Using a catch-all domain is a mistake (opens in new tab)

I'm using catch all since forever. I regret nothing.

Two stories:

I don't use mails like facebook@domain uber@domain - that's too obvious. And knowing that may often disclose that I actually have an account registered on given page. I don't want that, so I go full random, using few words I have in mind, current few words from the song I'm listening too, etc. So password manager helps me with e-mails too.

But Sometimes when a website annoys me (stupid rules for passwords, crippled UX for forms, because re-writing a select component in javascript is such a brilliant idea, etc) I tend to insult the company I'm registering with using my e-mail or password, I mean mail: this.freaking.store.is.dumb@domain.com and pass: goDieInPain1312323$$$$. Once I registered account for a supermarket loyality card with some very little insult towards the supermarket. Later I got some huge amount of the points collected and their system crashed and I had to contact the support (the bonus was too high for me to give up on that). First via e-mail then via phone, when they were confirming my address. They helped me and said nothing about the name I was using.

Another story:

When I started with catch-all I was actually using mails like companyname@mydomain, and when I once contacted them via phone the person talking with me was not very into tech I think and were accusing me of... I don't really know exactly, but she told me something about me using their stuff without their acceptance, when I tried to explain that's my own domain she told me I cannot use their name, because that's a copyright infringement. Weird.

I've been doing this for close to a decade and sometimes salespeople and customer service people will ask to confirm, but that takes 5 seconds and isn't awkward (in my opinion.)

It has more benefits than knowing who leaked your email, it lets you easily filter your incoming email by who you gave the email to, and when your email is leaked it lets you shut off that email address. Of course you can also filter your email by the sender's domain, but that isn't as consistent, and doesn't help at all when your email address has been leaked.

It's true that you do have to set it up so that you can send email from the addresses to avoid not being able to reply by email, and you will want a password-manager or something to remember exactly what email you used, for convenience.

Personally I'm glad I've done this, it's made it much easier to organize my emails.

> The only benefit is that I'm able to tell when companies are breached before wider disclosures because I start getting spam emails sent to thatcompany@.

My big problem is that this is worse than useless.

I started doing unique-address-emails back in probably 2002 or 2003 and did it for around a decade before giving up.

A couple of times per year I would start getting spam or similar on an email address and would know exactly what had been breached and I would try to notify the companies involved. I'd probably spend an hour or two finding emails for key contacts and send a few paragraph email explaining how I knew they were breached etc...

90% of the time I got absolutely no reply whatsoever.

5% of the time I got a pleasant reply and someone said they were already aware or they would look into it.

5% of the time I got confused emails from a non-technical person that didn't understand how their PHP shopping cart software which hadn't been updated in 2 years got hacked, and didn't know what PHP or Linux or anything else was because the neighbor's kid had installed the site one time 2 years ago and now was too busy in college and why are you bothering us about this we have orders to ship!

5% of the time I got incredulous replies from technical people who insisted that I was wrong. That email address must have leaked some other way!

Then there was the last time I ever sent one of these emails. I guess I had found and emailed the owner of a company to email who had then added in his tech person. I explained why I had huge confidence something on their side was breached, but, couldn't explain to them what or how. They eventually got rather hostile about it, first accusing me of extorting them for the information (I never asked for money, but bounties weren't really even a thing back then like they are today). Eventually culminated in them adding in their lawyer with more threats and demands for my full name / address (presumably so they could actually sue me). I ignored them and fortunately the whole thing went away.

That was the last time I sent a report about one of my emails being compromised and shortly thereafter I stopped using tagged addresses entirely.

I try to disguise it a little to avoid the awkwardness, and also put the recipient into the subdomain instead of sender name. For example for grubhub I'd do:

me@grb.mydomain.com

No need to remember anything because it's all in a password manager. I've found this worthwhile, already blocked a couple spammers.

You could also go with something fully random, you still get the same benefit. It's easy to look in your email history and see what you originally used the email address for. Password manager obviously required though.

I've been doing this for over 20 years, and it hasn't really been a problem. During the occasional real-life interaction that requires someone to confirm my address and they express surprise, I just tell them that it's correct and I have advanced email needs. It never takes more than a few seconds -- nobody has ever said "please tell me all about your advanced email needs!" :)

> I use a password manager for passwords but I also need to use it to remember the associated emails.

I do this, too. It never occurred to me that you might not populate the email/username field -- it's kind of the password manager's job to keep track of that. :)

> The truth is no one really sells your email – at least no legitimate companies.

