Email Aliasing Strategy Planning

Here’s a cleaned-up rewrite that keeps your meaning and structure largely the same, just clearer and smoother:


I’m planning to switch to a more secure email setup using the commonly recommended providers and tools. However, there are a few points I haven’t been able to find clear answers to in other forum posts or recommendations. I’ve listed them below.

Notes on my approach:

  • I do not plan to use a custom domain anytime soon.

  • I’d prefer to avoid subscribing to the full Proton suite; a SimpleLogin or Addy.io subscription is ideal.

  • Proton will be my main email provider.

My questions:

  1. The ideal setup seems to involve using a unique alias for each service. However, many aliases end up looking “messy.” If I need to give out an email address in person (for example, at a doctor’s office), what’s the best way to handle this? Should I just pull out my phone and write down an alias?

  2. If I forward emails from my old email account to the new Proton account, should I forward them to an alias that then redirects to Proton, so the old provider doesn’t learn my actual Proton address?

  3. What are the benefits of using an alias for accounts that already contain other personal information?

  4. How bad is it to group multiple services under a single alias? This would avoid needing any subscriptions.

  5. Slightly unrelated: Is it recommended to formally delete unused accounts, or is it fine to leave them inactive?

Thanks in advance for any help.


3 Likes

I suggest at least buying Proton Mail Plus with Proton Pass or at the very least Proton Pass (because you get SL Premium along with it and vice versa).

Yes

Why? How? All are stored in your SL account or within your Proton Pass.

There’s a feature within SL where you can set up a sub domain and then easily make email addresses on the go for whatever service/reason you want.

For example: doctorname@subdomain.simplelogin.com . Check out this feature.

If you make aliases on the fly, they will show up in your SL as any other so you don’t need to keep track necessarily.

Not needed. Do a simple forward. Your old provider knowing or not knowing your address doesn’t matter normally, unless you have a special reason why it does.

Benefit is forming good habits, improving your OPSEC, and not adding to the pile where some personal info may already be gone.

This would depend on how compartmentalized you want your email aliases to be with the services you use them with. I’d make one for each. Easy to manage and do what you want with that email.

Really a personal preference. You can leave them be inactive or delete them if you’re sure you are not going to ever need it.

Hope this helps!

3 Likes

JG really hit the nail on the head, but I’ll add one note on this last point: poison the unused accounts. Change any PII you can - name, address, phone, birthday, etc - to random nonsense. This can/should/may make it harder for any hypothetical data broker to scrape data off this account & use it to build a profile linked to your IRL persona. I do this even before deleting accounts.

It won’t be messy. Use site+randomsuffix@protondomain.tld combination for each site.

yes. SL or Proton Pass can generate aliases on the fly.

I suggest you change your accounts completely.

compartmentation and lowering your attack surface

If one of the services has a breach or compromise, all of your accounts will be vulnerable.

it is best to request account deletion completely from the web site / service

Personally, I use MySudo if I need to give my e-mail address in person. Basically, just have another e-mail address for this purpose so that you don’t give out your Proton e-mail.

It’s not necessarily a bad thing to use one alias for one reason e.g. one alias for subscription services. IF you intend to use SimpleLogin for example, they only give you 10 free aliases, so you can only have so many e-mails for compartmentalization.

For security though, using unique aliases for each account is ideal, but I wouldn’t say it’s “bad” to group multiple services under one alias.

It is difficult (and time consuming) to delete all of your unused accounts, but try to at least target the ones that could contain any PII. I would say if you start deleting all unused accounts you can find, you will build up a habit of deleting unused accounts in the future, which could be necessary for your threat model.

Do you plan to in the future? If so, why not do it once and do it right?

A custom domain makes you independent of the email service provider you choose today as you can easily migrate to another in the future without changing your addresses. What happens if Proton gets bought and turns to shit in the future? A custom domain mitigates that risk at the cost of blending in with other users.

I have read some horror stories (example below) involving people accidentally wiping their entire pool of aliases with Proton Pass’s sync functionality, something I have done myself actually, but because I use a custom domain the Catch-All was able to trivially recreate each one.

I currently have one alias I use for medical practitioners. However, if I am emailing a doctor for the first time, and I don’t know if they will be my doctor because I am simply inquiring about their service, I use a different alias.

I have come across a lot of medical practitioners who use Gmail. As far as I can remember, I have never been a patient of one, but if I was, I would never email them with any medical information. I would either send an encrypted email, or password-protected PDF file. I would also ask them not to comment on my health on any medical treatment if they plan to email me.

But the reality is, if you email an oncologist doctor, and they use Gmail, it doesn’t matter if you don’t reveal anything personal about yourself, because a lot is already implied. If that doctor is local, I would simply call them. You can also email them anonymously if all you just want is to inquire about their service. That means using an alias and a fake name. I have done that before.

In my opinion, this is a good idea. I don’t think I have ever emailed my Gmail account with my Proton address or vice versa. Admittedly, I’ve used Proton Mail for years, and I have never used my default address because I don’t want it to be exposed to spam.

You mean like using an alias for Facebook when they know your real name and DOB? At the very least, it’s one less data point to cross-reference. Same for your insurance company. Also, from a security standpoint, it makes you harder to hack. If someone has access to your email, they can potentially reset and as a result access a lot of your online accounts. That’s why using unique aliases and passphrases combined with 2FA via authenticator app is extremely useful.

How does it avoid needing multiple subscriptions? Can you explain?

In general, it’s a good idea, yes. Especially if you haven’t used them in years. There are of course exceptions. As a general rule, if I am switching password managers, I will wait at least a year before deleting my old account. This is with the understanding that when I change password managers, I change all the passwords for my accounts, including the password for my old password manager. So even if somehow someone hacked my old password manager account, none of the passwords would work.

2 Likes

I do exactly this yes. Copy the alias into a field fullscreen so that it’s properly readable.
I can recommend Addy, it is much better in terms of UX (I tried both). Also their latest release makes the whole sharing process even smoother.

Every time I do create a new alias I do add a quick description so that it’s easier to find down the road.


Very much yes!

In case of a data leak, you can know where it comes from if you do have 1 alias per 1 account and never reuse an existing alias for anything else. Also allows you to quickly disable it in case of the service spamming you with promo emails or sorts. Probably other advanced things you could benefit from but definitely not on anonymous part yeah. :sweat_smile:

I think it is quite bad and should be avoided to compartmentalize properly.
I do recommend a yearly gift card, it is not crazy expensive (if you can allow it) and can change someone’s life if being honest[1]. :slight_smile:

Also you don’t really blend into an anonymous mass if you do reuse the same alias.

More effort to delete them for sure. Go incremental and try your best, it will be cumbersome…
Also, you will never have proof that it is actually deleted but you can at least hope that your account might be deleted. Also, helps with cleaning up your account in case you left sensitive/personal stuff related to it. :ok_hand:


Besides that yes, Addy → Proton is cool and no need for a custom domain.

Yes but it kinda defeats the purpose of being truly anonymous. Also not sure how the people from the doctor’s office would react sending an email to the alias with the doctor name in it rather than the patient’s name.
I stopped doing that myself. I also have a fun time reading the generated alias every time. :joy:

If you can, you could indeed start fully fresh. Use a VPN and some different browser to maybe make it less obvious that you’re the same person under a different alias.

Not available everywhere + not an unlimited amount of aliases.

Most people do use aliasing to blend-in tho.
Having first.lastname@company.com is the last thing people want to do I’d say.
Addy doesn’t have that scary sync issue either and the author kinda thought of the bus problem but yes, updating all addresses away from the alias would be a chore. Not everything is perfect I guess.
And if you have an easy export tied to the name of the service using it, it might also be easier to do.

Best would be a link to a place where they could read the file X times or until X date, with NO possibility to download it, password protected of course too so that way they won’t just leave it in their database or computer.
They could of course always take a screenshot with their phone but eh, very much breaching their own medical laws there. :sweat_smile:
Best thing would also be to come see them in person, show them the file, then leave with the file (and not letting them scan it or alike).

Good call yes!

Free tiers of Addy/SL allow for only a limited amount of aliases.


  1. peace of mind of not being constantly spammed by emails because you can turn them off anytime is a blessing ↩︎

2 Likes

I know, which is why I followed with “basically, just have another e-mail address for this purpose”. If I’m finding a new job for example, I have a work e-mail with a professional username. And I have a third e-mail for spam.

I hadn’t taken you to be obtuse…

First, what?! Anonymity should not be a concern/issue, privacy should be. You’re dealing with your doctor. There’s only so much you can do. There are far greater issues than this for your privacy and anonymity when getting medical care. This barely qualifies as being a real issue. Thinking of anonymity when getting professional medical care is silly to say the least. Yes, you should try and maintain your privacy and not provide info that can leak if you can help it. This doesn’t mean you try to maintain or be anonymous here. By your logic, the doctor or their office should not even know your name or medical history before helping you. That doesn’t make sense if you’re looking at this from anonymity POV.

Second, that was an example. I didn’t mean to imply that it’s the only way you can or should add the doctor’s name for the alias you’re trying to make on the go. Geez. I thought this was clear.

Third,

Since when does this matter when you’re trying to ensure optimal OPSEC? Yes, it may and will be odd but that’s a legitimate email address they can use for email for you to receive anything they send. Why even think or consider this as a concern.

Sorry, don’t mean to sound harsh but I only say this as I feel my comment based on your response to it was taken and inferred incorrectly.

1 Like

I think most people use aliasing for compartmentalisation (spam filtering as it lets you easily torch the alias and security as you use different login details for every service). It’s not meant to provide you with anonymity, or even privacy, and you would blend in the most with gmail if that was the priority.

That’s not the use case of a custom domain for aliasing, the trick is to set up catch-all and use it in conjunction with a pattern that you control. The custom domain could be generic sounding (guidesmail.com is free), and the pattern could be anything you want (I randomise a string of consonants and vowels).

This gives you options: you can still use SL-generated aliases for one-time purchases or to receive that e-book from that blogger, and custom domain aliases for persistent accounts.

It also empowers your email management. For instance, you can even think of suffixes in your pattern such as CVCVCVsh@guidesmail.com which would be caught by a Filter that routes emails where the recipient ends in sh@guidesmail.com to a “Shopping” folder.
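The catch-all pattern described in the post above, sketched in Python as an added example (not the poster's own setup or any provider's API). Only the `sh` suffix, the "Shopping" folder and `guidesmail.com` come from the thread; the other suffixes, the registry, the "Quarantine" folder and all function names are assumptions. It contrasts a plain "recipient ends in" filter with a check against the aliases actually issued, which also records which service each alias was given to.

```python
import re
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"
DOMAIN = "guidesmail.com"  # domain named in the thread

# Suffix -> folder. Only "sh" -> "Shopping" is from the thread; the rest are assumed.
FOLDERS = {"sh": "Shopping", "fi": "Finance", "so": "Social"}

# Full alias shape: three consonant-vowel pairs, a two-letter suffix, the domain.
ALIAS_RE = re.compile(
    r"^((?:[%s][%s]){3})([a-z]{2})@%s$" % (CONSONANTS, VOWELS, re.escape(DOMAIN))
)


def new_alias(category):
    """Generate a CVCVCV<suffix>@domain alias using a CSPRNG."""
    if category not in FOLDERS:
        raise ValueError("unknown category suffix: %r" % category)
    stem = "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(3)
    )
    return "%s%s@%s" % (stem, category, DOMAIN)


def naive_folder(recipient):
    """The simple filter: route on 'recipient ends in <suffix>@domain' only."""
    addr = recipient.strip().lower()
    for suffix, folder in FOLDERS.items():
        if addr.endswith("%s@%s" % (suffix, DOMAIN)):
            return folder
    return "Inbox"


def route(recipient, registry):
    """Return (folder, service) for an incoming recipient address.

    registry maps each issued alias to the one service it was given to.
    A catch-all accepts any local part, so an address that does not match
    the pattern or was never issued is quarantined instead of filed.
    """
    addr = recipient.strip().lower()
    match = ALIAS_RE.match(addr)
    if match is None or addr not in registry:
        return ("Quarantine", None)
    return (FOLDERS[match.group(2)], registry[addr])


if __name__ == "__main__":
    alias = new_alias("sh")
    registry = {alias: "bookshop.example"}  # constructed sample entry
    for rcpt in (alias, "gibbeish@guidesmail.com", "hellothere@guidesmail.com"):
        print(rcpt, naive_folder(rcpt), route(rcpt, registry))
```

Because each alias maps to exactly one service in the registry, mail arriving at an alias from an unrelated sender points at the service that leaked or sold the address.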

I saw it yes but I am more of a “applying to 50 job places with 50 unique aliases” kind of person especially when companies consider you as cannon fodder (and MySudo doesn’t allow for that unfortunately). :frowning:

Both sentences are separate here and not related. :+1:
Was mostly talking about the idea of adding a prefix in general and not specifically to the doctor situation.

As for my recommendation of not giving too many documents to doctors it comes from that news where a girl couldn’t opt out from his doctor oversharing while she explicitly said no.[1]
Anyway, not saying it’s prio #1 but mostly recommending to not give away your entire life to doctor that might not care/leak it (especially if totally unrelated to a given illness).
Maybe it’s me being bitter with dutch doctors treating people here like shit idk, more distrustful as of recently for sure.

Privacy is more prio in this case yes, you misunderstood the quoted sentence from me in your response. :slight_smile:


For second, I do agree but somebody new to aliasing might not know better.
Anyway, not sure if it is fitting to set something custom by yourself, I personally always leave it with a random word because it doesn’t matter anyway.


For third, I just thought it would be more confusing than a random word, that’s all.
Not a concern in itself, more of a QoL for everybody to not bother with figuring out something on the go and let the random generator handle it.

You are anonymous because you don’t subscribe to a newsletter with hi@kissu.io but rather cute.sunflower32@addy.io and there is no way to trace that subscription to me directly.
Doesn’t apply to public facing accounts like a Facebook but it’s still fine and an alias can still be used there.
At least, this is how I do it for things where I don’t want my domain to be tied to any company/service. Otherwise, I can also use a regular conference@kissu.io or alike.

Given my previous paragraph, it makes sense from an anonymity POV.
If you want to build a business brand identity, sure go on and use a catch-all on a domain name.
Both are very different use cases.

Moreover, even if a catch-all is cool, you don’t really need an aliasing service for that, especially if people can just spam with gibbeish@guidesmail.com or hellothere@guidesmail.com and that all of those will land into your emailbox. This is (personally) the last thing I wanna have because you can’t really stop it no more after (and don’t recommend blocking with a regex later on :joy:).

It comes down to need/preference tho, nothing wrong with that approach. :+1:

But even if I don’t want to be anonymous, I honestly don’t want to have to figure out something random like facebook@guidesmail.com, I just use a random thing to keep it simple.
I’ll just add a quick description on it down the road when I have some spare time, Addy makes it very nice with its UI unlike SL…

I don’t really see the need to have a persistent account in case of a shared alias (ending in *.addy.io).
In case of a personal domain name, why not.
My personal approach is to never give anything personal tied to my domain name.
I communicate with a freelance client using a random-generated word from SL, they never had any issue with that, they don’t even care.
And I even convinced them to move to Signal to avoid any passwords to be sent in plaintext.
Works for me just right.

There are very rare cases that I could see justifying using a custom domain while sending an email somewhere tbh. But that’s my personal approach as of today (not interacting with humans no more by email, just using it for notifications/newsletters/etc) since otherwise sensitive info will leak.
Email’s UX is quite awful to begin with anyway.

I do that on my email client’s side already yes as mentioned here thanks to folders, filters and labels.
I mostly just add the alias manually to a filter, don’t want to risk it with a regex pattern. Also I don’t have 60 different places that I shop from anyway, trying to be more mindful of my footprint. :smiling_face:


  1. can’t find the link to that one no more, happened somewhere in Scandinavia I think ↩︎

I think you’re over-complicating things than they need to be, based on what OP is asking.

Also, any “misunderstandings” or misunderstandings here likely stem from reading and understanding the English language from our own societal & cultural POV, it would appear. Or at least that’s what it seems like when corresponding with some people here.

My initial post is as simple as it can be to not overwhelm OP.
I explain more advanced use cases because people challenge my setup, doesn’t mean OP needs to replicate the same. But they could take inspiration and make something similar (maybe).
It is actually simpler and fits within their condition of not getting a custom domain. :folded_hands:

My english is decent but not english-native perfect, I might misread or misinterpret some phrasing/words, sorry ahead of time if that happens. Hopefully, you can bear with me and not get offended. :mending_heart:
But cultural POV is also definitely a thing yes.

3 Likes

Totally understandable.

I 1000% agree. Ideally, my default would be to share a link from a password protected note from Notesnook. However, Notesnook’s share links never change. Meaning that if a link for a note expires, and you share that note via link again, the URL will be identical to the previous one. I reported this issue on PG 2 years ago. Notesnook’s developer @thecodrr said they plan to address it, but they haven’t done anything about it yet.

I see. Yes, if you are on a free tier, you have to be economical on the number of aliases you use. If @CM2 plans to use the same alias for multiple services because they’re on a free tier, they might consider subscribing to Addy’s lowest paid tier, which is I believe $12/year. It allows 50 unique aliases, and unlimited aliases linked to the same unique subdomain. The latter isn’t best for privacy, but it’s better than using the same alias.

It depends on your situation, I recently wrote to a renowned international medical organization. I needed help with information and asked them to point me in the right direction. I was not writing to them as a patient. In this specific case, I disclosed that I was using a fake name for privacy. I also shared a lot of personal information about myself and my health. Their response was very compassionate, and they understood.

If you’re a patient, then it makes sense to share your name. But if you’re not, you don’t always have to. A hybrid strategy that I have used when emailing doctors who will treat me is that I only share my first name.

Suppose my real name is JORDAN GREEN.

I will use the first letter of my name (J) as the prefix to my random alias:

j.beaver123@passmail.com

And my display name will be JORDAN G.

The G stands for GREEN, which is my real last name.

However, I have noticed that even though my display name says JORDAN G., the people replying will assume my last name is BEAVER because of my alias.

Even if I sign my emails with my full name JORDAN GREEN, some recipients including companies and medical practitioners incorrectly address me as Jordan Beaver in their emails and invoices. I’ve had to correct them a few times.

Regardless of if you use Addy or ProtonPass or SimpleLogin, you can change your display name, and only include your first name in that display name. You have many options:

JORDAN
JORDAN G.
J. G.

It should be noted for OP as they are a beginner and is asking to be explained what they’re asking simply, there are no real rules on how to go about this. Follow the sound logic, ideas, principles people have mentioned in this thread and use it as you want to per your convenience ensuring of whatever you want to.

Some comments here are explaining it well but are also advanced for OP and could be overwhelming for them to follow and could also lead to analysis paralysis or indecisiveness.

(this comment is not particularly directed at you but saying it in general..)

Even if you share, then update the note?
Rough if it doesn’t change. :sweat_smile:

Not sure if calling out a webdev here is appropriate but I do hope that you have posted a github issue with it. :mending_heart:

Tbh, 3€/m is not super crazy expensive either for the full unlimited experience and still less expensive than some other suites of ecosystems on discounts (if you take the best tools in the domain, they might be overall better and less expensive than a full package that is overall mid).

Nice to read some positivity here! :mending_heart:

Very fair assumption I think.
Depending on the situation, I either:

  • give all my first lastname
  • just leave it as _ because you don’t always need to know who I am

Given the post time, OP is probably sleeping or busy right now.
Meanwhile some people on this forum are quite active and like to exchange their own tips/tricks, but I do not think it’s a bad thing overall because it can always be used as (advanced) ideas for them down the road.

It is quite fine hearing several opposing voices before making a decision and I don’t think that locking this thread or alike would serve any good because they can still be into analysis paralysis nonetheless. :face_savoring_food:

1 Like

Thanks all for the thoughtful replies (and sorry I couldn’t be more active). It has been very helpful reading through them all.

For now, I’m going to continue to think and make sure it’s right for me before I commit to anything (as switching is enough work, much less doubling back to undo anything I dislike).

As of now I am thinking the approach I go with would be the lowest tier addy.io subscription which would give me 50 aliases which should be plenty as I have previously deleted all the accounts I no longer used (and based on the responses here hope to continue to do so).

As for giving an email out in-person, I am leaning towards it being a non-issue that I was perhaps overstating. I think it’s probably fine to give a “clunky” address anyways, they shouldn’t really care. And it’s not like I’m unable to check what the alias is at any given time.

2 Likes

I don’t have a subscription (I don’t want to share my payment information), and here’s how I do it. I only connect serious services to SimpleLogin: I have aliases linked to just one service, and others for several. For less serious services, I use AliasVault (one alias per service, but it doesn’t yet have pixel tracking protection). Addy is a great service, but I avoid anything related to England (for me, it’s the most toxic jurisdiction).