this post was submitted on 25 Nov 2025

39 points (97.6% liked)

Privacy

43377 readers

456 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

How to skirt websites that block known domains of email forwarding services? [SOLVED] (slrpnk.net)

submitted 2 days ago* (last edited 21 hours ago) by curious_dolphin@slrpnk.net to c/privacy@lemmy.ml

34 comments fedilink hide all child comments

Solved: Thanks to all who commented, especially those who took the time to respond to my follow-up questions. Your responses were enough to convince me of the value of buying a custom domain in order to keep one's true email address private w/ the added benefit of working on websites that block known domains of temp/forwarding service providers.

Key takeaways:

Forwarding services' shared domains are useful for blending in w/ the crowd. (credit to @Cricket@lemmy.zip)
Custom domains are handy when you don't care about blending in and you want to use a website that blacklists known domains of disposable/forwarding service providers, including the paid-tier domains.
Deciding whether to enable catch-all:
- Enabled: You can make up new addresses without having to configure the alias manually each time, but it's also easier for spammers to guess valid addresses.
- Disabled: It's more difficult for spammers to guess valid addresses, but you'll have to configure your aliases manually unless you have regex matching for automatic creation of new aliases. With regex matching for automatic creation of new aliases, disabling catch-all has few if any downsides.
- Regex matching: Seems to provide the best of all worlds by making it harder for spammers to guess valid addresses without having to configure aliases manually each time.
For aliases, including a string of random characters after the company name makes it harder for spammers to guess your other aliases and/or learn where else you have accounts by spamming emails to every $companyname@example.com and seeing which ones bounce back. (credit to @erebion@news.erebion.eu)

Original post:

I've recently signed up for an email forwarding service w/ aliases so that I can keep my true email address private when I sign up for new websites and services. I should clarify that I'm less concerned about concealing my identity as I am about protecting my real email address, identifying who leaked my info when my email address is compromised, and being able to stop the spam by turning off that alias.

While updating my existing profiles to point to aliases instead of my real address, I've hit a snag - some sites (Steam, Slack, etc) won't allow me to update my email address to any known domains from my email forwarding service.

On these sites that block email forwarding addresses, for now I'm either updating my existing email address w/ a plus sign if the website allows it, otherwise I'm just leaving my existing email address unchanged. It's not the end of the world, they already have my real email address, and I can probably go a Very Long Time without needing to check those inboxes anyway, but I'm still miffed that I can't completely migrate my existing accounts to my new scheme.

I've read numerous posts about the benefits of custom domains to enable portability of email service providers, and I'm wondering if custom domains are the answer to these sites that disallow forwarding addresses, but I have questions:

How do other people deal with this situation?
Do these websites that block known email forwarding domains typically work on a whitelist or blacklist model? If the former (whitelist), then I'm thinking a custom domain will have the same problem, but if the latter (blacklist), then I reckon a custom domain with catchall might work.
Particularly owners of custom domains, do you find your custom domain is allowed more often than not or do you run into the same problem?

EDIT: Clarified my objectives.

top 34 comments

sorted by: hot top controversial new old

[–] anamethatisnt@sopuli.xyz 20 points 2 days ago (2 children)

Particularly owners of custom domains, do you find your custom domain is allowed more often than not or do you run into the same problem?

I've never had my own custom domain be blocked for signing up at a service personally.

[–] NightFantom@slrpnk.net 5 points 2 days ago

Years ago I was in a consulting company that had a tld ending in .consulting
So many websites didn't allow that because of shitty email verification rules that assume outdated tlds..

[–] erebion@news.erebion.eu 2 points 1 day ago (1 children)

I only ever had had a website reject my domain once, in around 15 years of using my own domains for email. I just signed up at another website providing the same service.

[–] erebion@news.erebion.eu 1 points 1 day ago

I host email using Stalwart, in case anyone is looking for something that is really easy to set up and maintain.

[–] Thorned_Rose@sh.itjust.works 2 points 1 day ago (1 children)

I use a custom domain with a personal email address that I only use for communicating with actual human beings. e.g. myname@example.com Then I have a generic email address that I use with a + for different services e.g. email+hfu2sb5d@example.com or email+ebay@example.com I use Bitwarden as my password manager and that can automatically generate a + email using random characters but I sometimes use the latter + form if I want a human readable email. This way I can see exactly what website/service has been breeched/sold my data if I get spam emails.

[–] curious_dolphin@slrpnk.net 1 points 1 day ago* (last edited 1 day ago) (1 children)

Makes sense. Follow-up question: Is there any particular reason why you use the email+hfu2sb5d@example.com or email+ebay@example.com as opposed to just hfu2sb5d@example.com or ebay@example.com?

