TL;DR

This post is about getting more control over incoming email and having a simple way to spot who leaked or sold your address.

The trick is catch-all plus per-service addresses. Use your own domain with catch-all enabled, then hand out addresses like [email protected]. If spam shows up, you know exactly where it came from, and you can filter or blacklist that specific address.

If you want the setup steps, jump to “What you actually do (quick start)” below.

Intro

Email was completely redefined when Gmail hit the market. An inbox with a gigabyte of storage and Google’s famous minimalistic interface was a dream come true, assuming you could get an invite. The fact that it was marked as Beta for a decade was a running joke among us nerds.

Fast forward to today, and Google is looked at like a privacy-intruding bohemoth. They own the world, and the average user is just part of it. They collect data on everything we do, from talking to each other to driving, exercising, and even using our phones. I’ll be picking on Google specifically for this post, but that doesn’t mean they’re the only ones. There’s some real scary stuff happening behind the scenes at other popular companies, and you learn about it when you’ve been in the industry long enough. Apple gets a pass from their über-loyal user base, but they’re certainly not exempt.

How most people do it

Most people will sign up for email at one of a few major sites, like Gmail, Yahoo, or Microsoft. They’ll carry that address for their entire life and never consider changing their workflow. Most will create a second address for professional communications so their resume doesn’t have [email protected] as the first thing a recruiter sees. A few truly unique people will have as much as 10 email addresses they manage for various purposes: spam, family email, services and subscriptions, or one for a random login to a site they use once a year. No matter who you are or how you have your email set up, the method I’m going to lay out will address everyone’s needs.

What you actually do (quick start)

This is the 5-minute mental model of the setup. The details are different per provider, but it’s the same idea every time.

1. Buy a domain (or two) from a registrar.
   • I like Porkbun.
2. Pick an email provider that supports custom domains.
   • I like Tuta.
3. In your email provider, add your domain and follow their verification steps.
4. In your registrar’s DNS settings, add the records your email provider gives you.
5. Turn on catch-all if you want unlimited incoming addresses.
6. Start handing out addresses per company and per purpose.
   • With catch-all, there is no setup for incoming mail. You can just use amazon@{domain}.com and it will land in your inbox.

Official setup guides:

• Porkbun DNS basics (where you’ll paste records)
• Proton custom domain guide
• mailbox.org custom domains
• Tuta custom domain support

My DNS knowledge mostly tops out at running my own AdGuard instance and blocking ads (I wrote about that here). For email, I don’t do anything but copy/paste exactly what the provider tells me and verify it in their UI. Email isn’t something I care deeply about. Like phone numbers and my body, email is old and broken.

Difficulty level: low. The setup is mostly copy/paste, then waiting for DNS to propagate. Day-to-day use is zero effort, unless you want to reply from the exact same address you handed out.

The idea

I also recommend splitting domains by intent:

• One domain for personal/professional
  • This can be your name, your website, your “real” identity, whatever.
• One domain used primarily for email
  • This is your disposable address factory. It’s also the one you hand to random companies and sign up forms.

You can use the same exact methodology and privacy practices for both domains. Separating them just makes it easier to keep your public identity clean while still being aggressive with throwaway addresses.

What we need to do first is get a domain name. As mentioned before in many previous posts, I highly recommend Porkbun. Their domains are cheap and the site is simple. I was part of the crowd that jumped into buying domains at Google (again with them controlling everything), but I jumped ship when they transferred ownership over to Squarespace. Porkbun is a great domain registrar, and I’ve been with them for years.

Controlling your own domain provides quite a bit of freedom. You can pick any domain you want (like mcwain.net) and use that as the base for anything you want. Not only does mcwain.net host this website and email, but there are subdomains like files.mcwain.net that are used to share things with friends and family, or simply to host images for services. If your {last name} domain was available, you could own {first name}@{last name}.com and have that address be the face of your communication. It’ll instantly level up your cool factor by not having an @gmail.com email address.