I think that on the whole, this is true. However, I have had a number of these addresses start receiving spam over the years. I think this is due to the companies' databases being compromised due to poor security. At the end of the day, the cause of the leak isn't greatly important, and I'm glad I can simply turn off those particular addresses.

Title says that using a catch all domain (whatever that is) is a mistake, but the bulk of the article about it being a mistake to use the other party's company name as the local part of a throwaway e-mail address which you use for communicating with that party. There is nothing about the catch all aspect being a mistake. You don't have to give a Hilton hotel an address like hilton@example.com; it could be bob-2022-05@example.com, right?

I use a throwaway e-mail system whose generated addresses look like this: 539-343-1293@example.com. The dashes can be replaced by underscores or periods: all are recognized, but not mixtures of them: basically three versions of the every alias is installed. (Why? I ran into a situation where I had to enter my e-mail address into a point-of-sale system that didn't accept dashes.)

There is no "catch all" mechanism at play. Each address is explicitly created, using a web-UI application that I wrote. The moment you create it, it goes live, as a local alias recognized by the mail server.

Each such address is associated with its creation date, and a memo field. If the memo field contains URL's, they get rendered into navigable form. They are editable. The memo field is what tells me who/what the address is associated with. I have a regex search box to filter the entries (quite a lot have accumulated).

The UI is like Web 1.5: you can checkbox these items and do bulk operations on them, like bulk delete, move to top, move to bottom and such.

When I delete an address, it immediately stops working. THAT is why "catch all" would be a bad idea; if you have a rule which routes any nonexistent local part to your inbox then you don't have any easy way to turn off an address which is being abused, other than going into the mail server rules and writing a rule to reject that address. That's not a fun UX, compared to a nice throwaway address management dashboard.

This system is called TAMARIND: Throw Away Mail Alias Randomization Is Not Defeatable. :) :)

Been using a catch all email domain since 2005. I've not had any major issues with it.

The entire "calling up and having to explain the username" thing is few and far between. Had that conversation in person and over the phone dozens of times, at most I get a little ask to verify I spoke correctly. Customer support doesn't care. They have people calling them up with an email address of "420hotcock69 at something dot tld". The entire "your company name at silly domain dot tld" generally doesn't phase them.

Mispelled accounts? Rarely happens. Copy and paste the domain. Use a password manager. The only time I have trouble logging in is when I can't remember if I used social auth or created an account.

As for getting email accounts purged? Don't bother. Stop using it for whatever legit reason. Then set a filter to mark all email to that user@ to be sent to spam/deleted. Problem solved.

The ONL time I've had issues was a few random systems that had funky rules for verifying fake email addresses. Oddly they sometimes look for their own domain name in the email address. So I can't use the exact domain name at those.

> The truth is no one really sells your email – at least no legitimate companies. The one outlier is political campaigns: they'll share your email till the end of time. No matter what I do I can't get bernie@ purged from any lists. Every level of government has that email and they share it as widely as they can. I'm pretty sure I only gave him $20 a decade ago.

Interestingly, when I was in Texas this never happened. I voted, I attended rallies, etc... The Democratic and Libertarian parties there just never sold my information; moreover, they never added me to lists or texting campaigns.

Then, I moved to California and the flood gates opened. I was getting back to back text messages from "campaign organizers". Later, I found out these are just normal people texting me from a burner phone because I angrily replied to one of the texts. Why, in this day and age, the Democratic party would entrust my name and phone number (and who knows what else) to some random "volunteer" or "advocate" is beyond me. You don't need to spend more than five minutes on the internet to understand many people who use that title do so with misaligned intentions.

Nowadays, I report their numbers to Google and they automatically go to spam.

reminds me a bit of the family member who owns firstname@lastname.com and can't get random non technical people to believe that their email address domain really is lastname.com

"but don't you mean at gmail.co..."

no

For weeks our Shopify app was getting rejected because "you cannot use the Shopify name or trademark in your app". It wasn't... repeated requests for clarification just got back the same form response.

After a several frustrating back-and-forths, finally someone at Shopify said "check your email address".

The developer contact email address we had submitted, which was only used for shopify<->us communication and no customer would ever see, was shopify@ourdomain.com.

<facepalm>

One problem I have with catchall is passing my emailadresses between "rings of trust". Example: say I have an email for close friends and family: me@example.com. Everywhere else I use spam<random_number>@example.com. All's well, until some well wishing family member decides to give me a gift in a form of subscription, or something like that, and uses my email they know: me@example.com. And just like that the whole carefully built house of card collapses.