If I understand correctly, the plus sign helps you see which organization has compromised your info, but the drawback of the plus sign is that a savvy spammer can figure out what your true email address is (the part before the plus sign), whereas aliases such as hfu2sb5d@example.com or ebay@example.com conceal your true email address.

Am I thinking about this correctly?

ETA I've also encountered sites where a plus sign in the email address is disallowed, which is another downside of the plus sign approach.

[–] Thorned_Rose@sh.itjust.works 1 points 15 hours ago

Its just less setup for me. My personal domain is shared with other people so I can't set a domain level catch all. That and its less setup for me. I have no automated way of easily creating new emails (and my email settings would get very cluttered with hundreds of different emails). With a generic email address that I use with a +, its just one email and whatever comes after the + will go to that email. Then I have more options for what to do with those emails in mail clients. In my case, I have different mail filters to send them to different mailbox folders. But I can also tag them, auto delete, auto forward, etc. Whatever your mail client filters can handle.

A savvy spammer can do that anyway by brute forcing whatever is before the @ for any email address at all.

I'm less concerned about spammers (which are annoyingly inevitable after a while) and more concerned with data breaches. Thus if I can see where my leaked email address came from, I know who to blame and its also a lot easier yo change my account logins.

And yes, some sites annoyingly disallow them but in that case I can create another email address for those since they are few and far between.

[–] frongt@lemmy.zip 7 points 2 days ago

It's a blacklist. You'd just have to use a different domain.

[–] Cricket@lemmy.zip 3 points 1 day ago (1 children)

I also use an email alias service and have dealt with this a handful of times. Here's how I've been able to address most of them, in order of what I tried which worked, meaning that items lower on the list were more rarely required but also more likely to work than items higher on the list:

Instead of using the free-tier alias domain names (like freealiasservice.com), I used the paid-tier ones (like paidaliasservice.com).
Instead of the common domain names shared by everyone (like aliasservice.com), I used a custom subdomain, (like cricket.aliasservice.com).
Instead of either of the above, I used a custom domain name.

So the above is the answer to your first question. The answer to your second is that in my experience the majority of sites that block certain email domains are using a deny-list instead of an allow-list. The answer to your third is that custom domains should work for the vast majority of sites. I think it would be silly for sites to use allow-lists for this, but I've heard of some doing it.

One other thing to keep in mind about my list is that it's also more or less in order of most private/anonymous to least private/anonymous. Item 1 hides you in the crowd, while 2 and 3 can be more easy to associate with you if you have enough of them for someone interested in finding this out to do some matching to determine if you use services a, b, and c, for example.

I hope this helps.

[–] curious_dolphin@slrpnk.net 2 points 1 day ago* (last edited 1 day ago) (1 children)

This is very helpful - thanks a lot!

[–] Cricket@lemmy.zip 1 points 22 hours ago

Glad to hear! You're welcome!

[–] JoMiran@lemmy.ml 4 points 2 days ago* (last edited 2 days ago) (1 children)

I use Proton Pass for this. It creates the alias, which can be paused when not in use, and manages the login. The free tier gives you a handful but the paid tier is unlimited. If you own/buy a domain, you can configure it to be the domain for all of your aliases. For example, you walmart login could be

walmart@curious_dolphin.net

[–] Xylight@feddit.online 1 points 10 hours ago

My problem with the own-domain tactic is that it reduces anonymity, since you're most likely the only person using that email domain.

[–] MangoPenguin@lemmy.blahaj.zone 2 points 1 day ago (1 children)

I use a custom domain with catch-all enabled.

[–] curious_dolphin@slrpnk.net 2 points 1 day ago (2 children)

I've seen this approach mentioned in other threads. Where does one configure catch-all, is that in the settings for the mail provider or the domain registrar?

[–] erebion@news.erebion.eu 4 points 1 day ago (2 children)

Don't use Catchall, this can lead to a lot of spam, as ANY address on your domain will be accepted, making it even easier for spammers guessing valid addresses.

[–] MangoPenguin@lemmy.blahaj.zone 1 points 1 day ago

I've never had issues with it, been using it for years.

[–] curious_dolphin@slrpnk.net 1 points 1 day ago (2 children)

Gotcha, so then without a catch-all, is it still possible to make up something on the fly or will I need to predetermine my aliases before I give them out? I guess it's kinda rare, but I'm thinking about the odd circumstance where I need to come up with something on the spot and I'm away from my computer.

[–] MangoPenguin@lemmy.blahaj.zone 1 points 1 day ago (1 children)

I've never had spam issues with catchall, and it saves a ton of time vs having to go create aliases constantly.

[–] erebion@news.erebion.eu 2 points 1 day ago (1 children)

I've once enabled a catchall in addition just to test and got spam, then I turned it off again. Seems you got lucky. Overall if you use catchall and later run into spam issues, it gets much harder to get rid of it, as you cannot turn off the catchall if you don't even have a list of aliases to still let through.

