I’ve recently started using a custom domain for my email and am wondering how everyone compartmentalizes different accounts (or if you do).
I’ve seen people recommend using the company name for the local part,
e.g. bitwarden@example.com or privacyguides@example.com
but is this a good idea for all accounts? What I’m mainly worried about comes from another post where a user said their bank banned them because of their email as they said it looked like a phishing/impersonation attempt.
Not sure if the above is a reasonable concern or not? Has anyone else had it happen to them?
If not the above, how do you recommend separating emails using a custom domain?
Also to be clear I’m mainly talking about accounts for Known Identities, e.g. banking / anything else that has my real name attached.
I was also thinking of keeping it simple and just having a single inbox but worry about spam from potential data leaks.
No it’s not. I have had people ask if I worked there. It’s a bit silly but it never leads to issues as long as you don’t pretend to. You just tell them “this way I keep things organized”.
Besides that I would suggest adding some random part to it. Right now it will be easily enumerated. So f.x. bitwarden.ri5be4@example.com
In the event of a leak at your email aliasing service itself, you are handing whomever gets a hold of that data part of the login credentials on a silver platter.
Why not generate a unique username using your password manager and append the domain? Given that you should already store said login credentials in a password manager anyway, and you likely don’t know the password to the service, why must you know by heart what the alias is tied to? It’ll just be a search away.
You will receive all mail in a single inbox and any leaks of the address by the service, you, a spouse or whomever, won’t tell a malicious actor where to dig.
In my experience, having the name of the service in the alias is usually fine ban-wise, as long as it isn’t routinely read by humans on the other end (in a bank for example). To the privacy illiterate, that can look suspect and get manually flagged.
In my experience it’s extremely uncommon for an actual human to be involved in the process of verifying accounts/email. In the rare cases that a human is involved, you can adapt your strategy as needed, or provide a different email.
I’ve got a few humourous-to-me aliases along the lines of “you-dont-need-my-email@domain.tld” and “that-is-personal@domain.tld” or “I-promise-this-is-a-real-email-address@domain.tld” or “please-dont-spam-me-with-donation-requests@domain.tld” that I’ll use specifically in situations where I think a human will have to transcribe it (such as a paper signup sheet at a political or charity event) or where I feel incredulous that I’m being asked for an email (e.g. the grocery store). I find it mildly amusing to watch reactions (usually some combination of amused and confused, rarely distrustful (most employees could care less)). Obviously I wouldn’t use something like this for my bank. But I’ve found in most cases, a one or two sentence explanation of how aliasing is an anti-spam and security strategy clears up any confusion or suspicion in cases where the person has a say in the matter; if it’s corporate policy, it’s best to just use a non-aliased email address.
What is much much much more common than human review, or humans finding the first half of your email suspicious, is automated systems finding the alias domain suspicious or outright blacklisting entire providers (e.g. @alias.tld is flagged as suspicious because email aliasing often gets mistakenly grouped in with temporary and disposable email services or spam domains). More and more anti-spam/anti-abuse systems seem to be making assessments based on multiple factors in combination.
Personally for important semi-trusted accounts that are connected to my true identity (e.g. Banks, Insurance, etc) I have one fairly normal sounding alias I use for them as a group.
Thanks for the suggestions, I agree thinking about it now that I doubt it would be a problem to have the company name in the email and if I ever had to speak to someone I could just explain it.
That said, the more I think about it I’m not sure I want to have the company name in the email anymore. I already keep all my aliased addresses in my password manager, so I think I will just generate two random words for the local part of each email and use that instead. If it is just two normal random words I think it will sound fine saying to a human too.
I guess I did like the idea of not needing the password manager to know the email address itself but then if I can work it out then so could someone else in the case of a data leak.
I think that is a very valid approach. The only thing I’d add is that using service-name@alias-domain.tld can be mildly more phishing resistant, because it can make it easier to spot phishing emails (e.g. if you start receiving spam/scam emails pretending to be your bank, or a crypto exchange, or shipping company at “spotify@domain.tld”, it is much more obvious that it is a phishing attempt than if it is sent to 384hfuiowf@domain.tld). It’s a minor consideration in the realm of things, but still worth considering.
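The three alias strategies discussed in this thread (service name plus a random suffix so the address cannot be enumerated, two random words kept in the password manager, and using the per-service alias to spot mail whose sender does not match the service the alias was given to) as an added example; this is not code from the thread. The word list, alias book and domains are constructed for the demo, and the alias book is assumed to be what you would keep in your password manager.

```python
import secrets
import string
from email.utils import parseaddr

# Constructed word list; a real deployment would use a large dictionary (e.g. a diceware list).
WORDS = ["amber", "canyon", "delta", "falcon", "harbor", "maple", "orbit", "summit"]


def two_word_alias(domain, rng=None, words=WORDS):
    """Local part built from two random dictionary words: easy to say to a human, not guessable."""
    rng = rng or secrets.SystemRandom()
    return f"{rng.choice(words)}.{rng.choice(words)}@{domain}"


def service_alias(service, domain, rng=None, suffix_len=6):
    """Service name plus a random suffix, so the alias cannot be enumerated from the service name."""
    rng = rng or secrets.SystemRandom()
    alphabet = string.ascii_lowercase + string.digits
    suffix = "".join(rng.choice(alphabet) for _ in range(suffix_len))
    return f"{service}.{suffix}@{domain}"


def classify_message(alias_book, to_header, from_header):
    """Compare the alias a message arrived on with the domain its sender claims.

    alias_book maps alias -> (service, expected sender domain). Returns "ok",
    "unknown-alias" (an address you never handed out), or "mismatch:<service>:<from-domain>"
    (mail claiming to be from one party arriving on an alias given only to another).
    """
    to_addr = parseaddr(to_header)[1].lower()               # strips any display name
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    entry = alias_book.get(to_addr)
    if entry is None:
        return "unknown-alias"
    service, expected = entry
    if from_domain == expected or from_domain.endswith("." + expected):
        return "ok"
    return f"mismatch:{service}:{from_domain}"


# Constructed alias book for the demo (in practice: entries in your password manager).
ALIAS_BOOK = {
    "spotify.k3p9qa@example.com": ("spotify", "spotify.com"),
    "bank.w2c7xx@example.com": ("bank", "examplebank.com"),
}

if __name__ == "__main__":
    print(two_word_alias("example.com"))
    print(service_alias("bitwarden", "example.com"))
    print(classify_message(ALIAS_BOOK, "spotify.k3p9qa@example.com", "Spotify <billing@spotify.com>"))
    print(classify_message(ALIAS_BOOK, "Me <spotify.k3p9qa@example.com>", "Your Bank <alerts@examplebank-secure.net>"))
```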