SPF).
The custom From is just a way to send from any address for that catchall, I was not suggesting to use it to send from arbitrary addresses, which would be quite pointless since you then wouldn't get the replies.
This is great for categorizing messages. And you can still blacklist aliases that have been leaked to abusers.
I keep reading about people who say they have a custom domain, but I'm not sure they're aware of the caveat to that. You have to keep renewing it, and domains are infamously changing hands all the time, sometimes to bad actors who want to use the SEO juice of the domain for spam or affiliate marketing, or in the worst case: to take over your identity with it.
By all means, yes, keep it renewed, but if you stop renewing it (for whatever reason), assume all the accounts you have tied to it will be in someone else's hands.
My solution: make sure you keep your domains renewed to the maximum allowed by your registrar if you can. 10 years with dotcoms.
Anyway the trouble is writing mail to those services or replying to those. I have 13 from email usernames in my Mail.app right now on my domain. Then I stopped it. It’s just so tedious.
I wish there was an app that would let me easily do it once I proved I’m the domain owner maybe - just let me send an email from <anything>@<my domain>.tld without having to add one separately. It should also allow me to reply from same email without hassle
I tried Apple iCloud+'s HideMyEmail feature, but:
- It’s a harder lock-in into their ecosystem
- Not available on custom domain
- You can reply from that random email username if you get email username, but you can’t start a conversation easily.
- when you stop paying those randomly generated Hide My Email are gone
- Not very convenient in the browser especially if you are not in Safari or a Mac.
The compose view looks like this: https://imgur.com/a/qULeL5a
The only issue I have had is non-technical people getting confused when I have their business name in my email address.
I haven't used this service, only heard about it. It might cover your missing piece for credit card info.
Of course, privacy.com ends up being the one that can aggregate your CC information together.
So, I just googled them, they look interesting but their website seems intent on obfuscating what they do, it uses a lot of marketing speak but doesn't tell me how it works.
Are you able to use your own domain for the "email masking"?
Are you giving them your bank info for the credit card masking or are they billing the credit card on file?
I did self-host this way back, using MailEnable on Windows Server. It... worked. But I don't recommend it!
The other downside is that the catch-all sometimes gets a lot of [gibberish]@[customdomain]. It's not too bad now, but there was a period where gibberish hexadecimal aliases were spammed regularly.
A targeted hack that could get 2FA tokens or a social engineering attack on the registrar aren't threat vectors I'm concerned about. I'm not that interesting.
Much better than being at risk of, for example, Google cancelling your Gmail account for whatever reason, or your mail account getting hacked.
The likelihood of a takeover of @gmail.com or @icloud.com is much lower though.
You can manage the aliases within the same parent account.
Instead of using the same email address and different password per site, I use my "burner" domain so foo.com@burner and just use the same password for everything. Nothing to remember for a login - just the domain name and the usual password.
For "important" things (anything with money or PII etc) I use a unique password + bitwarden
For me, the best implementation of private alias is the Apple one: %randomwords%[at]icloud.com. It's way harder to wildcard block [at]icloud.com, as there are legit users of the icloud domain, than a wildcard block for: [at]mozmail.com.
Unfortunately, using the apple implementation is just one more stone into their walled garden. I really wish firefox could create a legit free [at]firefox (or something else) mail and then create this alias service as premium bundle. It would be way harder for services to start blocking it.
Furthermore, I'm not really excited about the overall direction that Mozilla is moving with its side projects:
1. They bought Pocket (which I loved) and now it's on life support.
2. They created an awesome private file sharing service (firefox send) and quickly butchered it.
3. They have a vpn that is simply mullvad with new clothes and fewer geographic availability. Why anyone would use it instead of mullvad is beyond me.
Mozilla needs some serious trust building before I trust it to manage several mail aliases for me.
Thankfully it was MPL licensed and has an active fork. The only problem is that Mozilla requested their trademarks Mozilla/Firefox be removed, so finding this fork is a bit hard on Google.
I've been waiting a long time to find someone who thought that Pocket was a good idea. Can you expand on what you like about it being integrated into firefox natively as opposed to an extension?
