Catch-All Email Addresses

Most people have an email address like firstname.lastname@provider.example where provider.example is an email provider. They have exactly this one email address and give it to every service where they sign up.

I use my domain martin-ueding.de, and I can have virtually unlimited email addresses on it. For a while now I have been using the concept of service email addresses. So when I create an account for buying from the renowned widget store store.example, I would give them store.example@martin-ueding.de as my email address.

Advantages

This process has a couple of very nice advantages.

Legitimate emails that I get from them would likely come from something like orders@store.example, such that one could filter by sender. But they might also use some other domain to send emails from, or use a third-party sending service that sends stuff on their behalf. Since I can just group by recipient address, all these details do not matter.

Other people might try to impersonate some website and send phishing emails to me. But as they would only have some other email address of mine, I would see that the mail is not directed to the recipient address that a legitimate mail would use. Say I got a mail from some payment service stating that I urgently need to log into my account, but received it at an address that I had given to some other service: I would know that it is an illegitimate mail.

Most of my junk email is sent to the mail address that I use with git. Some of the junk goes to addresses that have been made public in a data breach and are now used by spammers. This makes it easy to just block that recipient address and never get any of these mails any more. Also I can see whether a company actually had a breach or sold my address.

Some services allow a single person to have multiple accounts. Then having unlimited email addresses makes it rather easy to set up these accounts.

This is similar to the “plus syntax” that some email providers offer for filtering. One would then use firstname.lastname+store.example@provider.example to have this same filtering. My approach is non-standard and therefore people cannot easily filter away everything after the plus sign. For all legitimate purposes the plus syntax is fine, but it makes it too easy to deduce the main email address.

Disadvantages

All in all this is a pretty nice setup, but there are a couple of downsides to

Foremost, in the implementation I just use a catch-all mail account such that all mail to martin-ueding.de is delivered to my inbox. This opens me up to junk email that is addressed to some random mailbox on my domain, and there are such drive-by events every now and then. To get around this I have a couple of special mailboxes (my main one, the one I use in git) and then a special prefix that I use for these service addresses. I could then block everything that is neither a special mailbox nor starts with the prefix.
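The recipient-based rules described so far (special mailboxes plus a prefix, blocking burned addresses, and the phishing indicator) can be sketched as one classifier. This is an added example, not the author's setup: the domain `mydomain.example`, the prefix `svc-`, the mailbox names and the service list are all assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "mydomain.example"        # assumption: placeholder catch-all domain
SPECIAL = {"me", "git"}            # assumption: the few fixed mailboxes
PREFIX = "svc-"                    # assumption: hypothetical service prefix
BLOCKED = {"svc-leaky.example"}    # recipient addresses burned by a breach or sale
KNOWN_SERVICES = {"store.example", "pay.example", "leaky.example"}


def service_of(sender_domain):
    """Return the known service that the sender domain belongs to, if any."""
    for service in KNOWN_SERVICES:
        if sender_domain == service or sender_domain.endswith("." + service):
            return service
    return None


def classify(raw_message, envelope_rcpt):
    """Return (verdict, reason) for one message arriving via the catch-all."""
    local, _, domain = envelope_rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return "reject", "not our domain"
    if local in BLOCKED:
        return "reject", "recipient address was burned"
    if local in SPECIAL:
        return "accept", "special mailbox"
    if not local.startswith(PREFIX):
        return "reject", "drive-by: neither special mailbox nor service prefix"
    tag = local[len(PREFIX):]
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    claimed = service_of(sender_domain)
    # Unknown sender domains pass: services may mail through third parties.
    # A known service writing to another service's address is the phishing sign.
    if claimed is not None and claimed != tag:
        return "flag", f"claims {claimed} but was sent to the {tag} address"
    return "accept", f"service address for {tag}"


# Constructed sample messages (not real mail).
SAMPLES = [
    ("From: orders@store.example\n\nShipped", "svc-store.example@mydomain.example"),
    ("From: news@bulkmailer.example\n\nSale", "svc-store.example@mydomain.example"),
    ("From: security@pay.example\n\nLog in", "svc-store.example@mydomain.example"),
    ("From: x@spam.example\n\nHi", "info@mydomain.example"),
    ("From: x@spam.example\n\nHi", "svc-leaky.example@mydomain.example"),
]

if __name__ == "__main__":
    for raw, rcpt in SAMPLES:
        print(rcpt, classify(raw, rcpt))
```

The `From` header is trivially forged, so the "flag" verdict is only useful in the direction shown: a mismatch is a strong phishing signal, while a match proves nothing about the sender.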

In the mail client one cannot simply reply to these mails, because the sending address will always be the main one of the account. In some programs one can add additional identities, but this is a tad more work. This means that I cannot just click reply for some services unless I have the proper sending address set up.

If I bought from store.example directly, I would use something like store.example@ as my mail address. But when using the broker broker.example to do my business, I would give broker.example@ to that service. The broker would pass broker.example@ on to the shop, but also to a hotel and other services. If the mail address broker.example@ was then used for spam, I could not be entirely sure whether it was the broker or the shop or the hotel that leaked it.

Also if I bought from the shop already with shop.example.com@ it would not recognize the address that I gave the broker. In the end I have two accounts and would have to work towards merging them later on. This also bites me when I have contact with people over these service addresses and I actually want them to use my main address eventually. So when somebody asks me for my mail address, it is a little trickier than just having a personal and work address.

Services merge or get bought. So I had different email addresses for Skype and Microsoft, but now they are one thing. Also Ubuntu’s Launchpad had a separate account, now I can log in with my Canonical account. This makes it a bit weird as my Launchpad email address has effectively changed now.

This setup also requires me to have a whole domain for mail, which is not particularly hard. But it means that I cannot just go for a mail provider which does not support such a catch-all setup.

Conclusions

I have a few addresses that were exposed in data breaches, and it helps to identify these and block the involved addresses. Additionally I have more confidence when it comes to phishing emails because I have an additional indicator. The logistics of having a different address for each service are manageable, but I’d prefer to do it without.