I'm using catch all since forever. I regret nothing.
Two stories:
I don't use mails like facebook@domain uber@domain - that's too obvious. And knowing that may often disclose that I actually have an account registered on given page. I don't want that, so I go full random, using few words I have in mind, current few words from the song I'm listening to, etc. So password manager helps me with e-mails too.
But sometimes when a website annoys me (stupid rules for passwords, crippled UX for forms, because re-writing a select component in javascript is such a brilliant idea, etc) I tend to insult the company I'm registering with using my e-mail or password, I mean mail: this.freaking.store.is.dumb@domain.com and pass: goDieInPain1312323$$$$. Once I registered account for a supermarket loyalty card with some very little insult towards the supermarket. Later I got some huge amount of the points collected and their system crashed and I had to contact the support (the bonus was too high for me to give up on that). First via e-mail then via phone, when they were confirming my address. They helped me and said nothing about the name I was using.
Another story:
When I started with catch-all I was actually using mails like companyname@mydomain, and when I once contacted them via phone the person talking with me was not very into tech I think and was accusing me of... I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.
I have been using a catchall domain since 2004 and it has been a lifesaver.
The sad part is when your email leaks from big companies, you definitely know. I started getting viagra spam delivered to equifax@mydomain.com back in 2007, long before their "big data breach", so it was only a matter of time before that company's pattern of poor security caught up with them.
Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.
> Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.
That does seem beneficial for the most part, but do you have ideas about how to handle the use cases like establishing new relationships (what, if anything, do you put on business cards?) or allowing the general public or a broad audience to contact you (what, if anything, do you put in advertisements, on your web site, on slides of a conference presentation, in an e-mail signature on mailing lists?).
Phone numbers too. Can you imagine if you could give out a different phone number to each company and you could put a call limit, allowed call times, as well as a date expiration on the phone number you gave out. It could all be linked to specific companies, where if you got a spam call, you could report it and the company you entrusted it with would get a fine, or possibly the call would simply not go through.
Google Voice allows you to set what times it will forward numbers, so that gives you a second 'group' of contacts you can assign call times to (give them your voice number, allow them through do not disturb if necessary). It rather surprises me that there's no app for granular ringtone settings to allow calls from certain contacts only at certain times or on certain days.
- allow work calls and disallow family calls 9-5 weekdays only
- allow family calls but not work calls to bypass do not disturb by ringing a second time
- allow annoying acquaintance who wants tech support to only call on weekends, and to only ring on second call
- if working two jobs, prevent each workplace from calling during other workplace's scheduled hours
- add geofencing. don't allow community/neighbor calls while at work.
Basically, just add rules for each contact/group for when your phone will ring. Android used to have multiple sound profiles available, and IIRC allowed you to change the volume and default ringer, these could be activated automatically on a schedule. Now we only have Do Not Disturb, and that's it.
The email service Hey (from the makers of Basecamp) has a feature where the first time someone emails you it goes into a screening bucket. You can then approve those senders who are allowed to email you. If you don't approve, you don't see the emails anymore.
I initially signed up for the trial when the service launched. The first or second time I went to check the site/app it wasn't working. I was pretty much done with it at that point. I probably should have given it more of a chance and maybe they worked that out, but at $99/year for email my tolerance for issues is pretty low. They did (I suppose still do) have a lot of neat ideas around email though.
I effectively do this manually in Thunderbird. I have a saved search folder I treat as my "actual inbox" and I only add email addresses I want to receive mail from to the filter rule list.
I think it's simply a hybrid approach: you'd handle those unknown contacts with many:1 addresses (since there's no real alternative, as you imply), and you'd handle most known contacts with 1:1 addresses.
A benefit is that you might let messages to some or all of those 1:1 addresses be sorted one way (e.g., they ping you) while messages to some or all of the many:1 addresses are sorted another way (e.g., you only check for them with a much longer interval). But then again, a diligently-maintained contact list can be leveraged to achieve same...
To take the tracking logic further, I think you'd do `businesscard-<date for that particular print run>@example.com`, `<name of conference>-<year>@example.com`, `<name of mailing list>@example.com` etc. Maybe come up with something snazzy yet still unique-ish for the presentation slides.
In practice, I suspect the intention is mostly to use catch-all addresses for situations where the email address is a key in a database and like a login and stuff and not an entry in an individual's contacts list.
Actually, centralized databases like DNS are a symptom of a larger problem: society is so used to the idea that you can centralize power, votes, money etc. in one place. It is why we have celebrities and state governments, and privately owned social networks. It is also why smart contracts are still based around blockchains and they allow weird things like flash loans, because only one transaction can run at a time for the whole world.
So the problem is that bill.gates@gmail.com or bill@microsoft.com is accessible to anyone who can use the SMTP protocol. And a phone number is accessible to anyone who texts it. That’s crazy.
Instead, we shouldn’t have DNS or centralized domains at all. DNS is just a glorified search engine that only really helps you find the root resource at a site, the /index.html thing. The vast majority of URLs on the Web aren’t going to be verbally shared anyway so you may as well store them as non-human-readable strings and let people save some local or hosted index. The titles and other metadata can be taken just like google does.
In this case, sending an email would require the recipient to have given out a capability that was received by you. And if some capability was compromised, they’d just deactivate it. It’s like this dude’s email aliases, but far better
>Email should have always been a bidirectional address, representing the relationship between the sender and receiver, and not a wide open receiver for anybody who happens to have your address.
Ideally, this would also be the case for physical mail. Multiple revokable tokens, not publicly tied to your physical address.
Not having your mailing address tied to your physical address would also have major benefits when people move. Simply update your address with the post office and you're done.
The whole idea of revokable tokens would pose an issue for any company that sends bills, as I assume revoking address tokens would be common with them. I'm sure there are many situations like this.
"Simply update your address with the post office and you're done."
Welcome to the 19th century! Which is when mail redirection to a new address was introduced in the UK. I'd be amazed if it wasn't around then or earlier in the USA as well. Simply fill out a form and your mail will be redirected for up to two years (albeit at a cost). Or use a PO box and a mail forwarding service which offers filtering of junk mail. I used one for years when I used to move around a lot for less than £100 a year.
> Welcome to the 19th century! Which is when mail redirection to a new address was introduced in the UK.
That’s not the same thing. Everyone still has your old address and you need to update it with them. Not terribly painful if you move once every 5 years. Pretty annoying and error prone if you move every 6 months.
Which is rejected as a valid address by many banks, government forms, etc. I want something that the post office guarantees has a real person behind it so I can use it for literally everything that requires an address.
I do this, any bureaucratic organization that I want to be able to reach me (very very few) gets my PO box, which has remained the same across three addresses.
The US has mail forwarding for 1 year, but that doesn't solve the problem, as you still need to update the source information with all the companies. I usually end up spending several hours changing addresses when I move. It's better to do this right away than to rely on the forwarding completely. Some places get the change of address info automatically and update their records, but it's never the ones you actually want (usually catalogs and marketing mail).
A PO box would be fine, but it's not an acceptable address with many businesses, so it's not a universal solution to the problem.
Panicked phone call from a jeweller who wanted to know how and why '[their] domain was in my email address'; think he sort of understood once I explained, but still said something like 'can't be too careful in this business' - well sure ok but what am I going to do with.. oh nevermind!
Password lockout/reset over the phone, reading my 100ch 'memorable phrase' as generated by pass... Gave the guy a good chuckle, and no he was not willing to concede by the umpteenth 'upper case A' or 'backward slash' that I obviously 'knew' the phrase and could surely be relieved from reciting the entire thing... I use shorter ones now.
That is a major downside with putting gibberish in for answers to security questions… lets hackers socially engineer support into letting you get access by saying something like, “oh man, I just mashed on my keyboard for that I don’t remember!”
You would hope it wouldn’t work, but it probably will.
That's why I always put legit but wrong answers in. Can't really guess because they're all different and made up, but also can't say, "Oh I just mashed the keyboard".
Or even better, use some random non-words. There was a post here a few months back about a service which generated non-existent but plausible sounding words.
So, your "favorite city" could be i.e. HorsecrackBay Griennstone.
> I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.
I can't tell you how many non-techy people think I'm part of their company because I have yourcompany@mydomain. Sigh. Big companies have ruined the internet by having everyone have @gmail or @hotmail or something.
The "best" is when you can't even sign up without having an account at a Large Company e.g. gmail or outlook. I'm not sure what that's supposed to prevent issues with.
Sure, you can add "+thing" after the username portion, but those that know this bog standard trick can still automatically derive your email address and get around your filters. At least with a dedicated username portion a human has to think for a second.
If you use Gmail then you have a couple of ways besides using the + to make a variation of your email address that will still come to your inbox:
1) Use dots (period or full stop) between letters in the username part of your email address. For example, if your email is abcdefg@gmail.com then a.bcdefg@gmail.com and a.b.c.d.e.f.g@gmail.com also get routed to you.
2) Use @googlemail.com instead of @gmail.com in your email address.
I have a Gmail address and I use these other variations whenever a company rejects email addresses with + in them.
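The Gmail variations listed in the comment above (dots, `+tag`, `@googlemail.com`) all reduce mechanically to one mailbox, which is why they separate nothing once the pattern is known, while per-service addresses on your own domain do not reduce. An added sketch, not from any commenter, of how a sign-up system might group addresses by canonical mailbox; the sample addresses are constructed, and the function and variable names are illustrative only:

```python
from collections import defaultdict

# Domains that deliver to the same Google mailbox (as stated in the comment).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample of sign-up addresses.
SAMPLE = [
    "abcdefg@gmail.com",
    "a.bcdefg@gmail.com",
    "a.b.c.d.e.f.g@googlemail.com",
    "Abcdefg+shop@gmail.com",
    "shop@example.com",   # per-service address on a private domain
    "bank@example.com",   # another one: nothing links it to shop@
]


def canonical_mailbox(address):
    """Return the mailbox an address is delivered to, as far as it can be
    derived from the address alone."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail ignores case, dots and anything from the first '+' onward.
        local = local.lower().split("+", 1)[0].replace(".", "")
        return f"{local}@gmail.com"
    # For other providers the meaning of '+' and '.' is not knowable from the
    # outside, so the local part is left untouched.
    return f"{local}@{domain}"


def group_signups(addresses):
    """Map canonical mailbox -> list of the addresses that reach it."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_mailbox(addr)].append(addr)
    return dict(groups)


if __name__ == "__main__":
    for mailbox, variants in group_signups(SAMPLE).items():
        print(mailbox, "<-", variants)
```

The four Gmail variants land in one group; the two `example.com` addresses stay separate because only the domain owner knows they share an inbox.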
I've got a first@last.family. My dentist and several large companies refuse to accept this as a valid email address, so I have to use an email that doesn't identify me personally by name (uses efreak instead of my name). This annoys me every time I deal with them, especially since some of these sites use my email address as a username. I've been locked out from logging in on other devices a couple times for trying too many passwords when the problem was the address, not the password.
Another no regrets catch-all user. Looking into my rules, I have 4 "to" addresses that get sent to spam.
Two stories as well:
a) After contacting a company, I got a mail from their legal department asking me to explain why I’m using their trademarked name in my email
b) Using an online-shop that requires emailing the owner for your order (so he can send you a PayPal invoice and then snail-mail you the music CDs you ordered…) I got a personal message attached of him asking why his label’s name is in my email address.
In both cases, a short explanation was sufficient, though.
I too have been using a catchall email address since some time in the last century, and it's been cool, although the post is right when they say
> The truth is no one really sells your email
The reason I started doing this was to monitor if someone would transfer my address, and it's never happened. You also get more spam because every firstname@yourdomain works.
But the weird interactions are good! Last year I wanted to get my kid in a somewhat selective middle school (in France) and the fact that the email I was registered with was name_of_school@mydomain helped, because the principal was convinced I was and always had been a huge fan of the school, to have my email named after them...
People simply don't understand you can have more than one email address -- let alone a million. That's kind of fun.
I actually got a call from a company I bought something from, direct from their website. I had bought it using the email $company@$mydomain. Got a call (in the days before most of my calls were not spam and I answered the phone!) from a marketing person and the guy tried to bully me into ... not sure what. I couldn't even tell, like you, what he was accusing me of... I'll say, it felt really good to school him about the internet and how it worked.
I've missed out on appointments too, the business owner later told me after I finally reached them on a social platform "that address looked weird so I just deleted it"
Regardless, I still regret nothing, seeing my spam free "catch all" mailbox compared to my spam infested decade old web mail is all I need to know it was the right choice.
The phone thing has veered into outright fraud. Twitter just paid a $150,000,000 fine to the (US) FTC for letting advertisers match on telephone numbers provided for 2FA.
I am really tired of people selling my burner phone to the credit people; and no, I don't own that phone number. Prove I do.
Take my local credit union. Please. Jackasses let someone have access to my checking account. I don't bank online with them either, or I didn't, but last summer was trying to talk to them about a refi and I had to register online and they wanted a phone for 2FA. So of course instead of calling the land line, which is clearly and incontrovertibly mine, they called the burner. Several times.
Eventually I answered it with "fuck you you frauds" and they were "oooh sir, call me back on my direct line" so I tried... from my land line in the same area code, you get the idea... and their system won't route the call to their fraud department. So I ignored them for a couple of weeks.
Seriously they were so incompetent that when the actual fraudsters were probing, the first transaction was a /deposit/. When they were finally trying to clean their mess up, they /credited/ me the same amount. I'm the one who figured it out and told them well you gave me 2x their original deposit, when you really should have debited the amount in the first place.
People like that are not going to safeguard your information.
When someone tries to call into a provider and impersonate you, to take over your account… they would fail because they don’t know your login even!
Whereas, for most people, they’d sweet talk the person on the other line into resetting the password. Happened to me with GoDaddy, they almost rerouted my @mydomain.com email and then it would have been really bad
I use myname-shortbusinessname@mydomain and once the delivery person for a pizza place I ordered from fairly regularly asked if I worked for the store somehow. I changed the email I used with them to one that was less obvious after that.
Not as exciting as getting accused of trademark infringement, but it’s interesting how people interpret these things.
Regarding 'copyright infringement,' you gotta love it when people get aggressive about IP without knowing what they are talking about; the relevant law would be trademark, not copyright.
I've been doing this for close to a decade and sometimes salespeople and customer service people will ask to confirm, but that takes 5 seconds and isn't awkward (in my opinion.)
It has more benefits than knowing who leaked your email, it lets you easily filter your incoming email by who you gave the email to, and when your email is leaked it lets you shut off that email address. Of course you can also filter your email by the sender's domain, but that isn't as consistent, and doesn't help at all when your email address has been leaked.
It's true that you do have to set it up so that you can send email from the addresses to avoid not being able to reply by email, and you will want a password-manager or something to remember exactly what email you used, for convenience.
Personally I'm glad I've done this, it's made it much easier to organize my emails.
> Because politicians exempted themselves from anti-spam laws, as they do with most laws.
This was the most puzzling thing to me. The politicians that I saw on TV as adamantly pro-privacy, anti-tracking, who made a lot of sense in everything they were saying -- you contribute a single dollar (because they want to show grassroots support for their pro-individuals campaign) and they IMMEDIATELY give your email and survey responses to everyone in their party, including to state-level campaigns in places across the country.
There was no indication on the donation form that any of my personal details would be used for anything except to show that they had a lot of grassroots supporters.
Not only that, but their emails are so clickbait-ey like "lazyjeff, you are the reason that [hated politician] is destroying democracy."
> Because politicians exempted themselves from anti-spam laws, as they do with most laws.
Tons of companies will share/sell/buy your email address. Politicians just stand out because they're shameless about spamming, but email addresses aren't always used for spamming. They can also be used to tie logins to names and accounts across services. They can be harvested for various information they contain. Even folks with just one email address often give away their name, the year they were born, their hobbies, etc. Using an email address like uber@notcheckmark.com and Hilton@notcheckmark.com also tells a story about you and what services you use. Every scrap of data that can be collected helps build a profile of your life and email addresses are a part of that, even when they aren't used to clog your inbox with garbage.
I'd recommend using less obvious names, but I still don't see a problem with creating unique addresses for various services that demand an email account. If nothing else it's a great way to compartmentalize the crap they'll send you (spam or not). If someone questions why you have COMPANYNAME@example.com that should really just be a 2 second conversation.
I couldn't agree more. I've been using a catch-all for probably 12 years now. Sure, sometimes you get a second look when you give an email that has the business's name in it, but who cares?
I get the benefit of blocking mail coming to me forever, doing fast sorts and searches, never have to worry if the company doesn't like a + in my email address.
I use 33mail.com (33m.co) for this which gives you a personal subdomain for free, or a private domain on the paid plan. I'm on the (super cheap) paid plan due to mail volume, but haven't found the need for using a personal domain.
I find it zero effort having a unique email address per site, and when combined with unique (algorithmic) password gives effectively a unique identity per site (cookie sharing aside, but there are solutions for that.)
As a result, I have been able to call out a couple of sites for data breaches, and continue to see npm spam in particular. Worst offender so far is Pipedream, an absolute embarrassment for their CEO who appears to have initiated the data scrape. I won't be surprised to see them sued out of existence, which is a shame, as I like the service in general.
> you do have to set it up so that you can send email from the addresses
Fastmail's webmail allows you to specify the sending email address for a catch-all mailbox in the message composition page, so there is no additional setup there.
Edit: oh god, leaving this in place for posterity but I am completely misrepresenting fastmail here. It is protonmail that I recently tried and had these limitations. Apologies! How embarrassing. Also, I have no idea why the child comment correcting me would be so downvoted. It’s apparently correct.
Yes, but fastmail has a couple dealbreaker limitations when doing this: First, you can’t originate mail from that address; you can only respond. This makes it unusable for a lot of mailing list control messages and other systems where you are required to make inquiries from a registered email address. Second, you must explicitly set up each of the unique recipient addresses, which is a huge burden when you want to be able to generate them on the fly when signing up for web accounts (and when you already have hundreds in use because you’ve spent decades giving every company a unique address).
If they addressed these and I could have an unlimited number of suffixes directed to a single fastmail address, I’d sign up for a paid account in a heartbeat. Looks like a great service but those are fatal flaws IMO.
This doesn't match with my experience. I have a single catchall *@my-domain.com address that will receive anything sent to the domain (without setting up separate accounts ahead of time).
You can also send from any address, but I agree that the UI is a bit hidden. You first choose from the from-address dropdown "*@my-domain.com", and then a new textbox appears where you can type what address to send from. As another commenter pointed out, if you are replying to an email it will automatically fill in the custom from-address, but you can overrule it.
You can originate emails from anything - it just requires that you set it up as an alias (and you can set custom signature etc...)
You don't need to explicitly set up recipient addresses!
I can have as many xxx@myname.mydomain.com addresses, where xxx is anything at all. myname@mydomain.com is my main email address.
I have a single address, donotspamme@mydomain.com that I use as a throwaway and then route it to a folder to review about once a week. It draws a chuckle from salespeople when they ask for it or see it pop up in their system.
Eh, I did it for a while and while I think the OP overstated the "awkwardness," I didn't find that the effort was worthwhile. I only caught one entity selling or otherwise divulging my address: the Atlanta Journal-Constitution newspaper, oddly enough.
Oh, and someone did hack some FAA database and mine it for addresses.
But that's all I netted in several years. Beyond my main address at my own domain, I keep a Gmail address for mailing lists and other low-grade traffic.
I've been doing this for over 20 years, and it hasn't really been a problem. During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs. It never takes more than a few seconds -- nobody has ever said "please tell me all about your advanced email needs!" :)
> I use a password manager for passwords but I also need to use it to remember the associated emails.
I do this, too. It never occurred to me that you might not populate the email/username field -- it's kind of the password manager's job to keep track of that. :)
> The truth is no one really sells your email – at least no legitimate companies.
I think that on the whole, this is true. However, I have had a number of these addresses start receiving spam over the years. I think this is due to the companies' databases being compromised due to poor security. At the end of the day, the cause of the leak isn't greatly important, and I'm glad I can simply turn off those particular addresses.
I’ve been offered the employee discount multiple times when providing storename@firstlast.tld. I declined as I’m not going to risk fighting some fraud charge over €20.
I’ve never had difficult or negative interactions either. “I bought @firstlast.tld and now I can do whatever I want” settles it.
I also have @lastna.me. My grandma has her own and mostly her bridge club mates are puzzled about how her email address just looks like her name. The whole setup is worth a few bucks, I guess.
Yeah I don't understand what the kerfuffle is. Sometimes they express disbelief or surprise, but it's never been a problem beyond telling them "I control the whole domain, you get a special address so I know if your database gets hacked and/or my information sold via this channel" and that almost always results in the employee being interested in getting the same thing for themselves.
Mix of CA and IL, but CA is like half rural desert and half SF bay.
I don't think it requires much computer literacy to understand what an email address is, how annoying SPAM is, and the problems of identity/credit theft.
Sure, these are first-world problems, but so is having to furnish an email address at all.
> During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs
When someone has asked I say I have it set to whitelist them so it doesn't get accidentally filed as spam, they really like that answer =]
For weeks our Shopify app was getting rejected because "you cannot use the Shopify name or trademark in your app". It wasn't... repeated requests for clarification just got back the same form response.
After several frustrating back-and-forths, finally someone at Shopify said "check your email address".
The developer contact email address we had submitted, which was only used for shopify<->us communication and no customer would ever see, was shopify@ourdomain.com.
You'd think anyone competent in tech would instantly recognise that for what it was. Using an email like that for a specific purpose shouldn't be that uncommon. And they should recognise that it was an internal address. Crazy.
I assume Shopify’s position there is that the email address provided with the app is probably visible to end users somewhere and could cause confusion. The policy itself seems reasonable enough just shitty enforcement.
Based on their difficulty articulating the actual issue, I'm pretty confident that this wasn't intentional. Probably someone in a body shop following a checklist.
The specific box is labeled:
2. App submission contact email
This is the email we will use to communicate
with you during the app submission review process.
There are separate boxes for support email, review notification email, etc. So I think the reviewer was simply confused.
Not sure in this case and it's definitely possible, but usually you have an email used for the account and interacting with Shopify, and then a public facing one used for customer support.
Title says that using a catch all domain (whatever that is) is a mistake, but the bulk of the article is about it being a mistake to use the other party's company name as the local part of a throwaway e-mail address which you use for communicating with that party. There is nothing about the catch all aspect being a mistake. You don't have to give a Hilton hotel an address like hilton@example.com; it could be bob-2022-05@example.com, right?
I use a throwaway e-mail system whose generated addresses look like this: 539-343-1293@example.com. The dashes can be replaced by underscores or periods: all are recognized, but not mixtures of them: basically three versions of every alias are installed. (Why? I ran into a situation where I had to enter my e-mail address into a point-of-sale system that didn't accept dashes.)
There is no "catch all" mechanism at play. Each address is explicitly created, using a web-UI application that I wrote. The moment you create it, it goes live, as a local alias recognized by the mail server.
Each such address is associated with its creation date, and a memo field. If the memo field contains URLs, they get rendered into navigable form. They are editable. The memo field is what tells me who/what the address is associated with. I have a regex search box to filter the entries (quite a lot have accumulated).
The UI is like Web 1.5: you can checkbox these items and do bulk operations on them, like bulk delete, move to top, move to bottom and such.
When I delete an address, it immediately stops working. THAT is why "catch all" would be a bad idea; if you have a rule which routes any nonexistent local part to your inbox then you don't have any easy way to turn off an address which is being abused, other than going into the mail server rules and writing a rule to reject that address. That's not a fun UX, compared to a nice throwaway address management dashboard.
This system is called TAMARIND: Throw Away Mail Alias Randomization Is Not Defeatable. :) :)
That code you see there does everything, using the raw HTTPS stream and environment variables from the server. There are no libraries, no web framework, nothing.
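The difference between an explicit alias table and a catch-all, as described in the comment above, comes down to default-deny versus default-allow at the recipient check. The sketch below is an added example, not the commenter's TAMARIND code: it models aliases in the 539-343-1293 style with the "one separator kind per address" rule, a memo per alias, and deletion that takes effect immediately, next to a catch-all that needs an explicit burn list. Class names, the `example.com` domain and the memo text are assumptions made for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field
from datetime import date

DOMAIN = "example.com"  # placeholder domain, as used in the comment

# Digit groups 3-3-4 joined by one separator kind; the backreference \2
# rejects mixtures such as 539-343_1293.
ALIAS_RE = re.compile(r"^(\d{3})([-_.])(\d{3})\2(\d{4})$")


@dataclass
class Alias:
    digits: str   # canonical key: the ten digits without separators
    memo: str     # who or what the address was handed to
    created: date = field(default_factory=date.today)


class AliasTable:
    """Explicit aliases: a recipient is accepted only while it is listed."""

    def __init__(self):
        self.aliases = {}

    def create(self, memo):
        while True:  # draw until the ten digits are unused
            digits = "".join(secrets.choice("0123456789") for _ in range(10))
            if digits not in self.aliases:
                break
        self.aliases[digits] = Alias(digits, memo)
        return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}@{DOMAIN}"

    @staticmethod
    def key(rcpt):
        """Ten-digit key for a well-formed alias address, else None."""
        local, _, domain = rcpt.rpartition("@")
        match = ALIAS_RE.match(local)
        if domain.lower() != DOMAIN or not match:
            return None
        return "".join(match.group(1, 3, 4))

    def accepts(self, rcpt):
        return self.key(rcpt) in self.aliases  # None is never a key

    def delete(self, rcpt):
        """Remove the alias; all three separator forms stop working at once."""
        return self.aliases.pop(self.key(rcpt), None) is not None

    def search(self, pattern):
        rx = re.compile(pattern, re.IGNORECASE)
        return [a for a in self.aliases.values() if rx.search(a.memo)]


class CatchAll:
    """Catch-all: every local part is accepted unless it has been burned."""

    def __init__(self):
        self.burned = set()

    def burn(self, rcpt):
        self.burned.add(rcpt.lower())

    def accepts(self, rcpt):
        rcpt = rcpt.lower()
        return rcpt.endswith("@" + DOMAIN) and rcpt not in self.burned


if __name__ == "__main__":
    table, catch_all = AliasTable(), CatchAll()
    addr = table.create("constructed memo: hotel booking")
    guess = "sales@" + DOMAIN  # an address nobody was ever given
    print(addr, table.accepts(addr), table.accepts(guess), catch_all.accepts(guess))
    table.delete(addr)
    print("after delete:", table.accepts(addr))
```

A guessed local part is rejected by the table and accepted by the catch-all, which matches the observation elsewhere in the thread that a catch-all receives mail for any `firstname@yourdomain`.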
> You don't have to give a Hilton hotel an address like hilton@example.com; it could be bob-2022-05@example.com, right?
Sure, but then it's impossible to remember, or use for classification of incoming mail. Password managers can help with the first problem but not the second one.
I don't understand. You can have filtering rules like "when a new message arrives with 12345@mydomain.com in the To: or Cc:, move mail to lists/foo-list folder".
Yes, but if you don't do it immediately you won't remember that 12345 means this or that company; and also yes, you can search for 12345 and see that all email coming to that address is from a certain company, but maybe they haven't yet sent any email, etc.
Also if you use random strings that are not actually random (you just try to come up with something on the spot) you're very likely to reuse patterns for different third parties.
In the end it's more "stateless" to have a simple rule to attach an email to a given company, than maintaining a separate reference list (or lists! one in a password manager, the other in your email client).
But it's not very important, and mostly a question of personal preferences.
iCloud+ has something like this as well. So far I've only used it with Sign In with Apple, or whatever it's called. Your comment led me to go check out the iOS Settings and it looks like one-off random email aliases can be made in there.
Of course at this point my email is so many places it almost seems like a lost cause. What I wouldn't give to have a reset button for the entire internet. I would be much more careful with my address than I was 20 years ago.
I used to have one of my domains configured to accept all mail, after spam filtering. The result was amusing. I had the domain in .com, and a school in the UK had the same domain name in .co.uk. So I'd get some misaddressed mail, usually at the beginning of the school term. Not that much.
One day I got a message "I am going to kill you tonight". It was from someone at the school, intended for someone else at the school. I wasn't sure what to do, especially since it was the middle of the night in the UK. Call the cops in the UK? Finally I found an emergency number on the school's web site, and ended up reaching the headmistress. She was at first annoyed at being awakened. Then she was fully awake and annoyed. Once she heard the name of the sender, she said "He's only 12". Some kid was in for a major chewing out, but the situation did not require police.
If that had happened in the US, there would be a SWAT team callout.
I strongly disagree. I've also been using a catch-all domain for more than a decade and giving each sign-up its own name@mydomain.com. I can remember one small issue. Otherwise it's never been a problem. The problem has been getting marked as spam for running my own mailserver. But it's all worth it in the end.
I agree with you. So many companies end up with absolutely terrible unsubscribe code that just flat out doesn't work[1]. With my own server I can just burn a particular email with one line in a file, or I can block their whole domain. I end up having to do this fairly regularly.
I can also choose the message to send in the smtp 5xx error line and so I like to call them names. I know a person never sees it but it makes me feel good knowing my server is cursing out the spammers' servers.
[1] I would venture that roughly 30% to 40% of email unsubscribe links aren't url encoded so that the `+` in the email goes in naked to the url, resulting in the server decoding it into a ` `. Sigh.
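The failure described in footnote [1], as an added example that is not part of the original comment: a link builder that pastes the address into the query string unencoded, next to one that percent-encodes it, with the address the receiving side decodes in each case. The host `lists.example.com`, the `email` parameter name and the sample addresses are constructed assumptions.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Placeholder endpoint; not taken from any real mailing-list system.
BASE = "https://lists.example.com/unsubscribe"


def build_link_unencoded(email):
    """Mirror the bug: the raw address goes straight into the query string."""
    return f"{BASE}?email={email}"


def build_link_encoded(email):
    """Percent-encode the value so '+' travels as %2B and '&' as %26."""
    return f"{BASE}?email={quote(email, safe='')}"


def server_sees(url):
    """Decode the query the way a form-style parser does ('+' means space)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("email", [""])[0]


# Constructed sample addresses: a plain one, a plus-tagged one, and one
# whose local part also contains '&' (legal in an address, fatal in a query).
SAMPLES = [
    "first.last@example.com",
    "me+shop@example.com",
    "a&b+lists@example.com",
]


def audit(addresses=SAMPLES):
    """Map each address to what the server decodes from each kind of link."""
    report = {}
    for addr in addresses:
        report[addr] = {
            "unencoded": server_sees(build_link_unencoded(addr)),
            "encoded": server_sees(build_link_encoded(addr)),
        }
    return report


def broken_addresses(addresses=SAMPLES):
    """Addresses whose unsubscribe request would target the wrong subscriber."""
    return [a for a, seen in audit(addresses).items() if seen["unencoded"] != a]


if __name__ == "__main__":
    for addr, seen in audit().items():
        print(f"{addr!r}: unencoded -> {seen['unencoded']!r}, "
              f"encoded -> {seen['encoded']!r}")
```

The unsubscribe request for a plus-tagged address then looks up a subscriber that does not exist, which is why the link appears to do nothing.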
I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you... "
A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up... ?) so that's a bit annoying.
I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole, instead of my spam folder. And I'm always using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" because I don't care too much and even if I forget where it came from, it's not a big deal.)
And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah the naivety of my internet youth.) I don't think email addresses get sold "a lot" but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.
With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.
Been using a catch all email domain since 2005. I've not had any major issues with it.
The entire "calling up and having to explain the username" thing is few and far between. Had that conversation in person and over the phone dozens of times, at most I get a little ask to verify I spoke correctly. Customer support doesn't care. They have people calling them up with an email address of "420hotcock69 at something dot tld". The entire "your company name at silly domain dot tld" generally doesn't faze them.
Misspelled accounts? Rarely happens. Copy and paste the domain. Use a password manager. The only time I have trouble logging in is when I can't remember if I used social auth or created an account.
As for getting email accounts purged? Don't bother. Stop using it for whatever legit reason. Then set a filter to mark all email to that user@ to be sent to spam/deleted. Problem solved.
The ONLY time I've had issues was a few random systems that had funky rules for verifying fake email addresses. Oddly they sometimes look for their own domain name in the email address. So I can't use the exact domain name at those.
Samsung does this, and it annoys me every so often. I'm using sammysung@ because they won't let me use samsung@. There's a couple others like this as well.
For such systems I just spell the domain backwards, which sometimes creates interesting things. Until now there was no system that detected this.
E.g. gnusmas@domain.tld instead of samsung@domain.tld
What you're referring to as Gnusmas, is in fact properly called GNU/Christmas (the Christmas celebrational event kernel with the GNU userland, err, I mean decorations and way of celebration).
I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of sender name. For example for grubhub I'd do:
me@grb.mydomain.com
No need to remember anything because it's all in a password manager. I've found this worthwhile, already blocked a couple spammers.
You could also go with something fully random, you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for. Password manager obviously required though.
Nice! I tried this a few years ago, and while this worked nicely for inbound email, deliverability outbound was really bad, even with DKIM etc. set. Normal mails from <my domain> were fine.
I guess "amazon.<my domain>" got quite the phishing score at the time, so good call using grb instead of grub. :D
Yeah deliverability is a good point. I'm usually only using this trick for services where I wouldn't be sending outbound email luckily. Normal emails come from mydomain.com.
Using custom subdomains for each account is a great idea. Once you start getting spam on this subdomain, you just need to remove the DNS entry and the spammer's attempts to deliver spam will be unsuccessful (versus if you use different local part names, you have to filter / reject the mails explicitly).
I have an address that ends in .fyi and continue to encounter systems that refuse to accept it as a valid domain. It's really frustrating but at least I have a .com that I can enter into those and just forward it.
Before Cloudflare, I built a company around this called Unspam. It wasn’t commercially very successful, but it allowed you a ton of power around routing/filtering emails on a per-email basis (e.g., require senders to certain emails to pass a Turing test, add a header to others, turn up or down spam filtering by the address). I haven’t had the problem the author references, but mostly because I preface conversations with: “This is going to sound weird, but my email is…”
There’s a security benefit in making your email not-the-same across services. Yes, perhaps many of mine are guessable if you know the pattern I use. But it defeats non-targeted scanning. People target me (I was just sanctioned by Russia along with Mark Zuckerberg and Marc Benioff! Woot!!) yet exactly zero people have targeted me this way.
I’m still one of the few remaining Unspam users. Works great to this day. (Impressive given I wrote the PERL that powers it.) Actually think someone could spend a week with Cloudflare + Workers + Email Routing + Area1 and replicate the functionality+++. I’d gladly pay $5/mo for that. Wouldn’t be a big business. But an example of a bootstrappable lifestyle business that could easily cash flow enough to healthily sustain a couple developers.
I'm going to mirror most of the other commenters in saying - I've been doing this for nearly a decade and have basically never had an issue with it and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "Company@example.com" can be solved by using "PineappleBanana@example.com" instead or random characters or my personal favorite throwaway "[Company]SentMeSpam@example.com". Yea, you might have to use a password manager to know which random string of nouns is tied to what account - but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)
In fact the only issues I've ever had with a "non-standard" email address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address and even before the modern-day issues surrounding Russia .ru addresses get blocked in many places. My fallback email is an email hosted by https://cock.li which being chan-adjacent also gets blocked so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.
I've had sales and customer service ask me about this a handful of times and I simply said: 'It's a unique email address so that you guys can't sell my details or get hacked and lose my email.'
The only interaction that sticks in my mind regarding this was when one of the sales people asked me how they might set up their own version of a catch-all domain. That's about it.
I agree with a lot of the other comments here. I've been using a catch-all for years without significant problems. I think the closest to an awkward moment was when a small web comic artist wrote to me a bit confused. I had used the name of her comic to subscribe to her newsletter. I explained what it was and we had a laugh - if anything it perhaps increased a bit of human connection between us that otherwise wouldn't have existed.
I feel as though the author is throwing away a lot of advantages because of some minor social awkwardness that can be worked through, or completely avoided by using a different naming pattern.
We're even starting to see one-off emails created for you automatically (iOS can do this) because of the number of advantages.
I have not encountered the author's 2nd issue because I use a password manager.
I have encountered their 1st issue (awkward encounters) and consider it a feature. I guess this depends on certain extro/intro-vert-ish human preferences, but it can be a nice talking point if you approach it right.
The author's argument can be generalised to an appeal to normativity - doing ANYTHING that isn't common practice will garner awkward interactions. It's also a necessary early-adopter stage of anything eventually becoming common practice (and catch-all domains are becoming an automatically supported feature in many services now so here's hoping it does).
I don't buy it. The number of people on HN that say, "it takes non-zero effort, and it was hell to exert that little bit of effort, so you shouldn't do it."
That might be a worthwhile message for a hardware hacker site where putting effort in to email configurations might be different enough from the meat of what most people are doing, but for this site? No. Don't try to sell "hacking is slightly hard, so don't do it" to hackers, please and thanks.
I've been doing individual email addresses for ages, and I've forced more than one company to disclose breaches because I was able to show with certainty that an address couldn't have been lost any other possible way.
I agree that using per-company email address to sign up is not a good idea but I love my catch-all email address.
When I'm testing my software (professional or personal) I can "create" emails on the fly for new user accounts. Yes, with Gmail, you can do the base+anything@gmail.com trick but with my setup I never need to rely on that (or worry someone might block it), I just use anything@mydomain.com and I'm good to go.
Same for my LLC, I have a catchall so I can set up things like accounts@mydomain.com and get all those emails to my main josh@mydomain.com email address and then in the future if I need to turn that into a group or its own email address it's super easy and forward compatible. Just like support@mydomain.com, right now I'm the only one that handles that but I can hand that off in the future if I need to without any issues at all.
Tangentially related: getting your own name as your domain name is really nice in more ways than you might think. Giving my email over the phone is a cake walk, I've normally just given them my name, then I just say "josh at joshstrange dot com" and I never have to worry about spelling or them hearing me perfectly since it's just a combination of the info I just gave them (my name). I get comments about it from time to time but buying that domain in high school was the best decision I ever made when it comes to tech/email. It's stayed the same for well over a decade and I never had to give out an embarrassing email or worry about "what email did I use to sign up for that account?".
If however, like myself, you have a name like Mr Fair lyPopularNameNoOneInBritainCanSpellCorrectly IncomprehensibleItalianOrSpanishOrSomethingEuropeanFamilyNameNoBritHearingItWillEverAssumeStartsWithTheLetterItActuallyDoes, it's the epitome of tedium every time you have to get someone on the phone or in person to spell your name correctly.
My wife fucking hates it that she switched from her easy, unmistakable English family name to my shit show of a Phonetic spelling exercise.
I guarantee I'd never receive a single spam message because nobody is EVER spelling my FirstnameLastname.com correctly, Mr MyNameExistsInAutocorrect Strange.
Jokes aside, seriously, my family name starts with "El" and the second you start saying it you see people write "L" and pause.
I always found the firstname@lastname.com to confuse people far more than the name itself. I often get questions like "is that at gmail.com or hotmail.com or...?"
One problem I have with catchall is passing my email addresses between "rings of trust". Example: say I have an email for close friends and family: me@example.com. Everywhere else I use spam<random_number>@example.com. All's well, until some well wishing family member decides to give me a gift in a form of subscription, or something like that, and uses my email they know: me@example.com. And just like that the whole carefully built house of cards collapses.
> The truth is no one really sells your email – at least no legitimate companies. The one outlier is political campaigns: they'll share your email till the end of time. No matter what I do I can't get bernie@ purged from any lists. Every level of government has that email and they share it as widely as they can. I'm pretty sure I only gave him $20 a decade ago.
Interestingly, when I was in Texas this never happened. I voted, I attended rallies, etc... The Democratic and Libertarian parties there just never sold my information; moreover, they never added me to lists or texting campaigns.
Then, I moved to California and the flood gates opened. I was getting back to back text messages from "campaign organizers". Later, I found out these are just normal people texting me from a burner phone because I angrily replied to one of the texts. Why, in this day and age, the Democratic party would entrust my name and phone number (and who knows what else) to some random "volunteer" or "advocate" is beyond me. You don't need to spend more than five minutes on the internet to understand many people who use that title do so with misaligned intentions.
Nowadays, I report their numbers to Google and they automatically go to spam.
I think they are mostly using a tool that proxies the SMS communications between you and the volunteer. But I don't know what tool or what its privacy or security features might look like.
Here in California the campaigns can get copies of the contact info on everyone's voter registrations: "pursuant to Elections Code §2188 and §2194, voter registration information is available for electoral, scholarly, journalistic and political purposes, as well as governmental purposes, as determined by the California Secretary of State."
I use catchall domain for... everything. Every account at every entity has its own unique address, since probably well before 2010. I have always more than happily accepted to have my address saved into marketing databases.
I can share the frustration sometimes with employees turned sudden internet experts and "teaching" me that my email address cannot start with their employer's name. I usually retaliate by withdrawing my consent to be registered into their database.
And that ends there, I disagree with everything else in the blog post.
1. Catchall facilitates blacklisting when it becomes necessary: whatever rotating address is used by the sender, I blacklist myself as the recipient.
2. It helps detect who shares databases with whom. This is not necessarily about "selling" but more often it taught me which companies operate with which companies under the umbrella of that "and our partners" statement found in every privacy policy written by legal consulting firms.
3. It's a smoking gun for companies who get hacked without even knowing it. I have been informed several times of a compromise before the company itself knew it.
4. I also use suffixes on my catchall addresses, this allows me to optimize my email filters.
5. It makes correlation more difficult across databases and anything that helps achieving this goal is a win for me.
6. I use a password manager, I use both the login and the password fields. The title of the entry always allowed me to find the account very efficiently.
I can probably find other reasons, I'd just conclude that after more than 10 years using a catchall domain, I still can't imagine sharing the same identifier across all my interactions.
I think they meant to say to avoid using email canaries named after the company one is emailing. I used to do this but it has been a problem as companies are catching on and blocking these addresses.
My most recent experience was with the Tractor Supply Company. They were upset I used an email canary so they called it "fraud" and cancelled my gift card. I've spent some of my retirement turning their customers away and might even put a few billboards up to warn residents of my state about their fraudulent behavior and lack of integrity.
Anyway since then I have been creating more realistic looking canaries that I can still tie back to the people I interact with, thus allowing me to notify them if their email databases have been compromised. I will never stop using canaries regardless of what ire and bad behavior it draws from corporations. It seems to be a good way to detect shady businesses now in addition to companies leaking or selling their contacts.
I had to stop using plus-addressing (me+brand@gmail.com) because of broken email address parsers/validators. If I was on the phone with a support agent, I would give them my plus-address and their system would reject it and they'd ask for another one. Stubbornly, I'd refuse to budge and insist that is my email address that they need to use. It got to the point where I'd either have to forfeit my healthcare/tax/flight/<whatever> account or give up on the plus-address. And if they asked about it, I'd explain honestly that it's because I don't trust them.
It did reveal some interesting data leaks sometimes including on npm [1], but the hassle wasn't worth it.
GMail has supported the "+" alias since the service was announced, one would think there'd be no excuse to not support it everywhere at this point. My conspiracy-theory hypothesis is that many companies "know" that any address with a + in it is an alias and actively filter it out. Because they don't want an alias, they want your _real_ address.
I run my own mail server and use a "." as the alias character. Haven't seen a system reject a single one of these.
Supported since forever by Cyrus IMAP for routing into subfolders.
For some unknown reason at Pitt people were taught to finish write their email as username+@pitt.edu ca. 1995. While it supported that as the inbox, most people were unaware that you could put +foo and have it go to the folder foo if one existed. But the address without the plus also worked.
Because gmail allows periods, and many people think the period is required since that's how they signed up for it. Therefore many people consider a period an important part of an email address.
> The only benefit is that I'm able to tell when companies are breached before wider disclosures because I start getting spam emails sent to thatcompany@.
My big problem is that this is worse than useless.
I started doing unique-address-emails back in probably 2002 or 2003 and did it for around a decade before giving up.
A couple of times per year I would start getting spam or similar on an email address and would know exactly what had been breached and I would try to notify the companies involved. I'd probably spend an hour or two finding emails for key contacts and send a few paragraph email explaining how I knew they were breached etc...
90% of the time I got absolutely no reply whatsoever.
5% of the time I got a pleasant reply and someone said they were already aware or they would look into it.
5% of the time I got confused emails from a non-technical person that didn't understand how their PHP shopping cart software which hadn't been updated in 2 years got hacked, and didn't know what PHP or Linux or anything else was because the neighbor's kid had installed the site one time 2 years ago and now was too busy in college and why are you bothering us about this we have orders to ship!
5% of the time I got incredulous replies from technical people who insisted that I was wrong. That email address must have leaked some other way!
Then there was the last time I ever sent one of these emails. I guess I had found and emailed the owner of a company to email who had then added in his tech person. I explained why I had huge confidence something on their side was breached, but, couldn't explain to them what or how. They eventually got rather hostile about it, first accusing me of extorting them for the information (I never asked for money, but bounties weren't really even a thing back then like they are today). Eventually culminated in them adding in their lawyer with more threats and demands for my full name / address (presumably so they could actually sue me). I ignored them and fortunately the whole thing went away.
That was the last time I sent a report about one of my emails being compromised and shortly thereafter I stopped using tagged addresses entirely.
One time I made up a new address to use for a SiriusXM signup, and that address got a spam email before the confirmation email. As you can expect, that was filed under "people insisted I was wrong".
No one said you're supposed to contact anyone about the spam. If the problem could be solved on their end, this catch-all/tagging solution wouldn't need to exist in the first place. The assumption is that people can't be trusted with your email address, so you create a way that their incompetence/malice can't hurt you, and then you go about your business.
Imagine criticizing helmets because children keep falling off their bikes.
> No one said you're supposed to contact anyone about the spam.
Considering that, as far as I knew at the time, nobody was doing this at all, nobody told me any of what I was "supposed" to do. Even if they had told me what I was "supposed" to do, I generally am not good at following directions or doing what I'm supposed to do.
Have to say, disagree with every single point. It also feels poorly argued. The example about not being able to log into grubhub stuck out to me within 20 seconds of reading. He says he uses a password manager, then says he has to navigate many accounts while trying to login. Any sane password manager is not simply a list of emails and passwords, but also the SITES they BELONG to. This can't have happened the way he describes it.
Also, in particular, I can't understand the social awkwardness. I don't see how the interactions he has described are awkward in any way. OK, once in a while you have to explain yourself. Sometimes you might have a laugh about it. 95% of the time you just repeat yourself and move on. There's nothing awkward here. Unless he's using a different definition of awkward, as well as social.
I had the exact same experience! Almost verbatim. Nowadays, after one very long weekend spent changing my email address across dozens of different websites and services, I just use name@name.red instead of anything service-specific. Even now, though, the fact that it's a ".red" rather than a ".com" is too much for some people (e.g., my student loan servicer doesn't support .red domains at all). It's fun being special until it isn't.
Using a catch-all domain _was a mistake for me_ would be a more appropriate title here.
I’ve been using a catch all for years now and have had nothing but amusing and fun interactions and discussions with folks about my email addresses. People often understand pretty quickly and think the concept is actually cool (even if they aren’t running out to buy their own domain).
I’m far more annoyed by my weird, hard-to-say/spell house street name but that’s harder to change (:
Just to provide a counterpoint, I've been doing the same thing for 6 years now and I haven't found the same issues to be a problem. Even as someone with pretty intense social anxiety, I haven't encountered any awkwardness, and don't find it particularly inconvenient to have to look up the correct email in my password manager.
The only actual issue I can remember encountering was a weird glitch with Crashplan that wouldn't let me register with crashplan@[myfullname].com, so I ended up using backups@ instead. Also, my full name is tedious to have to spell out, so I switched to using [firstname].cloud as my email domain instead.
In my case, while I haven't caught any notable email sharing/selling, I've still found unique per-service emails useful for filtering and organizing messages. Many orgs these days don't bother to use a consistent From email, so if I want to find everything from XYZ corp, it's easier to search for everything sent to xyz@name.cloud than everything from no-reply@xyz.com and orders@xyz.com and info@xyz.net and email-list-123@xyz.email and so on and so forth.
I was purchasing a car at local Honda dealership and the salesman refused to believe that my email address was honda@mydomain.com. He just insisted that I should tell him my "real" email address. If it happens today, I would just walk away. But back then I was a new grad who just got a new job and really wanted a new car in a new city, so I said "fine, does mylastname@mydomain.com sound more legit?" He was ok with that. I brought the car back home, and set a new inbox rule that blocks all emails to mylastname@mydomain.com. Because I can't think of a reason to use mylastname@mydomain.com in any cases. I have never heard anything from Honda ever again.
I once got a text message from an agent after a dealership visit, he asked me why I just couldn't give him a good feedback since he worked so hard and I seemed to be happy with the result. I was like "sorry, but for some reason I can't receive emails from Honda, including after-visit survey".
> The truth is no one really sells your email – at least no legitimate companies.
Speaking of this, I actually did sometimes catch someone sold or leaked my email addresses. They usually came from spam emails with "Undisclosed recipients" that I had to dig into headers to find out which one of my addresses was leaked.
Most of the addresses used in spam are the ones I shared with individuals/small businesses and I would like to believe that they were not intentional.
The only legit, big company that sold/leaked my email was Docker. I applied for a new job with docker@mydomain.com and a year later a bunch of recruiting spams came to me via that address. Although it was possible that it's just that particular recruiter forgot to shred my resume after I rejected their interview invite.
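The header digging mentioned above, as an added example that is not the commenter's own tooling: when `To:` only says "Undisclosed recipients", the alias the spam was really sent to usually survives in delivery headers such as `X-Original-To`, `Delivered-To`, or the `for <...>` clause of a `Received` line. The message below is constructed, and `me@mydomain.com` as the final mailbox is an assumption.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, IDs and dates are invented for the example.
RAW_SPAM = """\
Received: from mx.spam.example (mx.spam.example [203.0.113.7])
\tby mail.mydomain.com (Postfix) with ESMTP id 4ABCD12345
\tfor <docker@mydomain.com>; Tue, 3 May 2022 10:15:00 +0000 (UTC)
Delivered-To: me@mydomain.com
X-Original-To: docker@mydomain.com
From: "Recruiter" <jobs@spam.example>
To: undisclosed-recipients:;
Subject: Exciting opportunity

Hello, we found your resume.
"""

# "for <addr>" inside a Received header records the envelope recipient.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)
DELIVERY_HEADERS = ("X-Original-To", "Delivered-To", "Envelope-To")


def envelope_recipients(raw):
    """Return (header name, address) pairs for every recipient trace found."""
    msg = message_from_string(raw)
    found = []
    for name in DELIVERY_HEADERS:
        for value in msg.get_all(name, []):
            found.append((name, value.strip().strip("<>").lower()))
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header line folding
        for addr in FOR_CLAUSE.findall(unfolded):
            found.append(("Received", addr.lower()))
    return found


def leaked_aliases(raw, my_domain, final_mailbox):
    """Aliases at my_domain that received the message, minus the real inbox."""
    aliases = []
    for _, addr in envelope_recipients(raw):
        if not addr.endswith("@" + my_domain.lower()):
            continue
        if addr == final_mailbox.lower() or addr in aliases:
            continue
        aliases.append(addr)
    return aliases


if __name__ == "__main__":
    print(leaked_aliases(RAW_SPAM, "mydomain.com", "me@mydomain.com"))
```

Which of these headers is present depends on the receiving mail server, so an empty result means "no trace recorded", not "no alias involved".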
I also used to use catch all domains for all kind of registrations and my form was <domain>@mydomain.at (e.g. ycombinator.com@mydomain.at). That most of the time solves the management aspect, except for some special cases where several domains share a unified login (e.g. Google or Stack Exchange).
Anyway, I’ve changed to iCloud’s Hide My Email some months ago, as this is much easier to use and you have easier control on all used emails. You can even add a comment to each address in the moment of creation. Also disabling (blocking) single addresses works like a charm.
I wish there was a simple equivalent for phone numbers. Even if I had to pay <$1 / month per unique phone number it would still be worth it.
Too many services now need a phone number "for my security". I use my Google Voice whenever I can but there is no way to trace the leaker from that. Car dealerships appear to be a big source of leaks in my experience (significant uptick in spam calls and texts after I give a dealership my GV number).
this doesn't solve the SMS 2FA problem but if you know what you're doing with voip you can set up a DID to answer with a filtering message like "please press 8675 to be connected", and it'll only ring your actual phone if somebody follows the instructions. cuts down on 98% of telemarketing and scams.
then only give out the DID number not your direct phone to things like car dealerships.
i had one car dealership that I took my car to for an oil change one time that persisted in sales calls for six months until I finally escalated the matter to their general manager.
I recently tried to register at facebook using a twilio number (yes, I was pulled in kicking and screaming). They never actually sent the verification code until I used another number.
The only issue I've had was with that real estate data website that rhymes with Willow. They have a strict policy against usernames that contain their branding and my first support ticket resulted in them demanding I change my E-mail address.
I find a catch all is a spam magnet, but a little finesse with regular expressions can work wonders. On Google Workspace for example I have a rule for prefix_(.*)@domain.com that way the automated spam attempts fail because they usually just use lists of names.
I then sign up, for example as prefix_netflix@domain.com
But yes, I've often been accused of stealing the domain, even though it's not their domain. Also some companies don't send outbound email that matches their domain no matter where it matches, for example I couldn't do prefix_amex@domain.com I just never received the emails. As soon as I changed it to prefix_chargecard@domain.com the emails came through.
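The prefix rule from the comment above, sketched as an added example (not the commenter's Google Workspace configuration): a plain catch-all and a `prefix_`-only policy are run over the same recipient list, with a small burn list for retired aliases. The pattern is a tightened form of `prefix_(.*)@domain.com`; the function names, the burn list, the reply texts and the sample recipients are constructed assumptions.

```python
import re

# "domain.com" and the "prefix_" scheme come from the comment; the rest is constructed.
PREFIX_RULE = re.compile(r"^prefix_([^@\s]+)@domain\.com$", re.IGNORECASE)
BURNED_TAGS = {"oldshop"}  # aliases retired after they started attracting spam


def catch_all(rcpt):
    """Plain catch-all: every non-empty local part at the domain is delivered."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != "domain.com" or not local:
        return 550, "relay denied", None
    return 250, "accepted", local


def prefix_only(rcpt, burned=BURNED_TAGS):
    """Deliver only prefix_<tag>@domain.com, and only while <tag> is not burned."""
    m = PREFIX_RULE.match(rcpt.strip())
    if m is None:
        return 550, "no such user", None
    tag = m.group(1).lower()
    if tag in burned:
        return 550, "alias retired", tag
    return 250, "accepted", tag


# Constructed recipients: guesses from a name list, plus real and retired aliases.
SAMPLE_RCPTS = [
    "john@domain.com",
    "sales@domain.com",
    "info@domain.com",
    "admin@domain.com",
    "prefix_netflix@domain.com",
    "Prefix_ChargeCard@domain.com",
    "prefix_oldshop@domain.com",
    "prefix_@domain.com",
]


def accepted(policy, rcpts=SAMPLE_RCPTS):
    """Recipients the given policy would accept (SMTP-style 250 reply)."""
    return [r for r in rcpts if policy(r)[0] == 250]


if __name__ == "__main__":
    for rcpt in SAMPLE_RCPTS:
        print(f"{rcpt:32} catch-all={catch_all(rcpt)[0]} "
              f"prefix-only={prefix_only(rcpt)[:2]}")
```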
Why not just use regex/wildcard addresses which makes it less "awkward".
Like "mail-recruiter@foo.bar", "mail-hilton.com@foo.bar", etc.
It's easy to configure, makes it more clear that you are in fact not trying to impersonate others and you circumvent the problem of receiving automated mails to "sales@foo.bar", "hr@foo.bar", etc.
BTW: I've been using my solution for more than five years and only had one "awkward" moment when a recruiter was a bit sore I gave them my mail address specific for cold call recruiters.
I do this and haven't had nearly as many problems as the author for a couple of reasons. First, I refuse to give out my email in most of the situations he complains about. I almost never want or need to link my physical retail purchases to an email address, and in the cases where I do, it is usually faster and easier to ask for a loyalty packet and sign up online than to dictate all the information to a clerk.
Second, I'm not strict about it, and use a generic address (my-formal-name@example.com) in situations where I do need to give an email verbally (like contractors asking where to send a quote). And I also have my-nick-name@example.com which I give to friends and family.
Since I only use the catch-all emails for things I do online, they are all stored in a password manager so I don't have any problem forgetting them.
With these more relaxed rules, I still end up using a catchall email the vast majority of the time, with a fraction of the annoyances. The only time it really comes up is for telephone support calls with accounts I created online, and it isn't a big deal.
The benefit is that I can block 90% of spam using nothing but a black list of addresses that have been compromised. And the novelty of knowing who has shitty security with my information.
Reminds me a bit of the family member who owns firstname@lastname.com and can't get random non-technical people to believe that their email address domain really is lastname.com
Mine is first@fullname.com. Most just accept it (all when I visit California, maybe that's your experience?), but I do get queried about it from time to time in my home country
I used mail@firstname.lastname.name and sometimes even like the op "service"@firstname.lastname.name for some time.
This led to all kinds of trouble, social and technical. Social as in people did not understand why I "owned" "service"@..., why I did not have something like firstname.lastname@t-online.de/web.de/gmx.de/googlemail.de, that a third level domain is even possible, or they did not recognize .name.
Technical trouble was almost the same:
Systems did not recognise the new at the time .name, or systems had trouble with third level domains. Sometimes I could sign up, but something in the backend broke and I never received mails.
I would add that once you start using catch-all, you are forever limited to self-hosting or using an email provider that supports it, unless and until you want to leave behind all the individual addresses or go around updating your info everywhere.
I did catch-all for decades. I honestly wasn’t getting any benefit from it that I couldn’t get in some other way, better.
It doesn’t solve spam, so I still need anti-spam tools. Spam still comes to my main address anyway, so it doesn’t keep spam out of that account. Smart mailboxes give me more powerful tools for organizing things according to more refined criteria than just “to.” Knowing when sites leak my address isn’t especially valuable to me personally. In the end, the address I give out is sort of irrelevant. I may as well just be using my main address for everything. Which is what I’ve started doing.
Yet I’m still saddled with all these catch-all-dependent email addresses. I have a huge Swiss-cheese email perimeter, more or less forever.
It won’t be easy or fun to unwind all that, and I’m not sure I’d ever be able to do so completely. It’s the worst of both worlds.
If I could go back in time, I would tell myself the only way to win is not to play.
I use a catch-all eMail account, but only for two reasons:
1. To catch legitimate misspellings. A property deal nearly fell through for my father because his realtor had misspelled his eMail username but gotten the domain correct.
2. To fuck with people who use bogus eMail addresses under my domains to sign up for services. That includes eBay and PayPal accounts. I mean, if you’re going to bullshit with my domain name, bend over and bite the pillow!
What’s weird is I’ve noticed some sites and apps don’t like their name in the account name and won’t validate.
For example, I tried signing up for the Chronometer app using chronometer@prepend.com and can’t make it through their sign up process.
I’ve always wondered what kind of programmer makes their domain name as email not work. I’m guessing it’s some testing or debug shortcut but won’t have closure.
I’ve probably noticed 6 sites over the years like this.
My theory is that it's to dissuade less advanced spammers/fraudsters who use manually-created, consumer-grade email addresses that take time & effort to create, thus rejecting them could actually slow them down or piss them off enough to give up.
The intent is probably to ban spam/free trial abuse or obviously-incorrect addresses (though for the latter case why not just send a verification email).
So I'd be tempted to think that my address had been leaked from there, but I also got other messages sent to addresses like:
admin@steve.org.uk
sales@steve.org.uk
support@steve.org.uk
In the end I figured that it was just dictionary attacks and optimistic senders, and I could never be sure that a particular company had actually leaked an address.
These days I just give steve/at/steve.fi to everybody (I moved countries, hence the new TLD). I ported over all the aliases that had received email in the past five years and started rejecting unknown local-parts. That stopped badbots from mailing things that seemed like poorly-scraped message-ids "blah-blah-1234@steve.org.uk".
More generally, just coming up with a random word and assigning it rather than a specific name, and looking that word up in your password manager, should suffice.
After the dotcom bust, it was sometimes the user information which was the only thing left to sell off (even when they promised not to.) Spam was more of a problem back then, or maybe just being able to avoid it was more of a problem. So catch all email like this was actually beneficial but it became obvious only a few years later, to me at least, that no one was selling email addresses anymore and all that management was unnecessary overhead. I'd say about by 2006 it had definitely sorted itself out.
I now route mail by context and only deal with maybe a half dozen accounts regularly.
I’ve been using this style of catch-all address for years. I’ve never had to explain, and have only once had an issue with it, last year when I scheduled an appointment with a business that I’ll call Alpha Beta Gamma, and they rang me a few minutes later saying they couldn’t confirm the appointment properly because their system was objecting to the email address I’d provided, which was alphabetagamma@, and maybe that was because of their business name being in it, so could we try something else, like abg@ (yes, they made the suggestion), and that worked.
I don't understand the part about awkwardness with customer service people. How often does that really come up? And, if it is predictable, just spend a minute and think of some satisfying reply and then use that whenever it does come up.
"Oh, hilton@notcheckmark.com? You must be a big fan."
"Yep, cause of the great customer service."
Done.
Regarding shooting yourself in the foot by using nonstandard naming - seems an easy solution is to just use the entire SLD. If registering in person, I guess that's a bit harder, but either way make sure you save the login in your password manager.
I also use custom addresses with the company name as the first part of the address and it does sometimes (not often) lead me to explain how email works to a customer support rep.
I've been doing this for 5 years and while I agree that leaks are rare, it has been only smooth sailing.
I use Thunderbird with an addon that automatically sets the responding email address, and have a script called "email" that generates a random address (no prefix or anything) and puts it in my clipboard. If I want to know what I used an email for, I can find it in my password manager or by checking from where that address first got mail.
Signing things up in person, I just use human-randomly generated strings.
In short: I have none of the problems the author has...
I've been using a catchall domain for 25+ years. Caught some companies leaking or selling my email addresses, too (the one I was most irritated with was Godaddy).
Including the company's name in the salted address is usually confusing to support staff, so I just use its initials or something memorable. Some places also seem to have dirty and suspicious word filters (for instance, mail to my child's school will just silently get dropped because of my domain name, and I have to use a gmail account instead).
The author is really saying “using the other party’s recognisable name as the localpart of your own email address is a mistake.”
I agree with that. As a catch all user of twenty years, I too found this out pretty quickly. The solution is you pretend your catchall domain is some free email service, and then make up an account name that sounds plausible.
jjsamson844 if it’s April 4th 2008. john1713@example.com if it’s January 3rd 2017. daphne.van.hampton@example.com if you want something more creative for your train journey free wifi sign up.
Most of these sign ups get a row in your password database. Remembering them isn’t a problem.
Why bother doing all of this? Because it’s not just spammers that spam you. It’s the companies themselves. Never again do you have to ask someone nicely to unsubscribe / never email you again and hope they’ll comply. You can trivially (procmail + a script) shadow ban them to another imap folder.
(Personally, I move their email to Dead/Match and then my mail filter moves all subsequent emails from them to Dead/Follow, so I can do it all just by moving messages to the right place on my iPhone.)
For the 10 times a year I have to actually email one of these people, yes, it’s a pain to configure my mail client to use the weird address. In the grand scheme of many annoying things, 5 clicks with copy and paste once every few weeks is no big deal.
If you don't feel bad about doing this, then the answer here may be "do you have an employee discount available?" (This is quite often the reason they ask you that question)
But yeah, I'm another happy user of a catch-all. No issue with sharing the accounts between domains - a password manager does this for me. And even if something like gap/banana happened - who cares, I'd just create a new account.
I did it for years, until someone started dictionary spam runs on my domain. That was a pain, so I whitelisted the ones I used, and went to email-company@domain. Works pretty well, I’ve black holed 20 or 30 over time, and it’s a decent second check on phishing emails.
Sadly, because I chose - instead of plus, I’m going to be hosting my own inbound email for the rest of this domains life. (And since it’s mylastname.net, that’s going to be a while)
> Sadly, because I chose - instead of plus, I’m going to be hosting my own inbound email for the rest of this domains life.
What do you mean? I use migadu and they support address aliases with wildcards, so I could just alias something-* to something@example.com and add a sieve script to sort it into a corresponding folder. I assume most email hosts do not support that, but I doubt they are the only one.
I've been doing this for well over a decade and while I had similar experiences sometimes, I don't see how this was a mistake by any means. Yep, not many companies sell or leak your email, but some do. And let's not forget that 10+ years ago we had much worse spam filters. (Though we had less spam as well.) And using a unique email for each provider and company it's pretty easy to block them when they start spamming you or when they give away your address.
In theory, one could use generated addresses in some cases. E.g. for throw away ones or when you have to give it in person. The problem is that then you'd have to keep track which one you gave to whom.
It also helps with filtering as services may change the from address or use multiple from addresses while you may want to label all email from them the same.
Then in some cases, where you do want to make your email public still you want to know how people found you. I think this one would be called "role based addresses". E.g. I think it's pretty nice to have your paypal address as paypal@yourdomain.com (when people were still using them for a lack of alternatives), same for github, etc.
I have a variation that I use for online sign-ups only. I have to explicitly declare the alias before using it. So it’s relatively easy to check which ones I have used in the past (and the name tells me which site I used it for) and I can easily “revoke” by removing the alias. I can’t really use it when asked for an email address at a store, for example - but it doesn’t happen that often (going to real stores, I mean :) )
My HN account email is sleepy.home9993@[mydomain]. My email provider (FastMail) creates these "masked emails" at the click of a button, with a Description field so I can identify the purpose. Each email address consists of two random words plus a 4 digit number. Then I just store the information in my password manager.
I'm not wasting time trying to fix the breaches. I can just nuke that email forever.
I do the unique Email for each service thing but not with catch all.
I use https://smplelogin.io (self hosted), there is also https://abonaddy.com, and just create a random email from random words on sign up, most of the time the usernames are fine.
I have 2 alias domains. The first one was a bit dark, so if I wanted to use aliases seriously I needed something more professional, so I bought another one with a good name.
Other than that my main domain name is never used for any normal service, only for things that are sensitive to hidden emails like hosting providers, or for professional contact.
And since Bitwarden now supports mail alias integration, this is going to be even better.(1)
However I've recently been bitten by my catch-all, using a money transfer service with the email worldremit@mycatchall.com (guess the company).
When they asked for additional documents to verify my account after many months, they never received my reply and I ended up banned. I could not login anymore.
When I reached out from another email address, they refused to process the documents because they originated from another, unauthorized email address, and asked that I resend the original email from the registered email. I suspect their anti-phishing filters just ban any email containing "worldremit", so it never got through and despite multiple thorough explanations I could never get someone to listen or reinstate the account.
I'm still getting the newsletter though, because unsubscribing requires logging in first...
But then I can just ban this email address, so at least the anti-spam strategy works!
There's something even worse than the "please write to us from your original email". On a number of occasions, I've had some random people use my email address to sign-up for something and then occasionally I have to actually contact a random company to unsubscribe me and/or delete the account.
When this happens, I've had a few insane companies insist that I send them a screenshot from my gmail app/web page, etc. to "prove" it's my email address. I have steadfastly refused despite some rather angry responses insisting that I have to. I have responded very strongly and politely that I have to do no such thing as I have no business relationship with their company. Usually once I point out that they're sending someone else's private information (receipts, etc.) to a completely unrelated individual and they could be held liable they relent and delete/unsubscribe my email address.
The most insane of these was when Uber started emailing me someone's trip receipts every time they took a trip for someone in Australia. When I contacted them, they refused to believe me and said it wasn't possible. I ended up finding one of their technical VPs on LinkedIn, messaged them blindly, and "mysteriously" it resolved itself two days later with a polite apology.
I’m another long-time catch-all email address user.
1. That is how I knew that Dropbox had been hacked; I had a couple temp/throwaway Dropbox accounts and the otherwise-unused email addresses associated with them started getting lots of spam.
2. Yes, sometimes it is slightly awkward when a rep cannot comprehend companyname-at-mydomain, but not enough to make me regret anything. Smile. Say "it will reach me!" or "I own my own dot-com!" It’s fine.
3. "Did I use BR or bananarepublic before the at sign?" That’s why we use a password manager :-) The author says he uses one, but then suggests he needs to guess the email before the password manager will tell him the password? Sounds messed up. Use 1Password. Be happy.
4. The most interesting 'downside' is that sometimes I get spam for addresses that have never been used. Why? Because there are spammers out there who have scraped my website for anything resembling a human name (e.g. John Smith) and then sent emails to my domain that fit the typical pattern (jsmith@mydomain.tld). So, I blocked a number of these addresses. Had I not set up a catch-all, they would have otherwise been bounced.
5. "Every so often I need to email a company from one of these emails" -- The "from" problem of catch-alls is a bit tricky at times, but using Fastmail + PHP I can easily send "from" any address at my domain when needed.
6. I am a big fan of the Fastmail + 1Password 'masked email' solution! It’s so great! Sign up at a website, get a brand-new email address that seamlessly forwards to you, it gets stored in your password manager, and you can kill it whenever it starts getting spammed. The random username generation even avoids that problem of telling the Hilton rep that your email is Hilton@hacker.tld. Using masked emails instead of a catch-all would also avoid the minor problems of #4 and #5. Shout-out to iCloud's somewhat similar solution, but Fastmail+1Password really is top-tier!
> I also have a bunch that I've misspelled. My GrubHub account is gruhub@. I use a password manager for passwords but I also need to use it to remember the associated emails.
I find that to be a strange complaint. What password manager is being used that doesn't support a username alongside a password in an entry?
Usernames are not always similar to email addresses. In fact, if you are "foobar@example.org", you might find that someone has already claimed the username 'foobar' on Amazon. So I believe your parent commenter's point is that he wishes he could associate both a username & an email address (or at least a comment field) with each entry in his password manager.
I've been doing this for a while, I've only really gotten static about it once. A small online retailer, their fraud department cancelled my order after it had already been charged and shipped. It was interesting, I didn't realize they could even do that but they had the carrier recall it. The customer service rep said they thought it was fraud somehow, despite my card address matching the shipping address, because I was impersonating their business by using [businessname]@[mydomain]. I pointed out I wasn't sending anything with that address, only receiving. She didn't seem to understand my point. Oh well. They resent it overnight and I haven't purchased anything from them since. I love this setup, that experience didn't deter me in the least.
I've been using a similar system, only that I additionally append a random 5 digit number, so that if e.g. hilton-68425@domain.org gets leaked, that doesn't automatically make hyatt-95813@domain.org easy to guess. Though it does sound like something that might be possible to brute force.
Also, they feed into different subfolders of the same main address.
It definitely has caused some issues, but nothing that would make me regret choosing this system. Obviously the email gets stored in the password manager. And even if not, I just look at the existing emails and check their destination address.
Honestly, the most annoying part is the setup of new addresses. I might look into a way to automate that.
Although it is true that I have not caught a single company giving the email away, it still helps me keep the inbox organized.
Oh, hey, that reminds me... Any T-Mobile techies reading this?
I know someone who recently was signing up with T-Mobile and discovered that the sales rep was unable to enter their email address in the system because it was rejecting emails containing a dash. They had to give him a different address, and later logged in and successfully updated it to the correct one online. Seems like there is some incorrect filtering going on in whatever UI they use in-store for account creation.
I’ve done this for 30 years. I didn’t do it to catch people selling my info, but I do enjoy it when I do. I do it so they don’t send me email to my personal email address which I only give to people I want to email me. I can also blackhole someone that’s marketing too much and it is easy to search my email for any correspondence to and from that vendor.
It is awkward sometimes when I say it on the phone but I’m also in senior leadership at a big company so my skin is about as thick as it comes with regards to awkward situations. My entire career now is a series of awkward situations I’m asked to fix.
Also, I use a password manager (dude it’s 2022, if you’re not using a unique password already you ought to reconsider your life choices and once your password is unique who cares if your email is too?)
I don't use a catch-all domain, but do use custom tagging. I started out tagging email with the '+' character, but a lot of places just reject that character; so I started using '0' instead. If you're running your own domain and use postfix, it's not difficult to set up a user-regex which will reject any email without a valid user prefix, e.g. Joe0anything@mydomain.com works, but mailbot@mydomain.com is rejected. I've been using this for about ten years now and have had to blacklist about 50 email addresses. I agree it's awkward when you're telling a store clerk or phone support person your email address, but I've found that they either think it's funny or just don't care enough to even comment.
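The recipient filtering described in several comments above (accept only local parts that carry a known prefix such as `prefix_` or `Joe0`, and blacklist aliases that have started receiving spam), sketched in Python as an added example; it is not any commenter's setup or a Postfix configuration. The domain, the `RecipientPolicy` class and all sample addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RecipientPolicy:
    """Decide per recipient instead of accepting everything (hypothetical helper)."""
    domain: str
    tag_prefix: str                                  # e.g. "joe0" or "prefix_"
    fixed_locals: set = field(default_factory=set)   # untagged addresses you hand out
    burned: set = field(default_factory=set)         # aliases that leaked or were sold

    def __post_init__(self):
        # Mail systems treat local parts case-insensitively in practice,
        # so everything is compared in lower case.
        self.domain = self.domain.lower()
        self.tag_prefix = self.tag_prefix.lower()
        self.fixed_locals = {x.lower() for x in self.fixed_locals}
        self.burned = {x.lower() for x in self.burned}
        # Prefix followed by a non-empty tag; a bare prefix is not accepted.
        self._tagged = re.compile(
            re.escape(self.tag_prefix) + r"([a-z0-9._-]{1,48})")

    def decide(self, rcpt):
        """Return (verdict, detail) for one envelope recipient."""
        local, sep, dom = rcpt.strip().lower().rpartition("@")
        if not sep or not local or dom != self.domain:
            return ("reject", "not-our-domain")
        if local in self.burned:          # blacklist wins over the prefix rule
            return ("reject", "burned-alias")
        if local in self.fixed_locals:
            return ("accept", "fixed")
        match = self._tagged.fullmatch(local)
        if match:
            return ("accept", match.group(1))   # the tag names who was given it
        return ("reject", "unknown-local-part")


# Constructed sample: one burned alias, one untagged personal address.
POLICY = RecipientPolicy(
    domain="mydomain.example",
    tag_prefix="Joe0",
    fixed_locals={"joe"},
    burned={"joe0oldshop"},
)

SAMPLE_RECIPIENTS = [
    "Joe0netflix@mydomain.example",    # tagged sign-up address
    "joe@mydomain.example",            # address given to friends and family
    "mailbot@mydomain.example",        # name-list guess, no prefix
    "sales@mydomain.example",          # role-address guess
    "8aeef09lk@mydomain.example",      # gibberish local part
    "joe0oldshop@mydomain.example",    # valid prefix, but blacklisted
    "joe0@mydomain.example",           # prefix with no tag
    "joe0netflix@other.example",       # wrong domain
]


def triage(policy, recipients):
    """Map each recipient to its (verdict, detail) pair."""
    return {rcpt: policy.decide(rcpt) for rcpt in recipients}


if __name__ == "__main__":
    for rcpt, (verdict, detail) in triage(POLICY, SAMPLE_RECIPIENTS).items():
        print(f"{verdict:6} {detail:20} {rcpt}")
```

Checking the blacklist before the prefix rule is what lets a single leaked alias be cut off while every other tagged address keeps working.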
1. I disagree nothing, I use catch-all and never had awkward conversations like the author had. Who cares, it's an email. I repeat it twice.
2. Government has transparency laws, they didn't sell his email used to support "bernie" rather due to voting laws and donation laws, that information is public and is posted and given away for free that is why you should err to use your email address to communicate with federal or state bodies because they are required to follow state laws for transparency and federal laws.
Forging or creating an actual account/alias to then "send" from if the email doesn't exist is a trivial process, you can even do it from a shell even in Microsoft Exchange and PostFix.
I have a catch all domain and regret it. I have a four letter TLD (idoh.com naturally) and not a day goes by where I don't catch splash damage from someone who made a typo or plugged in a fake email address somewhere.
Twitter, for example, seems to allow people to make accounts with unverified email addresses, and lately I've been getting password reset requests from a twitter user who plugged in some-japanese-name@idoh.com as their email address for Twitter.
Sometimes I get emails from, e.g., a vet's office, or some local cubs scout group. I've tried telling people that they got the wrong email address, but no way of explanation succeeds in getting people to understand that someone put down the wrong email address.
If anyone wants a tool to further systemize this, it can be worth looking into self-hosting AnonAddy[0]. You get a decent UI for managing and creating aliases (named/random/subdomain), which is useful if you want to manually add them and track which alias was used for which service.
They also have a hosted service with free and paid tiers[1].
I have been using email-per-account since forever. My personal scheme I recently settled upon is two letters to give me an idea what this is for, plus two digits indicating when it was created. For example twitter would be tr25@domain, where 2 stands for last digit of 2022 and 5 for May. That is a must for me now. When some company I trusted my email with leaks it, I know instantly. There are cases when you MUST know. For example, phishing mails started coming from email I gave to crypto wallet coinomi support. Would I rather not know? Hell no. You can lose a lot of money by not knowing such things.
>> Especially since all these companies ask for and verify your cell phone number – which is way more static than any email address.
My domain is 27 years old, my oldest phone number is 5 years old (and it's a virtual phone number from textnow). Yes, I still receive spam to email addresses I gave out 20+ years ago. The thing is, I'm an avid traveler, and phone numbers do not cross borders very well. Email does.
The biggest hurdle has been "For security purposes, write to us from your original email", which requires me spoofing the FROM line in my email client.
I use this method and experience a few of the same drawbacks, like remembering email + password per service - A password manager does make it doable. (Highly recommend KeepassXC[0])
However, contrary to OP I enjoy these somewhat awkward situations where someone doesn't quite understand my email address. I find it can naturally lead to a conversation about privacy and data protection and I'm happy to spread the awareness, if someone is interested.
I've been doing that for a very long time and never had such an interaction. Definitely not to the level of "It's been a decade of trouble and totally not worth it".
I’ve been using a catchall, same as in the article, for ~20 years. I’ve had some support people confused. All I have to say is “I have a system that helps sort my emails”. People get it after that. I’ve caught 10’s of email leakers. I don’t fear signing up for a sales led webcast (or other unsavory types) that I know will sell my info. Interesting how the author didn’t have a similar experience. I must say that modern spam filters have made the utility of this less critical. I’d never go back to the old way.
Lots of me-too’s from folks using catch-all emails and/or “+” addressing, but surprised no one is mentioning unique hide my emails as available from iCloud, sneakemail, etc.
Cringe take, but fair enough on the bank freaking out part.
My interaction with them went like this:
>staff: And what's your email address?
>me: $BANK_NAME@$MY_DOMAIN
>staff: chuckles
And on the next day I got my bank account flagged.
Edit: Turns out the restriction was not related to the email address. It was a red Canadian bank.
I would say large banks like Citibank, DBS or HSBC would never care about this since all external emails are written to have a huge 'EXTERNAL' in the subject and a disclaimer before the content.
I've had people try to guess my login with Company ABC once they learned of my CompanyXYZ@mydomain.com address. Avoiding the reuse of email addresses helps here, the same way avoiding the reuse of passwords does.
For blackhats, with catchalls you can create multiple accounts on sites that try to prevent it by assuming everyone only has 1 email address.
For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).
> For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).
With Gmail for Business / GSuite / Workspace, I had gone through the trouble of adding aliases through the Gmail.com UI when I wanted a from address. And I had created a bunch of dead accounts with aliases to reduce spam.
But when I switched away from Workspace to NameCheap, I just set up my one account as a catch-all, and in Thunderbird, when I want to send from one of those aliases, I just type it in, and it works fine. (Gmail had a setting that if you got it wrong, it sent it as an alias, but also used your mail address as the actual from/reply-to, which I found annoying!)
I also stopped bothering setting up those "honeypot" accounts. I get more spam, but... it's almost all detected as spam and put in the spam folder, so I don't worry too much. A few weeks ago, I had a day where a couple dozen gibberish addresses came in, like 8aeef09lk@domain.com, but then it stopped again.
Of course, all that is to say, if my current host does end support, it would be a pain!
Someone could go just a little bit further and build an app that generates a random, but short and easy-to-say email address on demand from your domain and links it in a database to the company you want, when you created it, etc.
Instead of jcrew@yourdomain.com it would be ec5@yourdomain.com or mz2@yourdomain.com and an email client could replace the "to address" in your inbox with some description field linked to that email like "jcrew"
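The generator proposed in the comment above, as an added Python example that is not the commenter's code or any existing app: it issues short, easy-to-say aliases, records which company each one was given to and when, and lets a leaked alias be revoked. The `AliasBook` class, its syllable alphabet and the SQLite schema are assumptions made for this sketch.

```python
import secrets
import sqlite3
from datetime import date

CONSONANTS = "bdfgkmnprstvz"   # constructed alphabet for sayable syllables
VOWELS = "aeiou"


class AliasBook:
    """Random per-company aliases with a lookup table (hypothetical helper)."""

    def __init__(self, domain, db_path=":memory:", syllables=3, digits=2):
        self.domain = domain.lower()
        self.syllables = syllables
        self.digits = digits
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS alias ("
            " local TEXT PRIMARY KEY, service TEXT NOT NULL,"
            " created TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1)")

    def space(self):
        """Number of possible local parts, i.e. what a guesser has to cover."""
        per_syllable = len(CONSONANTS) * len(VOWELS)
        return per_syllable ** self.syllables * 10 ** self.digits

    def _random_local(self):
        # secrets, not random: the alias must not be predictable from others.
        word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                       for _ in range(self.syllables))
        number = "".join(secrets.choice("0123456789")
                         for _ in range(self.digits))
        return word + number

    def create(self, service, today=None):
        """Issue a fresh alias for `service` and record it."""
        created = (today or date.today()).isoformat()
        for _ in range(20):                      # retry on the rare collision
            local = self._random_local()
            try:
                with self.db:                    # commits, or rolls back on error
                    self.db.execute(
                        "INSERT INTO alias (local, service, created)"
                        " VALUES (?, ?, ?)", (local, service, created))
            except sqlite3.IntegrityError:
                continue
            return f"{local}@{self.domain}"
        raise RuntimeError("could not find an unused alias")

    def describe(self, address):
        """Who was this address given to? None if it was never issued."""
        local, _, dom = address.strip().lower().rpartition("@")
        if dom != self.domain:
            return None
        row = self.db.execute(
            "SELECT service, created, active FROM alias WHERE local = ?",
            (local,)).fetchone()
        if row is None:
            return None
        return {"service": row[0], "created": row[1], "active": bool(row[2])}

    def revoke(self, address):
        """Mark an alias as dead; returns False if it was unknown or already dead."""
        local = address.strip().lower().rpartition("@")[0]
        with self.db:
            cur = self.db.execute(
                "UPDATE alias SET active = 0 WHERE local = ? AND active = 1",
                (local,))
        return cur.rowcount == 1


if __name__ == "__main__":
    book = AliasBook("yourdomain.example")
    addr = book.create("jcrew")
    print(addr, book.describe(addr), "space:", book.space())
```

Mail arriving for an address where `describe()` returns `None` was never handed out, which is the signal the catch-all users above rely on to tell guessed addresses from leaked ones.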
I've used VERPs¹ sometimes, even for individual mail. It's a pity that so few general-purpose email clients will generate them out of the box. You can make it happen with MTA configuration, which is one of many reasons I still run my own mail server.
I don't know a single person who would legitimately infer the affiliation of a person based on the username part of an email address.
I've been using a catch all since forever, foremost to detect when shady companies illegally sell my data -- i.e. I register with shady-store@ci.ax and when I suddenly get unrelated spam to that email I immediately know who's responsible. (Or who got hacked without acknowledging it.)
I have stuff like "info@" "register@" or "support@" that I filter through in my inbox. The only problem I've had with catch-all email is getting a ton more spam from bots... for some reason they'll add randomname@ bc our name shows up with some other company name, some spam CRMs will confuse some other company's staff with our email address and send to that address
I use 33mail with a custom domain and I use it as a permanent actually working unsubscribe button. I’ll sign up with a service for whatever, as soon as they start sending me spam and I no longer need the account, instead of trusting their unsubscribe button, I disable the account and never think about them again, been doing this for about 2 years I must have over 100 disabled accounts at this point.
Seems like the complaint is having to relay the email address verbally...
In the last 10 years I could probably count on one hand the number of times I had to verbally give out my email.
Hell the Hilton example with their mobile app you do not even need to talk to the front desk person at all to check in..., even before this miracle of technology, I never had to give out my email...
My solution to this problem is, while continuing to use unique email addresses for each service, to just put a short random string of letters before the @ instead of the service's name (e.g. jcnclp@example.com instead of hilton@example.com). They're all just stored in my password manager, so I don't need to remember what address I used for what service.
I blacklisted a lot of my catch-all addresses because of spam.
Paypal/ebay is the worst offender, I had to start rotating that one. Every 2nd overseas seller seems to sell your mail address.
joby.com (making these nice tentacle tripods) is one of the offenders who got breached, refused to reply to my inquiry about it and later blocked me on twitter when I tried to stir things up there.
I've been using a catch-all email routing setup for many years. I use unique breach canaries to maintain this list of companies that have sold or leaked my personal data to unauthorized parties: https://gist.github.com/eligrey/5084991
Unique email @<your burner domain> per website, so you only have to remember one password for everything.
Handy for places where you need to sign-up but otherwise you don't care. I don't use this approach on "meaningful" accounts where I'd care about a breach.
I think this person's mistake was not having a memorable system for the username aspect.
> The truth is no one really sells your email – at least no legitimate companies.
`xfinity2@mydomain.com` is the only email that I've ever caught being sold via my catch-all email. I get a decent amount of phishing, scams, malware, etc. to that address. But I guess the author is still correct, since Xfinity/Comcast are sometimes less than legitimate.
I have a very short email address, containing only five characters. It looks like: a@bc.de (But not that.)
I thought that a short email address would be convenient for typing into touch screens and it is, but it's much less convenient for reading out in person. No-one ever believes that it is real, even though it is.
Dunno if all these gripes are describing a "huge mistake". Some inconvenience, maybe not the best domain/confusion on the naming, and maybe realizing down the road the threat might not be that big, but you still got to organize and manage your concern with only a few technical steps.
Certainly people's experiences might vary, but I have only had a couple companies threaten me for using their company name and way more success in just blocking addresses when I get spam-stormed. I agree it's rare, but so annoying when it happens, so it seems easier just to have a catchall.
How are users that do this not getting absolutely blasted with spam? I stopped using catch-alls years ago when mail servers were getting inundated with (random letters & numbers @ mydomain) types of emails. Are they adding them to an allow list in Postfix or something similar?
I’ve also been doing this for more than a decade. Other than my spouse rolling her eyes when I give an email address over the phone, it hasn’t been hard and definitely has helped. I have put blocks on a few email addresses that were involved in data breaches and became spam spigots.
Actually, it's not a mistake. This same method taught me that 50% of computer systems worldwide think '+' is an invalid character in an email address. Which was the final proof I needed that software development is an inherently stupid process.
This is a great idea that I had never thought of. Something that might help, if it does actually make a person feel awkward, is to use a numeric code. That way, you could be commercial301@mydomain.com and then 301 could equal Gap, or whatever you want.
I've been using email aliases for over a decade and have never experienced the leading examples the author mentions. Although I already have email accounts setup for impromptu scenarios, setting up an email alias in one minute is easy enough.
I have several times. Generally I can just say "you can write anything before the @ and it still comes to me" and people understand it though. It doesn't need to become a big discussion about how email works and they've probably forgotten by the end of the interaction.
Maybe once or twice I've given my address to a new friend as newfriend@domain.com and it's led to at least a small discussion about it.
Never had any trouble with catch-all. Except once in about twenty years have I met a pissed off restaurant owner at my table who thought I'd hacked his website. Only thing I do different since is that I sometimes use `base64@domain.com`.
Now that I think about it: my experience with catch-all is quite the opposite: thanks to catch-all I was able to alert a number of owners their site had been breached.
I do this and it keeps my main inbox nice and clean.
In the case where I have to reply, Google allows you to set up a from email which you can use from your spam trap account. So if you need to send an email as banana@domain.com it's a few clicks away.
I got unsolicited email from DHL just today addressed to a catch-all that I used with a retailer who shipped via DHL. I didn't sign up for a newsletter ... I still find it useful to use special addresses, as the author described.
For those of you using a catch-all domain - how do you keep track of it if you do not have a simple mnemonic like the name of the company you are getting emails from? Do you use a spreadsheet?
If a company is unhappy with me because "you can't have our name in your email address" I just spell their name backwards, that usually shuts them up and we can all move on with our day.
I had one small business owner so confused "but that's our domain name, we own it, you can't have it in your email address".
It depends what scheme you use to generate the addresses, e.g. if you generate short XKCD style passwords and use those, then lots of those problems aren't an issue. Internally you then map those generated addresses to a single folder for each business.
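The scheme in the comment above (random word-style aliases mapped internally to one folder per business), combined with the blocking and breach-canary uses mentioned elsewhere in the thread, sketched as an added example that is not any commenter's code. `AliasRegistry`, the word list and all domains are hypothetical and constructed for illustration.

```python
import secrets

# Constructed word list for illustration; a real one would be far larger.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet", "harbor"]

class AliasRegistry:
    """Maps random catch-all aliases to the business they were given to."""

    def __init__(self, domain):
        self.domain = domain.lower()
        self.aliases = {}  # local part -> {"business", "senders", "enabled"}

    def create(self, business, sender_domains, n_words=2):
        # Draw words with a CSPRNG so the alias does not reveal the business.
        while True:
            local = ".".join(secrets.choice(WORDS) for _ in range(n_words))
            if local not in self.aliases:
                break
        self.aliases[local] = {"business": business,
                               "senders": {d.lower() for d in sender_domains},
                               "enabled": True}
        return f"{local}@{self.domain}"

    def _local(self, address):
        local, _, domain = address.lower().rpartition("@")
        return local if domain == self.domain else None

    def disable(self, address):
        # Retire an alias that has turned into a spam target.
        entry = self.aliases.get(self._local(address))
        if entry:
            entry["enabled"] = False

    def route(self, rcpt, sender):
        """Return (action, folder, leak_suspected) for one inbound message."""
        entry = self.aliases.get(self._local(rcpt))
        if entry is None or not entry["enabled"]:
            # Never issued (random-guess spam) or retired after abuse.
            return ("reject", None, False)
        sender_domain = sender.lower().rpartition("@")[2]
        # Accept the registered sender domain itself or any subdomain of it.
        known = any(sender_domain == d or sender_domain.endswith("." + d)
                    for d in entry["senders"])
        # Mail from an unknown domain to a single-use alias suggests a leak.
        return ("deliver", entry["business"], not known)
```

Rejecting any recipient that was never issued is what keeps dictionary-style spam out of a catch-all domain; the third return value only flags a possible leak and still delivers, because a business may legitimately send through a third party.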
I use "contact@" for when somebody who isn't a friend wants my email address. I have a separate, private address for people who actually matter to me. Everything addressed to "contact@" immediately gets marked as read and saved to a separate folder so it doesn't clutter my inbox.
contact@ specifically is high up in things that spammers try when they have no leads to go on though. ~50% of my spam in my catchall comes from contact@ admin@ and similar addresses.
True, but I can't be bothered to come up with anything more distinctive. And if my local gym wants to send me bullshit notifications and advertisements despite me being a longtime customer who pays for his membership annually, they can damn well go in the spam bucket alongside the cold emails from tech recruiters, Ukrainian mail-order brides, and Danielle Kennedy from Prime Equity Funding. I don't really give a shit. Email has achieved parity with snail mail: it's nice to get from friends, but otherwise an annoyance.
It's true that trying to use a "pure" solution ("[source]@[yourdoma.in]" - e.g. "amazon@mydomain.com") causes a lot of problems (red flags being issued on the remote site).
On the other hand with a mixed solution ("[partial_source_mixed_with_something_else]@[yourdoma.in]" - e.g. "zeama@mydomain.com") I never had any problems (I anyway keep files/keepass-entries to track which userid&pwd&email I'm using for which URL).
2a)
My common&real email address gets quite some spam (no filtering applied) (but I admit that the amount during the last years was stable).
2b)
My custom email addresses almost never get spam (even the ones that I used for "weird" sites) => I assume that whoever gets in some way email addresses performs some kind of healthcheck on them to get rid of the ones that might identify the source (from where they were extracted).
2c)
The few spam emails that I got during the last years on my custom email addresses indicated that they originated from 1) the garage which I use to swap winter/summer tires and 2) my doctor (?!) => it was interesting (e.g. is my doctor's IT compromised + did the garage sell my email address because I didn't visit them during the last two years?) => anyway changing address (which got rid of the spam) was super easy in these cases :)