binwiederhier
rootusrootus
I do a simplified version of this. I just use a catchall account with Fastmail and then pick email addresses in the domain randomly. If someone abuses the address, I block it. I specifically do not use addresses that make it obvious what my strategy is. I end up just using a name and number that would look right at home on gmail.
I'm also not trying to stop tracking, so much as I'm trying to have my own semi-permanent equivalent to mailinator that nobody will recognize as such, that I can use to cut back on the amount of spam I get.
beeboop
I've been happily using fastmail for years and I think I'm going to be forced to stop. My outbound emails are constantly getting caught in spam and it recently cost me a job offer.
calvinmorrison
if you're having this issue I would reach out to Fastmail support. A real human will dig through the smtp logs and find out what the issue is. Based on my experience... Fastmail is very on top of spam, blacklists and other deliverability issues.
Hakashiro
Oh hey, I'm not alone!
In my case, it cost me two offers. One from Google and one from GitHub. Come to think of it, yeah I will begin migrating everything away from FastMail and stop using it completely.
csomar
One event that pissed me off with them: Instead of forwarding an email to SPAM, they simply throw it away instead. Turns out the email was not SPAM (2FA) and I had to go through weeks of support to find out what happened (thank god that you get a human for support but still).
Also I think they are still based in Australia? Would be happy to hear about alternatives.
PascLeRasc
I really really want to like Fastmail too, but it’s also cost me a job interview when the RSVP didn’t go through.
itsthejb
With your own domain? Make sure you’ve got the SPF, DKIM set up correctly, and register your domain with gmail’s postmaster tools. I moved my domain recently, and had completely forgotten about all that stuff I’d set up years ago. Started losing mails, redid the setup
nvarsj
I wonder if you can provide more context. I've only had issues when I tried to use external domains, e.g. gmail, as my reply-to when sending in fastmail.
b1n
I've been thinking of a new way to use my email...
- Only use one email address: hi@example.com
- Always add a filter: hi+hn@example.com
- Send all emails without a filter to SPAM
Since it's not a common strategy, it is much more likely that spammers remove the +hn before sending an email than add one.
VTimofeenko
I have tried this approach. Unfortunately, some services will not accept plus sign in the username no matter what RFC says. On top of that, some services seem to not like seeing the service name in the username. I.e. foo.tld will refuse sending email to mailbox+foo@mydomain.tld.
vmception
would not recommend
not only can you not sign up to many services, customer support can often get confused when you need to email reply to them and you cannot email from your aliased email. they see you as a separate user not in their system, or the wrong person replied to the support ticket, etc.
IAmEveryone
Gmail also ignores the dot. If you choose a 17-character mailbox name, you can use any one of 2^16 different patterns of placing dots between them.
Capitalisation could also be used for such a purpose, but may be more likely to accidentally get stripped.
3-cheese-sundae
I used to do it this way too, but got overwhelmed by dictionary attacks.
plsbenice34
Fastmail seems to be based in Australia unfortunately, so it is not secure
withinboredom
There is nothing secure about email. It's less secure than Telnet.
You can email anyone on the internet as anyone and it will be delivered with NO validation. Clients may/may not validate any DKIM signature and they may/may not validate that it actually came from the domain. It's literally the easiest thing on earth to spoof.
Email is sent over cleartext, it is not encrypted. Anyone can read email if they can inspect packets.
Gigachad
Email is not secure full stop. Don't do any kind of sensitive conversation over it regardless of where it is hosted.
ohlookabird
Nice! I do something similar, but using an automatic aliasing scheme so that I don't have to manually configure an email address for each service and other users can use this without me knowing their aliases. In my setup, aliases can contain wildcards, represented as percent signs. If an alias phil.%@domain1.com is set up, all your examples will be sent to the respective aliased address. I use Postfix Admin with a MySQL database. Hence the Postfix setup looks like this:
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
        mysql:/etc/postfix/mysql_virtual_alias_maps_wildcard.cf,
        hash:/etc/postfix/virtual
The first file is just regular aliases, and is basically a simpler version of the second file (no SQL selections/filters) and could also be merged into a single query with the second file:
    user = mail
    password = <password>
    hosts = 127.0.0.1
    dbname = maildb_postfix
    query = SELECT a1.goto FROM alias a1
        LEFT JOIN alias a2 on (a2.address = '%s')
        WHERE '%s' LIKE a1.address
        AND a1.active = '1' AND a2.address IS NULL
This works, because the percent sign in the alias is picked up by the LIKE keyword. A setup like this allows me to configure many aliases through Postfix Admin's web admin page, including optional wildcard aliases (depending on which users want that). It has been working very well for me over the past 15+ years. Also, I haven't looked at that SQL query since then and would likely write it in a nicer way today.
Note: with the above code SQL injection could be possible through an alias name, but given that in this setup I am the only one managing the mail accounts, I was willing to take this risk. :-) Postfix Admin might do some cleaning/validation, but I haven't checked on it.
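Added example, not part of ohlookabird's post: the wildcard lookup above replayed against an in-memory SQLite table (a stand-in for the MySQL database) to show which recipients it resolves, including two behaviours worth knowing: any exact row suppresses the wildcard, and `_` in a stored alias is also a LIKE wildcard. The sample rows, the `escape_alias` helper and the explicit `ESCAPE` clause are assumptions of this example.

```python
import sqlite3

# Same shape as the wildcard lookup quoted above, with a bound parameter in
# place of '%s' and an explicit ESCAPE character (SQLite has no default one).
WILDCARD_QUERY = r"""
SELECT a1.goto FROM alias a1
LEFT JOIN alias a2 ON (a2.address = :rcpt)
WHERE :rcpt LIKE a1.address ESCAPE '\'
  AND a1.active = '1' AND a2.address IS NULL
"""

# Constructed sample rows: (address, goto, active)
SAMPLE_ALIASES = [
    ("phil.%@domain1.com", "phil@domain1.com", "1"),         # wildcard alias
    ("phil.bank@domain1.com", "phil-bank@domain1.com", "1"),  # exact alias
    ("phil.leaked@domain1.com", "phil@domain1.com", "0"),     # switched off
    ("j_doe.%@domain1.com", "jdoe@domain1.com", "1"),         # '_' is a wildcard too
]


def make_db(rows):
    """Build an in-memory alias table holding the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT, active TEXT)"
    )
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?)", rows)
    return conn


def wildcard_lookup(conn, rcpt):
    """Return the destinations the wildcard query yields for one recipient."""
    rows = conn.execute(WILDCARD_QUERY, {"rcpt": rcpt}).fetchall()
    return sorted(r[0] for r in rows)


def escape_alias(address):
    """Escape backslash and underscore so only '%' remains a LIKE wildcard."""
    return address.replace("\\", "\\\\").replace("_", "\\_")


def demo():
    conn = make_db(SAMPLE_ALIASES)
    results = {
        # No exact row: the wildcard alias catches it.
        "phil.craigslist@domain1.com": wildcard_lookup(conn, "phil.craigslist@domain1.com"),
        # Exact row exists: this query stays silent and leaves it to the plain map.
        "phil.bank@domain1.com": wildcard_lookup(conn, "phil.bank@domain1.com"),
        # Exact row exists but is inactive: the wildcard is still suppressed.
        "phil.leaked@domain1.com": wildcard_lookup(conn, "phil.leaked@domain1.com"),
        # '_' matches any single character, so this unintended address resolves.
        "jxdoe.shop@domain1.com": wildcard_lookup(conn, "jxdoe.shop@domain1.com"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for rcpt, goto in demo().items():
        print(f"{rcpt:32} -> {goto}")
```

Storing the alias through `escape_alias` keeps the underscore literal, so only the intended `%` part stays open-ended.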
hackernewds
Why not just use phil+craigslist@gmail.com or phil+kmart@gmail.com? same effect and lands in the same phil@gmail.com address
ratww
Because it's not as effective if the goal is to catch spam. Spammers are already wise to the meaning of + and will strip it automatically when selling data in bulk. Plus, some services block creating accounts with the + or with their name in the address.
ohlookabird
How do you mean? This is exactly what I can do with my setup. If you are referring to the use of Gmail: I prefer to run my own infrastructure as long as this is possible.
KennyBlanken
> It's not as shiny as Apple's thing, but it's 100% selfhosted and I own the domain.
Apple's system is "shiny" because it provides near total anonymity, whereas your setup has all the deliverability issues of a self-hosted domain and rather uniquely identifies you...at the domain level?
I'm not sure why you are maintaining a hundreds-of-lines virtual table and a web UI, instead of just using a regex or two to capture phil.*@domain2.com or something along those lines (maybe you want to do one including a year or something to cut down on spam), or blacklisting as needed by having postfix reject during the SMTP session so the email is marked as invalid and is removed from the spammer's database.
Or, I dunno, just use VERP? I don't think I've yet run across anyone smart enough to drop VERP from email addresses.
megous
Apple's system will only work until they decide to shut you out or shut down this service for whatever reason. Anonymity is not really a concern for most uses, privacy, longevity and reliability of reception is though.
I still want to use random unique addresses even for important and trusted services, not just for throwaway uses. So third party domain is not an option.
I use self-hosted unique addresses mostly for registering to services, so forwarding those messages in both directions through Apple's service would expose all those services to a silent takeover via password reset by Apple's employees in control of this service. So this service is exactly as useful as those random throwaway email inboxes available on the web. More polished maybe.
0xCMP
I imagine Apple would come down on them pretty hard in the App Store if they did that so for most applications it's enough of a deterrent that most places would not do it. I also think that because Apple can mostly control which addresses and how many of them there are it can control the spam issues enough to avoid that problem. If not... then yea that's gonna happen in a few years. Would be short sighted for Apple to not do it though.
binwiederhier
I'm maintaining hundreds of lines because I started with one. And I was too lazy to change it. Your approach is probably better ;-)
z8
I'm doing the exact same thing. Built a small web app that lets me manage all my email aliases for the domain. Unfortunately there are a couple of websites that do only allow a select list of whitelisted domains meaning I cannot use my own, but for the other 99% it works wonders. I wish I had had this idea ten years ago, it would have saved me so many headaches.
aendruk
Who whitelists email domains? Do they explain why?
Semaphor
I think Aliexpress does it, at least I wasn’t able to use my domain and had to use my old gmail account.
All I got was "not a valid email" or something like that.
z8
The most recent incident I remember was with a debrid service. I opened a ticket with their support and was told that the point of the policy was to combat abuse of their service. Not entirely sure why a paid service that accepts cryptocurrencies would care about email addresses.
rhn_mk1
I think yandex does. Or at least they didn't allow one person to send emails to me. "invalid address".
scoot
I use 33mail.com (33m.co) which does the same thing (it has a link on the email to disable the address). You can use a subdomain or custom domain. It has a generous free tier, and ridiculously cheap paid tier. (Paid is required if you want to be able to reply to inbound emails though.)
r2b2
The problem with self hosted email is that your domain becomes a unique (or near-unique with a few domains) tracking reference.
jen729w
Only if the entity on the other end understands this though, right? Which they probably don’t.
Otherwise everyone @example.com is the same person.
r2b2
It's worth a lot of money for the ad-tech (consumer tracking) industry to understand.
If a domain only occurs once in a user database, it's likely to be a personal domain. A data broker that sees the same domain in a few different datasets (once in each) can be quite confident that the domain is an individual's.
herval
I used to do this too, but it's a considerable amount of effort, and doesn't really prevent much: many domain hoarders/resellers know the trick, so they'll try to match other data they get from you, and sometimes build a fuller "profile" on you than they would if you only had gmail/other generic domain (eg if they have your name, which often leaks along email, they'll try your first name, first name + last name, initial + last name, first name + last initial, etc).
TonyTrapp
I'm doing it the other way around, which is slightly less work because you don't have to create new email addresses explicitly: Catch-all by default, with a recipient blocklist as part of smtpd_relay_restrictions that I update whenever some service gets breached.
yifanlu
I signed up for Comcast Xfinity using a brand new “hide my email” address and three months later I started receiving phishing emails at that address. (I’ve gotten over half a dozen so far). Made me realize that either Comcast was hacked (without disclosing it) or they’re selling people’s emails.
redmattred
I’ve experienced the same with comcast and have contacted their support. They claim there was no data breach or they aren’t selling emails, but that obviously isn’t the case.
EE84M3i
Well, it could also be the case that everything is working as designed, and that they gave your address to someone else who did have a data breach or is themselves sending the phishing emails.
cromka
Surely some attorneys would be interested in a class-action.
sneak
According to https://www.xfinity.com/Corporate/Customers/Policies/Subscri... you have to give up your rights to a class action and a jury trial to get Comcast service.
Additionally, they spend a ton of money lobbying and otherwise unfairly impeding competition, so in many places in the US, they are the only option, so it's give up your civil rights to lawsuits, or stay offline (or pay a wireless carrier who does the same anticompetitive scumbag shit a heinous price per gigabyte).
The state of both wireless and wireline broadband in the US is totally broken, and it's not getting fixed because it's broken by design, as part of the general attitude by large corporate interests and cooperative legislatures and regulatory bodies to treat the US population as a sort of natural resource like a flock of sheep to be fleeced rather than as legitimate customers to be serviced (or a legitimate market to be participated in on merits).
They do this by ensuring that there is no meaningful competition, and ensuring that if you do "willingly" engage in service with them, you have no meaningful legal recourse if they abuse you.
"We're the phone company. We don't have to care."
You have no real power against them because the people who control the system have decided that you should not have any real power against them.
randomluck040
I do that the old fashioned way with a catchall mail address and forward them. If they start smelling weird, I filter the address and change the mail address with the service provider.
ed25519FUUU
I wouldn’t rule out both.
mslate
Isn't it entirely possible that they are guessing your email address?
dwighttk
Probably both!
up6w6
The most popular open-source alternatives are SimpleLogin[1] and AnonAddy[2]. The former one was just acquired by ProtonMail[3].
[1] https://github.com/simple-login/app/
[2] https://github.com/anonaddy/anonaddy
[3] https://protonmail.com/blog/proton-and-simplelogin-join-forc...
Vinnl
Mozilla also has Firefox Relay: https://relay.firefox.com/
(Disclosure: I'm on the Relay team.)
sinatra
If relay gets popular, won’t some services simply start to block relay subdomain for registration to make it ineffective? Just like 10minutesemail etc are blocked in many places.
m-p-3
You can flag them to the Relay team and AFAIK they'll reach out to the domain that blacklisted them with the hope to make them change their mind.
A service that doesn't accept an email proxy during registration is not going to respect my privacy, so IMO not worth using.
CryptoBanker
Sites already have started blocking the mozmail.com domain name. I'm considering moving over to fastmail given that their domain is already established for email purposes. I would imagine the same is true for icloud emails
withinboredom
I don't know how much I can trust Mozilla with my privacy. I know it's not Mozilla's fault, but 90% of my millions of DNS requests that leave my house go to Mozilla tracking services. It's kind of scary how much information Mozilla has on people, just based on what leaves my house (and no one uses Firefox). I have no idea if Mozilla does any aggregation on that data, but it's a bit worrying IMHO.
3np
Any thoughts on improving the situation on self-hosting? I've written about the situation for Firefox Accounts (FXA, a dependency of Relay if you don't want to use third-party hosted services) here before[0][1] and Relay looks kind of similar.
When comparing Relay with the other two, I get the impression that SimpleLogin/AnonAddy actually interact with the community and understand that self-hosting is something people want to do and provide approachable documentation and support for that, whereas Firefox Relay seems built only with a single global prod deployment in mind and is more like "well theoretically you could but you're on your own and who would do that anyway?". Even if it's public and under an open license, the intended audience is Mozilla internal, e.g. [2]
Like, if a user signs up for Relay today and in 2 years Mozilla sunsets it, the way things look today I think it wouldn't be viable even for most seasoned self-hosters to migrate to their own deployment.
I do appreciate the work you guys are doing and I think the engineers seem to have good intentions, so don't want to be overly critical. But mentioning it as open source alongside SimpleLogin and AnonAddy comes with some major caveats IMO, and I'd wish that some more priority is put on keeping docs complete and up to date and making the stack realistically approachable for outsiders.
[0]: https://news.ycombinator.com/item?id=30727935
[1]: https://news.ycombinator.com/item?id=30315816
[2]: https://github.com/mozilla/fx-private-relay#optional-enable-...
Vinnl
I can only speak for myself, but my honest answer would be that indeed, self-hosting probably won't be easy to do any time soon. We're trying to get a less technical audience to benefit from privacy protections too, and I don't think there's a good approach to get them to self-host as well, so focusing our limited time on other things is probably more effective. But who knows, actual use and user research do influence our roadmap, so nothing's set in stone.
But you're absolutely right, the caveat is indeed that the reason you care about open source does matter. If you want to self-host, you're probably better off with another product. If you want to be able to see what code is running, or even be in control of the running code yourself (even if it's running on someone else's servers), then Relay might be interesting too.
smusamashah
I use mozmail and on the fly emails are great but so easy to exploit and spam.
For example, my custom domain is foo.mozmail.com. I enter my on the fly email address bar@foo.mozmail.com on attackers website. Voila. Now they know my custom domain name "foo" and can use it to send email to all possible on the fly addresses. e.g. 1@foo.mozmail.com 2@foo.mozmail.com so on and so forth.
Now my custom domain name as a whole is compromised but I can not change it anymore and lost all benefits of Firefox relay.
aorth
You don't have to use the custom @domain.mozmail.com address with Firefox Relay—you can use @mozmail.com with one of the auto-generated random aliases.
Your complaint is similar to using RFC 822 "me+site.com@domain.com" style emails and then worrying that sites are going to learn that your real email is "me@domain.com" by stripping off the part after the plus sign. Call me optimistic or naive, but I don't think that sites are doing that...
https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...
Vinnl
Yes, it is recommended to use a completely random email by default, and only use your custom domain as a fallback when you can't use the random one (e.g. when you have to give up your email somewhere in-person). We're looking into ways to make that clearer, because people's intuition tells them to use their custom subdomains by default.
bertman
Huh, hadn't heard about Proton buying Simple Login. I'm not sure how to feel about that. I really like SimpleLogin, but Proton always felt kind of "icky" for lack of a better word. Guess we'll see.
Rebelgecko
I'm a big fan of SpamGourmet, but I've noticed a few websites have started to blacklist it
chrizel
Another advantage not mentioned is that '@icloud.com' is a generic domain that has been (and still is) used for a lot of real e-mail addresses for years. That means that most registration forms cannot just simply block '@icloud.com' because that would lock out a lot of real '@icloud.com' addresses.
Hide My Email is very good and I'm using it a lot.
paraxion
Hang on, though: doesn't this essentially hand Apple a big list of which domains you communicate with and how frequently? There's also nothing stopping them reading the emails on the way through. I know a lot of people trust Apple more than Google, but you're essentially signing up for a vendor-locked product that you're hoping Apple will continue to support, with no guarantee they won't collect - even at an aggregate level - your communication preferences.
They're even slightly pre-filtered for Apple's convenience, as the times you're likely to use Hide My Email are for shopping and social media - nice, ripe marketing targets.
spsful
If you use Gmail, there's also nothing stopping them reading the emails on the way through. If you use Outlook, there's also nothing stopping them reading the emails on the way through. If you use Yahoo, there's also nothing stopping them reading the emails on the way through.
If you use virtually any email provider this is true.
paraxion
Oh, absolutely that's true; even with privacy-focused, hosted systems like Proton or FastMail there's always that tiny shadow of doubt that they're doing what they're saying they do.
tpxl
Before, one entity could read your mails, and after, two entities can read your mails.
onethought
There is no lock in - you can login to "whatever app" and update your email to a new one anytime you like. It's just an email address in the end.
Also, unless you're encrypting your emails, can't everyone read your emails "on the way through" anyway?
spacedcowboy
With google, even if you’re encrypting. Gmail, even in the shiny incarnation, only supports server-hosted private keys. A private key that you must give to your service provider is about as useful as a chocolate teapot, imho.
ip26
If you are already on an @icloud.com address and/or using Apple Mail, what’s the difference?
gzer0
The only thing really holding me back from wanting to use iCloud mailing services is the current implementation of MFA on Apple services.
It would be fine if you were allowed to use normal MFA options, but no, that is not possible. Instead, you MUST confirm your logins via already signed in Apple-devices only. There is no other way. Cannot use phone number (for good reason, but that is besides the point), cannot have a secret key based TOTP.
kayodelycaon
Actually, Apple allows SMS and recovery keys as a fallback and there is an account recovery option if none of these work.
https://support.apple.com/en-us/HT204915
Google on the other hand… I’ve seen two people lose their Gmail accounts even though they knew the password because google required verification from a mobile device that no longer existed. :|
criddell
I think Google also has recovery keys. I have a slip of paper with ten long strings on them that Google told me could be used to regain access to my account.
Gigachad
Google seems to have changed their MFA strategy recently where normal TOTP apps are a backup measure while the already signed in device is the primary. It wouldn't shock me if they don't prompt you to set up the app or recovery keys anymore.
kayodelycaon
Said accounts did not have two-factor enabled.
eek2121
Google supports MFA apps. I use Microsoft's and I've been able to recover after switching to a brand-new phone without moving data over because Microsoft syncs with cloud services. (iCloud on iPhone)
Kwpolska
SMS is available as a fallback 2FA method for Apple ID.
m-p-3
I only wish they'd support standard TOTP as well, like everyone else.
sewsuiuldot
I wish they'd let users decide what they want to use as additional factors. I would like to ban phone calls, emails, SMS, and TOTP entirely from all my accounts, especially those that hold credentials for other services, and use only WebAuthn.
I'd love to use Apple's keychain for credentials for convenience but it can quickly become the weakest link, when it should be the strongest.
gzer0
Unfortunately, only one phone number is allowed per Apple ID. And I do not have multiple phone numbers to expend for an SMS only 2fa option here.
bmarquez
You can have multiple accounts on one "trusted phone number". Trusted phone number is where Apple sends the SMS 2FA code. I have several Apple ID's on 1 phone number.
This is different than "Reachable at" phone number which must be unique and is used for iMessage and Facetime, and if it's blank other people can only reach you via iCloud account email.
(It makes sense if you think about it, parents setting up iCloud accounts for their children's iPads who might not have their own phone).
JimDabell
This is not correct. Go to https://appleid.apple.com/account/manage and you will see that you can add multiple trusted phone numbers under Account Security.
thetinguy
As long as you add a trusted phone number you can do Mfa over sms. Not ideal but it is an option.
pram
Huge fan of this, started using it for practically every signup. I've already had the opportunity to shitcan an alias because it obviously got dumped to some advertisement list.
Now I just need to work on untangling 15 years of other services from my main account.
FabHK
A useful feature the article doesn't mention:
In macOS Mail and iOS Mail, when you reply to an email or send a new one, you can choose the "From" address: The options are the usual accounts you have set up, plus, now, a "Hide my Email" proxy generated on-the-fly. I've found it very handy on several occasions.
treesknees
Great, I didn’t realize this was an option. It feels less useful for replies but new emails I could definitely see myself using this.
FabHK
Cases where I've used it for replies:
* accidental semi-spam (people sending emails to someone at one of the domains I own, mistakenly) where I wish to notify them that they got the wrong email, but don't want to divulge my main email (and name).
* support emails from services that I signed up with using "Hide my email". When replying, the "From" defaults to my main email, but again, I can switch to "Hide my email".
mlapida
Thanks for sharing! I totally missed this.
DIVx0
I don't use Safari but I still use this feature a lot even though I have to do a few extra steps because it does not integrate with anything other than Safari, it's that useful for me.
Some sites have never worked properly with the email+tag@gmail.com thing and some have even become wise to it and won't accept addresses like that (car dealers are the worst).
I hope someday apple allows 3rd party integration with this feature.
newaccount74
I don't get the email+tag. Spammers can just drop the plus tag and get your real email address?
stu2b50
They could, but they don't. Spammers cast a wide net and usually aren't concerned about the crumbs that fall through. Not to mention the people that do the plus or dot tricks are going to be extremely low value spam targets.
stingraycharles
Yup, but assuming these spammers want to keep their lists of leaked emails fresh, it’s kind of silly that they’re so unconcerned about it: they’re very much helping to expose their suppliers. I feel that they must realize that can’t be good, but maybe I overestimate them.
cormacrelf
If it makes it into a leak database, you know who to blame.
treesknees
Agreed. You can get to it through Settings > Apple ID > iCloud > Hide My Email, but it’s a pain to navigate.
I tend to use it when signing up for something IRL that wants an email address. I wish there was a way to use Shortcuts to generate a new email in one tap.
I’ve been keeping an eye out for a settings URI that will take you there directly https://github.com/FifiTheBulldog/ios-settings-urls/issues/1...
fiddlerwoaroof
One workaround is that gmail ignores dots in the local part too: so you can use unusual punctuation for marketing: e.mail@gmail.com
newaccount74
I've been using yopmail for years to avoid spam, but the problem is that a lot of services have blocked yopmail and other disposable email addresses.
The nice thing with "hide my email" and Fastmail's "masked addresses" is that the two services use a popular domain, so sites can't easily block it.
ratww
Yep, I used to use Mailinator, sometimes others, but they eventually end up blocked in Marketing-hungry websites.
Even myname+random@gmail.com and similar can get blocked from registration on some websites now.
The difference here is the power of iCloud. Services can't afford to block it.
This is similar to Domain Fronting [1]. Maybe we should call this email fronting?
bb88
The "+" symbol is easy to detect.
The other benefit for apple is that if a generated email address for Home Depot has non Home Depot content, it's easy to block, since it's clear it got sold to an email marketing company.
And then Apple can then threaten the corporations to not sell their mailing lists or risk being cut off from sending to icloud, or worse, having a header in the email from Apple saying that "Home Depot doesn't respect your privacy and sells your email address to 3rd party marketing companies. Here's a telephone number where you can complain."
Underphil
This raised a bigger question for me- How did the system get to a point where only big players can set up a service like this?
bb88
Email marketing ruined communication for everyone.
I once ran my own email server for several years off a domain from no-ip.org running from a local server in my home. Most places accepted email from it just fine, occasionally though some places had their mail server reject my IP because it was in a DNS black hole.
Then you had the spoofers pretend to be att.com/verizon.com so they had to implement SPF and DKIM.
Then you had to uphold your reputation and the security of your servers otherwise your address would get put on one of the DNS black hole blocks.
Worse was if your IP address was already used to send spam -- you somehow had to get the black hole lists to remove your IP.
At some point about 15 years ago, I gave up and moved to gmail, and I never really looked back on it again.
ratww
It's not really big players per se, but "domains with a lot of users that I can't block". Which of course means "big players" for regular people.
I agree with sibling that the problem is with Email marketing, but for different reasons.
Companies are so addicted to spamming users and selling user data that it becomes unacceptable that users might not want to give away their email.
Another problem is emails being required for signing up to accounts.
Honestly IMHO we gotta get rid of email for signups. I don't know what to replace it with. Hardware keys, maybe?
kingcharles
I still get sites from time to time that reject custom domains and want an address on yahoo.com, gmail.com etc, which is infuriating.
The worst thing is that so many sites have stupid email validation rules. Even cameo.com, which is a mid-size ecommerce site, doesn't accept a lot of TLDs created in the last 8 years, including mine.
yellow_postit
Love the service but nervous on the lock-in. Any guides for how to migrate off Apple after using lots of emails?
I’ve been happy with the Fastmail+1Password integration as that “feels” less painful to migrate off in the future.
m0dest
This is the million dollar question that Apple hasn't answered. What happens to these forwarding addresses if you cancel iCloud+?
The result is bad either way. It's either A or B. (A) Canceling iCloud+ doesn't remove existing Hide My Email addresses - which makes it possible to abuse by creating tons of extra addresses before canceling. Or: (B) Canceling iCloud+ deletes all of your Hide My Email addresses, locking you out of dozens of services (e.g. anything that sends an email as a MFA).
I suspect that it is actually (A). Someone just needs to test this and report out.
adamhearn
Currently I forward all my iCloud mail to my protonmail. Not sure if the aliases will stick around after cancelling a subscription however.
SylvieLorxu
I see SimpleLogin mentioned in the replies several times, but I haven't seen anyone mention that you can use your own domain name with them to prevent vendor lock-in.
You can also export your setup through their API so you can very easily migrate to a self-hosted instance if ever necessary:
    wget --header "Authentication: YOUR_API_KEY" https://app.simplelogin.io/api/export/aliases -O simplelogin-export-$(date +%s).csv
And given the author talks about Have I Been Pwned, I feel I should mention that SimpleLogin has built-in HIBP integration (contributed by me in https://github.com/simple-login/app/pull/472)
I have a unique email address for every single service that I sign up for, similar to this, though selfhosted. I've been doing this for years and it works wonderfully. If someone misuses my email address, or gets annoying, I can simply turn off the address. Bam!
It's the easiest Postfix config in the universe, essentially just:
And then /etc/postfix/virtual looks like this:
I also made a super simple web UI for myself to edit this file quickly.
Gmail seems to be fine with this, emails do not usually end up in spam. Every full moon maybe, but usually it's alright.
It's not as shiny as Apple's thing, but it's 100% selfhosted and I own the domain.