New email aliasing tool - Quick Aliases on Skiff

Hello! We at Skiff launched a new email aliasing service today called Quick Aliases. Quick Aliases lets every user create a unique subdomain - for free - that allows adding unlimited aliases, online and offline. For more info, check out Skiff – Quick alias burner email address or a video here https://www.youtube.com/watch?v=_qbJ-83JOwU&ab_channel=Skiff

Let me know if you have feedback!

Threat model and security model: Skiff – Security Whitepaper - Read more

I also saw new guidelines for Reddit posting, but it seems like the subreddit still disables post requests. Let me know if I did something wrong.

I mean generally good move security wise I guess, but really privacy wise this isn’t yet the right approach. There have been quite some discussions in the past here about different options of creating aliases, this just isn’t the best possible way.

I, for one, do not think this will “Stop “data brokers” in their tracks.” if you give a unique subdomain to each user, it will be very easy to see that it is the same user. It would be quite foolish to think that data brokers will not step up their game now that aliasing has become much more common. Approaches that use completely random addresses are assigned are simply better so that would be my feedback, although I appreciate the effort.

We don’t agree with this, but we do think users should have options. Using completely random aliases on a single domain often leaves critical use cases out:

• When you’re not on your main, trusted, personal device and logged into your most sensitive accounts
• Anytime you’re offline (in the real world)
• Anytime you need to sign up for a service that blocks temporary domains, like DuckDuckGo/Relay/SimpleLogin domains. Subdomains give you much more powerful deliverability.

You can also create multiple subdomains, which mitigates this even further.

Another even bigger benefit is that you can always add unlimited custom domain aliases, including random ones, and create many @skiff.com aliases, including using dots and pluses.

Finally, we might add random aliases as well. But, we think subdomains are just much more useful and end up covering more use cases than the existing options.

Could you further explain these points as I honestly do not understand them?

I do however see that sometimes it can be beneficial to use a subdomain. That’s why most aliasing services allow bringing your own domain, and at least in the case of SimpleLogin you can also claim indeed also multiple subdomains on their end. But it should be clear this is far from ideal and more of an exceptional usage when options are limited.

To think that when using subdomains, you won’t be blocked as an alias is really wishful thinking in my eyes. I really hope it turns out like this, but of most of the projects blocking aliasing services will likely block your entire domain you use to generate subdomains under. If they allow for it, it’s only kind of a recognition that it is not as private as you would want it to be.

Yes, here are a couple examples -

• If you’re at a restaurant, you can’t generate akjhsf86@duck.com or jashd8g234@icloud.com via a simply random aliasing service. You could do restaurant@domain.maskmy.id, where a subdomain might help.
• On deliverability, automated deliverability systems tend to separate email subdomains for deliverability reputation. So, mail.site.com could have a different reputation than marketing.site.com. It is true that an entire domain could just be blocked, but it should be more resistant. You could check out The Basics of Subdomains and How To Use Them | Mailgun or Safeguarding Your Reputation With Email Subdomains | Braze for a bit more info on email subdomains and reputation. We will see if this pays off over a longer term.

I don’t think I have ever been in a restaurant where the waiter asked for an email address. I guess because I live in the EU? Sounds like a culture shock to me if someone did, but yeah sure for situations on the spot this can definitely be useful and better than anything else. I am just saying it isn’t a perfect solution, and I do not believe it will stop data brokers at all.

Surely reputations can be different, you are right. But projects who block the usages of aliases, which is far more of a problem, probably won’t make exceptions.

I think there are a lot of offline cases where you just might not be on your main device. Or, if you’re on a mobile device/tablet and don’t want to switch to another app or have a proper keyboard extension installed. Or, you’re in a different browser/browser session/incognito mode.

To be fair, I live in Europe too and there are plenty of restaurants that offer discounts if you use their app… I have never installed a single app like this but my wife did/does, long story short, now at least she is using aliases

And regarding the main topic, I think this kind of services are useful to reduce/avoid spam, not fingerprinting, well it could reduce it too depending on how you use it, but it is not the main goal of aliases (again, I think).

I hate to be negative about new products, but I have to agree with @ph00lt0 here. With per-user subdomains like this, it’s just a persistent identifier that can be used to track you. Data brokers might not be looking for subdomains now, but when this becomes common enough it will be handled no differently than plus-aliasing, which spammers and data brokers already know how to deal with:

There is simply no difference between identifier+alias@example.com and alias@identifier.example.com from a privacy perspective

The other problem—from a spam perspective—is that the non-randomized + subdomain alias approach doesn’t stop spammers from contacting you:

For example, if I give you my email as sarcastic_precook263@8alias.com, and then I disable that alias in SimpleLogin, there’s no possible way for you to email me. How could you know what another mailbox address of mine is given that information?

On the other hand, if I give you my email as restaurant@myname.maskmy.id and then disable that alias (is disabling aliases possible with your system in the first place?), a spammer can still easily reach my mailbox by replacing restaurant@ with any other arbitrary string.

