Hi there!

Context: After the recent debacle with Proton I was finally pushed to look for other alternatives. I had already wanted to change services for a while so it was nice to get the final push. It’s still a good service, open-source and all. I personally just wanted to look for something else. However, I had not realised how deeply I was integrated into the email+alias feature they had, and how much work it is to change out of this; I have a fair amount of accounts.

I have now found a new email provider and bought a new domain. However, I’ve got a few questions for those who rock custom domains:

  1. Do you use random strings before the @ sign? Or do you use it like [email protected]?
  2. Because I’m considering using this as a catch-all address, doesn’t this mean that anyone who wants (and knows the domain) can send spam on any random string before the @? Are you worried about this, and are there any counters to this?
  3. As far as I’ve understood the main benefit of using my own domain for email, is that it will make it a lot easier to change providers in the future, as I can just change the nameservers so traffic is directed elsewhere - correct?

Thanks for any input, experiences or thoughts about this.

PS: My threat model isn’t that complex, I mainly want to stop spam from any potential services selling my email.

  • cygnus@lemmy.ca
    6 days ago

    In my book, it’s essential. I’ll never use email without a custom domain, because otherwise you’re completely beholden to whatever email provider you signed up with. I’ve migrated providers many times (probably 6 or 7 now) and never had to change my email address. I have:

    • Work domain
    • Personal domains (one for myself and family, one for my band, a few others)
    • Domain for aliases / signups

    I’m currently with Fastmail which can generate aliases on the fly with your custom domain of choice, and they allow a ridiculous number of domains (100?) on your account.

    Do you use random strings before the @ sign? Or do you use it like [email protected]?

    I use random strings when I sign up for an online service, but the emails I actually give to people are firstname@domain

    Because I’m considering using this as a catch-all address, doesn’t this mean that anyone who wants (and knows the domain) can send spam on any random string before the @? Are you worried about this, and are there any counters to this?

    The only counter I know of is to create specific aliases rather than use a wildcard. However, in practice, I only very rarely get emails at my wildcard domain (one a year, if even)

    As far as I’ve understood the main benefit of using my own domain for email, is that it will make it a lot easier to change providers in the future, as I can just change the nameservers so traffic is directed elsewhere - correct?

    Exactly, so there’s zero downtime and you don’t have to change your email everywhere. The only annoyances I’ve run into are migrating away from Proton because it’s encrypted and a huge PITA to get out of, and having to redo my automation filters when switching providers.

    • Sips'@slrpnk.netOP
      6 days ago

      Thanks a lot! This was helpful and I too landed on Fastmail after hearing they’re supporting (and helping develop) open standards.

      • Zachariah@lemmy.world
        6 days ago

        LOL, yeah, currently my main mailbox is Fastmail. I’ve been a happy customer for over ten years.

        I saw they added the on-the-fly email addresses, but I am already used to my setup, so I haven’t tried theirs.

  • Zachariah@lemmy.world
    6 days ago

    I have a domain specifically for email. It’s a catch-all and points to whichever email provider I feel like. I have admin@, info@, etc. sent to :blackhole: to prevent most common random spam. I use [entity]@example.com and make up email addresses on the fly for each entity I interact with. If it ever starts receiving spam, I :blackhole: it.

    I use https://www.mxroute.com/ to manage my forwarders. This allows me to route certain aliases to multiple inboxes and uses cPanel so it’s a familiar interface if you’ve ever used it. I paid like for 10 years at once because it averaged out to being super-cheap yearly that way.

    In the past my web hosting provider had catch-alls but they removed that feature.

    • jqubed@lemmy.world
      6 days ago

      This looks kinda interesting; it’s an email host that you can use across multiple domains? Does that make it easier to manage if some are little-used?

      • Zachariah@lemmy.world
        6 days ago

        I don’t even use the email hosting. I just use it as alias forwarders. I do use it with multiple domains. Some are complex and some are simpler. Both are easy to manage.

        I found it when it was recommended to me as I was researching running my own mail server. I may still do that, but I didn’t have enough time to learn all I needed to at the time.

    • Sips'@slrpnk.netOP
      6 days ago

      Had no idea this was possible, very neat! Thanks for sharing 👍👍

  • evujumenuk@lemmy.world
    6 days ago

    If you only ever use services that let you sign up with arbitrary addresses, then sure, you gain resilience against mail provider shenanigans at the expense of exposing a non-agile identifier — the domain name you bought — to any third party you provide with an address.

    However, in a confused attempt to stamp out single-use mail services, some sites are rejecting mail addresses that don’t originate from one of the big mail providers, like Gmail, iCloud, Outlook. ‘Please provide your real mail address’, they’d say.

    If you aren’t using any such service, you can use your own domain. Be wary of services that bounce messages to your “actual” inbox without rewriting the involved addresses (Cloudflare offers something like this, I don’t get why though), as that can lead to deliverability issues due to DMARC.

    The IAB publishes some Gmail-specific guidance on how to ‘normalize’ plus-addresses to ‘real’ inboxes, so that’s something that doesn’t really do anything for you anymore. Out of the large mail services, iCloud is somewhat notable for offering single-use addresses under the same @icloud.com domain name they use for standard addresses, without having to register extra accounts or other annoying requirements. So websites that want to lock out single-use iCloud addresses would have to block iCloud addresses entirely, which is something they’ll most probably refrain from doing.

    • Cousin Mose@lemmy.hogru.ch
      6 days ago

      I really want to use the iCloud custom domain feature, but I’ve still got an old iCloud email account I’ve had for 15+ years receiving spam daily because they don’t validate DMARC/DKIM and SPF.

      Right now the emails are simply deleted, but if I could figure out how to make it so that the original email is saved in its entirety (.eml including headers) and that is sent to a report phishing email address I’d be happy.

  • Rivalarrival@lemmy.today
    6 days ago
    1. I often use “[name-of-service]@mydomain.com”. When I start getting spam to one of those addresses, it’s immediately obvious who is selling email addresses.

    2. That was one of my concerns, but I haven’t really seen it happen. I rarely get mail to random addresses I’ve never used.

    You will get spam for every address you widely publish, though, which can mean you get multiple copies of the same spam.
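Added example, not written by anyone in the thread: a sketch of the triage that a catch-all with blackholed role addresses and per-service aliases (as described in the comments above) makes possible, flagging aliases that receive mail from senders other than the service they were given to. The domain, alias table, sample messages and the use of the `Delivered-To` header are assumptions for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "example.com"          # placeholder for the catch-all domain
BLACKHOLE = {"admin", "info"}   # role addresses dropped outright, as in the thread
# alias -> sender domains expected from the entity it was given to (constructed)
ISSUED = {"shop": {"shop.test"}, "bank": {"bank.test"}}

def split_addr(header):
    """Return (local part, domain) of an address header, lowercased."""
    local, _, domain = parseaddr(header or "")[1].lower().rpartition("@")
    return local, domain

def triage(raw):
    """Classify one raw message that arrived on the catch-all domain."""
    msg = message_from_string(raw)
    # Assumption: the provider records the envelope recipient in Delivered-To.
    alias, rcpt_domain = split_addr(msg["Delivered-To"] or msg["To"])
    sender_domain = split_addr(msg["From"])[1]
    if rcpt_domain != DOMAIN:
        return "not-ours", alias
    if alias in BLACKHOLE:
        return "blackhole", alias
    if alias not in ISSUED:
        return "never-issued", alias   # guessed address hitting the wildcard
    if not any(sender_domain == d or sender_domain.endswith("." + d)
               for d in ISSUED[alias]):
        # From is spoofable: a match proves nothing, a mismatch is the signal.
        return "leak-suspect", alias
    return "deliver", alias

def leaky_aliases(raws, threshold=2):
    """Aliases with at least `threshold` leak-suspect messages: blackhole candidates."""
    hits = Counter(a for verdict, a in map(triage, raws) if verdict == "leak-suspect")
    return sorted(a for a, n in hits.items() if n >= threshold)

def make_mail(rcpt, sender):
    return f"Delivered-To: {rcpt}\nFrom: {sender}\nSubject: test\n\nbody\n"
SAMPLE = [  # constructed messages, not real traffic
    make_mail("shop@example.com", "Shop <news@mail.shop.test>"),
    make_mail("shop@example.com", "deals@pills.test"),
    make_mail("shop@example.com", "win@casino.test"),
    make_mail("info@example.com", "x@spam.test"),
    make_mail("qzx81@example.com", "x@spam.test"),
    make_mail("bank@example.com", "alerts@bank.test"),
]
if __name__ == "__main__":
    print([triage(m) for m in SAMPLE], leaky_aliases(SAMPLE))
```

A service that sends through a third-party mailer will also show up as a mismatch until that mailer's domain is added to its entry in the alias table.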

    • Cousin Mose@lemmy.hogru.ch
      6 days ago

      Ditto that, with the exception that I’ve had two addresses leaked from Scentbird of all places.

      I guess their backend/database security is just trashed because they’ve shown up multiple times on haveibeenpwned.

  • MNByChoice@midwest.social
    6 days ago

    They are great.

    Just be careful if paying a host. Their prices will go up. Sometimes a lot.

    I started on a cheap plan, now I pay 12x. Not enough in actual dollars to self-host, but it is annoying. (Which is why they raised prices.)

    • Tangent5280@lemmy.world
      5 days ago

      You’re talking about the actual VPS hosts, right, and not the domain name merchant rent? If I buy the domain exampleblog.com from GoDaddy for example, will they raise the rent I have to pay them every year after a couple years, after I grow a following for my blog?

  • LWD@lemm.ee
    6 days ago

    I use email masking services for signing up to things rather than giving out an email that is attached to a domain. That seems far smarter to me than creating a point of interest that sticks out and can be used to correlate multiple data breaches to a single identity.

    In addition, I lack the capabilities of a professional webmaster, and I am not an expert in security, and I can’t decide whether I would rather lie to a domain provider about my identity or hire a third party to obfuscate it on my behalf. That all sounds like a huge hassle to me.