Fastmail has a "masked email" feature, which will forward emails sent to (potentially temporary) email addresses to your regular email account.
So will SpamGourmet[2].
Of course the problem with all these services is that you're giving yet another third party access to your communication and giving up your privacy to them.
They are all, as far as I know, completely unaccountable regarding what they do with the information they get from your private communication.
No matter what they say in their privacy policies, press releases, or PR, there's no way (as far as I know) to reliably verify any of their claims.
That said, I'd still rather deal with a company which at least claims to respect privacy rather than one that (like Facebook or Google) either spit on it or make money off tracking me and datamining everything they can about me.
There is the fact that, at least in Fastmail's case, you're paying for the service so someone would need to pay a LOT for the data for it to be worth it to the company to risk losing paid customers.
unfortunately this is also a signal of a juicier target for monetization, not that fastmail is doing shady things like that, but that's what less scrupulous companies see
The biggest missing feature on Masked Email by Fastmail is they don't remove trackers, as far as I know.
Masked Email gives you more privacy (the identity behind the receiver is unknown) and with data breaches, there's is no login data leaked.
Duck's Email Protection does also remove trackers from the forwarded mails. So senders can't trace back whether you have opened the mail. I hope they also remove click trackers, but I am unsure how they would implement that technology with the referral codes in the URL.
In Fastmail you can choose to only display images for emails that are in your contacts. Proxy is just another layer of protection for when you actually want to see the images.
As long as you use it for potentially spammy website account, you can minimize your footprint. Don’t use it to mail friends or co workers for example. Use multiple services so no one service knows the whole picture.
I have been using SimpleLogin for some time with my own domain and they have an open source backend so I am planning to host it myself so I can even use it for personal emails.
Right. I use two other e-mail forwarding services, and neither one requires an app or a browser extension - they're controlled through simple web interfaces.
While I'm a happy user of DDG's search engine, their e-mail service is not something I'd use.
I am not aware of any waiting list for this service other than installing the DDG app and signing up for the waiting list via app settings. I had searched around. It seemed that was the only way. At least by DDG officially.
There's plenty of such solutions, both selfhosted and otherwise. of course as soon as your domain is listed on disposable email lists, you'll be denylisted from many sites but fortunately enough usually the sites who care about who you are are the least interesting ones, and it's still possible to register in many places using disposable inboxes
EDIT: I should also mention most disposable email domains get added to the denylist after much use/abuse. By multiplying the domains/IPs serving disposable mailboxes, we greatly reduce the chance of being listed at all.
That's a fair concern. I just went to sign up now (apparently my invite was ready but the app hadn't notified me yet), and there's a section that promises their privacy protections will not be weakened by an acquisition:
> We will not allow an ownership change to weaken these privacy guarantees.
DuckDuckGo (officially Duck Duck Go, Inc.) is a privately held, independent company, and has been since its founding in 2008. If we are ever acquired by another organization, or if another organization purchases this service, we will email you with details. However, we will not proceed with any deal that weakens these Privacy Guarantees.
As a (former) lawyer, I'd say that this provision is something I've considered necessary for a business to make a credible promise not to sell out at a later date. I have never seen such a provision before, and it makes me feel more confident that they've thought this stuff through and are willing to be held to their promises.
Well, once they get acquired with the promise that _privacy guarantees are not weakened_, what stops the acquirer from weakening them a year later? Just like Facebook and Oculus.
DDG would have to put teeth in their acquisition agreement such that doing so would result in an enormous surcharge or some such thing. They could also make a huge stink publicly, which would result in a mass exodus from their service, making such a move less lucrative for the acquirer.
But yeah, there's always a chance that these protections will go away. That's why it's important that they don't keep data right now, so if anything changes later you can just stop using the service (assuming you check HN daily so you'd know if anything was up!).
Is it possible to craft T&C that has a strong legally binding guarantee that future acquirers have to comply with, such as keep specific features or provisions? Something that would even stand in case of bankrupcy?
I don't think anything can be drafted that would be sure to survive bankruptcy. That's why it's important that they don't keep information in the meantime. If things go sideways, then you just stop using the service. They've committed to telling users if they're being acquired or whatnot.
They could setup a nonprofit ngo which had their user data keeping as it’s sole purpose, and privacy enshrined in it’s charter.
