Skip to content

Email Aliasing: How to Stop Handing Out Your Real Email Address

An email alias is a forwarding address you give to services so breaches, spam, and cross-site tracking can't follow your real email address everywhere you go.

πŸ“– The Basics

What It Is

An email alias is a forwarding address that routes email to your real inbox without exposing your real email address. When a service sends to the alias, you receive it normally in your actual inbox. When you reply, the alias appears as the sender. Your real address never appears in the exchange.

The practice of using aliases instead of your real email is called email aliasing. It's one of the most practical and underused privacy habits available, because the setup cost is low (a browser extension generating aliases in one click) while the protection compounds over time with every new signup.

How It Works

The Forwarding Chain

When you create an alias through a service like SimpleLogin or addy.io, you get an address like newsletter@simplelogin.com. You give this address to a service when signing up. That service now holds only the alias, not your real address. Email sent to the alias routes through the aliasing service and arrives in your real inbox. To the outside world, newsletter@simplelogin.com is your email address for that service, but your real address exists nowhere in the interaction.

Replies work through the same chain in reverse: your aliasing service rewrites the reply headers so your reply appears to come from the alias. The recipient never sees your real address.

graph LR
    A["πŸ›οΈ Shopping Site<br/>─────<br/>Sees: newsletter@<br/>simplelogin.com"] --> B["πŸ”€ Alias Service<br/>─────<br/>Rewrites headers<br/>Forwards to inbox"] --> C["πŸ“¬ Your Real Inbox<br/>─────<br/>you@proton.me"]

Diagram: A shopping site sends mail to your alias address. The alias service rewrites the headers and forwards it to your real inbox. Your actual email address is never revealed to the sender.

Why One Alias Per Service is Optimal

The goal is for every service to get a unique alias. Your streaming subscription gets one. Your tofu press gets another. The newsletter you subscribed to gets another. This does three things that a single shared alias or your real address can't:

  • Breach containment. When a service is breached and its user database is leaked, the email address exposed is associated only with that service. It can't be cross-referenced to find your other accounts. The breach is isolated to one alias you can immediately disable.
  • Spam source identification. If one alias starts receiving spam or marketing email you didn't sign up for, you know exactly which service sold or leaked it, because only one service had that address. You disable the alias. The spam stops. No unsubscribe links, no filtering rules.
  • Identity decoupling. Your real email addressβ€”the one linked to your name, your account recovery flows, your longest-standing digital relationshipsβ€”stays off the databases of services you sign up for.

While grouping services into a single alias (like all social media accounts under one alias) is still better than nothing, you may as well do the optimal 'one alias per account' given how easy aliasing is nowadays.

What Happens When an Alias is Compromised

You disable it. The alias stops forwarding. New email to that address goes nowhere. You create a new alias for that service if you want to keep using it. This takes seconds and requires no action from the breached service.

The Difference From Plus-Addressing

Many email providers support plus-addressing, where you append a tag after your username, like yourname+shopping@gmail.com. This looks like aliasing but provides fewer protections.

Many services and data brokers strip the plus tag entirely, normalizing yourname+shopping@gmail.com to yourname@gmail.com. Your real address is exposed and cross-referenceable across every service you used plus-addressing with. Additionally, the base address before the plus sign is visible to anyone who receives the email, so there's no obscurity. Plus-addressing might still be useful for Gmail inbox filtering, but as a privacy tool it doesn't hold up.

Catch-All Aliases vs. Per-Service Aliases

Some aliasing services let you set up a custom domain with a catch-all, so any email sent to anything@yourdomain.com arrives in your inbox. This gives you infinite unique addresses without logging in to create each one: just give amazon@yourdomain.com to Amazon, netflix@yourdomain.com to Netflix, and so on. The tradeoff is that catch-all addresses are predictable, so anyone who knows your domain can guess the pattern. Per-service generated aliases (random strings like k7x2m@simplelogin.com) are unpredictable and harder to enumerate. Both approaches are valid and which you use depends on your threat model.

The Major Aliasing Services

  • SimpleLogin: a full-featured dedicated aliasing service. Open source, self-hostable, works with any email provider regardless of which ecosystem you're in. Acquired by Proton in April 2022 and now part of the Proton ecosystem, but continues to operate independently and remains compatible with Gmail, Fastmail, or any other provider. Integrates natively into Proton Pass if you use that password manager.
  • addy.io (formerly AnonAddy): open source, self-hostable for full infrastructure control, generous free tier. Operates under Dutch jurisdiction. A strong option for users who want to self-host or want independence from any commercial ecosystem.
  • Apple Hide My Email: built into iCloud, auto-fills in Safari and iOS when creating accounts. Convenient within the Apple ecosystem, requires iCloud+ subscription, and not usable outside Apple platforms.
  • DuckDuckGo Email Protection: free, unlimited aliases on a @duck.com domain. Automatically strips email trackers before forwarding. No custom domain support, but zero cost and zero friction makes it a great entry point. Available through the DuckDuckGo browser or extension.
  • Firefox Relay: free tier offers 5 aliases; premium unlocks unlimited aliases, reply support, and tracker blocking. Integrated directly into Firefox. Best suited for Firefox users who want aliasing baked into their existing workflow.
  • Fastmail Masked Email: if Fastmail is already your email provider, Masked Email is built in. One-click alias generation via the Fastmail extension, with replies going out from the alias by default. Not a standalone service. This requires a Fastmail subscription.
  • IVPN Mailx: open-source email aliasing built and operated by the IVPN team. Currently available free to IVPN Pro subscribers with a year or more remaining on their account. Supports custom domains, wildcard aliases, multiple recipients, and PGP encryption. A natural fit if you're already an IVPN customer.