Nowhere in my post have I said that I thought it was a good idea to integrate Pocket into Firefox natively. I said that I loved Pocket as a service. A service that improved constantly before Mozilla acquired it and now it seems like there’s no significant upgrade for the last however many years Mozilla acquired it.
As an addendum, I absolutely do not think that integrating pocket to Firefox was a good idea. Even though I love(d) pocket and Firefox, it should be an extension.
I'm not a Firefox user, so I'm using the extension, but if I were I'd really appreciate the integration.
Pocket, VPN, and Relay are all revenue generating and probably don't require that much effort to run.
Why do you say it's on life support?
Over the years I had several instances of widely popular sites not being completely parsed, missing paragraphs or images, to the point where I had to manually check every time I've saved something there. Whereas, on Instapaper or Safari reader mode, it parsed perfectly. I've submitted several fix requests for such sites and they "promised they would look into it", nothing happened.
Yeap, I was a paying customer and a heavy user for over three years, I finally gave up and closed my subscription.
The three have one thing in common that is privacy and trust. They are also all proven profitable and sustainable business. Which they should have used to market it and generate some safe income.
File sharing and content ads were all too risky moves.
Now that their product brands are damaged it is harder to build. Not to mention they now have fewer users to capture that value.
In my case I was trying to create an account on the Linux Mint Forums. The confirmation email never arrived, which was very confusing to me.
After a couple emails with the admin, they told me this:
> The forum tried sending you the activation email but it's rejected by the Firefox relay with this message:
> inbound-smtp.us-west-2.amazonaws.com[184.108.40.206] said: 550 5.7.1 TLS
> required by recipient (in reply to RCPT TO command)
> For now I think you'll have to use a different email address.
So while it looked promising, sadly the next day I was already back to using gmail addresses...
I know this pain point well. Some sites, instead of using a blacklist of every single disposable e-mail service, just use a whitelist of 'popular' email domains like gmail.com, outlook.com, yahoo.com etc
This is why I have accounts with gmail and other popular e-mail providers. That's the only reason. Sad that you have to conform to be a normie just to use a website. Thank all the bots and bad faith actors for that...
This is very interesting to me as I've had my own domain for a very long time and haven't encountered this more than twice in that time. If you don't mind sharing, on what kinds of sites have you seen this?
I am not at all discounting your experience. We probably have different interests and visit different sites so I'm interested to explore that.
I have very often hit the "you can't use emails from that service here" deny list which is why I think these kinds of services are neat but will quickly be rendered useless once the deny lists are updated.
Thanks for the detail! We'll look into this. We definitely want to maximize deliverability.
In the same way that I avoid Sign in with Apple - what am I supposed to do when I need to Sign in without Apple?!
I find 1P+FM is a much more cross-platform solution.
However, I commend Firefox for creating this functionality for people that don't use a separate password manager or Fastmail!
While we provide a Firefox extension with which generating an alias is just a click away, you're not dependent on Firefox specifically: you can generate and access your generated alias through the web interface at https://relay.firefox.com in any browser.
That said, the extension is mostly useful for generating new aliases. If you've already used it on desktop to generate an alias for a website, then regular cross-browser sync of form autofill data should make it easy to reuse the same alias on mobile.
Edit: I am trying it again and it seems a lot better integrated than when I last tried - you can set it as your default browser! Is there a reliable way to block ads, though?
"Relay Premium is available in the United States, Germany, United Kingdom, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland. "
Note that that's for the Premium service - the free tier is available in most countries. We're hoping to expand to more countries in the future.
Edit: looking at the FAQ, it appears it's not even available in Finland. I'm an active user of Relay and I saw the upgrade option, not reading the FAQ at all.
Seems like a really bad idea to rely on this service.
Sadly, after literally 20+ years of using Firefox, I recently switched to Brave. The performance of FF was wearing on me.
I realize it would seem to be very strange if Mozilla were to create a Chromium extension. But in this case, it is a paid service separate from the browser.
(Also, I'm sure you've already tried a lot of things, but in case you didn't: perhaps refreshing Firefox helps? See https://support.mozilla.org/en-US/kb/refresh-firefox-reset-a....)
