How to Use Email Aliases (Part 1)

There are two parts to every login: a user name and a password. We in the security community talk a lot about the password part. But that’s because we usually take the user name part for granted. Today, user names are almost always your email address. You probably only have one of those, maybe two. It’s a given, right? Not necessarily. You can have unique user names for every online account, too – and you don’t need to open dozens of email accounts to do it. How? Email aliases. I’m going to give you two ways to do this. Today, we’ll start with email aliasing services.


What’s in a User Name?

In years past, we chose our own user names when signing up for online accounts. They had to be unique (within the service) and very quickly, all the “good ones” were taken. That’s why we ended up with user names like “joesmith1978” and “ilovehorses25”. Somewhere along the line, web services moved from user-chosen login names to email addresses. Not only were email addresses guaranteed to be globally unique, they could also be used to send you tons of marketing emails.

But there are two serious problems with using email addresses for user names. First off, this means that all your online credentials now have a single, common user name. Half of all your credentials are now well-known. And because people tend to reuse passwords, too, this means that if the bad guys get your login information for one site, they probably have your login information for several other sites, too. They use an attack technique called credential stuffing to try to break into your other accounts.

Second, there’s a privacy problem with using your email address as your user name. Yes, the site can send you lots of junk emails, and even sell your email address to others, which leads to more spam. But it’s worse than that. Because your email address is globally unique, data brokers can now use it to track you across the web – not just the online accounts where you used that email address as your user name, but anywhere you used that email address.

Using Email Aliases

All of the above issues could be fixed if we could just go back to having unique user names for each account. But if all these web sites require that we use our email address as our user name, wouldn’t that require opening up dozens of new email accounts? Even if they were all free accounts through Gmail or Yahoo or Outlook, that’s still way too many email accounts to manage.

What if you could have multiple email addresses that routed to a single email inbox? What if you could create dummy addresses that were just ‘pseudonyms’ for your real email address? You can – they’re called email aliases. You can generate them on the fly and hand them out like candy. The recipient will never know your actual email address. Even if you reply to an email sent to the alias address, the aliasing service will magically handle all the From/To stuff so that the other side will only ever see the email alias address.

Setting Up Email Aliases

The process of using email aliases is very simple. Each service works a little differently, but they all let you create new, randomly-generated email aliases with the click of a button. All emails sent to your aliases will be forwarded to your single, regular email inbox. When you reply to one of these forwarded emails, the email will route back through the aliasing service and they will handle manipulating the From and To addresses. The recipient will never see your real email address.
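The forwarding and reply handling described above can be modelled in a few lines of Python. This is an added example, not code from any aliasing service; the per-contact reply address, the `alias.example` domain and all class and function names are assumptions made for illustration.

```python
import secrets
from email.message import EmailMessage

ALIAS_DOMAIN = "alias.example"  # constructed domain standing in for the service's own

def make_msg(sender, rcpt, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content(body)
    return msg

class AliasService:
    """Toy model of a forwarding alias service (hypothetical, in-memory only)."""
    def __init__(self, real_inbox):
        self.real_inbox = real_inbox
        self.aliases = {}   # alias address -> enabled?
        self.reverse = {}   # per-contact reply address -> (alias, outside contact)

    def new_alias(self):
        alias = f"{secrets.token_hex(5)}@{ALIAS_DOMAIN}"
        self.aliases[alias] = True
        return alias

    def disable(self, alias):
        self.aliases[alias] = False  # mail stops; the string still works as a login name

    def _reply_address(self, alias, contact):
        for addr, pair in self.reverse.items():
            if pair == (alias, contact):
                return addr
        addr = f"reply-{secrets.token_hex(5)}@{ALIAS_DOMAIN}"
        self.reverse[addr] = (alias, contact)
        return addr

    def inbound(self, msg):
        """Outside sender -> alias: forward to the real inbox, or drop (None)."""
        alias, contact = str(msg["To"]), str(msg["From"])
        if not self.aliases.get(alias):
            return None  # unknown or switched-off alias
        # From becomes a reply address so that answering routes back through the service
        return make_msg(self._reply_address(alias, contact), self.real_inbox,
                        str(msg["Subject"]), msg.get_content())

    def outbound(self, msg):
        """Real inbox -> reply address: restore the contact, send as the alias."""
        if str(msg["From"]) != self.real_inbox or str(msg["To"]) not in self.reverse:
            return None  # only the alias owner may send through a reply address
        alias, contact = self.reverse[str(msg["To"])]
        return make_msg(alias, contact, str(msg["Subject"]), msg.get_content())
```

The forwarded copy carries the reply address in From, so hitting Reply in your normal mail client is enough; the real address never appears in the headers the other side receives.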

How you generate the aliases will differ depending on the service. Some have browser plugins that will recognize web forms requiring email addresses and give you a little button, right in the form, to generate a new alias. Others might require you to log in to the service or open the service app to generate an alias. Then you copy and paste the alias address into the form.

So… whenever you’re in a position to give out an email address, you can create a new email alias and give that out, instead. You can do this when signing up for an online account or filling out an online form that requires an email address. You can even give out email aliases when you’re out in the real world (say, at a checkout counter). You can either pre-generate a handful of aliases or generate them on the fly from your smartphone – either with the associated app or by logging in to the alias service’s website and generating one there. And here’s the really fun part… if someone starts abusing your email alias, you can simply turn it off. You can still log in with that address; you just won’t receive any more emails.

Downsides of Email Aliases

There are a couple downsides to using email aliases. First, some web forms and services specifically reject the use of aliasing services. The alias addresses will use the aliasing service’s domain name, which makes them pretty obvious. Because these sites want to track you, they may not allow you to sign up with an alias.

Second, all emails using your alias will be forwarded through the aliasing service. This means that, unless the email is encrypted, the contents will be visible to the aliasing service. Now, if the aliasing service is your email provider (see below), then you’re not introducing a new party – you’re already trusting them with your email.

Finally, and this is minor, but it will be impossible to remember these alias addresses. Let’s say you signed up with a department store online, but now you’re in the brick-and-mortar store. If you’re at the checkout counter and need to give them your alias address, you’re going to have to look it up.

Email Aliasing Services

There are several good email aliasing services available today: Apple’s Hide My Email, Firefox Relay and Fastmail’s Masked Email, to name just a few. If you love the idea of creating entire new virtual personas, you should check out services like MySudo. I actually use all of those, but I like using SimpleLogin for aliases. (I interviewed the founder, Son Nguyen Kim, shortly after they were acquired by Proton – we dive into this topic deeply.) It’s a great service, it’s simple to use, and you can now use it with Proton Mail – my favorite private email service. But you can also use it with any other email service.

In my next post, I’ll give you another interesting option for generating email aliases using your own web domain. Once it’s set up, it’s actually easier than using an aliasing service. And it has some other interesting benefits, as well.
