Privacy tools - Email aliases

Person that likes to protect his personal email address.

Protect your personal email address

When our personal information is leaked, we often think the most precious piece of information is our password. When we use that password for multiple accounts (you should prioritize using a password manager! 😉), that would certainly be true. But when we use a password manager, we can safely state that the damage is limited to a single account (take a look at the article about password managers). In that case, the leaked information grants access to only the impacted account.

Our email address is the next piece of valuable information for an attacker in such a data leak. It is a direct line of communication: a way to reach us, because we check our mailbox multiple times a day. And although we might possess multiple email addresses, those addresses are often deeply intertwined in our digital lives and would be very hard to just give up or delete when compromised. Additionally, that email address could be the gateway to a lot of our other accounts (think of password resets).

Now that we make use of a password manager, it is time to take the next step and start protecting our email address against data leaks. This is where email aliases come in!

What is an email alias?

Just like an alias is a 'fake' or 'assumed' name, used to hide your true identity, an email alias is a separate email address used to hide your real email address. An email sent to an email alias will be delivered to the inbox of your normal email address. So, you will still receive all your email in the same place.

There are multiple types of email aliases, each serving their own purpose. There is some difference in functionality and effort needed to set up the aliases.

Plus-aliases

A first example of email aliases are the 'plus'-aliases. This functionality is implemented by email providers such as Gmail and Outlook. When your normal email address is jack.smith@gmail.com, a plus-alias would be jack.smith+facebook@gmail.com (this is only an example, I do not recommend using Google, Microsoft or Facebook 😉).

What you can see right away is that these plus-aliases don't hide your real email address: everything before the '+' is still your actual mailbox. They are thus not very valuable for protecting your email address from data leaks. They do however make it easier to identify who is sending you an email and allow you to use automation (filters) for archiving messages. As long as the sending party is using the exact email address you provided, you know who is trying to reach you, regardless of the 'From' address.

Another downside with plus-aliases: you cannot send from these aliases. Sending emails will always happen from your real email address.

Alias 'service'

Your real email address can only be really protected when you make use of an (external) service for your email aliases. One example of such a service would be Proton Pass, as part of the larger Proton ecosystem. Primarily being a password manager, Proton Pass also has email alias functionality. The 'local id' (the part in front of the @ symbol) of the email address is (partly) generated and appended with a domain that is controlled by Proton, for example: facebook.bust498@passmail.net. Behind the scenes Proton makes the necessary configuration to have emails sent to this alias end up in your inbox.

Contrary to plus-aliases, you can send email from these aliases. Your initial email is sent using your personal mailbox to an 'in-between' address. This address is often a combination of your actual recipient and the alias from which you want to send the email, ending in the @passmail.net domain. The email will first end up on the Proton servers where the email headers (the invisible pieces of information attached to an email to ensure proper delivery) are rewritten and your personal details are removed. The message is then sent to the final destination.

A similar service is provided by Addy.io. You create an account based on a username and an email address (probably just your normal inbox, although that is not mandatory). Your username becomes part of all your email aliases, placed right after the @ symbol, creating a 'catch-all' functionality. Addy.io gives access to 2 shared domains: anonaddy.me and anonaddy.com. In combination with your username, facebook@superniceusername.anonaddy.me could be an alias for delivering email to your inbox. The 'catch-all' functionality ensures any 'local id' (the part of an email address in front of the @ symbol) automatically ends up in your inbox, as long as the domain part (the part of an email address after the @ symbol) is @superniceusername.anonaddy.me or @superniceusername.anonaddy.com. This approach allows alias creation 'on the fly', so you don't need to create an alias first before using it.

With both services, you get the (paid) option to connect your own domain name. This domain is linked to your account only and both services offer 'catch-all' functionality on custom domains. This way all email aliases ending in @mysupercooldomain.com will deliver to your inbox. Using your own domain gives you more independence from the service. You control your domain, so you can always move between service providers and bring your domain along. This way you won't have to change your alias addresses to the new service provider's domain. Keep in mind that using your own domain will require you to create the correct DNS records to get everything working. The configuration pages of the providers will tell you which records to create.

Ultimate alias control

A third option would be to host your own mail server or your own alias service (Addy.io has documentation to self-host, both with Docker and as a 'bare' install). You buy your own domain(s), install or rent a publicly accessible server and install and configure everything yourself. Email sent to your domain(s) is delivered on your own server and you decide what to do with it: deliver it to a self-hosted inbox (when running a full-blown mail server) or forward it to your personal email address with an email provider. Everything is possible. Ultimate control, but also ultimate responsibility, so this makes it an option for tech-savvy users only.

Hosting your own mail server is not an easy operation and you should think this through carefully. Mail servers are constantly targeted by attackers who want to abuse them for spam campaigns. You will have to know what you are doing and master the 'ins' and 'outs' of email (SPF, DKIM, DMARC... to name a few).

The goal

Our goal is to protect our personal email address. We want to limit the ability to be contacted directly to people we (mostly) trust with (bits of) our personal information. We also want to limit exposure of our personal email address. Online accounts, forums, social networks, web shops... They don't need our actual personal email address to provide us with their services. As long as we receive their emails, everything will work out fine.

An additional benefit of email aliases is the option to switch them off or delete them. If one of your aliases is part of a data leak, you change the password and the email address used in that account and disable or delete the alias address. Nice and clean 😉

Or when you don't like the content of a newsletter anymore. No bothering with (not functioning) 'unsubscribe' stuff. Just disable the alias (to "pause" the newsletter) or delete it (to unsubscribe for good).

Pay attention though: with some services deleting an alias is really permanent (making it impossible for anyone to re-create it), while other services make the alias available again to any user (leading to possible privacy issues if someone else re-creates your deleted alias and receives your mail). The alias service will tell you how they handle alias deletion, but I would advise to always disable an alias instead of deleting it.

Whatever option you use, using aliases also allows you to spot which service provider sells your information or who suffered a breach without telling you. Suddenly receiving email from an insurance company on your mybank@mysupercooldomain.com alias? Time to call the bank and see what is going on...

How do we continue?

Just as described in the article about password managers and in the article about 2 factor authentication, now is the time to start applying the knowledge obtained in this article.

The first task is to decide on your approach: which service will you use and how will you use it? Addy.io, Proton Pass, another service? Have a look at their websites and make a comparison of what you get and what it will cost you (or what the free version offers). Think about buying or using your own domain(s) for added flexibility.

If you already have a Proton account, I would suggest you take a look at Proton Pass.

Don't have a Proton account or want to have the option to change the inbox where you receive your email? Have a look at Addy.io.

Once you have set up your chosen alias solution, I would advise to work just like we did in the article about password managers and in the article about 2 factor authentication: step by step.

Every time you're asked for an email address, give a new alias. Every time you log in to an already existing account, open the account settings and change the email address to a new alias address. Use separate, unique alias addresses for each account (just like you do with passwords: one per account).

This way you spread the time and effort, and eventually all your accounts become more secure.

Good luck!