I wish there was a simple equivalent for phone numbers. Even if I had to pay <$1 / month per unique phone number it would still be worth it.

Too many services now need a phone number "for my security". I use my Google Voice whenever I can but there is no way to trace the leaker from that. Car dealerships appear to be a big source of leaks in my experience (significant uptick in spam calls and texts after I give a dealership my GV number).

I do this and my biggest regret is that I cannot easily check haveibeenpwned.com to find out if any of the accounts have been breached.

I strongly disagree. I've also been using a catch-all domain for more than a decade and giving each sign-up it's own name@mydomain.com. I can remember one small issue. Otherwise it's never been a problem. The problem has been getting marked as spam for running my own mailserver. But it's all worth it in the end.

I'm going to mirror most of the other commenters in saying - I've been doing this for nearly a decade and have basically never had an issue with it and have absolutely prevented some spam because of it. The "social awkwardness" problem of using "Company@example.com" can be solved by using "PineappleBanana@example.com" instead or random characters or my personal favorite throwaway "[Company]SentMeSpam@example.com". Yea, you might have to use a password manager to know which random string of nouns is tied to what account - but no more "social awkwardness" of using the company name in your email (can't say I've ever had that experience either...)

In fact the only issues I've ever had with a "non-standard" email address (aka: not @gmail, @yahoo, @hotmail, etc.) is that one of my domains is a .ru address and even before the modern-day issues surrounding Russia .ru addresses get blocked in many places. My fallback email is an email hosted by https://cock.li which being chan-adjacent also gets blocked so occasionally I simply have to accept that I am not wanted as a user because my email isn't good enough.

I've had sales and customer service ask me about this a handful of times and I simply said: 'It's a unique email address so that you guys can't sell my details or get hacked and lose my email.'

The only interaction that stick in my mind regarding this when one of the sales people asked me how they might set up their own version of catch-all domain. That's about it.

I don't buy it. The number of people on HN that say, "it takes non-zero effort, and it was hell to exert that little bit of effort, so you shouldn't do it."

That might be a worthwhile message for a hardware hacker site where putting effort in to email configurations might be different enough from the meat of what most people are doing, but for this site? No. Don't try to sell "hacking is slightly hard, so don't do it" to hackers, please and thanks.

I've been doing individual email addresses for ages, and I've forced more than one company to disclose breaches because I was able to show with certainty that an address couldn't have been lost any other possible way.

I agree that using per-company email address to sign up is not a good idea but I love my catch-all email address.

When I'm testing my software (professional or personal) I can "create" emails on the fly for new user accounts. Yes, with Gmail, you can do the base+anything@gmail.com trick but with my setup I never need to rely on that (or worry someone might block it), I just use anything@mydomain.com and I'm good to go.

Same for my LLC, I have a catchall so I can setup things like accounts@mydomain.com and get all those emails to my main josh@mydomain.com email address and then in the future if I need to turn that into a group or it's own email address it's super easy and forward compatible. Just like support@mydomain.com, right now I'm the only one that handles that but I can hand that off in the future if I need to without any issues at all.

Tangentially related: getting your own name as your domain name is really nice in more ways than you might think. Giving my email over the phone is a cake walk, I've normally just given them my name, then I just say "josh at joshstrange dot com" and I never have to worry about spelling or them hearing me perfectly since it's just a combination of the info I just gave them (my name). I get comments about it from time to time but buying that domain in high school was the best decision I ever made when it comes to tech/email. It's stayed the same for well over a decade and I never had to give out an embarrassing email or worry about "what email did I use to sign up for that account?".

I use catchall domain for... everything. Every account at every entity has its own unique address, since probably well before 2010. I have always more than happily accepted to have my address saved into marketing databases.

I can share the frustration sometimes with employees turned sudden internet experts and "teaching" me that my email address cannot start with their employer's name. I usually retaliate by withdrawing my consent to be registered into their database.

And that ends there, I disagree with everything else in the blog post.

1. Catchall facilitates blacklisting when it becomes necessary: whatever rotating address is used by the sender, I blacklist myself as the recipient.

2. It helps detect who shares databases with whom. This is not necessarily about "selling" but more often it taught me which companies operate with which companies under the umbrella of that "and our partners" statement found in every privacy policy written by legal consulting firms.

3. It's a smoking gun for companies wbo get hacked without even knowing it. I have been informed several times of a compromise before the company itself knew it.

