How to Use Email Aliases (Part 2)

In my last article, I told you why using email aliases can both improve your security and protect your privacy. There are two main options for this today: an email aliasing service and using your own custom domain name. Today I’ll tell you about the latter. (If you haven’t read the previous article, definitely start there.)

Using Custom Domain Email Aliases

Using a custom domain name for creating email aliases is extremely easy, once you have it set up (which I’ll get to shortly). Once you own a domain name – let’s say, mydomain.com – you own every email address at that domain. You can make up whatever you want. Let’s say you’re at the Macy’s counter and you can get 20% off today by signing up for their newsletter. The clerk asks you for your email address. You say “sure – my address is macys@mydomain.com”. That may sound weird, and the clerk might look at you funny, but it will work. Email sent to any user name at mydomain.com will come to your inbox. So you can make up unique, valid email addresses off the top of your head.

This aliasing method addresses all three of the problems I identified with email aliasing services:

  1. Web forms won’t reject your email addresses because they won’t be from known aliasing services.
  2. Your emails won’t be forwarded through an aliasing service, so there are no privacy exposures.
  3. If you come up with a simple pattern for your user name choices, you will always remember what they are without having to look them up.

Setting Up Your Domain-Based Aliases

There are two main steps to setting up custom domain email aliases: buying your custom domain name and configuring your email provider service to use this new domain for email addresses. Anyone can buy (register) a web domain name. You simply find an authorized domain registrar like GoDaddy, Namecheap, or (my favorite) Hover, choose your domain name, and pay money.

The hardest part, honestly, is choosing your custom domain name. It can be almost anything – it just can’t be something that someone else has already registered. I would pick something relatively short, to save on typing (though domains shorter than 5 characters can be very expensive). You should also pick something easy to say – you don’t want to be constantly having to spell it out when you’re telling someone your email address. You can choose from dozens of top level domains (TLD’s), too. The most common ones are .com and .net, but there are many, many others. A typical .com domain will cost you about $15 per year. Others can cost a lot more, but the pricing is clear when you buy. Just know that there are sometimes discounts for the first year and then the cost goes up.

Configuring your email provider to use your custom domain can be a little tricky. But most popular email services support this now and they will have tutorials for setting this up (search their support site for “custom domains”). For example, here are the tutorials for Proton Mail, Fastmail and Apple’s iCloud. You’ll want to be sure to set up a catch-all address so that any user name will be accepted and routed to your inbox. (NOTE: To prevent emails from your domain being labeled as spam, you should set up DKIM, SPF and DMARC. Your email provider should be able to help with this. And the LearnDMARC.com site is a wonderful tool for checking these settings.)
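As an added example (not from the original article or from any email provider), the sketch below audits the SPF and DMARC TXT records you would publish for a custom domain and reports common weak settings. The record strings, the include host and the report address are constructed placeholders; DKIM is left out because its selector names are provider-specific.

```python
# Added example: audit SPF and DMARC TXT records for a custom mail domain.
# All record strings are constructed samples, not real DNS data.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txt_records):
    """Findings for the SPF record among the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if all_terms:
        # A bare "all" defaults to "+all", which passes every sender.
        if all_terms[0][0] not in "-~":
            return ["'%s' does not fail or soft-fail unlisted senders" % all_terms[0]]
        return []
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in the redirect target; audit that record
    return ["no 'all' mechanism: unlisted senders get a neutral result"]

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none requests no action on mail that fails DMARC")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

def audit_domain(domain, zone):
    """zone maps a DNS name to its list of TXT strings (constructed here)."""
    return {"spf": audit_spf(zone.get(domain, [])),
            "dmarc": audit_dmarc(zone.get("_dmarc." + domain, []))}

SAMPLE = {"mydomain.com": ["v=spf1 include:spf.mailprovider.example ~all"],
          "_dmarc.mydomain.com": ["v=DMARC1; p=none"]}
```

Calling `audit_domain("mydomain.com", SAMPLE)` reports no SPF findings and two DMARC findings for the sample zone; to check a live domain, fill the dictionary from your own TXT lookups.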

Other Benefits to Custom Domains

The most popular use of a domain name is actually hosting a web site. You don’t have to do this, of course – you could just use it for email addresses. But you could use your new domain to host a blog, post your bio, or just display some images. Of course, this could undermine your privacy, too. If you’re using the aliases to try to be anonymous, you should make sure that you sign up for the WHOIS privacy option on your domain name registration. This may cost more money (but it’s free for all Hover domains, which is one reason I like them.)

But something you may not have considered is hosting your own web services. Many popular web apps are open source and have a self-hosted option, like custom URL shorteners, VPNs, wikis, web-based office apps, and much more. Now, this will mean finding a hosting service, setting up a virtual server, and doing some server administration. But there are a lot of fairly simple, turn-key options out there for less technically advanced users. Just be sure to secure the server with some form of authentication.

Downsides of Domain Aliases

I really like using custom email domains for aliasing, but there are some downsides. First, there’s the cost for maintaining the domain name registration. It will be $15 a year for basically the rest of your life. If you let the registration expire, then someone else could re-register your domain and then they will get all your emails.

Second, domain-based email aliases are only as private as your registered domain. If someone goes to the trouble of figuring out who owns the domain name, they will know who is associated with all the email addresses at that domain name. Domain names must have a registered owner with ICANN, which allows you to search the owner database. However, as I mentioned above, you can enable WHOIS privacy (sometimes for an added fee) with your domain registrar to mask your identity.

Similarly, all your email aliases will end with the same domain name. It’s conceivable that data brokers could take the time to figure that out. If so, then once again they will know that all email addresses at that domain correspond to the same person. But unless this privacy mechanism gets a lot more popular, I don’t think this risk is very high.

UPDATE (12/22/2023): I just ran into the first instance of a domain-based email being rejected. The site that rejected my email address pointed me to a service that explained why: Verifalia. It passed a wide battery of tests, but the tool was somehow able to determine that the address I gave was a catch-all address: “Possibly risky email type: the external mail exchanger accepts fake and nonexistent email addresses. Therefore, the provided email address may not exist, and the existence of the individual mailbox cannot be verified.” I would argue with the characterization of “fake and nonexistent email addresses”, but unfortunately they aren’t asking my opinion. (My email address passed the tests for the other tool they mentioned: Emailable.) Let’s hope this isn’t a trend.
