Undercover Inbox
An attempt at identity management!
Welcome, if you’re reading this then most likely you have been given an email address from this domain and are curious about it. Let’s clear 1 thing up first!
This is NOT an anonymous or temporary/disposable email service!
This domain is owned and operated by a single user, and any email address you have recieved from this domain will go to me.
This is not anonymous because if you were given an email address from this domain, you either:
- Asked for my information in addition to my email and I would have provided it
- or, you did not gather that information when you were provided this email and thus I am already anonymous without the use of this domain
This is not temporary/disposable because all email addresses are valid for the entire lifetime of the domain and always go to the same recipient.
Now that that is cleared up we can move on to…
Why?
So why does this domain exist?
Security
Good security practice means you should have a unique password per service. This ensures that if your password is ever leaked from an insecure service, it can’t be used to gain access to more critical services.
However, your password is one of a two part combination of credentials. It stands to reason that if the username for each service was different as well, if your username is leaked from 1 service it could not be used to access other services.
Thus the desire for a way to have unique email usernames for each individual service.
This can be solved by a simple “plus address” which is supported by many email services. However, since plus addresses are so common, many services are able to explicitly disallow their usage and prevent + from being valid in emails despite plus addresses not being an email standard, and thus there can exist perfectly valid email addresses out there with a + character in them. So by using a full domain to create unique addresses I can create addresses in any format that would be deemed acceptable to any service.
The only way a service could prevent this would be to directly block this domain directly. Since this is a single user domain I am sure that is unlikely to happen. From any given services point of view they should only ever see 1 user with this domain, so it’s unlikely it will be tripping any automated spam prevention mechanisms. Most likely it would be someone who is aware of an address from this domain, and that is the point of this site you’re reading now.
Privacy
Now, since we have a unique email username per service, the next issue is privacy.
So with the ability to have unique addresses per service, it’s possible to implement address tracking. Most likely the address provided to you includes your own service’s name in the address in some manner. Doing this means that if spam email starts arriving to a given address it’s trivial to track it back to the service which leaked it. This allows for either taking precaution about that service being compromised (unintentionaly leaked the address) or notifying me about the service having sold my information and thus I can avoid them in the future.
Spam
Spam seems like an inevitable fact of life, it is never a question of if your email will end up on some list, but only a question of when. However, with a unique email per service, it makes it trivial to block any compromised addresses. Since each address is essentially single use only and given out to a single service. If that address is compromised it’s easy to deal with.
If the service leaked the address unintentionally, I can change my email for that service to a new address and block all mail addressed to the old address. This allows me to continue to get mail from the service while blocking any incoming spam from sources who should not have had the address.
If the service leaked the address intentionally, then I can simply stop using the less than scrupulous service and block the address.
Does it work?
Yes, I have a singular case study that I’d love to share. I made a purchase on Etsy from a small single user shop. I gave them a unique address. A couple of months later, I started getting spam to that address. Since I knew that the shop was run by a single user who was interested in building their reputation I was hesitant that they had purposefully sold my information so I reached out to them.
They were very sorry to hear that the email had been leaked and informed they did not intentionally sell my information. We then went back and forth and while the spam I was getting meant nothing to me, it turns out it was very obvious to the shop owner. The spam I was getting was for the invoice software the shop owner was using to manage their store. So it was a 3rd party who had stolen the address on behalf of this poor shop owner.
If my address were not directly traceable back to that individual shop owner there is no way that this would have been traced back to it’s source. That invoice software is probably in use by many different users. If you have a single address that you give out everywhere and that address ends up on a list somewhere and spam starts arriving, there is simply nothing you can do. Yet with this system there was something I could do and I believe that the shop owner no longer uses that invoice software any longer meaning that tracing this questionable business decision at least had some, while definitely minor, negative impact on the company. That alone makes this all worth it!