Catch-All Email Addresses
Most people have an email address like
provider.com is an email provider. They have exactly this email
address and give it to every service where they sign up.
I use my domain
martin-ueding.de, and I can have virtually unlimited email
addresses on it. For a while now I have been using the concept of service email
addresses. So when I create an account for buying from the renowned widget
store.example, I would give them
as my email address.
This process has a couple of very nice advantages.
Legitimate emails that I get from them would likely come from something like
email@example.com, so one could filter on the sender. But they might
also use some other domain to send emails from, or use a third-party sending
service that sends stuff on their behalf. Since I can just group by recipient
address, all these details do not matter.
Other people might try to impersonate some website and send phishing emails to me. But as they would only have some other email address of mine, I would see that the mail is not directed to the recipient address it would need to be legitimate. Say I got a mail from some payment service stating that I urgently need to log into my account, but received it at an address that I had given to some other service: I would know that it is an illegitimate mail.
Most of my junk email is sent to the mail address that I use with git. Some of the junk goes to addresses that have been made public in a data breach and are now used by spammers. This makes it easy to just block that recipient address and never get any of these mails any more. Also I can see whether a company actually had a breach or sold my address.
Some services allow a single person to have multiple accounts. Then having unlimited email addresses makes it rather easy to set up these accounts.
This is similar to the “plus syntax” that some email providers offer for
filtering. One would then use
firstname.lastname@example.org to have this same
filtering. My approach is non-standard and therefore people cannot easily
filter away everything after the plus sign. For all legitimate purposes the
plus syntax is fine, but it makes it too easy to deduce the main email address.
All in all this is a pretty nice setup, but there are a couple of downsides to
Foremost, in the implementation I just use a catch-all mail account such that
all mail to
martin-ueding.de is delivered to my inbox. This opens me up to
junk email that is addressed to some random mailbox on my domain, and there are
such drive-by events every now and then. To get around this I have a couple of
special mailboxes (my main one, the one I use in git) and then a special prefix
that I use for these service addresses. I could then block everything that is
neither a special mailbox nor starts with the prefix.
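The recipient-based policy described here, together with the phishing indicator from the advantages above, sketched as an added example (not the author's own configuration). The domain `mydomain.example`, the prefix `svc-`, the mailbox names, the service tags and the use of the `Delivered-To` header are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# All names and values below are assumptions for illustration.
DOMAIN = "mydomain.example"      # placeholder for the catch-all domain
SPECIAL = {"main", "git"}        # local parts of the special mailboxes
PREFIX = "svc-"                  # hypothetical service-address prefix
ISSUED = {"store.example", "pay.example", "leaky.example"}  # tags handed out
BURNED = {"leaky.example"}       # tags blocked after a breach or spam

def owner(sender_domain):
    """Return the issued tag whose domain the sender uses, or None."""
    for tag in ISSUED:
        if sender_domain == tag or sender_domain.endswith("." + tag):
            return tag
    return None

def classify(raw):
    msg = message_from_string(raw)
    # Assumption: the MTA records the envelope recipient in Delivered-To.
    rcpt = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    local, _, domain = rcpt.rpartition("@")
    if domain != DOMAIN:
        return "reject:unknown-recipient"
    if local in SPECIAL:
        return "inbox"
    if not local.startswith(PREFIX):
        return "reject:drive-by"          # random mailbox on the domain
    tag = local[len(PREFIX):]
    if tag in BURNED:
        return "reject:burned"
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    claimed = owner(sender_domain)
    if claimed and claimed != tag:
        return f"suspect:{claimed}-via-{tag}"  # sent to another service's address
    return f"folder:{tag}"                # group by recipient, sender ignored

def make(sender, rcpt):  # builds one constructed sample message
    return f"From: {sender}\nDelivered-To: {rcpt}\nSubject: test\n\nbody\n"

SAMPLES = [  # constructed messages, not real mail
    make("Store <news@mailer.thirdparty.example>", "svc-store.example@mydomain.example"),
    make("Pay <alerts@pay.example>", "svc-store.example@mydomain.example"),
    make("x@spam.example", "info@mydomain.example"),
    make("y@spam.example", "svc-leaky.example@mydomain.example"),
    make("friend@provider.com", "main@mydomain.example"),
]
for sample in SAMPLES:
    print(classify(sample))
```

The `suspect` result only fires when the sender domain matches an issued tag; a lookalike sender domain still lands in the folder of the address it was sent to, where the mismatch is visible by eye.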
In the mail client one cannot simply reply to these mails, because the sending address will always be the main one of the account. In some programs one can add additional identities, but this is a tad more work. This means that I cannot just click reply for some services unless I have the proper sending address set up.
If I bought from
store.example directly, I would use something like
store.example@ as my mail address. But when using the broker
broker.example to do my business, I would give
broker.example@ to that
service. The broker would give
broker.example@ to the shop but also a hotel
and other services. If the mail address
broker.example@ was then used for
spam, I could not be entirely sure that it was the broker or the shop or the
Also, if I had already bought from the shop with
shop.example.com@, it would not recognize the address that I
gave the broker. In the end I have two accounts and would have to work towards
merging them later on. This also bites me when I have contact with people over
these service addresses and I actually want them to use my main address
eventually. So when somebody asks me for my mail address, it is a little
trickier than just having a personal and work address.
Services merge or get bought. So I had different email addresses for Skype and Microsoft, but now they are one thing. Also, Ubuntu’s Launchpad had a separate account; now I can log in with my Canonical account. This makes it a bit weird, as my Launchpad email address has effectively changed now.
This setup also requires me to have a whole domain for mail, which is not particularly hard. But it means that I cannot just go for a mail provider which does not support such a catch-all setup.
I have a few addresses that were exposed in data breaches, and it helps to identify these and block the involved addresses. Additionally I have more confidence when it comes to phishing emails because I have an additional indicator. The logistics of having a different address for each service are manageable, but I’d prefer to do it without.