How many times to you give out your email address in a year? Looking through an old, now-abandoned gmail account, I can see the sign-up acknowledgements from instructables, Netflix, Hackaday, and around a dozen more.

There are personal emails from friends and relations; reminders of dental appointments and PTA meetings; digital receipts from shops where I foolishly opted for the paper-free option at checkout.

halfords offers digital receipts

Trading your privacy in the interests of environmentalism while shopping at Halfords - irony is off the charts.

And then there is the spam - a small portion of it is blatant phishing or spear-phishing, but the majority is marketing from companies trying to sell a product and which bought a list of email addresses from another source.

A valid email address is a powerful tool and it is the foundation on which many cyber-attacks are built.

A brief recap on why you should keep your email address secret

In almost all cases, the basic authentication method for online services is an email address and a password. I can use my email address and password combo for Amazon, for Netflix, for ebay, for social media, and for countless others. Naturally, as a security conscious individual, I have different passwords for each of these, but many people do not.

This represents a huge security risk - as even if the password for an account is unknown, even the knowledge that an account exists is of interest to hackers, as it can be used as a vector for convincing phishing attacks.

And then there is the fact that marketing emails and other types of spam are just plain annoying.

How to avoid giving your email account to anyone

Fortunately there are several ways you can avoid giving your real email address out unnecessarily, and which allow you varying degrees of control over your information.

Option 1: Free disposable public email

Temporary email protects your real address

If you need an email address for a one-time sign up, and you’re sure you will never need to use the address again, there are so-called public email addresses. These sites will give you access to a shared email address without a password, which can be accessed by anyone with a link.

The services can be used to receive one-time activation codes, or to gain access to a site which requires you to have an account.

The upside is that you don’t need to give out your genuine email address - bypassing email verification processes, but that downside is that anyone can see the emails you receive. The address may also receive email destined for other people, and you will not be able to send emails from this address.

One such service is temporarymail.com, which allows you to select from eight different domains, and although you are given a random name on arriving at the page, the site makes it easy to create the name of your choosing.

Option 2: Dynamic instant aliases for your current email

How did your email get onto a list of spam senders? In all likelihood, it was leaked, sold, or hacked - and if you use this tip it’s easy to find out where from.

Thanks to a convention which began in the early 2000s, most email providers allow users an easy way of creating aliases for incoming mail by ignoring the plus symbol (+) and everything after it in an incoming mail.

As an example, if your email address was johnsmith@example.com, it would be able to receive mail addressed to johnsmith+123456789@example.com.

You can use this trick to add details of who you gave your email address to, so when it is inevitably used to send you spam, you know who to blame.

For instance, if you use your johnsmith@example.com email address to sign up for a Walmart gift card, you could give your address as johnsmith+asdagiftcard@example.com. Emails from Asda would still arrive, and you would be able to tell if Asda had lost or sold your data.

This can have financial implications. Europe’s GDPR rules mean that if a company breaches data protection laws, you can take them to court and claim compensation. In the US, data theft and data misuse are routinely followed by lawsuits.

Option 3: Buy a domain with catch-all forwarding

The downside to dynamic aliasing using the plus symbol is that it’s easy for scammers to defeat. It’s trivial to create a script which will strip everything after the ‘+’ and up to the ‘@’ in order to reveal your true email address - the one you probably use for your most important online transactions.

But it’s possible for you to create unlimited email addresses at minimal cost if you buy your own domain name.

You can purchase a domain name from namecheap for $1. It should be obvious that I own at least one domain name - thecrow.uk.

To set up catch-all email forwarding from namecheap.com. Search for the domain name you want using the site’s search bar. and select a top level domain from the options presented. .com domains tend to be the most popular and can be expensive. Less well known top level domains, such as .xyz, .click, or .cyou can be much cheaper.

Once the purchase is complete, click on ‘Manage’, scroll down to the ‘Redirect Email’ section, and click ‘Add Catch-All’. In the ‘ Forward To’ field, add your own email address.

What this means is that I can now use any thecrow.uk address and emails sent to it will end up in my main email account inbox.

Setting up a catch-all email address is easy

I can use amazon@thecrow.uk for Amazon purchases, bp@thecrow.uk for my petrol station loyalty card, and lidl@thecrow.uk for lidl plus. It does not reveal my primary email address, and in the event my details are leaked, it’s easy to track down the culprit.

NB: The Crow does not participate in any loyalty schemes at all. These are merely examples.

Option 4: Use an email alias manager

Catch-all email aliasing is cheap, and super-easy to set up, but you can’t use it as a fully functional email address because it doesn’t allow you to send mail - only receive it.

Fortunately, there are services which allow you to deploy and manage email aliases easily, and from which you can send, as well as receive mail.

One such provider is AnonAddy. AnonAddy offers free and paid subscriptions (up to $4 per month). I signed up to the free plan which offers, unlimited standard aliases, two recipients and a meagre 10MB bandwidth.

The free plan allows you to pick a username which will be used as a subdomain. This means that if you pick the username thecrow, all of your email aliases will be at thecrow.anonaddy.com.

AnonAddy homepage screenshot

During account creation you will be asked for your real email address and to accept the privacy policy (I’ve read it and so should you).

Usage is simple, and to aliases are created as they are used. This means that if I were to give the address asda@thecrow.uk.anonaddy.com to my local asda, the email address would pop into existence as soon as the first email is sent to it.

You can also create an alias by clicking ‘Create new alias’. It is not possible to specify the alias this way if you are on the free plan.

By default, emails are forwarded to the main email address you specified during the signup process, but from the alias dashboard, you will be able to specify which aliases should be forwarded to which named recipient.

If you find that an alias is receiving a lot of spam, you can easily deactivate the alias by clicking on the toggle switch. Any emails sent to the alias when it has been deactivated, will show as ‘blocked’ on the dashboard.

Using your alias to reply to emails is simple. Just hit reply in the main email account. The reply will be sent to AnonAddy, which will then forward the email to the intended recipient, and it will appear as if it is coming from the alias.

Sending an email is a little more complicated and requires special formatting.

If I want to send an email to david@example.com using my private@thecrow.uk.anonaddy.com address, I would need to put the following into the ‘to’ field.

private+david=example.com@thecrow.uk.anonaddy.com

Subscribing to either the Lite or the Pro plan allows you to use your own custom domain names rather than anonaddy subdomains.

Option 5: Host your own email alias manager

AnonAddy is a great service, but to use it to its full potential you need to pay, and to use it at all, you need to consent to your activity being logged and potentially shared with law enforcement.

The software itself is open source - meaning that you can modify it, contribute to the main project or deploy it yourself, wither on your on hardware at home or on a VPS - which can be rented for as little as $10 per year.

Setup is fairly straightforward, although time consuming, and grants you unrestricted usage - allowing you to create and manage as many email aliases as you like.

Option 6: BitWarden

BitWarden is an all-singing, all dancing FOSS password manager and comes in both hosted and self-hosted flavours. It has only recently come to my attention, and if you’re interested (and the type of person who still buys print magazines), you can read my thoughts about in in next month’s (I think) Linux Format magazine.

In a nutshell, BitWarden helps you to generate and manage passwords for different sites. One recently-added feature is the ability to create and manage email aliases on the fly to log into different sites. Combined this with a catch-all mailbox and you’re golden.

Be aware though that the self-hosted version of BitWarden requires 4GB RAM to run and is not ARM compatible, so a Raspberry Pi won’t run it. A 4GB VPS from Digital Ocean will set you back $20 per month. Alternatively, if you have any old X86 machines lying around, use one of them as a server.