The nonprofit would be financed by ddg or whoever buys ddg, but the management of nonprofit would be forbidden from sharing the data regardless of how much anyone pays.
I mean -- in a similar way to Apple, it's how they want you to see their brand. So no guarantees but it would be shortsighted of them to sell the info somehow. Definitely possible but I'm optimistic that they wouldn't.
You should probably consider self hosting your disposable email service. Sending email from home is tricky (at least to gmail/microsoft) but receiving usually works perfectly.
Ah, I was hesitant to even picture spinning my own thing up because of the commonly discussed hurdles. If there's a significant difference in ease between receiving and sending, I could live with that. Sounds super fun actually.
According to some friends, receiving email even works fine on dynamic IPs updated via some kind of DYNDNS-like service. I should probably do that, too! :)
Nope consumer ISPs typically block sending stuff on port 25 whatsoever, and even if you get past your ISP Gmail/Outlook will block you even if your setup is perfect (reverse DNS, DKIM, etc): that's due to monopolistic behavior that's completely disconnected from reasonable expectations of spam protection.
Basically the invite to a fresh trendy email address (I'm trying to get a short username over here!) is bait to download the app, the app is not necessary to use the service
I just downloaded it and think I'll enjoy it if it doesn't have the browsing quirks of firefox, it has a great "inferno" animation when you hit the button to close all tabs and delete history. Works with my password manager, promises to block trackers, meh, why not?
DuckDuckGo for iOS or Android is not an email client, but a web browser. The "join the waitlist for a free protected email" thingy is just an item in the settings.
Shameless plug for my project: https://www.mailbox.my also offers email addresses that forward to your existing email. You can send emails from that address as well, not just replies. We have 150+ domains to choose from. Some nifty features coming up, too!
Let me know if there's anything you are missing from your existing email service, always looking for ways to improve!
> we are not willing to participate in any dispute resolution procedure before a consumer arbitration board since it binds too many resources, but we are happily willing to refund your payment in case you are not satisfied with our services.
If someone's mail is compromised, or they lose their primary email address, a refund would hardly make up for it. This basically reads as "you'll have to force us to participate by taking legal action"..
The dispute resolution would not cover any damages incurred, so it would be a refund anyway. That is my understanding.
Would you expect language that offers compensation for any damages incurred, for example due to a hack or the loss of an email? I do not believe any email provider has such provisions. Of course we are still liable for any misconduct as specified by law.
> we are still liable for any misconduct as specified by law
Would this not be a process of consumer arbitration?
For example, If I believe there is misconduct, a GDPR or privacy violation say, is the process not to open a dispute with the EU, and then maybe go to an arb? I'm not aware that other email providers say upfront that they wouldn't participate in such a process.
There are many companies who do not participate in this process. I did not want to spend lots of time setting this up and adding another middlemen when the alternative is much simpler (contact us and get a refund). I still do not believe this platform is meant to claim damages, that needs to be done in court.
But I will have another look and probably support it when I find some time.
Edit: It's fixed now, we support the process. But please just send en email to us it's much easier ;)
I have used such service for some 20 years. It's called sneakemail.com (paid service) It's great. I have several hundreds of addresses, and only a dozen or so I had to close because they started to produce spam. Interesting enough most of them pretty renowned businesses from the days when privacy policies did not exist.
The nasty thing is that an increasing number of businesses block such onetime addresses (there are lists on github). Linux Foundation a prominent offender. They send me their marketing BS, but I cannot unsubscribe because "my address is invalid". My bank is a recent addition. They still send me email, but several functions in my online banking don't work because I have to "confirm" my email first and the one they have on file and works is not accepted.
I hope such services would be widely used that no serious business can afford to block them.
I have also been a sneakemail user for probably 15 years and have accumulated over a thousand addresses. Two years ago I switched to using a catchall .com domain because the sneakemail domains are blocked so frequently. Domains from other services like 10minutemail.com and fakenamegenerator.com tend to
be blocked, too. Plus addressing is also hit or miss — sometimes a system will let you sign up with a plus addressed email but other parts of the system will reject it (ahem, banks).
15 years ago, a catchall email domain was unthinkable since spammers would try dictionaries of words against a domain in hopes of finding legitimate email addresses. However, this no longer seems to be a trend.
> I hope such services would be widely used that no serious business can afford to block them.
