For the past week or so, I've been trying to remove my reliance on Google. Privacy has become a big concern and primary motivator for me, as well as eminent domain over my own data, and it's time I evaluated just in how few baskets my eggs lay.

Unfortunately, like so many others, my email address has landed up on haveibeenpwned.com over the years in numerous breaches, and there's nothing I can do about that. I have a GMail account that dates back many years, and a Hotmail¹ that dates back even more. These inboxes now contain so much spam that it's difficult to differentiate between legitimate and illegitimate emails.

The common (wrong) way to protect your email address

A solution I've heard a few times is to suffix your address with the service name, so if your email address is [email protected] then you might sign up to Netflix with [email protected]. Sure, most services support this. However the problem with this is if a spammer ever actually reads your email address, they're going to see that you're simply using a suffix. It's going to take little to no effort to just mentally yeet that +netflix from the end of the username and start berating your inbox at [email protected], now with no easy way to discern who it's coming from or which service leaked your data.

When you stop to think about it, it's really not that secure of a system. You're hiding in plain sight, for a very gracious definition of “hiding”.

The “okay” way to protect your email address

The way I circumvented this for many years was to set up a catch-all mail forwarder for my domain, such that anything sent to *@example.com is forwarded to GMail, and then I sign up to every service with their own address on the domain, so Netflix would get [email protected], Amazon would get [email protected]. I just give each service their own username, and it'll all forward to me. This way, if a specific address starts getting spam, I know which service sold my data (or was careless enough to have it leaked). For instance, started getting spam on [email protected]? Now I know Facebook sold my email address!

This solution was fine, and certainly worked, but it comes with a bit of a drawback. See, when you set up a catch-all like this, you'll start to realise that spammers generally try to brute-force emails to all manner of random addresses. I - no joke - started to get emails to usernames like bvvjviw@ and jw832kk@, because whatever system the spammers were using meant they were just trying to reach as many people as possible. And without a leak to know that an address exists, what better way to do that than to iterate through random strings until you find a match? “Aha! [email protected] didn't bounce back! Let's start sending more to that address!”

However it's not hard to create a spam rule to block this kind of thing. The real issue lies in what actually happens if a legitimate address gets leaked. In fact, just over a week ago, archive.org had a huge breach which resulted in millions of users having their information stolen. What are you supposed to do now? Your [email protected] address has to be destroyed, but you can't destroy it because of the catch-all set up on the domain.

So okay, maybe set up a dedicated inbox for it? But that still results in spammers knowing the address is valid and it's quickly going to fill up with junk. And what email are you supposed to change your account to now, [email protected]? What if it gets leaked again? All you're doing is moving the problem back.

And what if the spammer catches on to the idea that you're simply doing [email protected]? “Oh look, this guy used archive@ I wonder if there's also a banking@ or an instagram@ 🤔” - it's not going to take much time and effort on their part before your entire arsenal of email addresses is exposed.

But fear not, there is a workaround to all of this.

The best way to protect your email address

The way I've now set up my email is by removing the catch-all entirely, because clearly that wasn't the best strategy. My current system started off with each service still getting its own email address, but now that address is an actual distinct forwarder set up. So [email protected] would only work because I set up a forwarder for it, not because it was forwarded by the catch-all, which means emails sent to random strings like [email protected] no longer reach me, finally.

But what about that last point I made? What if the address is stolen or leaked and you need to change the email on your account? Easy. Just open up random.org and generate a random word and number pair to add to your forwarder! So instead of [email protected], you might have [email protected]. If that address is ever leaked, destroy that forwarder and set up a new one like [email protected]. This also makes it virtually impossible for a spammer/hacker to know which addresses you use for other services, because you're essentially using random passphrases as part of your forwarder username. [email protected] is valid but [email protected] isn't.

Leaving GMail

The last problem that remains it that all of these forwarders just go to my GMail - the true address behind which has been leaked for many years, so I still receive spam to not.telling.you@gmail.com. So the last step here is to create one final dedicated inbox (it doesn't matter what you call it, it could be [email protected] or [email protected] or [email protected], take your pick, or call it whatever you want I'm not your mother). This email address is kept absolutely private, at all times, no matter what. You do not expose this address to anyone. It's simply a centralised location to which all your other forwarders point. If a forwarder becomes breached, all you need to do is destroy it and set up a new one, keeping your centralised inbox free of spam entirely. For this, I set up a mail server using FOSS known as iRedMail. It's even available as a Docker image which means setting up a stack for it in Portainer was relatively straightforward.

Finally, doing this gives me one last satisfying sight that I have not seen for many years. A state that is ever-so-fleeting, but nevertheless a marvel when it happens. I won't get to enjoy it for long, but…

I saw Inbox Zero.