Masked email from Fastmail and 1Password (fastmail.com)
380 points by davidbarker on Sept 28, 2021 | hide | past | favorite | 207 comments



I love the idea of doing this. Just like I do the idea of using Apple's "hide my email" feature. But in reality you're completely locking yourself into that provider. What if I want to change provider or the provider decides to sunset this feature? My logins are now split up so much it'll be a full time job getting them set back to my primary email address. It's a trade-off I guess because you can't solve it any other way from what I know of!


Hi, one of the 1Password engineers who worked on this. Glad to hear that you like the idea!

One of the really nice parts of building this out with Fastmail is that you can create Masked Emails for your own domain. So, if you ever decide that Fastmail isn’t right for you, then you still receive all of those emails when you set up a wildcard alias with your new email provider.

Similarly, if you ever decide that 1Password isn’t right for you, that doesn’t stop you from receiving your emails. And the email addresses should still be part of your 1Password export.


I've had this thought for a product multiple times. I run my own mail server, and for years I've created a random email for every service. Main reason was to figure out who is selling my email addresses.

The main thing that always held me up was, how do you plan to avoid getting blacklisted at the domain level if people start abusing the ability to create random emails? A few services I use even disallow Gmail addresses.


I've had services refuse my fastmail.fm email address, with the reason that they don't allow "disposable" email accounts. But they accepted my gmail.com address....


Not that this was their criteria (they seldom if ever think it through to this level), but gmail requires a phone number after a certain point. And they only allow 4 accounts per phone number.


That's a good concern.

I can't fully speak for the Fastmail folks, but I know that there are a few upper limits for how many masked email addresses that one account can create. We tried to set them unreasonably high to allow for all manner of legitimate use while still preventing bad actors. They're also monitoring usage and tuning that limit. Plus, you can always email support and ask for an increase for your specific account, if you ever bump up against it.


Sell private domains as an "enterprise" feature, and have different sets of IP blocks warmed and ready to go for when they eventually get blacklisted. But selling it as a service involves a higher level of effort due to that exposure. Configuring a private domain for just yourself to solve the problem just for you doesn't have the same risk exposure.

mailinator's been around providing this (as a receive only) service for decades by this point.


Hang on hot potatoes. I use 1Password. So are you saying I can generate a login that uses

myaccount+alias@mydomain.com

automatically?


Those +plus aliases still make it easy for people to find your actual email address.

We go one step further and generate a random email address for each new service you sign up with. It'll look something like "hot.potatoes4827@mydomain.com".

You can create a new masked email anywhere you have the 1Password browser extension, including our brand new iOS Safari extension.


This is nice in terms of hiding your actual address. However, it makes migrating away harder because now instead of setting a simple rule to strip the + for forwarding, you need to individually map each address.


So what is it that you want? Either you want a masked email or you want an easy way to migrate away. You could still set up trashcan+randomdigits@yourdomain.com manually. Or you could set up a catchall rule for your new provider.

Unfortunately, way too many internet services don't allow the plus sign in an email address. It's weird, but it's true.


Even worse, I've had front end systems accept account creation with this address format, but their backend system fails when using some integrated service. The result is 3 months after setting up the account something breaks when I try some other functionality and I have had to contact their help desk and ultimately we stumble through and realize the problem may be my email address.


There are varying levels of masking. I would consider an email myusername+random@domain.com as a masked address. Of course it is trivially unmasked. But assuming I am willing to accept that, it does offer a different tradeoff with respect to convenience. It's true though that it is fairly trivial to manually add +random


`sed 's/[+][^@]*@/@/'` over the email list will get rid of enough "plus" email addresses. Better use a custom delimiter if you're relying on the + character for anything.
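The stripping that one-liner does, generalized as an added Python example (not code from the thread): it collapses plus, custom-delimiter and Gmail-dot variants to the one address a list-broker would key on, and shows why a random local part survives the pass. The delimiter table, the `mydomain.com` entry with a custom "-" delimiter, and the sample list are assumptions for the demo.

```python
import re
from collections import defaultdict

# Sub-address delimiter per provider. "+" is the RFC 5233 convention; the
# "-" entry stands in for a host whose owner picked a custom delimiter.
# Assumed values for this example, not a vendor table.
TAG_DELIMITERS = {"gmail.com": "+", "fastmail.com": "+", "mydomain.com": "-"}
DEFAULT_DELIMITER = "+"
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}  # dots in the local part are ignored

ADDR_SPEC = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonicalize(addr: str) -> str:
    """Reduce an address to the identity a list-broker would link on.

    Drops the sub-address tag (user+tag@ -> user@), folds case, and removes
    dots for dot-insensitive providers. A random local part such as
    hot.potatoes4827@ has no delimiter to split on and survives unchanged,
    which is the whole point of a masked address.
    """
    addr = addr.strip()
    if not ADDR_SPEC.match(addr):
        raise ValueError(f"not an addr-spec: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    delim = TAG_DELIMITERS.get(domain, DEFAULT_DELIMITER)
    local = local.split(delim, 1)[0].lower()  # drop "+tag" / "-tag" once the delimiter is known
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def link_identities(addresses):
    """Group a leaked list by canonical address: the 'unmasking' in one pass."""
    groups = defaultdict(list)
    for a in addresses:
        groups[canonicalize(a)].append(a)
    return dict(groups)


if __name__ == "__main__":
    leaked = [  # constructed sample list
        "alice+shop@gmail.com", "A.lice+news@Gmail.com",
        "alice-tractor@mydomain.com", "hot.potatoes4827@mydomain.com",
    ]
    for canon, seen in link_identities(leaked).items():
        print(canon, "<-", seen)
```

A custom delimiter only buys time until someone adds one table entry; a local part with no structure at all gives the stripper nothing to work with.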


> you need to individually map each address.

How hard is that though? Export all email addresses from 1Password (trivial), extract generated emails (trivial), and add forwarding rules for each one in your mail server (trivial to easy depending on your setup).

Maybe not easy for non-savvy users, but neither is a custom domain or even knowing about the + trick.
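The three migration steps above (export, extract, add a rule per address), as an added Python example that is not from the thread: it parses a password-manager CSV export, pulls out every address at the masked domain wherever it appears in a row, and renders one forwarding line per address in Postfix virtual(5) syntax, plus a check for addresses the server's existing map does not yet cover. The column names, the `masked.example` and `newprovider.example` domains, and the sample rows are assumptions; a real 1Password export may lay its columns out differently.

```python
import csv
import io
import re

MASKED_DOMAIN = "masked.example"        # domain the masked addresses live on (assumed)
FORWARD_TO = "me@newprovider.example"   # mailbox at the new provider (assumed)

# Any addr-spec at the masked domain, also inside free text such as a Notes field.
MASKED_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@" + re.escape(MASKED_DOMAIN) + r"\b", re.IGNORECASE
)


def extract_masked(csv_text: str, domain: str = MASKED_DOMAIN) -> list:
    """Return the unique, lower-cased masked addresses found in an export.

    Every column is scanned, so an address recorded in Notes rather than
    Username is still migrated. Addresses at other domains are ignored.
    """
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for value in row.values():
            for local in MASKED_RE.findall(value or ""):
                found.add(f"{local.lower()}@{domain}")
    return sorted(found)


def render_virtual_map(addresses, target: str = FORWARD_TO) -> str:
    """One 'alias  destination' line per address, Postfix virtual(5) syntax.

    Install as /etc/postfix/virtual, run postmap on it, and list the masked
    domain in virtual_alias_domains. There is deliberately no wildcard line:
    unknown local parts are rejected, which is allowlist rather than catch-all
    behaviour.
    """
    width = max(len(a) for a in addresses) + 2
    return "".join(f"{a:<{width}}{target}\n" for a in addresses)


def unmapped(addresses, existing_map: str) -> list:
    """Addresses from the export that the server's current map does not cover."""
    covered = {
        line.split()[0].lower()
        for line in existing_map.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return [a for a in addresses if a not in covered]


# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """Title,Url,Username,Password,Notes
Hacker News,https://news.ycombinator.com,hot.potatoes4827@masked.example,hunter2,
Tractor Supply,https://www.tractorsupply.com,good.castle3827@masked.example,x,
Old Forum,https://forum.example,me@mydomain.ca,x,"also signed up as dusty.canyon91@masked.example"
Duplicate,https://dup.example,HOT.POTATOES4827@masked.example,x,
"""

if __name__ == "__main__":
    addrs = extract_masked(SAMPLE_EXPORT)
    print(render_virtual_map(addrs), end="")
    print("# not yet mapped:", unmapped(addrs, "hot.potatoes4827@masked.example  me@old.example"))
```

Run `unmapped()` against the live map after each export to catch logins added since the last migration pass; the diff is the to-do list.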


Or you could just enable a catchall address and get all of them without doing any stripping or mapping.


True although this only works if you're the only user on your domain.


I have an extra domain attached to fastmail which I only use for junk. If you know the domain where my main email lives, you can pretty much guess a couple of aliases which will work. I want my junk mail completely separate from my useful mail.


Settings -> Domains -> Team Settings -> Masked email domain.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort


I ended up at https://$mydomain.1password.com/integrations/directory and I can only see Fastmail as an option. Clicking there it asks me to Connect with Fastmail rather than that I can provide my own domain. I already have a wildcard domain setup so I'd like to use it as @davzie mentioned.


You need to OAuth to Fastmail (the service) to hook it up, then as was mentioned above, you can go into the settings in your Fastmail account to choose which domain your Masked Email addresses are created in:

Settings -> Domains -> Team Settings -> Masked email domain

It will default to fastmail.com, but easy to change it.


Oh, I completely misunderstood then, I thought I could do this with just 1Password. I already have email setup myself and don't need Fastmail, so then it seems I cannot use this feature. I'll just continue myself to randomly generate my addresses then...


Well, as I understand it you'd have to do this manually. As in, pick a random alias for the site, use that as your email address there and enter the same one in 1password (or any other credential store).

The full "it just works" integration seems to only work between 1password and fastmail directly.


With fastmail, you can do that already. I do that. I have addresses like some_random_list_I_joined@mydomain.com


True! I've been doing wildcard.company.name@mydomain.com for a few years now with Fastmail. This makes it one step easier to generate that email address, as well as one-click blocking any alias that starts receiving spam.


You can also do things like a wildcard on a subdomain like dodgywebsite@auto.yourdomain.com.

Otherwise subaddressing with + works well with most mail hosts other than Microsoft Exchange / Office365 (which have had endless problems).


That's the way to go. I set up a rule where everything going to *@a.mydomain.com goes into a folder which I largely ignore. Every website gets a unique prefix, e.g. ycombinator@a.domain.com.

The advantage of Masked Emails is that third parties won't even know about mydomain.com. The disadvantage is that you need 1Password to recall which email address you used with a particular website.


You also need to be a Fastmail customer.


Yes, but if your goal is to hide your identity, this really wouldn't work. Everything is still tagged to your identity, i.e. @mydomain.com.


> Yes, but if you goal is to hide your identity, this really wouldn't work

It still could.

> Everything is still tagged to your identity, i.e. @mydomain.com.

If your domain is tied to your identity, then yes. But to be extra clear, this should have said "Everything is still tagged to your domain" as not everyone has their domain tied to their identity. I for example have my domain set up at njal.la with zero personal details attached to the domain itself, either publicly or at njal.la.


Except now this comment ties your username to that domain ;)


To njal.la? I guess that's fine, I'm not their only user ;)


Maybe not the best idea to provide that info in searchable plaintext tied to an account you own?


Neither my identity here, my domain or my account on njal.la is connected to anything in my real life so not sure why it would be a bad idea?


A comment you made in the past or make in the future could reveal something; simply changing the text to "njal dot la" would prevent a google search of the domain from finding this.


Doesn’t that rather defeat the point though? I can set up a wildcard for fastmail and use any account name I want to sign up to services without any intervention from 1password.

Edit: saw someone point out this only works for one user per domain.


I've been a happy Fastmail customer for years prior to working on this feature. I've used a wildcard with my Fastmail account, created a new email address for each service I sign up with, and stored that email address in 1Password. All by hand. It's a tiny hassle, but one that I think is worth it.

The Masked Email integration makes that entire process automatic. It's even easier than before. It's enough to convince a few Fastmail-using friends to start doing it.


Yeah I also do this: I own my domain and I use a catch-all setup at my email provider so <anything>@jpreston.xyz goes to my inbox.

I suppose the advantage with a non-custom domain is you leak no info about yourself, the masked email is 'just another Fastmail email address'. But doing it for a custom domain feels like it defeats the point, isn't it just like catch-all at that point?


The value is in knowing who leaked your email address, and being able to take action based on that. If you use a unique address for every service then you can know for certain that a random Internet store got hacked, or sold their database. In either case, you kill the credit card you used (privacy.com) for that store before it gets used elsewhere, saving you additional time and money on having to deal with your banks.


It lets you migrate without having to update your email across every account.

It’s what I do with a custom domain (though only have a handful of custom aliases currently).

Having this integrated in a first class way is a nice surprise and a really great feature imo.

It’ll make it easy to see who leaked your email and kill the alias while also not locking you into fastmail forever as a provider.


[deleted]


Definitely! You can decide within Fastmail’s settings[0] which domain you want to use for masked emails. It can be fastmail.com, one of their fun domains like afcrichmond.uk, or one of your own. I've even seen some 1Password coworkers buy a brand new domain purely for their masked emails, so you can generate a “good.castle3827@youdontneedtoknowme.com” while still using “me@mydomain.ca” for your actual personal email.

[0]: https://www.fastmail.com/settings/domains


I already was doing something similar and have been for what…5 years I think? Anyway, I have an account with Fastmail and my own domain configured with their “catch all addressing” feature, such that anything before the @ doesn’t matter, it ALL goes to me and only me (I’m the sole user of said domain). So I can do things like apple@mydomain, microsoft@mydomain, playstation@mydomain and so on to both keep each address separate from the others and so if there’s a breach or other shady shit going down, I know at a glance who’s responsible and thus have some idea of my exposure risk. Ideally though I’d like to be using UUIDs before the @ so specific targeting by guessing something like “I’ll bet his Venmo account is venmo@“ won’t be possible, I just haven’t started doing that yet.

Lately I’ve been combining this with cards via privacy.com to further limit my risk in the event of another data breach, and so far it’s working quite well, though I do have a long way to go to fully convert everything.

As for longevity, Fastmail has been around since 1999 in some form or another, and even made themselves independent again after being acquired by another company through an employee buy-out. https://en.m.wikipedia.org/wiki/Fastmail
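The unguessable-local-part idea from the comment above, as an added Python example that is not from the thread and not Fastmail's or 1Password's code: it mints random aliases on a catch-all subdomain with a stated entropy budget, keeps the service-to-alias mapping in a small JSON store (a password manager entry works just as well), and answers the "who leaked this" question in reverse. The `s.example.org` subdomain, the alphabet and the store path are assumptions; the alias contains no vendor name, so there is nothing to guess and nothing for a "their name is in your address" fraud rule to trip on.

```python
import json
import math
import re
import secrets
from pathlib import Path
from typing import Optional

MASK_DOMAIN = "s.example.org"   # catch-all subdomain, kept apart from the main mailbox (assumed)

# Conservative dot-atom local part: lowercase alphanumerics in dot-separated
# groups. No '+' (some signup forms reject it) and no service name.
LOCAL_PART = re.compile(r"^[a-z0-9]+(?:\.[a-z0-9]+)*$")
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # 31 symbols, no 0/o/1/l/i lookalikes


def new_alias(bits: int = 40, domain: str = MASK_DOMAIN) -> str:
    """Random address with at least `bits` bits of entropy, e.g. k7wq.m2xdf@s.example.org.

    40 bits is about 10^12 candidates: a spammer probing a catch-all by
    guessing local parts will never land on one, unlike venmo@ or apple@.
    """
    n = math.ceil(bits / math.log2(len(ALPHABET)))
    chars = [secrets.choice(ALPHABET) for _ in range(n)]
    half = n // 2
    local = "".join(chars[:half]) + "." + "".join(chars[half:])  # dot only for readability
    assert LOCAL_PART.match(local)
    return f"{local}@{domain}"


def register(service: str, store: dict) -> str:
    """Return the alias for `service` (keyed by hostname), creating it on first use."""
    key = service.strip().lower()
    if key not in store:
        alias = new_alias()
        while alias in store.values():   # vanishingly unlikely, but cheap to check
            alias = new_alias()
        store[key] = alias
    return store[key]


def who_leaked(store: dict, recipient: str) -> Optional[str]:
    """Map a spammed recipient address back to the service that was given it."""
    reverse = {alias: svc for svc, alias in store.items()}
    return reverse.get(recipient.strip().lower())


def load(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    path = Path("masked-aliases.json")   # assumed location; a password-manager field also works
    store = load(path)
    print(register("venmo.com", store))
    save(path, store)
```

Once an alias starts receiving spam, `who_leaked()` names the service and the alias goes into the block rule at the mail host; the mapping file is also the migration list if the domain ever moves to another provider.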


In addition, wildcard forwarding isn’t a perfect substitute because email spambots love sending to addresses like webmaster@mydomain.com or john.doe@mydomain.com. The number of permutations they try is varied enough that an explicit allowlist is a must.


Just use something like 'servicerelay-<randomdigits>@yourdomain.com' and set up spam filtering rules that let pass everything received at 'servicerelay-*' and delete or reject everything else.


Adding my disagreement to the chorus— the number of permutations they try on my personal domain is not high enough to warrant an explicit allowlist. I actually don't even have a blocklist; I simply don't receive that much spam.

Most of it comes to two addresses which are public via git (one from commit logs, the other explicitly stored in a repo).


I do what the GP said and I haven’t any problem with “guessed” addresses like that. I do have a problem with obvious spam from a GMail account (which is setup to forward to my domain), so, go figure.


Not an issue for me, so far. And I have been using that domain for over 5 years now.


you can block a specific alias or address from receiving mail in the mail rules, even if you have wildcard rules setup


Have you encountered issues with signing up with certain services? I know a few run checks to see if the domain is a catch-all (eg. sending to `pwgen`@domain.example and checking for a bounce) and will block signup when that happens.


I've been doing the catch-all signup for over a decade myself and haven't had any issues. What service checks stuff like that?


I can't find it now, but there was a mildly popular HN thread about a service that does "email validation" and part of it did catch-all detection, and there do seem to be other services that market this[0].

0: https://www.email-validator.net/blog/validating-catch-all-em... (warning: annoying marketing page)


But do you have a chrome/FF extension that makes it easier to use? Or do you just own your own domain name?


I really like fastmail as a service and business. It's being subject to Australian data laws that gives me pause. That's a significant competitive disadvantage for fastmail when marketing internationally to privacy-conscious users.[1]

[1] https://en.m.wikipedia.org/wiki/Mass_surveillance_in_Austral...


Which countries do you recommend using a similar service from? (And what are those services called?) OpSec is hard and sometimes you really do need perfect and not "good enough", but, like PGP, there need to actually be viable alternatives available today that you can make a recommendation for, unless you're just concern trolling. (Five Eyes countries are right out, fwiw.)


Maybe! But here's the rub-- a US person has some legal protection against surveillance directly by the US, in the US, but (maybe?) none against Australia, for data processed in country or by Australians. Australia then (maybe?) has no safeguards against sharing their surveillance of US persons back to the US.

It's a legal and bureaucratic not technical puzzle. I wouldn't believe any comfort statement on the point either. This sequence isn't a bug, it's a feature of the Five Eyes configuration.


At the cost of manual effort or setting up a script (for registrars/mail providers with decent APIs), you can just use normal email aliases at a domain you own. That's what I do, most sites I register at get some sort of "sitetld_account@mydomain.com" alias. That's pretty portable, lots and lots of email providers (including standard "included with registration" ones at registrars like gandi.net) support essentially unlimited aliases (not like even tens of thousands of them represent any significant resource usage, they all ultimately feed to a single email account with said account's limits on storage and sending). I own the domain so I can point it wherever, and I can just copy/paste the entire list of aliases around.

Again that is more manual effort, though I don't consider it much effort given that I'm only signing up for a limited number of sites per year. And I suppose a little extra friction in one respect isn't even that bad a thing, makes me think a bit about whether I do actually want to sign up there. Ideally I'd like to see more efforts about making such things standardized across providers so that even regular people can get the benefits from near any registrar or email provider at all with whatever tooling they like. I guess that's probably either infeasible, or if it happens it'll be out of a rise of competing centralized masking providers raising the issue high enough in the general consciousness that demand drives it. If there are any existing open efforts around that I'd be delighted to know about them though!


As a compromise, I use a catchall email address, so @«my HN handle, without numbers».me comes to my single mailbox. Then I use sieve filtering to sort the emails into folders based on the address they're sent to; if there's no special filing rule, it comes to my inbox. So, when I want to sign up for a new service, I can just pick an email (usually based on the domain name), no setup required (unless I want it to be filed into some particular folder).

The downside is that you (and spammers) can send email to any random address and reach me, but in practice I have not found that to be a problem; I don't actually get spam at addresses which are not posted somewhere online. And it's in your best interest to contact me at a more specific email, because if I ever do get widespread spam, I'll swap the default rule to mark as spam, and only allow specific addresses. I recommend hn+«your handle»@«my domain».

On the off chance: I'm moving to NYC soon and am in the job market; feel free to shoot me an email if you're hiring at a company that's solving real problems for humans (not, say, selling ads).


Replying to this since it's the highest one at this point, but also a response to @piaste and @distances: I know about catch-all accounts, and more complex wildcard options that can exist. But to me those don't really quite hit all the use cases that site-specific ones do when it comes to spam and such, and I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere. And I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic. On the other hand they are indeed zero friction, so a valid option depending on where in the stack one wants to handle things.

The single other significant issue I can think of which has come up actually is when one desires to actually use email for two-way communication with a site, not just receiving stuff. Sending from aliases isn't really practical, spoofing the from address even from the same domain has a high chance of triggering all sorts of spam protection for obvious reasons. I'm sure there is probably some way to handle it from one's own server but that has its own challenges. So sending mail ends up being from a different address than the account, which most places don't seem to care about but seems to hit automated edge cases and snag things up once in a while.


> I have seen emails get leaked from hacks or just plain "we share only with trusted 3rd parties!" buried somewhere.

This is why using a different email with each website is glorious! If example.com leaks my example.com@«my domain» address, I can enable stricter filters for that address.

> I suspect if they become popular enough it's only a matter of time before spammers add some sort of "this looks like a catch-all account type email, try sending random stuff" to their logic.

This isn't game-over, either. As I noted, if this ever starts happening, I'll change my sieve filter so that any address without a filter rule gets sent to the trash, instead of my inbox. This does mean I lose the "zero friction" benefit, but adding a new address would still be just a single line in a text file. And it's much less lock-in than using the web interface of some given email provider to set up new aliases, since I can copy my filtering config over to any provider which supports sieve filters (and wildcard addresses).

That said, I don't think this will ever be a problem. Because "this looks like a catch-all account type email, try sending random stuff" is a pattern that makes you very easy to identify as a spammer. Given the possible address space, I don't see a scenario where the chance of hitting a real mailbox is worth the risk of blowing your cover and getting your mail server blocked.
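The filtering policy discussed in this sub-thread (per-address folder rules, an allowed `servicerelay-*` style prefix, killing a single alias even though a wildcard would otherwise match it, and flipping the default from "inbox" to "trash" once guessing starts), as an added Python example that is not from the thread: `route()` evaluates a policy the way the generated script would, and `to_sieve()` renders the same policy as a Sieve script. The `mydomain.test` domain, folder names and sample recipients are assumptions for the demo.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    domain: str                                   # the catch-all domain
    blocked: set = field(default_factory=set)     # local parts that started receiving spam
    folders: dict = field(default_factory=dict)   # exact local part -> folder
    patterns: dict = field(default_factory=dict)  # glob on local part (only * and ?) -> folder
    default: str = "inbox"                        # "inbox" (open catch-all) or "discard" (allowlist mode)


def route(policy: Policy, recipient: str) -> tuple:
    """Decide what happens to mail for `recipient`, testing in the same order
    as the generated Sieve script: block, exact address, pattern, default.
    Returns (action, folder). Matching is case-insensitive, like Sieve's
    default comparator."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != policy.domain.lower():
        return ("keep", "INBOX")                  # not our domain; leave it to the provider
    if local in policy.blocked:
        return ("discard", "")                    # a blocked alias loses even if a pattern matches
    if local in policy.folders:
        return ("fileinto", policy.folders[local])
    for glob, folder in policy.patterns.items():
        if fnmatchcase(local, glob):
            return ("fileinto", folder)
    return ("keep", "INBOX") if policy.default == "inbox" else ("discard", "")


def to_sieve(policy: Policy) -> str:
    """Render the policy as a Sieve script (RFC 5228 plus the envelope extension).

    It tests the SMTP envelope recipient rather than the To: header, so
    BCC'd or list-style spam is classified by the address it was really sent to.
    Globs use only * and ?, which Sieve's :matches understands.
    """
    def q(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    def addr(local: str) -> str:
        return q(f"{local}@{policy.domain}")

    lines = ['require ["fileinto", "envelope"];', ""]
    if policy.blocked:
        lst = ", ".join(addr(l) for l in sorted(policy.blocked))
        lines.append(f'if envelope :is "to" [{lst}] {{ discard; stop; }}')
    for local, folder in policy.folders.items():
        lines.append(f'if envelope :is "to" {addr(local)} {{ fileinto {q(folder)}; stop; }}')
    for glob, folder in policy.patterns.items():
        lines.append(f'if envelope :matches "to" {addr(glob)} {{ fileinto {q(folder)}; stop; }}')
    lines.append("discard;" if policy.default == "discard" else "keep;")
    return "\n".join(lines) + "\n"


def example_policy() -> Policy:
    """Constructed policy for the demo; domain and folders are assumptions."""
    return Policy(
        domain="mydomain.test",
        blocked={"netflix"},                          # this alias started receiving spam
        folders={"example.com": "Sites/example.com", "hn": "Sites/hn"},
        patterns={"servicerelay-*": "Aliases"},       # auto-generated aliases land here
        default="inbox",
    )


if __name__ == "__main__":
    p = example_policy()
    for rcpt in ["hn@mydomain.test", "netflix@mydomain.test",
                 "servicerelay-4827@mydomain.test", "webmaster@mydomain.test"]:
        print(f"{rcpt:35} -> {route(p, rcpt)}")
    p.default = "discard"                             # the one-line flip when guessing starts
    print(to_sieve(p))
```

`discard` rather than `reject` is used for the blocked and unknown addresses on purpose: rejecting generates a bounce to the envelope sender, which for spam is forged, so the rejection becomes backscatter to an innocent third party.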


If you already have a custom email domain (which is a good idea for the usual portability reasons) _and_ you pick an email provider that supports 'catch-all mailboxes', you can make it entirely frictionless.

When I sign up for a new service, I register on the spot as e.g. amazon@mydomain.com, the mails they send are considered as a 'mistaken sender' and are sent to the catch-all mailbox (which is just my regular mailbox!)


If you own the domain, you can just point the MX records to Fastmail/whatever and register to all the different service with, say, service@mydomain.com or you@service.mydomain.com. No need to set up the addresses or aliases, you can just make them up as you go and deliver everything for mydomain to your inbox.


Yeah, you either have to use one of our (Fastmail's) domains, or your own domain in which case it's linked to you by the domain registration. Not much choice there!

For sure we recommend (and make it very easy) using your own domain. We want you to stay because we're providing you enough value to be worth staying, not due to lock-in.


To be fair, fastmail has a significant number of fun domains to create addresses with :)


They actually seem to have thought about this.

> New Masked Email addresses will be created @fastmail.com. You can change this in Settings → Domains

I agree with you, and I'm looking forward to be trying this out.


What do you do if you want to change email provider or your email provider decides to stop their email service?

I think a lot of people have been spoiled by gmail's longevity. Unless you're using your own domain it's a wash anyways right?

I think this is an acceptable trust. I personally prefer trusting something with more longevity than fastmail (apple hide my email).


> I think a lot of people have been spoiled by gmail's longevity.

> I personally prefer trusting something with more longevity than fastmail

Fastmail launched 5 years before Gmail, in 1999. It's also a paid product with a sustainable business model. It's hard to get more longevity than that.


> I think a lot of people have been spoiled by gmail's longevity.

> I personally prefer trusting something with more longevity than fastmail (apple hide my email).

Fastmail (launched 1999) is older than Gmail (launched 2004).


Buy a super cheap domain that you park all of these new email addresses at, like 7467j.com. Then, if you ever need to switch providers, take the entire domain with you.


I have my own domain


I use Apple's Hide My Email to sign up on websites where I previously would have used a Temp-Mail-Service such as 10MinuteMail. These are websites I want to use anonymously (Hackernews for example). It's more convenient and they give you the option to reactivate disabled aliases later (useful if you need password reset). I don't think they made it to replace your primary email, although you could use it that way.


You can own the domain and use catch-all for the domain. Been doing that for years, works perfectly and it's super cheap.


For "hide my email"-like feature you can use a domain with a catch-all address and either use somehash@yourdomain.tld or just servicename@yourdomain.tld for every login.


Good point, I'll keep that in mind. It seems, then, that this feature is best for throwaway type accounts, where one could just create another new account if they want to migrate.


Exactly.

For people who want to do this and care about retaining ownership, it would probably be wise to run their own email servers and use different patterns of catch all addresses.


For cell phones we’ve legislated that you can take your number with you.

Email can be portable, but I think it’s gotta be easier to come up with a portable email address than expecting everyone to buy a domain and set up the DNS records? Does a registrar of email only domains exist today?


HMM let's see

Wait till 2038 so you can say "aha! I told you so!"

or have peace of mind during the prime of my life for the next two decades


Long time Fastmail and 1Pass user here. While I agree that it would be best to not be locked in to particular providers, these are two of the providers who have a lot of my trust and to whom I’m paid up years in advance (at least in Fastmail's case). Very excited to use this feature.


Thanks for the vote of confidence! If you have a custom domain at fastmail you can avoid any lock-in by using it for your masked addresses. Settings -> Domains -> Team Settings -> Masked email domain.

With that it's entirely portable. You can point your mx records at any other provider.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort.


I second those thanks. We very much appreciate your confidence in us!

Disclosure - I run Fastmail, though also only had tangential involvement in this effort.


Can I generate masked emails without Fastmail? I already have a domain set up


This feature is an integration with Fastmail's masked addresses. You don't need to use their domain, but you do need to use them as your email provider.

Disclosure - I work at 1Password, though I had only tangential involvement in this effort


As mentioned above, but which I think is a point worth being made several times, because I really think they've done a lot correctly here:

You can use your own domain.


>You can use your own domain.

But only if you use Fastmail for that domain.


Nah, you can set up a catchall on almost any provider and generate your own random usernames.


Fastmail doesn't (and, due to their model, can't) encrypt your email at rest in a way they can't read it.

I can't recommend using an email system like this to anyone who cares about security or privacy.

Fastmail admins can themselves read your entire email history, as well as any law enforcement fishing expedition in US or AUS.


That's true, but hardly unique to them; proton is the only email provider I know of that even tries to cover that case.


Hushmail did it years ago, until they were eventually forced to backdoor their client to steal a surveillance target's pass phrase.


Law enforcement or fastmail admins reading my personal email isn’t something I want, but isn’t so distasteful as for it to really be in my threat model such that I’m willing to go the lengths required to get an email provider that doesn’t have this ability, such as proton mail. I care about security and privacy and recommend fastmail, but I could see someone whose end all be all criterion of interest being privacy not wanting to use fastmail. But, this isn’t 99.999% of the population.


This would be a large personal disaster and a full time personal project if the service provider decides to shut down the service. One would have to crawl through all services they have signed up for to update the email addresses.

Instead get a domain. Configure email as well as a catch all address. Example anything@yourdomain.com would reach name@yourdomain.com which you use as your primary email address.

And say, if I am signing up for Netflix, I would give the email as netflix@yourdomain.com. The email automatically reaches my single primary inbox with the catch-all behavior. And if I find a lot of spam to netflix@yourdomain.com, I know which service is leaking my email address and I can quickly block all emails sent to netflix@yourdomain.com


One mild word of caution on this method. I too have done this forever but recently I have been running into a few businesses that get really upset if their name is in your email address and they will flag it as fraud despite there being no logical reason to do so. It isn't like I am using a domain name matching their name. The most staunch and stubborn of these I ran into recently was The Tractor Supply Company. I've been trying for a month to get a gift card reimbursed that they cancelled the order on because I had their name in the email address. There are a couple gaming companies that do this as well. Just pick a name that is unique and put it in your password database.


Yes, although so far I have not run in to being flagged for fraud, some have been very confused by it. So I have started doing short variations of it to make it less obvious, so The Tractor Supply Company would be something like trasu@s.domain.tld

And instead of having a catchall on my domain.tld I have it on a subdomain, like s.domain.tld , easy way to keep them separate.


I ran into this with a store credit card backed by Wells Fargo. They wouldn't accept

    accounts+wellsfargo@my.domain
but they accepted

    accounts+wellsfargosucks@my.domain
just fine. Seems like someone messed up the regex :)


Huh, I haven't had any problems using tractorsupply@mydomain.com

I've had a few people ask "That's your email?" and just briefly explained that I own the domain and get all email sent to it.


Your account may be old enough that the more aggressive anti-fraud measures have not kicked in. They made it clear to me that their system would flag my email by having their name in it. I've explained to no less than 5 support members what a canary is and they still have not resolved my issues. I even changed my email, still no luck.


I haven't run into many companies that disallow their name in email addresses. AliExpress and Amazon come to mind.

I have, however, run into a number of large companies where I've been talking with employees who see my email for whatever reason, and have received the "Oh, do you work here too?" question.


A custom domain with wildcard for catch all is how I have been creating logins for the past 17 years. It is fascinating to see which addresses suddenly start getting spam down the road.

It is also very easy to nuke an address this way once it is a spam trap.


About 10 years here and hundreds of different addresses given out. I get surprisingly little spam. Most spam I get comes to addresses that were leaked in data breaches, or email to my old gmail address which is forwarded. I'd say maybe 5 of them have ever started getting spammed.


Been wanting to get into hosting my own email. This is genius. Thanks for the tip.


Do you have any issues with spam being sent to whatever_random_user@yourdomain.tld ?

This concern has been my #1 reason for not doing the same setup. Basically a fear of a never-ending list of random addresses to blacklist, which won’t have any meaningful effect because the next spammer will just use a different random value.


I recently abandoned this setup.

1. It’s not frequent that someone hands out your address to a 3rd party and when it does, it’s usually exactly the site you would expect. I’ve had it happen 1 time in the last 3 years across 150 different aliases.

2. It doesn’t work well for apps with weird URLs (lots of subdomains, shared domains etc.). You forget how you the address and now can’t login. Yes, maybe you have a password manager, but password managers fail frequently in my experience (e.g. they record the wrong username etc)

3. You are still traceable since ultimately all your addresses are in the same domain. Sure, advertisers aren’t looking for that pattern, but it’s not like you are truly hidden.

4. Domain hijacking can happen. So now you have to be mindful of your domain since it’s a juicy target; someone hijacks your domain, redirects your banking email for a password reset.


1. Not sure how this is a problem.

2. Again, not a problem. Everyone should be using a pass manager.

3. If you use the same domain/email for your banks (or any other financial/important service) as you do for social media/gaming/whatever, then that's on you. It's basic security practice to separate the important things so basic hacks like the one you mention are useless.

4. The purpose of this is basic privacy and security, not to be truly hidden.


Good point. It is a bad idea to set up something as lasting as email addresses with a somewhat proprietary solution by two commercial entities and stray from pure standards. Temporary convenience turning into long term lock-in is a poorly understood issue, especially by people that don't necessarily have a technical background.

I have used aliases to catch spam and have gathered about 200 email aliases this way over the last 12 years or so, and it works well. Rather than using a catch-all, I manually create the alias with a script.


In this day and age, if you don't own the domain, you don't own your email. It is worth the 10 bucks to get yourself a domain just so you can have a long term email.


That is exactly what I do.

There has to be a name for it; the closest I've come across is a canary trap.

https://en.wikipedia.org/wiki/Canary_trap

> A canary trap is a method for exposing an information leak by giving different versions of a sensitive document to each of several suspects and seeing which version gets leaked.


How do you pick emails consistently?

If you sign up for league of legends, which email do you use? Riot? RiotGames? Lol? LeagueOfLegends?

Presumably you can always scan backwards to find your email address in your inbox, but maybe not. I guess maybe a password manager can help you remember, if you're diligent about always using it (and never end up locked out of your vault).

I recently started signing up for things with the + trick for gmail, but now I'm worried about having a bunch of email addresses I have no way of keeping track of.


Note that Fastmail already supports this even without 1Password, see “subdomain addressing” and “catchall aliases” in their help pages.


Okay, you convinced me that this is a good idea.

I can get a domain pretty easily but I hate the idea of managing my own email. Do you recommend a particular provider? Zoho or something?


Ideally, one would use me+uber@domain.tld / me+amzn@domain.tld / me+apple@domain.tld but then the identity me@domain.tld isn't masked.

If you prefer email forwarding, then: Cloudflare announced a free email-forwarding service just yesterday [0]. Not sure if they provide unlimited email forwarding rules. Other domain registrars like domains.google and namecheap.com also support email forwarding at no-cost.

If you prefer a managed mailbox, then: Zoho Mail, Fresh Mail, AWS WorkMail et al are nice if you'd also like to send emails using the address you sign up with.

Other than that, if you're technically inclined, then have SES plonk incoming emails into S3 [1]

Be careful registering domain.tld without whois shield and/or with TLDs that require registrant to publicly reveal ownership (like .in)

See also: simplelogin.io and anonaddy.com

[0] https://archive.is/BEKi7

[1] https://archive.is/2iQCN


I use fastmail for this. It works great although my email address sometimes confuses people. For example, a small company I ordered something online from called me to ask why their business name is in my email address. I have 2 separate domains going to the same inbox, each domain can have any subdomain and email address I want. I can send emails from any of those addresses as well.


You can add a rot13 transformation on the company name (if there is a human on the other end), to be less confusing for them.

https://rot13.com/


Nice tip. I've encountered the same thing. Love to see an email generator using this automated in bitwarden/keepass.


I'm extremely happy with mxroute, pricing is great and support is quick. I even host the email of two small companies there.


Many registrars offer catch-all forwarding (to your free personal email), which would be your best bet if you don't expect to need to send email.

If you can afford $6/mo, Google Workspace isn't bad, there's generally better security and it grants you a lot of control over your account's settings (and will remove ads from the Gmail app on your phone, even when only looking at your @gmail account inbox).

Otherwise, Zoho works, but now costs $12/user/year (it used to be free) so ymmv. Great if you were planning on pure POP/IMAP usage anyways.


Wait, the Gmail app on phones has ads?


Yes, it's unfortunate. I had forgotten about it since I've had a GSuite locally for a while but I see them when someone else opens their app.

https://www.queryclick.com/app/uploads/2015/10/Gmail-ads-101...

https://support.google.com/google-ads/answer/7019460?hl=en


Ah, I guess they're only for the Promotions and Social inbox categories, and I have inbox categories disabled.

If I saw an ad in my email client, my immediate action would be to find a new email client.


I can strongly recommend 33Mail for this. I've used it for years with zero hiccups. $1/month allows you to connect a custom domain. https://33mail.com/


Interestingly Fastmail have also allowed subdomains in addition to name+blah@domain.com routing, to make it harder to guess your "real" email.

So you can sign up for new companies with random@someservice.mydomain.com and have it still route into your inbox.

https://www.fastmail.help/hc/en-us/articles/360060591053-Plu...

I've done this a bunch in past, but wish it was easier to go back and change existing services.

Also found a couple that reject sign-ups when their name is in the username part.

As a user of both 1Pass and Fastmail for years, this is a really neat addition.

Next I'd love 1Pass to generate random phone numbers to use that I can recall quickly for things like supermarket checkout where I need to enter a number to get their discounts, and I don't want to use my real one. Doesn't even need to be a genuine phone line, just a 10 digit code.


My personal solution to this problem was:

* register a pseudonymous domain and use Fastmail to forward it in to my real email

* use Twilio + a little TwiML to register a real phone number in my area code & have all messages/calls forward to my cell

This let me establish trust domains: when I share my email with an untrusted entity they get companyname@mypseudonym.com & the phone number I registered before. I always have the ability to know where the communications come from & can quickly cut off junk/spam at either source[1]. And if a company is trustworthy I could always move them to my real domain/phone if I so wanted.

[1]: Phone is obviously harder as there's only one number, but legitimate companies seldom if ever call – their junk is from a consistent text source that's easier to block. My burner & my clean numbers get about the same amount of autodialer calls, sadly.


> Also found a couple that reject sign-ups when their name is in the username part.

This is how you know not to use that company.


I've also found many, many companies that blacklist several keywords including "spam" (before using unique emails for all services I used spam@mydomain.com for most sign ups).


Kroger, at least, lets you change your "alternate ID" to any 10 digit number that isn't used by someone else. Just log in to the web site and change it.


I do this with fastmail already. I have a domain that accepts email to *@domain.tld; all the messages reach one inbox. All my online accounts have the form service-name@domain.tld

Makes it easy when I receive spam to see who sold my email address.

There’s also zero overhead to “create” a new one. It works for any address.


I did this with even less setup. accountname+extratext@gmail.com has worked forever and you can do the same with a custom domain. I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.

I actually don't accept *@domain.tld even though I have a custom domain because I got too many phishing emails that weren't caught in spam. I didn't have the patience to deal with it. That might have changed over the decade+, though.


> unless you keep meticulous records, there's no way to figure out the exact email you used very easily

I haven't found this to be a problem. Usually it's in my password manager. Otherwise they've sent me an email, which I can quickly search my inbox for.


Be aware that using the “+” is giving you the illusion of privacy and control. Privacy research has shown, back in 2020, that companies like Oracle’s Bluekai (a massive ‘data broker’) have functions to normalize emails with + in them to help with ad targeting and matching.

Other vendors and companies like FB are surely doing this too, as companies send FB emails for matching / ad targeting.

https://twitter.com/WolfieChristl/status/1288428611100454912


I guess it's good to know, but I never had any illusions of using it for privacy. It was mostly to see when I get added to a mailing list, where it might have come from. Another reason I abandoned it so quickly is, if someone sold my email address and put me on a new list, what can I do about it?


> I gave up fairly quickly because unless you keep meticulous records, there's no way to figure out the exact email you used very easily and I didn't get that much out of doing it.

Does one need to keep records? I just do service@domain.tld, for example: ycombinator@example.net.

I started receiving a lot of sexually-explicit spam addressed to recruiting@mydomain.tld, so now I know that one of the recruiters to which I gave this email address had their inbox/contact-list compromised.


Where I got bit was email was used as login. I was trying to log in but couldn't remember the specific email I had used even though I generally had a fairly specific schema.


A lot of services already worked out the + trick. Not many know about this feature of gmail yet: You can also put a dot anywhere inside your username. eg.

a.ccountname@gmail.com is the same as

ac.countname@gmail.com

acco.untname@gmail.com

and so on.


The trouble with *@domain.tld is that you get that many times as much spam. Unless your spam filter is 100% accurate, that increases the amount of spam that gets through.


I almost never get spam (see reply above), and if I do, then those addresses can be filtered easily. That is one of the purposes of using this setup.


I work through this by only accepting wildcards on a subdomain. I have a 'real' email address on the parent domain for actual human correspondence. Services and salespeople get the subdomain.


I am using name@random_site.mydomain because I encountered a few sites that rejected name+random_site@mydomain. Reduces the "random name @ domain" spam, but still works well.


I do this too, have for 15 years. It works really well. I run a well configured postfix mail server for inbound and outbound mail. Incoming mail gets delivered to my fastmail acct. I get very little SPAM, a few messages per week, but I have spent a lot of time over the years getting it that way.

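The thread above describes the same alias pattern from two sides: the owner who wants to tell which service an address was handed to (plus-tags, subdomain labels, or catch-all local parts) so a leaked alias can be blocked, and the data broker that normalizes "+tag" and Gmail dots away so all of those aliases collapse to one identity. The following is an added illustration of both sides in one small module; it is not code from Fastmail, 1Password, or any commenter. The owned domain, the dot-insensitive provider list, the blocklist, and every address in it are constructed sample data.

```python
"""Alias parsing helpers (added example, constructed sample data).

Owner side: pull the per-service label out of an inbound recipient
address so a leaked alias can be recognised and routed to spam.
Broker side: the normalisation that collapses "+tag" and Gmail dots,
which is why those two tricks give no privacy against address matching.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Domains the example owner controls (constructed).
OWNED_DOMAINS = {"example.net"}
# Providers that ignore dots in the local part (Gmail does; most do not).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


@dataclass(frozen=True)
class Alias:
    local: str                 # local part with any +tag removed
    tag: Optional[str]         # text after '+', if any
    subdomain: Optional[str]   # label(s) left of an owned domain, if any
    domain: str                # owned domain, or the full host if not owned


def parse_alias(address: str) -> Alias:
    """Split user+tag@sub.domain.tld into its parts (case-folded)."""
    local, _, host = address.strip().lower().rpartition("@")
    if not local or not host:
        raise ValueError(f"not an address: {address!r}")
    base, _, tag = local.partition("+")
    domain, subdomain = host, None
    for owned in OWNED_DOMAINS:
        if host == owned:
            domain = owned
            break
        if host.endswith("." + owned):
            domain = owned
            subdomain = host[: -len(owned) - 1]
            break
    return Alias(base, tag or None, subdomain, domain)


def service_label(address: str) -> str:
    """Which service was this alias handed to?  Preference order:
    +tag (jdoe+netflix@), then subdomain (name@netflix.example.net),
    then the catch-all local part (netflix@example.net)."""
    a = parse_alias(address)
    if a.tag:
        return a.tag
    if a.subdomain:
        return a.subdomain
    return a.local


def route(address: str, blocked: Set[str]) -> str:
    """Owner-side decision for an inbound message: 'inbox' or 'spam'.
    `blocked` holds service labels that have started receiving spam."""
    return "spam" if service_label(address) in blocked else "inbox"


def broker_canonical(address: str) -> str:
    """Broker-side normalisation: lowercase, drop the +tag, and drop dots
    for dot-insensitive providers.  Two aliases that collapse to the same
    string are treated as the same person."""
    local, _, host = address.strip().lower().rpartition("@")
    local = local.partition("+")[0]
    if host in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{host}"


if __name__ == "__main__":
    blocked = {"recruiting"}  # constructed: an alias that began getting spam
    for addr in ("recruiting@example.net", "jdoe+netflix@example.net",
                 "name@shop.example.net"):
        print(f"{addr:28} label={service_label(addr):10} -> {route(addr, blocked)}")
    print(broker_canonical("A.ccount.Name+shop@gmail.com"))
```

Note that `broker_canonical` leaves dots alone for domains outside `DOT_INSENSITIVE`: for a custom domain the dot trick does not apply, but the +tag still collapses, and a per-service local part like `recruiting@example.net` is the only form here that survives normalisation as a distinct string.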

You don’t even need a wildcard email address to do it really, using a + delimiter in the user part of the address will accomplish the same.

For example: jdoe+netflix@example.org would be the address used on a netflix account.

However I do appreciate the additional anonymity a randomized or hashed user part provides


I do this too. My only issue I am having right now is I am "locked" to my current registrar because of how it is set up. Do you have a mail server you are using or just having your registrar do it? I am looking for alternate solutions that don't cost much.


Exact same for me. So far the only addresses (in probably around 200) that have been sold/leaked/spammed have been the one on my public site and Facebook, where it was public for a time.


If your facebook@domain.tld leaked, someone can guess you use mybank@domain.tld too and send something there.


And yet they haven't. If it becomes a problem, I could switch domains with a little work.


I do exactly the same, what is the advantage of masked emails over this pattern?


At least for me, the main advantage is that I can instantly block or delete a "masked" email address. With a catch all, you'll still be receiving mails.


And of course it's all just JMAP under the hood!

    ["MaskedEmail/set", { "create" : { "k1" : { "state" : "enabled", "description" : "Hacker News", "url" : "https://news.ycombinator.com" } } }, "R1"]

returns:

    ["MaskedEmail/set", { "created" : { "k1" : { "id" : "masked-123456", "email" : "flighty.emu5803@mydomain.example", "createdAt" : "2021-09-28T14:19:19Z" } } }, "R1"]

Very simple to work with.

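The method call and response quoted in the comment above are one entry each in a JMAP request's `methodCalls` and the server's `methodResponses`; the client-chosen call id ("R1") is what ties them together, and a failed creation comes back under `notCreated` (or as an `error` method response) rather than as an HTTP error. The following added example, which is not Fastmail's or 1Password's client code, builds that envelope and picks the created address out of a matching response. The MaskedEmail capability URI and the `accountId` field are assumptions to check against Fastmail's developer documentation; `account-id-placeholder` is a placeholder, and the sample response is constructed to mirror the one in the comment.

```python
"""JMAP envelope handling for MaskedEmail/set (added example).

Assumptions, not taken from the page: the capability URI for the
MaskedEmail extension, and that the /set call carries an "accountId"
like other JMAP /set methods (RFC 8620).  Check Fastmail's docs.
"""
from typing import Any, Dict

JMAP_CORE = "urn:ietf:params:jmap:core"                      # RFC 8620
MASKED_EMAIL_CAP = "https://www.fastmail.com/dev/maskedemail"  # assumption


def build_masked_email_request(account_id: str, description: str, url: str,
                               call_id: str = "R1",
                               create_id: str = "k1") -> Dict[str, Any]:
    """JSON body of a JMAP request that creates one masked address."""
    return {
        "using": [JMAP_CORE, MASKED_EMAIL_CAP],
        "methodCalls": [
            ["MaskedEmail/set", {
                "accountId": account_id,
                "create": {create_id: {"state": "enabled",
                                       "description": description,
                                       "url": url}},
            }, call_id],
        ],
    }


def extract_created(response: Dict[str, Any],
                    call_id: str = "R1") -> Dict[str, str]:
    """Map creation ids to the addresses the server created for `call_id`.

    Responses are matched on the call id, so unrelated responses in a
    batched request are ignored.  An 'error' method response or any
    'notCreated' entry raises instead of silently returning nothing.
    """
    created: Dict[str, str] = {}
    for name, args, cid in response["methodResponses"]:
        if cid != call_id:
            continue
        if name == "error":
            raise RuntimeError(f"method-level error: {args.get('type')}")
        if name != "MaskedEmail/set":
            raise RuntimeError(f"unexpected method response: {name}")
        for bad_id, err in (args.get("notCreated") or {}).items():
            raise RuntimeError(f"{bad_id} not created: {err.get('type')}")
        for new_id, obj in (args.get("created") or {}).items():
            created[new_id] = obj["email"]
    return created


# Constructed sample response mirroring the one quoted in the thread.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "methodResponses": [
        ["MaskedEmail/set", {
            "accountId": "account-id-placeholder",
            "created": {"k1": {"id": "masked-123456",
                               "email": "flighty.emu5803@mydomain.example",
                               "createdAt": "2021-09-28T14:19:19Z"}},
        }, "R1"],
    ],
    "sessionState": "constructed-state",
}

if __name__ == "__main__":
    import json
    req = build_masked_email_request("account-id-placeholder", "Hacker News",
                                     "https://news.ycombinator.com")
    print(json.dumps(req, indent=2))
    print(extract_created(SAMPLE_RESPONSE))
```

In a real client the request body is POSTed to the API endpoint advertised in the JMAP session object, with bearer authentication; the parsing above is the same whether the /set call is sent alone or batched with other method calls.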

Oh wow.

I knew fastmail was building JMAP but I didn't think to look at JMAP when I was trying to find fastmail's API that can be used to integrate this in other services. This is really nice compared to the SOAP/XML monstrosity I stumbled upon, heh.


I really wish that fastmail wasn't based in Australia..

edit because of downvote: I'm referencing the new data control laws (it is even beyond surveillance at this point), which makes it impossible for anyone who cares to use any Australia based products. I should have made that more clear.


The laws in question have no meaningful impact on Fastmail, and the amount of FUD concerning those laws is unreal.

Fastmail wasn't end-to-end encrypted to begin with, so laws requiring backdoors have no relevance to Fastmail. And every civilized country has some legal method to compel information from companies relating to significant criminal activity.


You're right, of course, but this simply switches the "reason not to use Fastmail" from "based in Australia" to "not e2e encrypted and can rat out your entire email history".


I don't see e2ee email happening anytime soon. The technology is just not very user friendly. And honestly, without e2ee, I don't put much trust into providers like Protonmail either because at some point the email is coming in as plain text and that's where one could always siphon it off.


I would consider that a valid position to take! I don't feel my threat model justifies the limitations of E2E email, but many do.

I am not trying to tell you to use Fastmail, just that fear of doing so explicitly because of Australian law is silly. ;)


As much as this is a cool feature, the dystopian anti-privacy laws in Australia [0] (where Fastmail is based) prevent me from ever using their service. I know it isn't their fault but it has to be said.

[0] https://www.iflscience.com/policy/australias-new-police-powe... [1]


It was the same, in my case. I was considering them for an email service, and then that happened.


There's a few alternatives to this:

https://www.spreadprivacy.com/introducing-email-protection-b... (beta only)

https://simplelogin.io/

https://anonaddy.com/

I know there are plenty of others, but I use all the above and found them reliable and intuitive.


I suggested this feature as a paid option to Bitwarden, hopefully they'll add this.

For now I'm using Firefox Relay, but the 5-email limit (without a plan for more) is a showstopper.


My worry was this required both FastMail and 1Password, to my delight you only need FastMail. Masked Email is an option under settings.


Already in the past I've been (ab)using Fastmail's email alias feature for this kind of purpose. Though it was a bit inconvenient as the UI always said that it takes 15 minutes for the new alias to become fully active. Great to see they now have simplified this!


I'm a current user of Fastmail and set up a wildcard alias for this purpose:

https://www.fastmail.help/hc/en-us/articles/1500000277942-Ca...

When I get spam to a particular alias, I blacklist it to my spam folder. Naturally this might get a little difficult if a spam bot ever figures this out where I'd need to move to a whitelist rather than blacklist process. But it's worked flawlessly for years so far.

At least with my method I don't need to create the alias in advance.


This is good to know. I might use this in a few scenarios, but I would not be willing to implement a password management service to get it.


Something not mentioned much is that you can respond to these messages that come in through a Masked Email, and your identity is hidden on the outbound messages as well.

They seamlessly integrate with the sender identity feature in Fastmail making it very clear that you are replying from the Masked Email.

From a quick analysis on the headers, I don't see anything that leaks who your real identity is, but of course Fastmail knows and could reveal that if legal reasons exist.

Overall smooth feature along with the ability to use a custom domain for portability (to a less sophisticated wildcard setup, or another provider).


Sounds great! Congratulations on the new offering. As a sidenote, when Fastmail blogs, can you put that on a subdomain? Webmail interface is really sluggish right now which I assume is an effect of this news.


I use fastmail's * alias against a custom domain, to achieve a similar thing. It forwards mail at any address to my normal email, then I just pick a name on signup, ie. hn@emaildomain.com.

I have registered a domain just for the purpose which doesn't have my name in it or host any websites or anything else which can be used to leak my identity with a whois privacy guard service.

It has the dual advantages of being guessable by me if something goes tits up with my self-hosted bitwarden, and I can eyeball who has leaked my email address on incoming spam.


Use your own domain for this!

Being locked in to a provider domain means you can never easily switch from them. It's a form of vendor lock-in. (Fastmail supports using your own domain, of course, but they also don't encrypt at rest in a way not readable to Fastmail, so you should avoid them.)

I wrote up a step by step howto for switching over to your own domain name:

https://sneak.berlin/20201029/stop-emailing-like-a-rube/


Fastmail: Couldn't you give a 2 or 3 paragraph summary of your service instead of this silly "easy to read" format that seems all the rage for web pages over the last 10+ years? I mean, fastmail of all companies should get this. I have to come to hacker news to actually understand what is being offered, rather than some glitzy marketing haiku that could mean any number of things.


That's really nice, and exactly what I've been waiting for. I've been using a third party service for a while now, but it was a pain to have to manually create the email address first. Was tempted to switch to Apple, but that would lock me in to the Apple ecosystem completely. Being able to use two services that I use anyway is the perfect solution for me.


This feature is already available without a 1Password account linked to Fastmail. You can already create email addresses with a random name linked to one of a hundred or so domain names and have it forwarded to your email. I believe this page just details the automated 1Password integration.


Would be great to have it with bitwarden.com as well


But with Fastmail you can already do it using $RANDOM_STRING@$LOCAL_PART.fastmail.com and whichever password manager you use (you just have to do it in a more manual way, which in the long run can be a PITA, I understand)


One of the big selling points of this idea, and why we wanted to partner with 1Password for it, is that it has to be easy! Sure creating a new password for every site is a good idea, but the 1P plugin makes it so easy that it's simpler to use the really secure password it generates than to come up with something yourself.

And this "generate a Masked Email right there in the form where you're using it" pattern means that the friction is so low that it's a viable choice - it's EASIER to do the safe thing, and that's the real game changer.


Absolutely, making it easy is a big selling point. As a happy FastMail customer, I would really like to see a similar thing with BitWarden which is my password manager of choice.

Anyway, keep up the good work!


It'd be great to see this as a somewhat generic feature for generating usernames and email aliases in 1password. I don't use fastmail and I'm not particularly interested in switching at this point in time. I would love it if 1password had a hook where you provide your custom domain and it generates a random address according to some schema defined using the current password-style configurator. I assume that the current fastmail limitation is because fastmail is ensuring that there is no conflict with existing aliases (which seems like it should be very low probability)?


Like many others in this thread, I have been using alias-to-subdomain remapping with Fastmail since time immemorial. Having this trick automated to some degree can be convenient for less geeky or fastidious users than I :)

Other than thinning my online identity to make any assumed attempts at correlation harder, in a couple of cases over the years I had the pleasure to "Gotcha!" companies selling (or losing) their users' email addresses. In other cases I also received unrelated spam on addresses as a result of undisclosed or less-publicised security breaches.


There was a Show HN project last year that did something similar. I'd be keen to try that out before this one. Unfortunately, I can't seem to find the link.


This looks like a cross between Mailinator and Fastmail. Great idea, but why is 1password involved? I don't want to sign up with yet another damn service, and I'm happy using my browser password store (or email client API key) to access fastmail without needing 1password. I don't understand why services like 1password even exist. They just increase your computer's attack surface. Am I missing something?


@Fastmail: Please let me delete a masked email after creating it. Thanks.

I just tried it with my own domain via the Fastmail iOS app. There doesn’t seem to be a way to delete things.

I do like that I can attach notes and have an easy block button. I might start using it instead of my existing wildcard setup, but need delete.

Using unique email per service is really great. I detected Zenni Optical either had a security breach or sold my information because of the unique email I used.


Go to Fastmail → Settings → Masked Email. There, click the "Edit" link next to the address you want to delete. On the following page, there's a big red "Delete" button. Works for me. :)

Update: looks like deletion only works when using the website, though.


Ah thanks. Currently out so didn’t check the desktop website. Hope the delete button can work on mobile too.

This is a great feature. I’m glad this will bring it to more people.


Looks great, but a bummer for Fastmail subscribers who use Lastpass. I can't imagine the nightmare of switching my family from Lastpass to 1Password. Password managers truly do create a lot of inertia. Though we're all Apple, at least I have the family using a third-party password manager in case we one day change hardware providers. For now, I suppose I'll have to stick with manually creating aliases.


I'm in the same situation, but with Bitwarden and not Lastpass. It's more of a hassle, but you can go to Settings > Masked Mails and generate mails as you wish.


Won't this just get fastmail.com blocked on registrations?


Hopefully not. These are still valid email addresses, they aren't throwaways (unless you want to throw one of them away!).


I think we will find that majority of companies that do potentially block it would be companies we don't want to do anything with to begin with. My thinking is a lot of companies only want a single user to register once so they can track that user anyway they can.

For example, I opened up Agoda once in a Firefox private tab, and searched for 2 specific hotels to get an idea of pricing. As I had signed into Agoda, less than 5 minutes after searching both those hotels were listed on Facebook with discounts. So with ads and social media blocked, the only way they could link me was via email.

If everyone starts using fastmail to hide their email, then companies cannot do this targeted advertising and will block it.


FastMail does support custom domains for disposable email addresses.

They also have a pretty big library of email domains to choose from that I can create normal alias for, so I'd be surprised to not see those come as an option in the future.


Does this also work for existing accounts within 1Password with e-mail addresses attached?

I can't find anything in the 1Password interface to change a login for current accounts.

All the language makes it sound like it's only upon login/account creation.

I guess the fallback is just manually creating one in Fastmail, but it's a bummer if you can't just do it from one place in 1Password.


This is great. I have hundreds of alias accounts in my fastmail for this exact purpose. It's really satisfying just making emails bounce back when they start sending spam. I also identified a service I used that was selling my email to straight up scammers/spammers.

I wish the block option for masked aliases was bouncing the emails and not sending them to trash.


I have always wanted to go down the one email per service method but it seemed too cumbersome to manage. Looks like it may be feasible now.

As someone who uses Fastmail and 1Password, thank you for posting this. Currently really impressed with both services, the prospect of linking the two and obtaining unique email addresses is even better!


I do it but you need a client that supports it in replies. The Fastmail web UI allows you to send from the custom email address. Clients like iOS Mail demand you configure an account-per-sender rather than letting you add an arbitrary address to the from: line.

I end up in a situation where if I don't pay close attention I leak my "main" email address.


I've been doing it with fastmail for a long time (I used another provider before them as well). I really don't see that the 1P integration changes much (I don't use 1P though, I use Bitwarden and KeepassXC, so maybe I'm missing something?).


@Fastmail: Another request. If I’m using my own domain, could the email generated be simpler?

Instead of “some.thing1234@”, I’d rather just have “thing1234@“.

Update: hmmm… looks like I can’t initiate an email with masked email though. I can set up my wildcard to do that in the more rare case when I need to initiate email.


FWIW, Yahoo! (of all places!) has had this feature for many years.

You can create an arbitrary number of disposable email addresses, keeping up to 50 of them active at a time.

You choose a prefix, and then your disposables have the form prefix-<whatever you want>@yahoo.com.


Literally 2 days ago was wanting something like this to use alongside a privacy.com card! This is great to have and since the addresses are fastmail addresses, they're unblockable unlike various throwaway address services that play a cat-and-mouse game.


Is this available for the permanent 1Password 7 license, or only for subscription customers?


I love Fastmail, I love 1password the two most important services in my life that I can pay for and the most satisfying.

I've just registered a new random domain to use for these aliases to further separate my identity from email leaks.


Some time ago, a site called randomail proposed the same service, but it closed... The problem is that registration forms often blocked randomail addresses, probably because the domain was on spam blocklists


The only reason I don't share my fastmail email id except for very specific cases is the fear of it getting circulated for spam.

With this feature, I can stop using my gmail account for general junk.


I'm using Fastmail's alias to serve the same purpose.

It seems Masked Email is useful primarily if you have a 1Password account, as a deeper integration to auto-fill email addresses during sign-up.


Does the 1password integration use an open Fastmail API that any password manager could theoretically use, or is it a deal they have exclusively with 1password?

I’d love this feature with Bitwarden.


I'm surprised spamgourmet.com has not been mentioned - created-on-use forwarding addresses with a built-in self destruct. It is a superb solution.


What a brilliant feature. May consider using fastmail now


I briefly got very excited about this since I'm a fastmail user, but apparently I need a 1Password account too? I don't understand why that would be, Fastmail is the email provider, they are the ones who can create random aliases. I don't use 1Password (they're terrible in my previous experiences with them and I prefer something that vaguely operates on principles I like), so why should I be forced to give them my data just to use a feature of my email provider? I'm sure there's something important I'm missing here.


It looks like the 1Password integration is only for convenience. You can still go into Fastmail settings and create masked email addresses manually.


That's great news! The post made it sound like you had to have a 1Password account, but now that it's showing up in my account it doesn't appear to be the case. Thanks!


2nd confirmation here: I'm a Fastmail user who's never had a 1Password account and I seem to be able to create masked emails in settings no problem.


How is this different than user aliases? I am already making heavy use of those and this seems to do the same thing.


I wonder if this is tied in with haveibeenpwned.com? Compromised emails could almost be deleted automatically.


This is great, but why does Fastmail need 1Password to do this? Just a marketing collab thing?


Amazing feature. Couldn't be happier as a 1P and Fastmail user. Thanks!


We need additional research, funding and development into the Darkmail (DMTP/DMAP) protocols. https://darkmail.info/


Lavabit went under though, right? I think the feds pretty seriously proved they could pull the rug out from under anyone using it.



