Today I changed the way we use e-mail addresses for identification on-line.
Over time my e-mail addresses have become the carrier of a lot of important stuff. They are not just a way to communicate with others, but also serve as a generic user name on countless website accounts. And quite a few of those sites have likely had their security breached over time, or are unscrupulous (or even malicious) in their own right.
As part of a talk on privacy by Brenno de Winter (Dutch investigative journalist) that we went to this weekend (see previous posting), he mentioned using unique e-mail addresses (and passwords of course) for every site you use, or disposable e-mail addresses for sites you visit only once. That way, when one site gets compromised there is no risk of your user credentials being used elsewhere, and if one site sells your e-mail address on, it is immediately apparent to you who did that.
I have been aware of this advice for a long time, but never saw an easy way to act on it:
Most disposable e-mail address (DEA) services offer a temporary e-mail address, usually just long enough to confirm an e-mail address, after which it gets deleted automatically. This is useful for one-time visits / registration at a website, but not for using unique addresses for services you use more often.
Some sites do not accept e-mail addresses that are clearly created by DEA type services.
I own multiple domains, which I could theoretically use for unique mail addresses, but in practice that is much less practical. I would need to either create mail addresses through the domain’s administration panel before using them to register somewhere, or use a catch-all that would simply accept any incoming mail on that domain, including tons of automatic spam flung out to randomly generated e-mail addresses.
What I actually need is:
The ability to create new e-mail addresses on the fly, simply by using them
The ability to both have more permanent unique addresses, as well as single use addresses
Using a domain that is not perceived as a DEA service and not easily associated to me (e.g. by visiting its website)
Using a domain that I control so I cannot get cut off from unique addresses connected to important user accounts
The ability to recognize any of these unique addresses in my regular inbox
Something that still filters out spam, while accepting any incoming address
So today I decided to investigate further and act on it.
This is the solution I came up with:
I found 33mail.com, built by Andrew Clark (in Dublin/Ireland so under EU regulations), that allows you to create addresses on the fly, and then through a dashboard simply block the ones that get misused at some point. It also forwards to one of your actual e-mail addresses, including letting you (anonymously) reply from the unique address.
33mail.com allows you to connect any other domain to their service, so that instead of using something@myaccount.33mail.com I can use something@myrandomdomain while still using 33mail. This is very useful as it helps to prevent being filtered out because of using a DEA service domain, and keeps the addresses under my control.
I registered two new domains, one for me, one for Elmine, and set up their DNS MX records to point to 33mail, so that anything@ourtwodomains.tld goes to 33mail. These domains are, apart from the records at the registrar, not otherwise easily associated to us.
I provided two unique e-mail addresses for 33mail to forward to, at two other domains I own and use.
I set up two auto-forwards for those addresses that 33mail forwards to, so that mail ends up in my or Elmine’s regular inbox. In our inboxes we have filters that pick up on anything that arrives via those forwarding addresses 33mail sends to.
This is not a free solution, but it is cheap. The registration of two domains, plus a service package so I can set my own DNS settings, with our regular hoster comes to 45 Euro or so. 33mail charges 8 or 9 Euros for a premium account, which is needed to add your own domain name to their service, and I created a premium account for each of us, as we will be using two separate domain names. Total cost: 65 Euro/yr.
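The part of this set-up that does the actual work in the inbox is keeping track of which unique address was handed to which site, so that a message can be sorted into "expected", "this site leaked or sold my address", "single-use address already spent" or "nobody was ever given this address" (the dictionary spam a plain catch-all would let through). The script below is an added example of that bookkeeping, written for this post and not code from 33mail or from the author; the alias domain, site names and the sample messages are constructed, and it assumes the forwarded mail still carries the alias in a Delivered-To (or To) header.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Alias:
    site: str            # domain of the site this alias was handed to
    permanent: bool      # True for account aliases, False for one-time use
    used: int = 0        # number of messages seen on it so far
    blocked: bool = False


class AliasLedger:
    """Tracks which address was given to which site, for one alias domain."""

    def __init__(self, alias_domain: str):
        self.domain = alias_domain.lower()
        self.aliases: Dict[str, Alias] = {}

    def issue(self, site: str, permanent: bool = True,
              label: Optional[str] = None) -> str:
        # A readable label (the site name) is convenient for account aliases;
        # a random token suits one-time addresses, because a leaked alias then
        # reveals nothing about the naming pattern used elsewhere.
        label = label or secrets.token_hex(4)
        addr = f"{label.lower()}@{self.domain}"
        self.aliases[addr] = Alias(site.lower(), permanent)
        return addr

    def block(self, addr: str) -> None:
        """Manual block, the equivalent of the dashboard action."""
        self.aliases[addr.lower()].blocked = True

    def triage(self, raw_message: str) -> Tuple[str, str]:
        """Classify one forwarded message as (verdict, detail)."""
        msg = message_from_string(raw_message)
        alias_addr = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if not alias_addr.endswith("@" + self.domain):
            return "not-an-alias", alias_addr
        alias = self.aliases.get(alias_addr)
        if alias is None:
            # Nobody was ever given this address: the random-address spam
            # that a catch-all would otherwise accept.
            return "unknown-alias", alias_addr
        if alias.blocked:
            return "blocked", alias.site
        alias.used += 1
        from_site = (sender_domain == alias.site
                     or sender_domain.endswith("." + alias.site))
        if not from_site:
            # Only alias.site ever had this address, so anyone else using it
            # got it from there: a breach or a sale, and we know exactly who.
            return "leaked", alias.site
        if not alias.permanent:
            alias.blocked = True   # one-time address is spent after first use
        return "expected", alias.site


def demo() -> List[Tuple[str, str]]:
    """Run the triage over a few constructed messages (placeholder domains)."""
    ledger = AliasLedger("alias-domain.example")               # constructed
    shop = ledger.issue("shop.example", label="shop")          # account alias
    once = ledger.issue("newsletter.example", permanent=False)  # one-time alias
    messages = [
        f"From: Orders <noreply@shop.example>\nDelivered-To: {shop}\n\nShipped.\n",
        f"From: Deals <promo@other-marketer.example>\nDelivered-To: {shop}\n\nBuy.\n",
        f"From: Editor <news@newsletter.example>\nDelivered-To: {once}\n\nConfirm.\n",
        f"From: Editor <news@newsletter.example>\nDelivered-To: {once}\n\nWeekly.\n",
        "From: Bot <x@random.example>\nDelivered-To: admin@alias-domain.example\n\nHi.\n",
    ]
    return [ledger.triage(m) for m in messages]


if __name__ == "__main__":
    for verdict, detail in demo():
        print(f"{verdict:14} {detail}")
```

The second message is the interesting one: the shop alias arriving from another sender's domain pins the leak on shop.example without any guesswork, which is exactly the "who did that" property the talk was about. The fourth shows the one-time address refusing further mail on its own, and the last is what the catch-all problem looks like when it is sorted out rather than delivered.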
Here’s a drawing of the full set-up:
Hey Ton,
since you already use gmail, I suggest you use the on the fly email address creation feature:
ton.zijlstra+anytag@gmail.com
gmail ignores anything after the + and before the @ when it comes to email delivery, so all the emails end up on your user account. Nifty hein? 🙂
on anytag I normally use the website in question. It saves me a lot of time to hand generate all the email addresses, but it works like a charm 😉
Pedro
I use that too Pedro, for cases where I don’t mind my mail address being known (like sending out invites: me+bbq@gmail.com).
Three things that make that useless for many user accounts:
1) if your user account gets compromised at X.com, it is easy to predict other user accounts at Y.org and Z.net
2) spammers/marketers will easily deduce your main inbox and start using that (esp on sites where you are forced to provide e-mail for content access, you want to use a throw-away one)
and
3) I’ve had sites that don’t allow you using + in an e-mail field.
Main point for me: this set-up does all of it: on the fly creation of mail addresses simply by making them up (never a need to predefine), 1-time mail addresses for untrusted sites/ppl, longer time mail addresses for user accounts, a domain I own, but also a domain not immediately pointing to me. It’s a way to address all my use cases in one go.
The main problem with unique email addresses for services is that nowadays the email is used to find friends on different websites to be able to connect or share.
Also on some sites where you definitely want to connect, like Facebook or LinkedIn, your contacts can download your contact data to have it imported to their local address books, which I think is a brilliant idea.
I used to use unique email addresses 10 or 15 years ago but stopped because the maintenance was too high if you have many accounts. My approach was simpler: I just created a new email address for my main domain, e.g. linkedin@example.com or facebook@example.com.
Hi Michael, thanks for commenting.
Yes, I see what you mean.
However I never allow sites to use my mail address like that when given the option. As I mail with many more people than I actually am connected to I simply don’t want to be found in FB, LinkedIn or such on my e-mail address, only by name. Also I never let sites like that into my own address books to ‘see who else I know on this platform’. To me it is bad practice to link everything up like that. Same I don’t use my google account or FB account to log into other platforms.
As to downloading contact data: LinkedIn lets me specify what is in the downloadable contact data, doesn’t it? No need to have the same info there as the mail address I log in with, for instance.
As to your last remark, that is exactly what I am able to do with this set-up. It can be used for linkedin@example.com (just as much as for yourbogusspammersite@example.com), and I can still use linkedin@mymaindomain.com as well. The difference being that I don’t have to go through my domain maintenance panel first to create an e-mail address before using it. Providing it is creating it.
A recommendation: Never get your domains from your hosting company. If you’re unsatisfied with the service or want to switch for some other reason, the domains may be bound to the hosting contract and you have to wait for the contract to run out.
If you register with a domain registrar (I use dd24.net) you are able to switch to a different hosting company within a blink of an eye. And they are cheaper, too.
Good point Michael!
Over time, handling 20-30 domain names, I have slipped into registering them with my hoster when adding an additional hosting package. That is somewhat sloppy, but mainly out of ease (it means domains are immediately active).
My core domain names are however separately registered.
I do have full DNS control over all domains however, including the ones tied to a hosting package, so I can switch away immediately if needs be. Even if it may mean leaving the existing hosting arrangement in place but unused.
Neil Mather replies: Thanks for this writeup, Ton. I have been using a gmail account as the firewall between the world and my real email account, but this looks like it could be even better. I’m not particularly happy with some of my mail going through Gmail, even if it’s just for the more disposable accounts. Doubleloop.net 25-05-2019