[–] curious_dolphin@slrpnk.net 1 points 22 hours ago (1 children)

if you use catchall and later run into spam issues, it gets much harder to get rid of it, as you cannot turn off the catchall if you don’t even have a list of aliases to still let through.

If the forwarding/aliasing service automatically creates an alias when the first email is received, then that skirts this problem, right?

[–] erebion@news.erebion.eu 1 points 22 hours ago (1 children)

No, it cannot know for sure whether the first email is spam.

[–] curious_dolphin@slrpnk.net 1 points 21 hours ago (1 children)

I see the problem now; however, if the aliasing tool has regex matching (and the matching pattern is hard to guess), then I believe that solves the problem of keeping spam out while enabling automatic creation, would you agree?

[–] erebion@news.erebion.eu 1 points 21 hours ago

Probably, but building all that takes far more effort than adding an alias. Or many.

[–] erebion@news.erebion.eu 2 points 1 day ago (2 children)

Well, in my case I just add an alias to my mailserver each time. Your mail-eage may vary.

I don't want to use plus signs as that always let's anyone kow what the real address is.

I forward those emails to an address which is random. For example: udhxhdjeiwk@example.com

This address is never used anywhere. So I know all emails appearing there aren't spam but from the original sender.

Each alias looks like this: company_name-[eight random character/numbers]@example.com.

If I ever get spam, I simply delete my account at the company, as they had leaks (I often know way before Have I Been Pwned) and delete the alias. This way I have no spam (only on my personal address, which I hand out).

[–] curious_dolphin@slrpnk.net 1 points 1 day ago* (last edited 1 day ago) (1 children)

I forward those emails to an address which is random. For example: udhxhdjeiwk@example.com.

Can you elaborate on the benefit of using a random string for your secret/true inbox? Is it so that if it's ever compromised you can just spin up a new random string as your new inbox, point all your aliases to the new one, and burn the old one?

Each alias looks like this: company_name-[eight random character/numbers]@example.com.

Same question, how do the random characters after the company name benefit you? Is it so that if you want (or need) to continue using that particular service after a data leak, then at least you can update your profile to company_name-[different set of random characters]?

[–] erebion@news.erebion.eu 2 points 1 day ago

Can you elaborate on the benefit of using a random string for your secret/true inbox?

Something obvious like "inbox@" or "hello@" would get a lot of spam, a random string does not receive spam as spammers usually do not send anything to my random string. :)

Is it so that if it’s ever compromised you can just spin up a new random string as your new inbox, point all your aliases to the new one, and burn the old one?

I doubt it'll ever get compromised, as I don't use this emailadress anywhere. It's just internal for my emailserver. I could also have it drop that all in a specific folder of my personal emailadress, but that's how I've set it up. Should I ever receive spam there, I'd set up a new random string and fix my aliases to point there.

But again, highly unlikely that this should become necessary.

Same question, how do the random characters after the company name benefit you? Is it so that if you want (or need) to continue using that particular service after a data leak, then at least you can update your profile to company_name-[different set of random characters]?

No, it's just so that I receive less spam. Imagine you use corp@example.com at a website, that gets leaked. Someone could have the idea, looking at this, that they could use this to find out where you have accounts by seeing whether emails get rejected from the mailserver or not and they could also just flood you more easily by just sending thousands of emails to every $companyname@example.com.

For a short while, I had it without, but this way I got some spam, which is solved now.

[–] curious_dolphin@slrpnk.net 1 points 1 day ago

Okay, I think I'm following, thanks for the detailed explanation.

mail-eage

Nice!

[–] MangoPenguin@lemmy.blahaj.zone 2 points 1 day ago

Its a setting on the mail server/provider.

[–] artyom@piefed.social 2 points 1 day ago (1 children)

I deal with it by not patronizing those sites. Refusing to accept alias domains is nothing short of malicious. Same with VoIP.

[–] curious_dolphin@slrpnk.net 2 points 1 day ago

Going forward, this approach checks out, but I'm also looking to unfuck my existing accounts. Beginning to think a custom domain is the way to achieve that.

[–] gary_host_laptop@lemmy.ml 3 points 2 days ago

I have a list of the websites that I can't use an alias that I'm signed up for, for those sadly I just leave my real e-mail address or use a secondary one depending on how much I trust the web site. Luckily I changed my alias on some that don't let you before they added the blacklist (like Steam and GitHub) so I am able to use aliases, although they are not formatted like how I format them now.

[–] Zomg@piefed.world 2 points 2 days ago* (last edited 2 days ago)

I use fastmail for this, maybe give it a shot if you haven't heard of them before. I've never had their domain blocked so far. You create masked emails for whichever service you need. It's also integrated into 1password.

[–] lepinkainen@lemmy.world 1 points 1 day ago

Fastmail + masked email has worked flawlessly