From a businesses point of view it's a tricky one because disposable addresses are widely used when someone's trying to abuse a service. Personally I find blocking email providers pretty gross, but you can see how someone facing a torrent of malicious traffic from accounts associated with disposable addresses could get annoyed enough to just block them.
Unlikely they would know provided you use realistic names/canaries and dont have dozens or hundreds of friends also using your domain with the same websites.
If the day comes that people can't use their own domains then companies will effectively cut off the very communication with their customers and prospects they desired to have in the first place.
I've been a spamgourmet user and fan for... must be 20 years now. Great service. I haven't run into any blockers like you describe, but I've long dreaded the day when I do.
+1! Sneakemail is fantastic and well worth the money.
I use it since 2007 but avoided mentioning it anywhere because of fear it could be banned by spammers; some already do. They probably will have to change their domain name one day.
I'm currently using Firefox Relay [1] and quite happy with it, especially with the plugin that makes it easy to create an e-mail on the website itself and Firefox will remember which website created which e-mail.
I have noticed that more websites are starting to block Mozmail but I am quite happy about the services so I will probably buy the subscription service and use a custom domain.
It's great to see all these services catching up to each other, though I've noticed that their privacy guarantees aren't always clear. For example, Firefox Relay just uses AWS SES to receive/send emails, whereas DuckDuckGo actually have their own mailing infrastructure!
I've been working on a similar project: https://shroud.email. It currently has basic tracker blocking like duck.com, but it's FLOSS and I'm working on docs for self-hosting.
According to the DDG browser I just downloaded to get in line for an invite, Hacker News gets a B+ in privacy, marked down for having "unknown privacy practices" -- what can a poor webmaster do to make their privacy practices known to gatekeepers such as this here duck?
Firefox Relay is a very similar service. I've been very impressed with it - does exactly what I need to protect my email. They don't do replies yet, though.
> For most Duck Addresses, replies just work. Simply reply to any email sent to one of your Duck Addresses as you normally would. We route your replies through duck.com so they're delivered from the Duck Address they were sent to. If your forwarding address is on a unique domain without an SPF record, replies sent from Duck Addresses aren't supported.
Does this work with gmail for anyone else? It definitely does not for me.
It is not working for me either. I have gmail as the hidden address behind duck. When I replied to a test message, the email did not "route" through duck.com. It went directly to the originator, where my gmail address was revealed.
UPDATE: It now works for me. I got an email from duck telling me about the feature, so I guess they are rolling this out slowly instead of to everyone at once.
This service is not ideal for spammers because it is not possible to initiate sending of emails using Duck at the moment. It's only for receiving and responding to incoming emails.
Worth mentioning that its back-end app[1] is also open source, not just their Android[2] and iOS[3] apps. So basically open source + custom domain = no lock in. But I'm not so sure how easy it is to set up your own back-end server (I imagine it's like setting up your own email server, which isn't trivial)
You might not get a notification when you get into the beta. That's what happened to me and someone else who told me about it. Check the DuckDuckGo app every once in a while to see if you're in.
I've been using the service for a couple months (got in on one of the first waves of beta invites). AFAIK, there is no sharing invites to others. I can't see anywhere where I can do something like that. I think you just have to wait until DDG sends out more invites themselves.
At the risk of adding heaps of low effort replies, I've been waiting for my @duck address since it came out. Can someone please forward me one if they have one spare?
There are a lot of reasons you should a custom domain instead. What happens if they shut down this service and all your important accounts are using the duck domain?
I'd primarily use a service like this for the heaps of non-important accounts/mailinglists, e.g. if you're planning to make just a single transaction with a service. The advantage of not using a custom domain is that your different email addresses can't be cross-referenced, spammers can't just guess additional emails with which to reach you, and that you avoid the risk of leaking personal information via the domain.
(Disclosure: I work on Firefox Relay and also use my own custom domain with a catchall.)
I meant use a custom domain with SimpleLogin or similar so you get the random email aliases but the same benefits of an anonymous email forwarder. You'd be surprised how many people think an account is not important until it is.
Yes, I do use that ("and also use my own custom domain"); I specifically mentioned a couple of benefits of an anonymous email forwarder with a shared domain that you do not get with your custom domain? To reiterate:
- different email addresses can't be cross-referenced
- spammers can't guess additional emails to reach you at
- no risk of leaking personal information via the domain
I appreciate that there's definitely a risk in adding a third party, but I think it's clear that there's also benefits of a shared domain, making it a trade-off?
