Security and Privacy Life Hack

Security and data protection advantages of a personal mail alias

Introduction

You’ve got one or more personal and professional mail addresses, and you probably want to keep those addresses safe from spammers, scammers and data theft.

Besides using mail to communicate (sending and receiving messages), many platforms also use mail registration as an authentication method.

It’s not always the best option to use single sign-on with platforms like LinkedIn, Facebook, Microsoft Account, Google…

What’s the issue?

The main issue with single sign-on is that when one mail address is breached or hacked, the attacker can fairly easily use the breached mailbox to log in to all the linked platforms.

And from a practical point of view, if you use that single personal mail address to subscribe to newsletters, or for downloads protected by a “registration” wall, you’ll quickly experience mailbox overload because of ‘spam’… eh, sorry, commercial messages you didn’t ask for.

Another issue: you usually have only one personal mail address available on your mail platform, and certainly on enterprise systems you can’t create alternative mail addresses at will. Unless you own the domain name, of course, but that’s mostly an option for personal use or small companies…

And apart from the mail overload, you’ll notice that many companies sell your mail address to address brokers. And even with the GDPR in place, many of these address brokers have the bad habit of scraping mail addresses from the internet, including public and government sources…

So, the question is: how do you manage this to protect your personal data, prevent mailbox overload and stop abuse of your mail address?

The mail alias to the rescue!

Implementing the mail alias

What is a mail alias?

A mail alias is an alternative name for the master mailbox. Usually a mail alias forwards mail to the target mailbox.

In many cases that mail alias can also be set up or used as a temporary name for the target mailbox, whereas switching a whole mailbox on or off when you need it is pretty cumbersome or difficult.

Purchase a custom domain name

The most interesting option is purchasing a custom domain name (preferably a short one).

In most cases, local domain registrars can offer you a mail domain for a few bucks a year. It’s worth the money, I promise. Further explanation below.

Just a practical hint: make sure to use a domain registrar that offers unlimited mail aliases.

In this case, you can forward any mail alias of the custom domain to your mailbox (e.g. news@short.url to subscribe to newsletters, and filter them into a newsletters subfolder in your mailbox).

Use the “+” mail alias

If purchasing a custom domain is not an option, you can check with your mail platform or mail administrator whether you can use a “+” alias.

That’s a format supported by the internet standards (RFC 5233: https://tools.ietf.org/html/rfc5233), which allows extending a master mail address with receiver suffixes (BEFORE the @ sign) that still deliver the mail to the receiver. Google calls it “task-based” variations of the mail address. On the internet you’ll generally find it described as “+” aliases.

Some examples: firstname.lastname+download@yourdomain.url, or name+news@yourdomain.url.

See the references section at the end of the article for details on how this “+” alias works for the well-known mail platforms…

Using dummy or temporary addresses against spam and registration walls

I don’t know how you do it, but it frequently happens to me that I need to download a “free” white paper, which only seems to be free if you ‘pay’ with your contact details.

In most cases, they force you to “consent” to receiving marketing… in GDPR terms it’s not considered consent if it’s forced. But essentially they force you to submit your personal data.

If you don’t want to disclose your data just for that single download, or if you want to avoid getting too much spam, what do you do?

Your custom domain

An easier, but less cheap, option is to use your purchased custom domain (provided you can have multiple mailbox aliases).

The quick and dirty way: create an alias like download@yourdomain.url, keep it disabled by default and only enable it when you need to receive a download link. Afterwards, disable it again.

Temporary mail (when using your custom domain)

In some cases, you literally need a mail address just once. E.g. when you want to download a “free” white paper, many companies harvest your mail address, put it in a CRM system and keep spamming you afterwards. It’s fairly difficult to escape the forced consent or registration.

When you can use a temporary mail address, you enable an alias or dummy address, register for the download with it, then disable the alternative address again. That way the address cannot be used for spam or marketing you don’t want. Easy.

Advantages

Keep your inbox clean: Mail filtering using simple mail rules

One of the most prominent advantages of using aliases is that most mail clients can use the receiver address (or alias) to filter and manage incoming mail.

Based on the target receiver alias, you can set rules to move incoming mail from your inbox to another folder.

Basically a simple mailbox optimization technique to make your life easier.
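As an added example, not code from the original post, the Python below implements such a rule: it splits a delivery address into user, RFC 5233 subaddress and domain, recognises both the “+” scheme on a provider mailbox and the custom-domain scheme where every local part is an alias, and maps the alias tag to a folder. The mailbox, domain names, tags and folder names are constructed assumptions; the rule should look at the Delivered-To header, because To: may be a list address or anything the sender chooses.

```python
from email.utils import parseaddr

# Constructed configuration (assumptions, not from the original post): the
# mailbox that "+" tags hang off, the custom domain whose every local part
# is an alias, and the folder each alias tag should land in.
MAIN_USER, MAIN_DOMAIN = "firstname.lastname", "provider.example"
CUSTOM_DOMAIN = "short.url"
FOLDER_RULES = {
    "news": "Newsletters",
    "download": "Downloads",
    "linkedin": "Logins/LinkedIn",
}


def split_subaddress(address, separator="+"):
    """Split 'user+detail@domain' into (user, detail, domain).

    RFC 5233 convention: everything after the first separator in the local
    part is the 'detail' (tag); detail is None when there is no separator.
    A display name ('Me <me@x>') is stripped and the domain lower-cased.
    """
    _, bare = parseaddr(address)
    local, _, domain = bare.rpartition("@")
    user, sep, detail = local.partition(separator)
    return user, (detail if sep else None), domain.lower()


def alias_tag(delivered_to):
    """Return the alias tag that selected this delivery, or None.

    On the provider mailbox the tag is the '+' detail; on the custom domain
    the whole local part is the tag. Anything else is not one of our aliases.
    (Provider quirks such as Gmail ignoring dots are not modelled here.)
    """
    user, detail, domain = split_subaddress(delivered_to)
    if domain == MAIN_DOMAIN and user.lower() == MAIN_USER:
        return detail.lower() if detail else None
    if domain == CUSTOM_DOMAIN:
        return user.lower()
    return None


def folder_for(delivered_to, rules=FOLDER_RULES):
    """Pick the folder a mail rule should move this message to."""
    tag = alias_tag(delivered_to)
    return rules.get(tag, "INBOX") if tag else "INBOX"
```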

Securing internet logins

Another major advantage of aliases is to use them as an alternative for single sign-on.

Instead of logging in to multiple platforms with the same mail address, you use one unique address per platform. E.g. linkedin@short.url for LinkedIn, facebook@short.url for Facebook, and so on.

Of course, it’s quite important to use different passwords or authentication methods too (incl. MFA).

The main reasoning behind this approach is: if one login is breached or leaked, the other accounts are not impacted.

If you don’t think you can manage this collection of passwords, there is one good tip: use a password manager to replace your memory.

Use a password manager anyway.

Detecting data breaches

When you use one mail address (alias) per internet login, you can also trace very easily whether a website is selling your data to partners, other companies or personal data brokers.

You can simply see who sends mail to each alias, and whether that sender domain matches the platform the alias was created for… or not.

If your login alias is used by an unauthorized party, you can initiate a GDPR data subject access request to track how it got there (against both the original data controller and the secondary party).

And when using a custom domain (or some “+” alias mail providers), you can simply disable or remove the mail alias, so it becomes useless to the perpetrators.
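The following Python is an added example, not part of the original article, of the check described above: for a set of login aliases it lists every sender domain that is not the platform the alias was created for. The aliases, owner domains and sample message headers are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Legitimate sender domains per login alias (constructed assumptions, not
# from the original post). Only the listed aliases are monitored.
ALIAS_OWNERS = {
    "linkedin@short.url": {"linkedin.com"},
    "news@short.url": {"vendor.example"},
}

# Constructed sample messages (headers only), as a mail client would see them.
SAMPLE_MAIL = [
    "Delivered-To: linkedin@short.url\nFrom: LinkedIn <messages-noreply@linkedin.com>\n\n",
    "Delivered-To: linkedin@short.url\nFrom: Great Offers <deals@broker.example>\n\n",
    "Delivered-To: news@short.url\nFrom: Vendor <news@mail.vendor.example>\n\n",
]


def _domain(header_value):
    """Lower-cased domain of the first address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _alias(msg):
    """The alias the mail was really delivered to (To: is sender-controlled)."""
    _, addr = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))
    return addr.lower()


def is_expected_sender(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def find_exposed_aliases(raw_messages, owners=ALIAS_OWNERS):
    """Map each monitored alias to the unexpected sender domains that used it.

    Any hit means the alias is known outside the platform it was created for
    (sold, scraped or breached). From: is sender-controlled, so treat the
    domain as a lead for a GDPR access request, not as proof of who leaked it.
    """
    exposed = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias = _alias(msg)
        if alias not in owners:
            continue
        sender = _domain(msg.get("From"))
        if sender and not is_expected_sender(sender, owners[alias]):
            exposed.setdefault(alias, set()).add(sender)
    return {alias: sorted(doms) for alias, doms in exposed.items()}
```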

One-time-use temporary mail domains

The first and easiest option is to search the internet for “temp mail” or “temporary mail addresses”.

You use these addresses for quick, one-shot use.

Disadvantages

Custom domain management

Managing your own custom domain might be cumbersome, depending on how user-friendly the management of aliases is. Certainly managing dynamic aliases for multiple users is time-consuming.

But managing a custom domain for your own use, for a few bucks a year, is really worth the time and money.

If you cannot disable “+” aliases …

… then you might be in trouble because you cannot stop the abuse. In many cases, you’ll need to unsubscribe or contact the platform owner directly and demand that they remove your data.

Temporary mail domains

The major disadvantage is that a lot of spam (eh, sorry) marketing websites publishing these ‘free’ downloads will recognize these temporary mail domains (like Mailinator, Guerrilla Mail, Temp Mail, …) and refuse them.

In most cases you’ll have to try a few options, as some of these temporary mail services offer alternative domains, such as dynamic domains rather than hosting mail only on the master domain. And very important: whatever mailbox you use on these temporary domains, anyone can read or access it, so make sure nothing important or private is sent there.

Bonus: the “oh shit rule”

While I’ve been focusing on the security & data protection features of the mail alias, I still want to mention an important principle to protect your reputation: the “oh shit rule”.

The principle is simple: delay sent messages by one or more minutes before they are actually delivered to the receiver. It gives you a bit of slack to fix a mail or, in the worst case, cancel it if you regret sending it, to avoid embarrassment or searching for a new job.

Some useful references

Below you’ll find some interesting articles on managing aliases on the well-known mail providers.

Gmail

Microsoft Office 365 “+” alias

Yahoo

Other providers

Other providers, like Protonmail, … also provide the “+” alias option, sometimes by default. Carefully check whether you can remove the “+” alias or not.

Custom mail address RFC standard

Name: Peter GEELEN
Director & Managing Consultant @ Cyber Minute, Managing Consultant @ Quest For Security

Leuven, Belgium