Most aliasing services work similarly at their core, and many can be combined with the same inbox for users who want to mix approaches for different use cases.

🎯 Why It Matters

In January 2024, researchers published an analysis of what they called the "Mother of All Breaches", a compiled dataset of approximately 26 billion records across 12 terabytes. This data was drawn from thousands of previous data breaches from Twitter, Dropbox, LinkedIn, Adobe, Canva, and hundreds of others.

When people compile thousands of breach databases and cross-reference by email address, the email address becomes the key that reconstructs a profile of any person. What services they use, what password patterns they rely on, what accounts are linked to the same identity. Every service you've ever signed up for with the same real address contributes to the same profile.

Aliasing breaks this at the root. If every service gets a different alias, there's no persistent identifier to cross-reference. A breach at one service exposes an address that appears nowhere else.

There's also the question of what your real email address enables. Most account recovery flows rely on email. Your password reset links, your 2FA backup codes, your identity verification for banks and financial servicesβ€”these often route through your primary email. That email address is high-value, and it's worth protecting.

This is the preventative side of data privacy. The Data Brokers article covers the reactive side by removing information that's already out there. Aliasing is what you do so that future signups don't create the same exposure.

πŸ’‘ Common Misconceptions

"Aliasing is a power-user tool."

It looks complicated from the outside, but in 2026 the friction is mostly gone. Modern password managers like Proton Pass generate an alias inline with the username and password at signup. A browser extension and one click do the work. The hard part is forming the habit, not the technology.

"Plus-addressing (yourname+shopping@gmail.com) already covers this."

It looks like aliasing, but the underlying address is still your real address, and many data brokers and services strip the +tag automatically. Plus-addressing is fine for inbox filtering, but it does not isolate your identity the same way.

"You have to switch every account at once."

You don't. The protection compounds from your next signup onward. Start with low-stakes accounts you're creating today like newsletters, shopping, anything where a leak would be an annoyance rather than a crisis. The accounts you've held for ten years can stay where they are until you're ready to migrate them.

"There's one correct way to alias."

There isn't. A custom catch-all domain gives you portability and ownership. If your alias provider disappears tomorrow, you still receive every email you ever signed up for. A generic @simplelogin.com-style address gives you better anonymity and avoids the public link to a domain you own. Both work. Which fits depends on what you're optimizing for.

πŸ—£οΈ Henry's Take

In 2026, aliasing is one of those rare privacy practices that has almost no drawbacks. You get better breach containment, better spam isolation, an audit trail that tells you exactly which service leaked your address, and an inbox that gets easier to manage as you adopt it. The setup is a browser extension and a habit.

Back in the day (like before 2020) this was a nightmare of a problem to deal with. Email aliasing wasn't really a mature concept, and so the best advice was still 'create multiple email inboxes for different purposes'β€”I can still remember having to log in and out of all my email accounts on a daily basis...oh the horror.

I firmly believe email aliasing is the most impactful development in privacy tools of the last half-decade. It was never possible to generate a new email address for every account, but now it is. And now it can all forward to a single email inbox. I use SimpleLogin, but more specifically I use the Proton Pass integration so all of my aliases are generated automatically when I create my accounts.

One setup worth knowing about: you can bring a custom domain into SimpleLogin rather than just using it as a raw catch-all. Instead of accepting anything at @yourdomain.com, you create individual aliases on your own domain explicitly inside SimpleLoginβ€”amazon@yourdomain.com becomes a managed alias, not an open catch-all. SimpleLogin still handles all the forwarding and reply rewriting, but the addresses live on a domain you own. If you ever leave SimpleLogin, the domain comes with you. It's a middle path between the convenience of SimpleLogin's shared domains and the full ownership of a standalone catch-all.

If you're talking to a family member who's never aliased anything, the right starting point is low-stakes. Apple's Hide My Email covers an iPhone user with no extra software. SimpleLogin or addy.io covers anyone outside the Apple ecosystem with a browser extension. The first time spam shows up on an alias you can disable instead of on your real inbox is when the practice clicks.

βœ… Henry's Picks

SimpleLogin, integrated with Proton Pass: This is what I use. SimpleLogin is open source and works with any email provider, including Gmail and Fastmail. The Proton Pass integration generates an alias at the same moment the password manager generates the password, which is the lowest-friction setup I've found. SimpleLogin also runs fine standalone if you'd rather keep it separate from a password manager.

addy.io: open source, self-hostable, generous free tier, Dutch jurisdiction. The right pick for users who want infrastructure control or want to stay clear of any single commercial ecosystem.

Apple Hide My Email: the lowest-friction starter for anyone on iCloud+. Auto-fills in Safari and the iOS account creation flow with no extension required. Limited to Apple platforms and tied to the iCloud subscription, but a real privacy improvement with effectively zero learning curve.

See the broader recommendation set at Techlore's SPA Tools.

πŸ”— Go Deeper

Related wiki articles:

Techlore content:

  • Go Incognito v2, Lesson 3.6β€”Aliasing

External sources:

Found an error? Report it here β†’