(Oh, and to be fair, with a custom domain there's a relatively similar risk: it's relatively easy to lose control of a domain.)
You are not explaining how different email addresses can be cross-referenced with a custom domain or how spammers can guess additional emails to reach you. Use a subdomain then for your email aliases.
The risk of leaking personal information via a domain is the same risk as giving your real name when you signup for a service, or use your real name when you send emails. Most registrar solutions have a proxy WHOIS and if someone serves a court order to get your real name they are just as likely to get it from your registrar as they are a third-party company. Losing a custom domain is about as risky as picking a shady registrar, doing illegal things which will get you banned from an alias service if they are getting subpoenaed about your illegal stuff, or not paying your bill. I still think it is inherently better than an regular alias domain which is much more likely to get blacklisted than a custom domain.
> You are not explaining how different email addresses can be cross-referenced with a custom domain or how spammers can guess additional emails to reach you.
Oh sure, I can do that! So for me, one reason to use aliases is to be able to trace who leaked my email. However, it's pretty obvious if my email address is news.ycombinator.com@mydomain.com, that everything @mydomain.com is going to me. (And possibly, but I'm not an expert on this, if you use a service that handles that for you, it might even be automatically detectable via my MX records?)
And if you know that, you can both know that facebook.com@mydomain.com is also me, and that you can send me an email at whatever@mydomain.com to also reach me.
Whereas if my email address is, say, sd4k23@mozmail.com, then you can't know my other random aliases, while I'm still able to see who I gave that email address to via the relay.firefox.com dashboard.
> The risk of leaking personal information via a domain is the same risk as giving your real name when you signup for a service, or use your real name when you send emails.
Yep! I'm just saying that minimising the opportunities for me to make a mistake is a benefit.
Note that I'm not saying you should switch to a service like this; I'm just trying to show why I've started using both: my custom domain for sensitive services, and Relay for one-offs/few-offs (e.g. if I just want to get a coupon code or something).
> And if you know that, you can both know that facebook.com@mydomain.com is also me, and that you can send me an email at whatever@mydomain.com to also reach me.
SimpleLogin for a custom domain uses MX, SPF, DKIM, and DMARC records to help protect you. Yes, if someone does a reverse lookup they can detect that you are using the service, but if you are using an email forwarding service they can more easily detect the provider. I find it very rare for anyone to actually check the records. With their custom domain service you can also use a subdomain, so instead of polluting your bare domain, you can create a unique subdomain for email addresses. You can also use random aliases, so the addresses are not easily guessable (at all).
> Whereas if my email address is, say, sd4k23@mozmail.com, then you can't know my other random aliases, while I'm still able to see who I gave that email address to via the relay.firefox.com dashboard.
No, but then I know the entire mozmail domain is shared and so spammers will target it more frequently.
> Note that I'm not saying you should switch to a service like this; I'm just trying to show why I've started using both: my custom domain for sensitive services, and Relay for one-offs/few-offs (e.g. if I just want to get a coupon code or something).
I can agree there, if you are just creating temporary emails that you don't care if you lose then an alias-provider domain is fine. However, like most people the risk is that they either don't use an alias for other services that are more important or that they do and then the provider shuts down and they can't verify their account.
you can email duck.com to forward your address to another address. Would't that create a super easy MITM attack if someone stole your address and forwarded it to theirs??
As soon as a company signs up to facebook for a marketing campaign, yes, the first step is to upload a list of all the emails of all of your customers so that facebook can associate users with your emails and build look-alike audiences, advertising to people similar in one dimension or another to your existing customers
I don't know about GDPR, but usually a company has your email after you do business with them, so you probably implicitly agreed at some "continue" button to let them use your email as a part of marketing campaigns.
> Will replies from my Duck Addresses hide my forwarding address?
> The message will be sent from your Duck Address. Since DuckDuckGo doesn't create the message itself, we can't guarantee that it will not include your forwarding address or other identifiers.
> Get a free, personal @duck.com email address. Emails sent to it will forward to your regular inbox, with creepy email trackers removed.
Totally genius! I fear there will be a cat-and-mouse-game but hopefully DDG will keep relatively up to date.
[1] https://www.spreadprivacy.com/introducing-email-protection-b...