August 10, 2022

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.

What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.

Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time. The signal is only as good as the alias is unique: reuse one across two sites and you can no longer tell which of them leaked it.
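As an added example (not code from the original post), here is the scheme described above in Python: make_alias builds the per-site address, split_alias recovers the tag from an inbound recipient, and classify files a message into the alias’s folder while flagging any message to that alias whose sender is outside the domain the alias was handed to. REGISTRY, the sample traffic and the domain names are constructed for this example. Because the From header is forgeable, a flag is a hint to investigate, not proof of a breach.

```python
"""Plus-addressing aliases: one per site, then watch where mail to each one comes from."""
import re
from email.utils import parseaddr

# "+" is legal in an unquoted local part (RFC 5322 atext); the tag is restricted to a
# conservative subset so the alias survives the stricter validation many sign-up forms apply.
TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,30}$")


def make_alias(base: str, tag: str) -> str:
    """Turn user@domain into user+tag@domain (plus-addressing / subaddressing)."""
    if not TAG_RE.match(tag):
        raise ValueError(f"bad tag: {tag!r}")
    local, domain = base.rsplit("@", 1)
    if "+" in local:
        raise ValueError("base address already carries a tag")
    return f"{local}+{tag}@{domain}"


def split_alias(addr: str):
    """Return (base_address, tag) for an address; tag is None when there is no '+'."""
    _, addr = parseaddr(addr)  # drop any "Display Name <...>" wrapper
    local, _, domain = addr.lower().rpartition("@")
    user, plus, tag = local.partition("+")
    return f"{user}@{domain}", (tag if plus else None)


# Hypothetical record of where each alias was given out (constructed for the example).
# "domains" lists the sender domains that site is expected to mail from.
REGISTRY = {
    "example": {"folder": "Example", "domains": {"example.com"}},
    "shop": {"folder": "Shop", "domains": {"shop.invalid"}},
}


def classify(to_addr: str, from_addr: str):
    """Choose a folder for an inbound message and flag mail to an alias from an
    unexpected domain. Returns (folder, suspicious)."""
    _, tag = split_alias(to_addr)
    if tag is None or tag not in REGISTRY:
        return "INBOX", False
    entry = REGISTRY[tag]
    _, sender = parseaddr(from_addr)
    sender_domain = sender.lower().rpartition("@")[2]
    # A sender outside the site's own domain (or a subdomain of it) means the alias
    # leaked: the site shared it, or its user database was stolen.
    expected = any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in entry["domains"])
    return entry["folder"], not expected


def leaked_tags(messages):
    """Tags that received mail from a domain they were never given to."""
    return sorted({split_alias(to)[1] for to, frm in messages if classify(to, frm)[1]})


# Constructed sample traffic: (To, From) pairs, not real mail.
SAMPLE = [
    ("krebsonsecurity+example@gmail.com", "noreply@example.com"),
    ("krebsonsecurity+example@gmail.com", "deals@bulkmailer.invalid"),
    ("krebsonsecurity+shop@gmail.com", "orders@mail.shop.invalid"),
    ("krebsonsecurity@gmail.com", "friend@somewhere.invalid"),
]

if __name__ == "__main__":
    print(make_alias("krebsonsecurity@gmail.com", "example"))
    for to, frm in SAMPLE:
        print(f"{to} <- {frm}: {classify(to, frm)}")
    print("aliases that appear to have leaked:", leaked_tags(SAMPLE))
```

In a real mailbox the same check is usually expressed as a filter rule (match on the recipient, file into the folder) plus a second rule that raises an alert when the sender is not the expected site; the Python here shows the logic those two rules implement.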

Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.

Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.

“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”

According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.

Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.

Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
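An added example, not part of the article: the heuristic from the preceding paragraphs applied to a constructed dump. alias_stats gives the share of records carrying a tag (the figure HaveIBeenPwned puts at about .03 percent), likely_source returns the most common tag when it appears often enough to point at a site, and scrub_aliases shows the stripping Holden describes, after which the signal is gone. The addresses and the webshop tag are made up for this example; the threshold of three repeats is an assumption, not a figure from the article.

```python
"""Attribute a leaked user database from the plus-address tags it contains."""
from collections import Counter


def alias_tag(addr: str):
    """Return the subaddress tag of user+tag@domain (lower-cased), or None if there is none."""
    local, _, _ = addr.strip().lower().rpartition("@")
    _, plus, tag = local.partition("+")
    return tag if plus and tag else None


def alias_stats(addresses):
    """Share of records that carry a tag, and how often each tag occurs.
    Returns (ratio, Counter)."""
    tags = Counter(t for t in map(alias_tag, addresses) if t)
    total = len(addresses)
    return (sum(tags.values()) / total if total else 0.0), tags


def likely_source(addresses, min_count=3):
    """The most common tag if it repeats at least min_count times. People usually
    name the site in the tag, so a repeated tag points at the breached company."""
    _, tags = alias_stats(addresses)
    if not tags:
        return None
    tag, n = tags.most_common(1)[0]
    return tag if n >= min_count else None


def scrub_aliases(addresses):
    """What Holden describes: drop everything from '+' to '@' so the aliased users
    can no longer tell where the address leaked from."""
    out = []
    for addr in addresses:
        local, _, domain = addr.strip().lower().rpartition("@")
        out.append(f"{local.split('+', 1)[0]}@{domain}")
    return out


# Constructed sample dump: ~2000 plain addresses plus a handful of aliased ones.
# Nothing here is real data.
SAMPLE = (
    [f"user{i}@mail.invalid" for i in range(2000)]
    + ["alice+webshop@mail.invalid", "bob+webshop@gmail.com",
       "carol+Webshop@mail.invalid", "dave+shop@mail.invalid",
       "erin+newsletter@mail.invalid"]
)

if __name__ == "__main__":
    ratio, tags = alias_stats(SAMPLE)
    print(f"aliased records: {ratio:.3%}  tags: {dict(tags)}")
    print("likely source:", likely_source(SAMPLE))
    print("after scrubbing:", likely_source(scrub_aliases(SAMPLE)))
```

Note that the ratio in the sample (about 0.25 percent) is well above the .03 percent baseline Hunt measured, so even a small dump can contain enough tags to name the site; the scrubbed copy yields no tags at all, which is exactly why sellers bother to strip them.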

That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.

But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.

“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”

HaveIBeenPwned founder Troy Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.

While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online are automatically prompted to use Apple’s Hide My Email feature, which creates the account under a unique, randomly generated address that forwards to their real inbox.

What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though “+” is a valid character in the local part of an address under the Internet message format standard (RFC 5322), and treating everything after it as a routing tag is a convention Gmail and many other providers support. A sign-up form that rejects the address is applying its own, stricter validation; nothing about the address itself is invalid.

Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.

What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.


143 thoughts on “The Security Pros and Cons of Using Email Aliases”

  1. Ben

    For some reason, once I signed up with a + alias it will work; however, then when I request a password it won’t work.
    A lot of problems like these are bound to happen, sadly.

  2. RALi

    I have a domain set aside for such aliases; and have since about 2005.
    I actually set it up so that I could compare recipient RHS@ to sender @LHS. A match gets some “is this email spammy?” points knocked off, but if it gets my record stripped out of some stolen database, I’m hardly crying over it.

  3. k92AZABzgt

    I have been using 3-5 domains with gmail for many years and each domain for different purposes. (All kinds of things; official stuff; “device” accounts). And the usual throwaway accounts (or 10minutemail).

    Sometimes with alias, sometimes without (depending on my gut feeling). But somehow I never thought about the fact that you can simply remove the alias from an email list. But with many sites the aliases don’t work or cause problems and so far I’ve never had a case where the alias would have had an advantage.

    I’ve been using AnonAddy for a few weeks experimentally because it’s relatively easy to integrate into Bitwarden, but it’s still too recent to make any conclusions.

  4. Frank

    Like other commenters here, I have also been using my own domains for years with a “catch-all” account. A much more stealthy way of using aliases. So rather than bob+amazon@gmail.com, I use something like amzn382@mydomain. If I start receiving spam or other undesirable content, I can still identify where I used the alias and can cut off any future emails to it by simply defining the address and changing it to forward to a non-existent domain. There’s no way for anyone to easily tell the address is an alias, and even if they do, they still won’t have my primary email address.

  5. Doug+MKE

    0) While the more recent Requests For Comments (IETF RFCs) indeed allow the Plus Sign in the “local part” (mailbox) address, the 40-year-old original RFC821 explicitly allowed only alphameric letters, numeric digits, the hyphen, or the dot. Moreover, since the “local part” may be tied to actual Operating System UserIDs (which frequently do not allow the Plus Sign as a valid character), it is easy to see why “plus aliases” may not be acceptable in many systems.

    1) I have found that my best solution to the “compartmentalization of email addresses” problem is to own a domain name, set it up with a single Microsoft 365 Business Basic account, and then set up multiple “Shared Mailboxes” for each of the ‘alias’ names needed to communicate with various distinct entities, granting read and send-as rights to the basic user account.

    The Shared Boxes are set to Forward (but retain original copy) messages to the M365 user account. (Forwarding can _also_ be made to multiple addresses, including external domains–e.g. your phone address, by creating a Distribution List). Responses in the “alias” name are sent by merely opening the Shared Mailbox, or by using the Send As function. Nobody ever sees the true underlying User Mailbox name. And, “plus addressing” can still be used with any of the Shared Mailbox addresses.

    Yes, it costs $100 per year or so, and it takes a little getting your geek on; however, you get what you pay for. Isolating financial, healthcare, shopping, and other accounts from cross-threats is a worthwhile risk mitigation technique.

  6. sean

    Another user with my own domain. For over a decade now, rather than a catch-all account, I explicitly create a dedicated alias whenever I give out my address to an untrusted recipient. I also migrated to FastMail a year or two ago.

  7. Security Controls

    Aliases are great to have. They’re like having multiple usernames on email. Business owners use aliases so they can have additional email addresses to separate their personal and business emails. Although aliases can be handy, you also have to be careful as well. If you don’t know how to set up aliases properly, you can easily expose your email info and make it easier for hackers to access your email account. If you don’t know how to properly use aliases, it’s better to just stick to a regular email account to avoid any confusion.

  8. Paul

    The biggest annoyance is when you can subscribe to a site using an alias but then when you want to unsubscribe, the email address is flagged as “not a valid email address”

  9. paul

    Great article, as far as it goes, but what about covering aliasing as supplied by such services as Firefox Relay and Simplelogin? These allow you to create aliases that don’t expose your target email address at all, and allow you to easily blacklist aliases when senders to that address become abusive or compromised.

  10. valorphase

    Another useful technique if you use Gmail is to (mis)place a dot in the local-part of your email since “dots don’t matter.”

    Example: if your “normal” Gmail address is snarkykitten85@gmail.com you can place dots wherever you like, and keep them for different purposes.

    snarky.kitten.85 — untrusted site
    snarky.kitten85 — shopping
    snark.y.kitten.85 — mailing lists

    Dots don’t matter: https://support.google.com/mail/answer/7436150?hl=en
    Dots do matter: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/

  11. oslinux

    I prefer to use a catch-all with my domain. That way I don’t have to worry about the address existing, and since most of the accounts don’t require that I send email from that address, it makes it easy. Also, since I run my own email server, if ever needed I can create and then send email from any address I need.

Comments are closed.