Catch-all and per-service addresses

Let’s take that a step further. If you set up a wildcard (meaning you collect all emails that come into an address like *@{domain}.com), any and all emails coming into that domain will come into your inbox. Naturally, that sounds like a horrible idea, but stick with me for a second. This also means you can create an unlimited amount of incoming addresses for any purpose. Setting up your email like this is the key.

Now when we sign up for an account at something like Amazon, we’ll use amazon@{domain}.com rather than [email protected]. That way, we are in control.

All that email will come in under the amazon@... label. If Amazon starts spamming you from a bunch of different sender addresses, you can just spam-filter the entire amazon@{domain}.com address and be done with it.

If Amazon sells your email to a data broker (or leaks it), you’ll see amazon@{domain}.com show up from other senders. It’s a handy way to keep an eye on the trust you give companies when handing over personal info. When that trust is broken, I consider that a spam-worthy offense.

Also, replying from these addresses is optional. Most providers let you add a “reply from” (or “send as”) alias in seconds, and you can remove it just as fast. If you want to reply as amazon@..., create it. If you don’t care, reply from your main address and move on. I prefer to use spam@{spamdomain}. If a company address starts getting abused, send it straight to spam (or auto-delete it) and switch to a new one.

One more practical tip: do not use a catch-all domain as the email address you hand to real humans. Use it for companies, signups, and forms. For friends and family, give them a normal address you actually want to keep for years. The goal is to separate junk from what matters.

Of course I purchased the most ridiculous domain exclusively for email that I could find. Everyone comments on it, and not one person thinks it’s real. It took a long time searching through available domains and I landed on one that won’t be shared here. It’s along the lines of absolutelynotmyreal.email. The lady at Marriott laughed hysterically and said “this can’t be real. [email protected] can’t be your real email address.” I laughed while showing the receipt her system had just sent me. My dentist also couldn’t figure it out as they typed in [email protected]. Dental receptionists aren’t exactly hired for their understanding of particle physics.

Pick an email provider

There is a cost when it comes to hosting your own stuff, and email is no exception. Not only do we need our own custom domain name, but we also need a place to host email. I’ve been a Tuta.com user for many years now and I’m happy with it. They run for about ~$3.50/mo and it’s certainly worth it, in my opinion. It’s often said that when you’re not paying for a product, you’re the product. That’s definitely true for all the free services out there. Those services earn their money by shoving ads in your face, tracking everything you do, and selling all that information to data brokers around the world.

This doesn’t mean you shouldn’t shop around for alternatives like Proton or Mailbox.org to find one that fits your personal preferences. I landed on Tuta after watching bitcoin crypto thieves use it frequently to steal large amounts of BTC from unsuspecting institutions. If Tuta is strong enough to keep the thieves anonymous, then it’s certainly good enough for the nonsense that comes in my inbox.

Why this works

I mentioned that having your email set up like this gives you ultimate control over who can email you, and how. It can also serve as a way to know where an email is coming from without having to look too closely at the sender. There’s also the advantage of knowing if your email was leaked or sold. Here are a few examples where our own California state government neglected to respect my email privacy.

To be fair, maybe they were just concerned about my dead penis. That’s not something I want to be talking to the government about though. As you can see, I created an account at ca.gov, probably for renewing a driver’s license or looking for government employment. They’ve since sold it to spammers, or more likely lost it in an undisclosed data security breach (I’m shocked!). I’ve also had my email sold from other places like Black Rifle Coffee and local weed distributors. If they had my “main” email, my inbox would be flooded, requiring me to chase spam rules in hopes to organize a massive pile of crap.

Fin

If the idea is “I want control over my inbox and I want to know who leaked my email”, this nails it. It costs a few bucks a month and maybe an hour of setup time, but once it’s running it mostly stays out of your way. Then you can stop stressing over a disorganized inbox and just deal with the stuff that matters.