I realize that these two things are trade-offs for convenience, especially for offline alias creation situations, but that doesn’t stop them from being legitimate privacy concerns. I think users optionally need to be able to:

1. Disable catch-all functionality and only allow emails to pre-defined or generated aliases
2. Allow random unique aliases on the @maskmy.id domain without a subdomain identifier

It’s not that your subdomain approach is bad, it’s just that without these features, you’ve really only implemented half of the functionality of competing services like Addy.io and SimpleLogin. There are benefits to both approaches, which is why the aforementioned services provide both options.

Can you create unlimited subdomains?

r/PrivacyGuides remains permanently closed to new posts, but if it makes you feel any better this forum already receives a similar level of traffic from search engines and other sources to what the subreddit used to receive

I support @amilich
My use cases for quick alias is:

1. If my email is breached from a company and I get spam mails. I can understand where the data was breached from.
2. Using different email for every login gives me an extra layer of security. They have to not only guess my password but also my email ID.
3. I don’t live in EU, Almost every single area I am forced to use my email ID. Especially in college events. Writing on a paper form that randomly generated email is difficult. I would use eventofCSE@shield.maskmy.id. it’s easy to remember.
   (Recently a breach happened in college, almost 11k students email, phone number, CGPA , name etc… was released in an excel sheet. Most of those people reuse the same email everywhere even bank accounts)
4. Using username+service@skiff.com is not useful for me, since if that email starts getting spam, I have no option to stop it . It happens a lot here. No one cares about email privacy or anything. Having quick alias to solve the issue by disabling it.

Just pointing out that other services, including Relay and SimpleLogin, offer this service but on a paid plan. We chose to make it free and more powerful. Also, if you want random identifiers, you can still create extra @skiff.com addresses.

AND you can even buy a domain through Skiff - without sharing any WHOIS info. We built that service because it’s truly the first of its kind (I’m not aware of anything like this at all).

So, we just felt like the random identifier aliases have been beaten to death by other services and there isn’t a competitive advantages. Don’t the best privacy services innovate with better or easier to use options?

We’ve just found that tons of people who use Skiff benefit a lot from having a private, unidentifiable domain. I get the threat model on paper but you can already have multiple domains, don’t need to be giving out a real name or personal info, and can use @skiff.com or custom domain aliases.

Well you can have up to 3 Quick Alias domains (and 15 @skiff.com aliases) according to your pricing which would provide fairly rudimentary protection against the threats I mentioned.

It’s like I said, your approach is valid for some use cases like the ones you’ve mentioned, and it’s not valid for other use cases like the ones brought up in this thread, which means your approach is not better, it’s merely different.

What you’re doing is forcing Skiff customers who are looking for a fully-randomized email address which they can disable on-demand to purchase a solution from a separate company like SimpleLogin, because you simply don’t offer that service. That’s fine if you want to do that, but I think people see value in all-in-one solutions and you’d have a real selling point if you were able to cater to those customers with this product too.

Just consider unlimited randomized @maskmy.id aliases in addition to this latest offering and you’d probably have the most feature-complete solution on the market at the moment.

Especially if you could integrate the aliases into Skiff Mail in a clean way too, which Proton still fails to do themselves over a year after acquiring SL

(I don’t know what these existing aliases look like in Skiff Mail yet because when I log in there’s a “temporary connectivity issue”) could be lockdown mode on macOS, I’ll try a browser that has WebAssembly support.

I like the idea. Will give it a try. I am honestly very sick of having so many extensions. And SimpleLogin does not work very well for mobile browsing, which is half of my browsing time now

Hi, for me, one of the requirements of using alias is being able to make them quickly. I usually prefer to do it through the Bitwarden extension. On iOS, I use Siri Shortcuts to quickly generate them (through the REST API).

Do you have an API which allows generating an alias quickly?

Honestly, I dont know under which circumstance I would give an email address to a restaurant, seems pretty dystopian. Here in Portugal email is heavily used in business communications but outside of that, in their personal lives, most people just have it to receive utility and tax bills, as well as to sign up for online services. Those are usually not circumstances where you have to generate aliases in a hurry…

Having said that, I have a skiff account and have been tracking its progress. Right now a deal breaker for me is the lack of email backup options. Proton at least has proton bridge, it would be great if skiff could come up with some backup solution

I don’t think it’s uncommon in many parts of the world to be asked your email address. If asked, very commonly a simple “No” is a sufficient answer.

The existing backup seems sufficient. You can simply export your email files and they can be opened in Thunderbird. Spinning up and maintaining codebase of a dedicated application “bridge” for this purpose seems like an odd amount of effort when the Skiff team is likely working on marketable features rather than, imo, duplicative features.

Even in Portugal (where I’m also from) there are exceptions.
Last month, I went into an event where they were offering an interesting book, but they want you to sign up for their newsletter (if you’re not paying for the product… ). My quick solution was to generate a quick DDG aliás email.

Fast forward a month I receive some spam in the Alias folder (I have inbox rules to not mix normal aliás with garbage alias) and I spent some time figuring out which service was that. In fact, if I was able to tag it from the beginning, it would be helpful.

But like I said: it’s an exception, not the rule.

What about a full inbox export option? Building a full bridge for backup is a big project.

that would suffice. Any plans for interface language options?

W
Just fully switched from Proton to Skiff