this post was submitted on 15 Dec 2024
24 points (85.3% liked)


Basically create an alias for every combination to prevent privacy cross contamination.

For instance, not only should you make an email alias for an Eventbrite account, but for every organization you sign up for events with. You are required to enter an email (any email) for the event, which can be seen by both Eventbrite and the organization. If you enter in the email of your Eventbrite account then the org could give that away, resulting in email spam and you can't be sure if it was either Eventbrite itself or the org that sold you out. If that happens then you would probably want to delete the email address but then you have to change it in other places you need to send/receive emails from.

Another example is Discourse forum sites. While Discourse is open source and self-hostable, you may not always be sure if a Discourse site is self-hosted or using paid hosting. A lot of online places have both their own website and a separate Discourse site. Bitwarden's forum site doesn't have a sign-in option using your Bitwarden.com account, and Raindrop.io uses canny.io to track app feedback, which also uses its own login. (I'm actually glad I made an alias for every single Discourse forum site before realizing all of this.)
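As an added illustration of the one-alias-per-combination idea above (not part of the original post): this sketch derives a distinct address for each platform and organization pair, and maps the recipient address seen on incoming mail back to the pair it was issued to. The domain, the secret key, the organization name and the keyed tag suffix are all assumptions of this example.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: a private key only you hold
DOMAIN = "example.com"            # assumption: placeholder alias/catch-all domain


def _slug(name: str) -> str:
    """Lowercase and keep only characters that are safe in a local part."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def _tag(local: str) -> str:
    """Short keyed tag so issued aliases cannot be guessed or enumerated."""
    return hmac.new(SECRET, local.encode(), hashlib.sha256).hexdigest()[:8]


def make_alias(platform: str, org: str = "") -> str:
    """One alias per (platform, organization) combination."""
    parts = [_slug(platform)] + ([_slug(org)] if org else [])
    local = ".".join(parts)
    return f"{local}.{_tag(local)}@{DOMAIN}"


def attribute(recipient: str):
    """Return (platform, org) for an alias we issued, or None if the address
    was never issued (guessed names, typo'd copies of a leaked address)."""
    local, _, domain = recipient.lower().rpartition("@")
    base, _, tag = local.rpartition(".")
    if domain != DOMAIN or not base:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(base).encode()):
        return None
    platform, _, org = base.partition(".")
    return platform, org or None
```

If spam arrives at the address issued for one organization's event, `attribute()` names that organization rather than the platform account, and only that one alias needs to be retired.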

top 9 comments
[–] [email protected] 23 points 1 week ago (3 children)

Buy a domain and set your email to catchall, then make a unique email for everything and don't fiddle with aliases.

[–] [email protected] 8 points 1 week ago

There is no one-size-fits-all solution and there likely isn't a solution that works for everyone even in specific situations due to different threat models. Purchasing and using a custom domain is often listed as a good practice for maintaining a person's privacy. However, it can be even more detrimental to a person's privacy than just using a trusted email masking/forwarding service and trusted email provider. For example:

  • The domain is purchased without WHOIS protection (or without using non-personal information) or the WHOIS protection is not renewed
  • The email server is hosted on hardware that can be linked to other services that identify the individual (eg: the email is self hosted using a home IP address)
  • A self hosted email server is configured in a way that leaks information or is configured insecurely
  • The email domain is used by only one person, which enables agencies to link each individual, unique email address back to that individual and create an aggregated profile across various accounts/services
  • If the domain/DNS is not configured properly (or if the domain is not renewed), then the domain (and thus the email accounts) can be hijacked, which could leave any additional accounts/services that are still using the domain vulnerable to a takeover attack
  • The email server is hosted by a privacy invasive company/service
  • The person assumes that all emails are private since they use a custom domain on a trusted email provider (or self hosted email server), but continue to send emails containing sensitive information to email accounts running privacy invasive email services (eg: Gmail)

Please note that I am not saying that this is not a good option, but I just wanted to note some of the things that should be considered if a person decides to use a custom email domain to improve their digital privacy.

[–] [email protected] 2 points 1 week ago (2 children)

Which provider are you using? They don't all offer catch-all.

I still have a 15 year old free Google workspace plan with that option, but I'm looking for an alternative, not excessively expensive

[–] [email protected] 2 points 1 week ago

Previously Tuta (I don't recommend them, they're going down a path of slow enshittification)

Now Disroot, which lets you use a custom domain with a catchall for a one time payment. https://disroot.org/en/perks

[–] [email protected] 1 points 1 week ago

If you own the domain you can do everything. iCloud has a very generous 50gb plan for 1€ per month

[–] [email protected] -1 points 1 week ago (3 children)

Then you end up with an inbox full of drive-by spam to abuse/admin/aardvark/.. (insert dictionary here)../zack/ziggy.

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago)

I believe there are some services, including some selfhosted ones, that allow you to quickly create (and later delete) unique aliases.

That said, I was surprised that these dictionary spam attacks don't really happen all that much, at least based on my own experience. Most of the ambient drive-by spam my server receives targets email addresses belonging to domains I don't even own. Blocking those and a few Sieve scripts gets rid of 99% of spam for me.

Interestingly, there was one time I received spam to a bogus address belonging to my own domain: A while back, one of my actual email addresses got leaked (thanks Sega) and a few months later that address got copied into another dataset but with a typo, which I assume was caused by someone using OCR.

[–] [email protected] 2 points 1 week ago

Is that something you have experience with or are you just making up scenarios to pose as arguments?

Because I've been doing this for years and I don't have this issue. You could also just preemptively auto-trash anything that goes to those very common emails, but I don't and it's not an issue.

[–] [email protected] 2 points 1 week ago

Is this experience or conjecture?