Hi @Steve and Security Now Listeners,
Long time, first time - After recent discussions in SN965 regarding Mark's issues, as well as Emma in SN963, I wanted to share my solution for email aliases. I was previously a long time user of plus aliases with gmail. Like Mark, I received occasional issues with services not supporting the plus sign in the email field. I most commonly ran into weird issues where a website frontend would accept the plus alias for sign up but the backend would seemingly have issues - I would maybe not receive the confirmation email, or not be able to log into the app.
I have also received spam to username+xxxxxxxxxxx[at]gmail.com - where the x's are literally in the address. They didn't strip the alias, they just overwrote it with x's! I found this especially galling.
So I looked for an alternative solution that wouldn't use the plus sign. When I was searching, this was well prior to many of the current alias solutions that have been discussed in recent episodes, and I believe my solution remains superior on many aspects. I have used this solution at several different providers over the years.
I settled on an email forwarding provider that allows setting regex aliases on a personal domain. I can set simple patterns to match, and corresponding email address or addresses to forward matching emails to. The best part about this solution is that, once set up, I have infinite aliases that I can create on the fly. It's not a solution I would recommend for most people, but I don't think it should be very complicated for Security Now listeners. Here are some examples of my use cases:
^bob-.+@mydomain.tld forwards to username+bob[at]gmail.com
- Using this I can create any email alias on the fly, just like plus aliasing. Anything sent to bob-[anything] is forwarded to me: bob-amazon[at]mydomain.tld, bob-facebook[at]mydomain.tld, etc.
- I typically use this for sites where I want to create an account.
- A site cannot "strip" the alias (like plus aliasing) because it is a non-standard format and only known to me.
- I can subsequently blackhole any specific aliases that are abused, leaked, or spammed.
- My whole domain won't be blocked like commercial alias services (e.g. @duck.com, etc.)
- I can still subscribe to breach notifications on haveibeenpwned.com/DomainSearch
- This cannot (easily) be done with a commercial alias provider, or plus aliasing
- The on-the-fly creation is even more convenient than using a browser addon
- It can be used in-real-life too - like when at a kiosk or at a coffee shop
- I save the address used for signup in my password manager so I don't have to remember what term I used for any particular website
- I can create gmail filters to match and sort these alias patterns to organize my inbox
- More examples of my regex aliases:
^news-.+@mydomain.tld forwards to username+news[at]gmail.com
- This could be used for those news websites that now require a valid email address to be entered in order to read a website. I can filter these in gmail to archive automatically, or send to spam, etc.
^family-.+@mydomain.tld forwards to both myself and family members
- To share an account which regularly requires an email 2FA code (*cough* streaming services *cough*), or for a website that doesn't have a password and uses magic links to login, as has been discussed on the recent podcast episode.
^receipt-.+@mydomain.tld forwards to myself
- I travel often and need to keep receipts. It is increasingly common for places to only offer emailed receipts. So you need a receipt and the only way to get it is to give them your email. The store will also now automatically sign you up for their rewards and spam list (I find this extremely offensive). Using this alias, I can collect my receipt and mitigate the unrelenting spam that is sure to follow.
^blackhole-.+@mydomain.tld is set up to blackhole at the forwarding provider
- It is valid and I could enable forwarding if ever needed.
- All of my aliases can be linked under a common domain
  - I believe my pros outweigh this con. This is no different than using plus aliases, and this is moot when an alias service is blocked (e.g. @duck.com, etc.)
- Email replies
  - I cannot easily reply from my alias. I can set up a new sending address through my provider, but this is manual and a hassle.
  - I haven't come across any issues with this in practice. I can reply from name[at]mydomain.tld
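As an added example (not part of the listener's email and not the code of any forwarding provider), the following Python models the regex-alias routing described above: a table of patterns like the ones in the email, a router that decides whether an incoming recipient is forwarded, blackholed, or rejected, and a small linter for the pitfalls a loosely written pattern such as `^bob-.+@mydomain.tld` carries. The rules, the domain `mydomain.tld`, and the target addresses are constructed for the demonstration; the patterns are deliberately stricter than the email's (anchored at both ends, escaped dot, a restricted character class for the tag) so that an address like `bob-x@mydomain.tld.attacker.example` is not swept in by an unanchored `.+`.

```python
import re
from typing import Optional

# Constructed alias table modelled on the email's examples (hypothetical values).
# Each pattern maps to its forwarding targets; an empty list means "blackhole".
DOMAIN = "mydomain.tld"
_D = re.escape(DOMAIN)  # escape the '.' so it cannot match any character
RULES = {
    rf"^bob-[a-z0-9]+@{_D}$":       ["username+bob@gmail.example"],
    rf"^news-[a-z0-9]+@{_D}$":      ["username+news@gmail.example"],
    rf"^family-[a-z0-9]+@{_D}$":    ["username+family@gmail.example",
                                     "relative@example.net"],
    rf"^receipt-[a-z0-9]+@{_D}$":   ["username+receipt@gmail.example"],
    rf"^blackhole-[a-z0-9]+@{_D}$": [],   # accepted, then silently dropped
}
COMPILED = [(re.compile(p), targets) for p, targets in RULES.items()]


def route(recipient: str) -> Optional[list]:
    """Decide what happens to mail for `recipient` under the alias table.

    Returns the list of forwarding targets, [] for a blackholed alias, or
    None when no rule matches (a real forwarder would reject or bounce).
    Local parts and domains are compared case-insensitively by lower-casing.
    """
    addr = recipient.strip().lower()
    for rx, targets in COMPILED:
        if rx.match(addr):
            return list(targets)
    return None


def lint_pattern(pattern: str) -> list:
    """Flag common weaknesses in a hand-written alias regex.

    Applied to the email's style of rule, '^bob-.+@mydomain.tld', this reports
    the missing end anchor, the over-broad '.+', and the unescaped '.'.
    """
    problems = []
    if not pattern.startswith("^"):
        problems.append("no start anchor: 'notbob-x@...' would also match")
    if not pattern.endswith("$"):
        problems.append("no end anchor: text after the domain still matches")
    if ".+" in pattern or ".*" in pattern:
        problems.append("'.+'/'.*' also matches '@' and '.'; use a character class")
    domain_part = pattern.split("@", 1)[1] if "@" in pattern else ""
    if re.search(r"(?<!\\)\.", domain_part):
        problems.append("unescaped '.' in the domain matches any character")
    return problems


if __name__ == "__main__":
    for who in ["bob-amazon@mydomain.tld", "blackhole-oldshop@mydomain.tld",
                "bob-amazon@mydomain.tld.attacker.example", "alice@mydomain.tld"]:
        print(f"{who:45} -> {route(who)}")
    print(lint_pattern("^bob-.+@mydomain.tld"))
```

The linter is the part worth keeping around: most forwarding providers simply hand the pattern to a regex engine, so whether a rule is anchored and whether its dots are escaped is entirely the alias owner's responsibility, and a loose rule can quietly accept addresses the owner never meant to create.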