When a service won't accept your addy.io or simplelogin email, what do you use?

More and more services reject an addy.io/simplelogin domain. This includes their related domains like mailer.me, 4wrd.cc and others.

In those instances, what email do you use? Not wanting to use my proton aliases if possible.

I always use a unique address under my own domain names.

I have an e-mail provider that allows many aliases. I keep a handful of addresses on hand to use when services won’t accept aliases, or for cases where I want the address to read like a traditional e-mail address (something@somewhere.tld)

I use DuckDuckGo’s email aliasing with the very nice domain name of duck.com. Very good service and integrates with Bitwarden well.

May I ask you what is the email provider in question?

I use it too as long as it is only to receive emails. As far I as know you cannot send email from a duck address

Boy do I have some news for you.

apple relay emails

or

Super! Thanks!

Thanks a lot!

When the service doesn’t accept Proton Pass or SimpleLogin, then I don’t use that service.

I like a lot Adguard temp mail!

Firstly, are you 100% sure that it’s the third party website that is rejecting your alias, and not your alias provider that prevented you from using it on that website?

I say this because I have experienced the latter recently, and I’m planning to write a post about it because I think that how my alias provider is handling it is wrong and problematic from both a security and privacy standpoint, but also from a practical one.

SOLUTIONS TO YOUR PROBLEM

That said, I have used aliases for many years, and have encountered the issue that you are raising many times.

1) Change / Switch Domains

From my experience, alias providers have multiple domains precisely to counter this scenario. And they should give you, the user, the option to easily switch domains.

However, switching domains doesn’t always work. The more domains an alias provider has, the better. Some alias providers have a default domain, and require that you contact/alert them if you want to switch to a different one for a specific website.

Usually, if enough people alert them for the same website, you won’t have to contact them because generating an alias for that website will automatically be from a different domain.

2) Change / Switch Alias Providers

If none of the domains from your alias provider works, your best bet is trying a different alias provider. That’s what I did, and that usually works (e.g. Duck.com).

THE RISK OF EXISTING ALIASES THAT STOP WORKING

Even if the solutions I suggested work, there are still risks. As I’ve said, I’ve used aliases for many years, and one common problem you run into is existing aliases that stop working.

You get locked out of your account

When an alias stops working, you can get locked out of your own accounts, even if you have other methods of verifying your identity.

Exhibit A:

I once had an online account, for which I used an alias. One random day, I’m asked to verify my identity. It was probably because I was using a VPN and didn’t have MFA enabled. They send me a verification code via e-mail, and of course I never received it. I never received because they blocked the domain of my alias provider.

The only way I could verify my identity to retrieve my account was to send them a picture of my ID, which I was never going to do.

I have read accounts of people experiencing the same thing with various websites, including popular social media websites/apps.

A partial solution to this specific risk is that if you have MFA on, websites are far less likely to ask you to verify your identity via e-mail or some other channel, but they can still do it, and have. And if your alias is blocked, you’re screwed.

Exhibit B:

I just recently tried to change the password for an account via web, on a service popular to the privacy community. I couldn’t receive the confirmation code via e-mail. I’ve used an alias for that account since the beginning, and I’ve had it for years. I immediately guessed that it was because the company for my account had blocked my alias because I had experience this issue before.

I was very lucky that I was able to change my email address for that account on their app, where I had been logged in for months. I used an alias from a different alias provider. But my account is still, clearly, at risk.

Can’t Change E-Mails: The Design Flaws of Some Security Protocols

There is also a big security problem that people do not realize.

When you want to change your e-mail address for an online account, certain websites will require a verification code that they send you via e-mail.

Suppose the e-mail for one of your accounts is:

A) sandy.cheeks@addy.io

and you want to change it to

B) patrick.star@alias.com

Although many websites will send you your confirmation code to the new e-mail address that you gave them (B), some websites will send it to the current one (A).

That means that you can use an alias for an account for years (A), and at some point, it gets blocked, and you notice it. But because of the security protocol of the company behind your account, you can’t update your e-mail because you cannot receive the confirmation code, which was sent to your current e-mail address (A), instead of your new one (B).

Even if you can verify your ID via MFA, a password, and a security key, you won’t be able to update your email.

And this problem mostly affects aliases, but not always.

Exhibit C: Skiff & Filen

As some of you know, Skiff, an end-to-end encrypted (E2EE) e-mail provider, recently shut down. I had a Skiff e-mail address and used it as a login for a few of my online accounts.

Thanks to outrage, Skiff gave their users many months to get their affairs in order. But I waited the last week before shutdown to update the accounts for which I use my skiff address. One of them was for Filen.io, an E2EE cloud service.

I’ve had MFA enabled on my Filen account since I created it. That doesn’t alter the fact that when you update your e-mail with Filen, they send you your confirmation code to your current address, not the new one.

|If I had missed the deadline of Skiff’s shutdown, I would have never been able to change my Filen e-mail even if I had access to my account and my MFA tokens.

Exhibit D: Website Deletes My Account

There was another website for which I used an alias that stopped working, as I had stopped receiving e-mail notifications. I decided to change alias domains. Everything worked fine, until I logged in with my new alias for the first time. I got a pop-up message that my account didn’t exist and had been deleted.

When I emailed the website, they told me that they don’t accept that e-mail provider and that my account and all of its data was automatically deleted. This decision had been made by a bot, not a person. This was not a reputable website, but still it’s alarming.

CONCLUSION / TL ; DR:

Using aliases always involve risks because websites that once allowed them can decide to block them, and you may only find out after it’s too late.

But switching providers won’t necessarily last because at any point, a website can block the domain(s) of that provider.

Once an alias domain is blocked, you can get locked out of your accounts if you can only receive verification codes via e-mail. This can happen even if you can verify yourself via MFA because of how the security protocol for that website was designed.

I apologize for the epic novel. I had a lot to say.

This is the best answer IMO.

In case you want to avoid this you can also use your own domain with simple login.

Not with Bitwarden android app.

It’s the exact same process. You just add the DuckDuckGo API key to the Bitwarden username generator and you’re good to go.

Thanks a lot.

If none of the domains of Simplelogin work I’ll ask myself if I really want this service. If the answer is ‘yes’ I’ll make an alias with Proton if I have an empty spot or an unused one.

What about forums that don’t accept simple login? Do you just say sod it, or do you use a backup email address? Such as backupemail@proton instead of xyz@simplelogin