I don't understand why would one want to pay for a step down in privacy, voluntarily adding an identifier that allows to track them. The only thing it does is adding some extra information about the alias owner - something that does not make any sense to me, given that the whole point of the service is to obscure users' identities.
I would understand really using my own domain (not this falsey advertising - "foo.mozmail.com" is not something I "own") rather than Mozilla-provided subdomain of theirs. Yea, that would also counter the privacy but at least there's a tradeoff - I retain control of that domain, so if I'm unhappy with Mozilla I still have the email addresses.
The random aliases at mozmail.com are certainly the most private option. The subdomain aliases are for convenience so you can make up any alias you want even if you don't have a device on you. (e.g., checking into a hotel, etc.)
As you say - there's always trade-offs involved.
If so - thank you, yes, now I see the point. My bad and please consider telling marketing team to highlight this hotel use case more prominently, because without it just comparing @mozmail.com vs @foo.mozmail.com is not really compelling and could be even confusing.
I have been using alias services like Anonaddy and SimpleLogin for nearly two years. I have seen only one website block SimpleLogin, and it was a Pixelfed instance. I simply signed up on another Pixelfed instance as these are federated.
These alias companies also have multiple domains, so in a way these blocks can be worked around.
The premium paid subscription is said to be only available in specific countries, but the payment form seems to appear in other places too. So I’m not sure how the service allows or disallows subscriptions.
A quick thought also occurred to me comparing this with iCloud email aliases from Apple, which is available for all paid iCloud subscriptions starting at the same price as this one ($0.99 per month) and allows the user to use their custom domain (Firefox relay premium gives you one custom subdomain under mozmail.com).
And for the same price, Apple also provides 50GB of storage and supports the iCloud Relay hop service for Safari (and apps, if supported).
I’d like to support Firefox monetarily, assuming the revenue from this service goes to Mozilla Corporation (not Mozilla Foundation) and to Firefox. But the attachment size limit is currently unacceptable for me.
Please keep the great feedback coming :)
On the other hand, they are injecting little scare bubbles into everybody's website to advertise this, and that rubs me up the wrong way so much i want nothing to do with it.
We fixed the original bug in Facebook Container that was showing the prompt on every website - now it only shows the prompt on websites where Facebook trackers are detected.
Facebook Container is something that inspired and influenced the development of Relay in the first place. Facebook Container users reported that they used websites and still saw ads from those websites in their Facebook feed, even though they were using Facebook Container. Because Facebook lets anyone create custom audiences for re-targeting, we need to give users a way to protect themselves from "back end" data sharing & tracking.
Pretty nice service however again I am afraid that one day the plug will be pulled and the email addresses will be orphaned.
The currency of this subscription is not valid for the country associated with your payment.
Just to clarify my earlier comment, you should be able to subscribe to premium if you're in the following countries with payment details that match the country: United States, Germany, United Kingdom, Canada, Singapore, Malaysia, New Zealand, France, Belgium, Austria, Spain, Italy, Switzerland, Netherlands, and Ireland.
For users outside these countries, we know that it's not as clear in the experience that premium isn't available yet, and we'll be making updates very shortly to make this more clear. Additionally, we'll continue to try and grow the list of countries that Relay is available in, so please give us your feedback to help us prioritize expansion. Also, the free experience is available globally, if you're not able to subscribe to Premium yet, but still want to use Relay.
I use https://improvmx.com/ to forward all subdomain email to my main email (gmail) account. It has an option to forward emails to a black hole too.
From that I have learned that big companies like Adobe & LendingTree get hacked too. Or they sell your data.
Probably works with other email providers too.
It's supported on Exchange Online/Office 365 environments. There's a switch to enable it. We use it in our organisation.
firstname.lastname@example.org is the same as email@example.com
Is there any way to create aliases on the fly?
Something like creating a new alias automatically when an email is received?
Alternatively, if you have a Premium subscription, you can set up a catchall subdomain for yourself, so that e.g. firstname.lastname@example.org gets forwarded to you without having to create the alias in advance. Of course, this has the disadvantage of being able to associate that alias with other aliases you create.
Unfortunately the Premium service that we launched yesterday is only available in a limited (but growing) number of countries. The free version should be available to you though.