DuckDuckGo Email Protection (aliasing service)

You can change the forwarding provider when you sign into your account on the app, it’s under the account tab

I know this, I also use the service and I like it. Now try changing it to any new email. You will need a confirmation code. The code is sent to the old email. What happens if it is down? You cannot receive a code. Try it.

i forgot where i got this information from but i’m fairly sure they said something along the lines of, in this scenario you can email them and they will change the emails for you.

but that’s a good point because i’m not sure how well that bodes for security - if someone knows your current forwarding address and personal duck address they can literally change the forwarding address to theirs

EDIT: here I’ve lost access to my forwarding address, how do I change it to my new one? | DuckDuckGo Help Pages

2 Likes

This is an extreme case, I don’t know any decent provider to black out for hours/days.

Even if this be the case, I always forward to my alias@mydomain, so in the extreme case, I would change the MX on the spot, if I really needed it.
But this is very far-fetched.

1 Like

I wrote a user script 🙂

Desktop User Agent
// ==UserScript==
// @name         DuckDuckGo User Agent Changer
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Change user agent to DuckDuckGo for all links on duckduckgo.com
// @author       Defixy
// @match        *://*.duckduckgo.com/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    // Define the DuckDuckGo user agent string
    const duckDuckGoUserAgent = 'Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.6099.193 DuckDuckGo/18 Safari/537.36';

    // Function to change the user agent
    function changeUserAgent() {
        // Get all links on the page
        const links = document.querySelectorAll('a');

        // Iterate over each link
        links.forEach(link => {
            // Check if the link is on duckduckgo.com domain
            if (link.hostname === 'duckduckgo.com') {
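                // Override the navigator.userAgent property when this link is clicked
                // (this changes what page scripts read, not the HTTP User-Agent header)
                link.onclick = function() {
                    Object.defineProperty(navigator, 'userAgent', {
                        get: function () { return duckDuckGoUserAgent; },
                        // configurable so a later click can redefine it without a TypeError
                        configurable: true
                    });
                };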
            }
        });
    }

    // Run the function when the page loads
    window.addEventListener('load', changeUserAgent);
})();

Mobile User Agent

// ==UserScript==
// @name         DuckDuckGo User Agent Changer
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Change user agent to DuckDuckGo for all links on duckduckgo.com
// @author       Defixy
// @match        *://*.duckduckgo.com/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    // Define the DuckDuckGo user agent string
    const duckDuckGoUserAgent = 'Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/121.0.6167.165 Mobile DuckDuckGo/5 Safari/537.36';

    // Function to change the user agent
    function changeUserAgent() {
        // Get all links on the page
        const links = document.querySelectorAll('a');

        // Iterate over each link
        links.forEach(link => {
            // Check if the link is on duckduckgo.com domain
            if (link.hostname === 'duckduckgo.com') {
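                // Override the navigator.userAgent property when this link is clicked
                // (this changes what page scripts read, not the HTTP User-Agent header)
                link.onclick = function() {
                    Object.defineProperty(navigator, 'userAgent', {
                        get: function () { return duckDuckGoUserAgent; },
                        // configurable so a later click can redefine it without a TypeError
                        configurable: true
                    });
                };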
            }
        });
    }

    // Run the function when the page loads
    window.addEventListener('load', changeUserAgent);
})();

3 Likes

Another small workaround I use to avoid having to use the app all the time is just to generate 10 aliases at once and store them in my password manager. The aliases don’t expire so i just use these until i’ve run out and then generate 10 more.
I definitely agree this is a workaround for an annoying app though, would much rather it wasn’t needed.

2 Likes

Why not just use Bitwarden?
(I don’t mean this to be aggressive, just genuinely curious)

2 Likes

I could do and I used to, but I don’t use Bitwarden anymore for my password manager, I use KeePass instead. It would mean having Bitwarden installed just for creating aliases.

2 Likes

We definitely need a formal comparison, although it seems to me that the unlimited shared domain aliases is a big win for Duck Duck Go (DDG), whereas the nearest competitor has a mere 10. However, there are many more features to compare between the free versions of DDG and addy.io for example.

Also, the @duck.com domain is totally fun, I have taken the opportunity to get myself some cheeky email address using this domain, because DDG allows you to make one completely custom email address per account (can you see where this is going).

One feature that DDG seems to exclusively provide is email address filtering, however, this seems to be redundant (although maybe DDG could filter things Proton misses) since I believe that Proton Mail (the free version) also does this.

Consequently, the free version of DDG is similar to the paid version of addy.io.

There are no privacy trade offs with using DDG either, because the service is so simple, i.e., not unnecessarily complex, you can reap the benefits of the service by installing their extension once, and then setting DDG up on Bitwarden, before uninstalling their browser extension.

Another feature I forgot to mention is that there is no signup involved, you only need to provide DDG your email address.

With DDG you can not track your aliases, but this is intentional, aliases along with the ‘trackers blocked’ statistic, are shown within banners in the emails themselves, when these aliases receive emails, in your non-alias inbox.

DDG also provides unlimited replies and the ability to send emails from your aliases for free! Tracking these statistics seems to have no purpose, although addy.io provides you with this ability for some reason.

I am currently using addy.io, would everyone agree that the most optimal solution (as a free user) is to use the DDG aliasing service via Bitwarden?


Below are definitions of standard versus shared domain name aliases for reference (from addy.io’s help page):

Standard Aliases - Standard aliases use a domain that is unique only to you, all aliases for your custom domains are classed as standard aliases. Standard aliases can be created automatically when they receive their first email (if catch-all is enabled for the domain). If you signed up with a username of johndoe and gave out the following alias - hello@johndoe.anonaddy.com then this would be a standard alias.

Shared Domain Aliases - A shared domain alias is any alias that has a domain name that is also shared with other users. For example anyone can generate an alias with the @anonaddy.me domain. Aliases with shared domain names must be pre-generated and cannot be created on-the-fly like standard aliases.

After reading this you should be able to see why standard domains are much easier to track across sites (because they are completely unique to you), and why this is a huge benefit that DDG has over addy.io.

If an army of @duck.com domains flood online internet services with the randomised email address (quack!), for example: 4kt6cil9@duck.com, it will be hard to determine you are the same person on one website compared to another, where you and others would have the same domains, but different addresses, across different services. I.e., you would generate another random address for another service and fit amongst other DDG users. To make matters more complicated for adversaries, duck email addresses always have the same number of characters (8) for each randomised alias.

This is a kind of unclear explanation, if someone can explain this in more detail be my guest.

5 Likes
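
Added example, not written by anyone in this thread and not DuckDuckGo or addy.io code: a small audit of your own alias inventory (for instance a password-manager export) that shows the linkability point made above about standard versus shared-domain aliases. The shared-domain list is an assumption built from the domains named in the thread, and every address other than the quoted 4kt6cil9@duck.com is constructed; any domain not on the list, including a custom domain of your own, is treated as unique to you.

```javascript
// Assumption: domains that many users share (both are named in the thread).
const SHARED_DOMAINS = new Set(['duck.com', 'anonaddy.me']);

// Split an address into local part and domain, compared case-insensitively.
function parseAddress(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) {
    throw new Error(`not an email address: ${address}`);
  }
  return {
    local: address.slice(0, at).toLowerCase(),
    domain: address.slice(at + 1).toLowerCase(),
  };
}

// The value two sites could compare to decide "same person".
// Shared domain: only the full address identifies you, so a fresh alias per site does not link.
// User-unique domain: the domain alone identifies you, whatever the local part is.
function linkKey(address) {
  const { local, domain } = parseAddress(address);
  return SHARED_DOMAINS.has(domain) ? `${local}@${domain}` : `@${domain}`;
}

// inventory: array of { site, alias }. Returns the groups of sites that share a link key.
function findLinkableSites(inventory) {
  const byKey = new Map();
  for (const { site, alias } of inventory) {
    const key = linkKey(alias);
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(site);
  }
  return [...byKey.entries()]
    .filter(([, sites]) => sites.length > 1)
    .map(([key, sites]) => ({ key, sites }));
}

// Constructed sample inventory (not real accounts).
const sampleInventory = [
  { site: 'shop.example', alias: '4kt6cil9@duck.com' },
  { site: 'forum.example', alias: 'p2m8xq7d@duck.com' },
  { site: 'news.example', alias: 'news@johndoe.anonaddy.com' },
  { site: 'bank.example', alias: 'bank@johndoe.anonaddy.com' },
  { site: 'games.example', alias: '4kt6cil9@duck.com' }, // same alias reused on a second site
];

console.log(findLinkableSites(sampleInventory));
```

The two fresh @duck.com aliases do not link to each other; the reused alias and the two addresses on the user-unique subdomain do.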

Privacyguides.org has a policy of multi-platform tools, so unless Duck browser is available in Apple OSes, Android, Windows and most Linux distros, then this is a problem.

I’m not sure they are interested in decoupling this from the browser, as the goal is to attract people to their browser.

I have tested it, and the way it works is: 1) Open Duck browser 2) go to mail at DuckDuckGo 3) accept the clear privacy policy 4) create your @duck.com mail address 5) put your normal mail address 6) receive a passphrase by mail 7) enter it 8) account is created.

To use the one-time aliases, just go to the website you want to sign up, and a duck logo will appear on the email field. Click on it and select either your permanent duck address, or a unique duck alias. And you are set.

Importantly, there is no list of all your aliases.

1 Like

Does it? PrivacyGuides has actually many tools listed that don’t have an official app available for every platform. Examples include Safari, Proton Drive, Aegis, Strongbox, etc.

DDG has its browser available for iOS, Android, Windows, and Mac, and the browser extension is also an option.

You can use your password manager to keep track of these. Not really a deal breaker, in my opinion. Of course, if a tool doesn’t work with your workflow, you can always choose an alternative that may suit your needs better. This is one reason PrivacyGuides recommends multiple tools in different categories.

1 Like

Safari is only recommended as iOS Browser, since it is de facto the only browser available on iOS (Apple mandates webkit). Furthermore locally-run tools don’t need to be cross-platform (useless).

For Proton, I believe it is available in web browser so it’s available on all platforms.

From the standard criteria guidelines :
“Cross-Platform: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in.”

Since DuckDuckGo browser isn’t PG-recommended*, and that this is in fact pushing for vendor lock-in I would avoid it. Extensions make you more fingerprintable.

To be fair, this duck project is great. Duck is building a privacy ecosystem. However, I think of PG as conservative, and we shouldn’t include projects without a necessity or that don’t meet the criteria.

*Their desktop app is still in beta, and on privacytests.org (Nightly section) it fails to block many trackers.

You don’t need an extension to take advantage of DDG’s email aliases.

I think the DDG alias project exceeds all the other aliasing services from my superficial understanding.

I disagree with some things you said, I think just because a company has one bad product, that doesn’t mean we should automatically dismiss their other product(s).

On the other hand I agree, I also don’t like how DDG is pushing for vendor lock-in, but fortunately for us, in this case we can use Bitwarden. The beauty of the DDG alias service is that it is so simple, so you are not missing out on anything from the extension aside from autofill (which is probably annoying for most people).

1 Like

> I think the DDG alias project exceeds all the other aliasing services from my superficial understanding.

it really doesn’t. saying the FREE plan is the most generous would be a better way to put it. because compared to paid alternatives ddg is in no way the best. to name a few, it doesn’t offer PGP encryption, doesn’t offer a way to list aliases you have created, doesn’t offer catch-all domains. yes, those features aren’t too massive but it does mean ddg isn’t the best when counting paid alternatives

2 Likes

DDG provides unlimited aliases. Why do you need list of aliases? They are totally unlimited, without limits to bandwidth.

Most alias providers (like Addy) limit aliases on shared domains and/or bandwidth.

DDG is the best solution for regular users that want just aliases.

Sending - free, unlimited forwarding, unlimited aliases. What do you need more?

And it doesn’t have “PaY mE pLeAsE” or “We HaVe PrrrrrrEmIuM PlAaaaN”.

1 Like

> And it doesn’t have “PaY mE pLeAsE” or “We HaVe PrrrrrrEmIuM PlAaaaN”.

what’s wrong with that? yes, ddg’s service is nice, but the lack of a premium plan is probably much more worrying than if they had one. not sure why this is mocked, services need money to exist. not doing so often leads to privacy invading services as companies need to get money whether or not you pay them. if we want things to last, we should challenge the mentality that we should not pay for anything we use

how do they plan to sustain this service? off search ads alone? that’s probably why they attempt to force you to use their extension/app which forces their search engine to generate aliases.

i would not be surprised if they at least heavily nerf their free plan in the future, or introduce some sort of paid plan themselves. it would be much better than shutting down, that is for sure

1 Like

Correct me if I am wrong (I have no knowledge in computer science), but is PGP basically unusable when using aliases, since you are signing up for services which send you automated registration emails (unless the website had an option to add your PGP key to them beforehand, and a preference for encrypted emails, which unfortunately no website has)?

From my understanding, PGP offered by email aliasing services is useful to encrypt info from your alias to your personal email, but not from the mailer to your alias. I am not sure why encrypting the contents of an email from your alias to your real email inbox is useful, since you already trust the two services with your emails (stored in the two inboxes) anyway. I don’t know if email aliasing services store your emails in an inbox, but assume they would have to temporarily before relaying it to your real email address.

PGP could be used when sending emails from an alias I assume.

I am hoping DDG make enough money from their search engine, browser and other products, and offer services like aliases using their generosity. But, I disagree with you, I think having no premium plan is the optimal situation, because I think DDG knows that they can hook people onto their ecosystem by using the aliases as a lure, kind of thing. So basically i reckon they are using their alias service as a way to incentivise people to use their other services or at least increase their chances of people using their services. Just like how bing chat is free, but costs money to run, microsoft wants more people to use their browser and search engine.

PGP public keys are added to the aliasing service, not the website you use aliases on. when the service receives the email from the website, they encrypt it with your public key before forwarding to you and you decrypt with your corresponding private key.

we shall see how this goes. if this service still remains as is in 5 years time, then i will be wrong

1 Like