How to Use Email Aliases for Security and Peace of Mind

Most people hand out their email address without thinking. Sign up for a newsletter? Drop it in. Create an account to buy something once? Sure, why not. Cashier asks for it? Oh come on, really? Over time, that single inbox becomes a magnet for spam, leaks, and unwanted tracking.

There's a better way that I've been employing since the early 2000s: use a different email address for each website and/or service you sign up for. This approach - sometimes called email aliasing - can save you headaches, protect your privacy, and even help you track down who leaked your info.

You wouldn't use the same password for every website/service login you have, right? So why would you do that with your email address when you don't need to?

What Is Email Aliasing?

Email aliasing is simply creating unique variations of your email address for each website and/or service. Instead of giving everyone the same contact info, you create a new address (or alias) for each account.

Depending on your setup, that might mean:

  • Adding a "tag" to your Gmail address (e.g. 'yourname+amazon@gmail.com'), sometimes called the plus hack.
  • Generating random forwarding aliases through a service like SimpleLogin, Firefox Relay, or Apple's Hide My Email.
  • If you own your own email domain name, use a catch-all address '*@yourdomain.com'.
  • Create forwarding addresses for your domain if you can't have a catch-all.

It's not about changing where your messages go - all your variations still land in your main inbox. It's about controlling how you hand out your digital identity.

Why Bother? The Benefits

  • Spam Control: If a unique alias starts getting junk mail, not only do you know which website/service is responsible for it, you can filter, disable, or delete it without any negative effects.
  • Privacy: Companies can't easily build a complete profile if every site sees you under a slightly different address.
  • Security: If your shopping123@domain.com address suddenly gets hit, you know exactly which site was breached.
  • Organization: You can set up filters to sort mail by alias, automatically labeling messages from stores, newsletters, or banks.
  • Compartmentalization: Using unique aliases means one leak doesn't expose your entire online life.

The Downsides

Like any strategy, this isn't magic:

  • Management overhead: Keeping track of multiple aliases requires discipline. A password manager can help, or just a simple text file stored in a secure manner.
  • Not always accepted: Some websites may block disposable or tagged addresses. I've never run into this issue using my own domain name, though.
  • No silver bullet: You still need strong, unique passwords and two-factor authentication (2FA).

How to Get Started

Option 1: Use Built-In Aliasing

  • Gmail: Add +something after your name and before @gmail.com (e.g. 'myname+netflix@gmail.com'). No setup required, just type whatever alias you want when you sign up or register somewhere.
  • Outlook.com/Hotmail: Supports custom aliases, some setup required.
  • Proton: similar to Gmail but also supports hide-my-email aliases.

Option 2: Use a Forwarding Service

  • SimpleLogin, AnonAddy, Firefox Relay, Apple Hide My Email: These generate random addresses that forward mail to you.

Option 3: Use Your Own Domain

  • Register a domain and set up a catch-all mailbox or e-mail forwarders. Then you can make up any alias you want: 'xitter@yourdomain.com', 'pepperoni@yourdomain.com', etc.

Tips for Staying Organized

  • Keep a master list of aliases in your password manager.
  • Group aliases by category: shopping, banking, subscriptions, one-time use.
  • Set filters: emails to pepperoni@yourdomain.com can go straight into a "Pizza" folder.
  • Retire compromised aliases instead of deleting them, so you don't lose access to old accounts.

Bonus: Advanced Tricks

  • Use subdomains, e.g. 'forum@signup.yourdomain.com'.
  • Combine aliasing with unique usernames.
  • Create "burner" addresses for sketchy sites you don't trust.
  • Don't simply use the domain name of the site or service as the alias, such as amazon for your amazon.com account. Add a little whimsy to your life and use something like CEOentrepreneur@yourdomain.com, or something else that is less obvious and harder for anyone who isn't you to guess than "oh, this person just uses the servicedomainname@yourdomain.com pattern for everything". This could, in theory, make you harder to hack because you aren't following the simplest of rules for your various online accounts.
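
The master list, the retire-instead-of-delete tip, and the advice to avoid a guessable servicedomainname@yourdomain.com pattern can be combined in one small ledger that also tells you which service an unexpected message points back to. This is an added example, not part of the original post: `AliasLedger`, `sample_message`, the word list and the `.example` sender domains are hypothetical, and it assumes a catch-all mailbox on yourdomain.com.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses, parseaddr

WORDS = ["pepperoni", "walrus", "gazebo", "kazoo", "turnip"]  # constructed word list

def sample_message(to, sender):
    # Constructed sample mail for trying the ledger; not real traffic.
    return f"From: Deals <{sender}>\nTo: {to}\nSubject: Hello\n\nbody\n"

class AliasLedger:
    """Master list: alias address -> service, its sender domain, and status."""
    def __init__(self, domain):
        self.domain = domain.lower()  # assumption: catch-all domain you control
        self.entries = {}

    def new_alias(self, service, sender_domain):
        # Random word plus random hex: nothing is derived from the service
        # name, so knowing one alias does not reveal the others.
        while True:
            addr = f"{secrets.choice(WORDS)}-{secrets.token_hex(3)}@{self.domain}"
            if addr not in self.entries:
                break
        self.entries[addr] = {"service": service, "status": "active",
                              "sender": sender_domain.lower()}
        return addr

    def retire(self, alias):
        # Retire rather than delete, so the record of the old account survives.
        self.entries[alias.lower()]["status"] = "retired"

    def classify(self, raw_message):
        """Return (alias, service, verdict) for one received message."""
        msg = message_from_string(raw_message)
        rcpts = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
        from_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        for _, rcpt in getaddresses(rcpts):
            rcpt = rcpt.lower()
            if not rcpt.endswith("@" + self.domain):
                continue
            entry = self.entries.get(rcpt)
            if entry is None:  # never issued: someone is guessing addresses
                return rcpt, None, "unknown-alias"
            if entry["status"] == "retired":
                return rcpt, entry["service"], "retired-alias"
            # From is spoofable, so a match proves little; a mismatch points
            # at the one service that was ever given this alias.
            s = entry["sender"]
            ok = from_domain == s or from_domain.endswith("." + s)
            return rcpt, entry["service"], "expected-sender" if ok else "unexpected-sender"
        return None, None, "not-for-this-domain"
```

An "unexpected-sender" verdict names the service whose alias is now in someone else's hands; "unknown-alias" means the address was never issued and is being guessed against the catch-all.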

What About Single Sign-On (SSO)?

Services like Google, Apple, and Facebook offer one-click login for thousands of sites. It’s convenient (you don’t have to juggle passwords) but it also ties many of your accounts to a single provider. If that provider account is compromised, a lot of your online life is suddenly at risk. It also means your login activity is visible to that company, which does not align with my own privacy goals.

If you do use SSO, protect it with strong security: enable 2FA, use hardware keys if possible, and consider limiting SSO logins to low-risk services, not critical accounts like anything with ties to your banking or finances.

Don't Forget the Bigger Picture

Using unique emails is powerful, but it works best alongside other good habits:

  • Avoid oversharing your personal info.
  • Unique passwords for every account. If you've memorized a password it's not unique enough.
  • Turn on 2FA wherever possible. SMS messages are not secure for two-factor authentication but arguably better than nothing. One-time passcode generators and hardware tokens are more secure.

Final Thoughts

Your email is more than just a way to get messages - it's the key to your online identity. By creating a different email for each service, you gain control, protect your privacy, and make it easier to shut down spam before it takes over.

You don't have to overhaul your whole system overnight. Start small: pick one aliasing method, use it for your next few sign-ups, and see how much easier it becomes to manage your digital life.

Sidenote

I'm toying with the idea of turning this into a series, perhaps calling it "OpSec Wednesday" (derived from Odin's day), but I'm not sure I can really come up with a ton of ideas for this category that I have a good amount of knowledge about and experience with.