4. I also use suffixes on my catchall addresses, this allows me optimize my email filters.

5. It makes correlation more difficult across databases and anything that helps achieving this goal is a win for me.

6. I use a password manager, I use both the login and the password fields. The title of the entry always allowed me to find the account very efficiently.

I can probably find other reasons, I'd just conclude that after more than 10 years using a catchall domain, I still can't imagine sharing the same identifier across all my interactions.

I think they meant to say to avoid using email canaries named after the company one is emailing. I used to do this but it has been a problem as companies are catching on and blocking these addresses.

My most recent experience was with the Tractor Supply Company. They were upset I used an email canary so they called it "fraud" and cancelled my gift card. I've spent some of my retirement turning their customers away and might even put a few billboards up to warn residents of my state about their fraudulent behavior and lack of integrity.

Anyway since then I have been creating more realistic looking canaries that I can still tie back to the people I interact with, thus allowing me to notify them if their email databases have been compromised. I will never stop using canaries regardless of what ire and bad behavior it draws from corporations. It seems to be a good way to detect shady businesses now in addition to companies leaking or selling their contacts.

I had to stop using plus-addressing (me+brand@gmail.com) because of broken email address parsers/validators. If I was on the phone with a support agent, I would give them my plus-address and their system would reject it and they'd ask for another one. Stubbornly, I'd refuse to budge and insist that is my email address that they need to use. It got to the point where I'd either have to forfeit my healthcare/tax/flight/<whatever> account or give up on the plus-address. And if they asked about it, I'd explain honestly that it's because I don't trust them.

It did reveal some interesting data leaks sometimes including on npm [1], but the hassle wasn't worth it.

I now rely solely on spam controls again.

[1]: https://twitter.com/mholt6/status/1315743799335763968

I had the exact same experience! Almost verbatim. Nowadays, after one very long weekend spent changing my email address across dozens of different websites and services, I just use name@name.red instead of anything service-specific. Even now, though, the fact that it's a ".red" rather than a ".com" is too much for some people (e.g., my student loan servicer doesn't support .red domains at all). It's fun being special until it isn't.

I was purchasing a car at local Honda dealership and the salesman refused to believe that my email address was honda@mydomain.com. He just insisted that I should tell him my "real" email address. If it happens today, I would just walk away. But back then I was a new grad who just got a new job and really wanted a new car in a new city, so I said "fine, does mylastname@mydomain.com sound more legit?" He was ok with that. I brought the car back home, and set a new inbox rule that blocks all emails to mylastname@mydomain.com. Because I can't think of a reason to use mylastname@mydomain.com in any cases. I have never heard anything from Honda ever again.

I once got a text message from an agent after a dealership visit, he asked me why I just couldn't give him a good feedback since he worked so hard and I seemed to be happy with the result. I was like "sorry, but for some reason I can't receive emails from Honda, including after-visit survey".

> The truth is no one really sells your email – at least no legitimate companies.

Speaking of this, I actually did sometimes catch someone sold or leaked my email addresses. They usually came from spam emails with "Undisclosed recipients" that I had to dig into headers to find out which one of my addresses was leaked.

Most of addresses used in spams are the ones I shared with individual/small business and I would like to believe that they were not intentional.

The only legit, big company that sold/leaked my email was Docker. I applied for a new job with docker@mydomain.com and a year later a bunch of recruiting spams came to me via that address. Although it was possible that it's just that particular recruiter forgot to shred my resume after I rejected their interview invite.

For people who are having problem with the "hilton@domain.com" situation, consider using ROT13 or some other similar scheme (hilton becomes uvygba).

Other alternatives include:

1. shorten it so much that it's not revealing anymore (hil@domain.com)

2. use another language if you're multilingual (hiruton@domain.com for Japanese)

What’s weird is I’ve noticed some sites and apps don’t like their name in the account name and won’t validate.

For example, I tried signing up for the Chronometer app using chronometer@prepend.com and can’t make it through their sign up process.

I’ve always wondered what kind of programmer makes their domain name as email not work. I’m guessing it’s some testing or debug shortcut but won’t have closure.

I’ve probably noticed 6 sites over the years like this.

> The truth is no one really sells your email – at least no legitimate companies.

Yes, but legitimate companies leak data now and then. I get metric tons of spam to dropbox@, linkedin@, myspace@, moneybookers@, etc.

"The truth is no one really sells your email – at least no legitimate companies. "

Of course, because legitimate companies used to sell your cookies, which basically are going the convey the same information about your profile.

Now in the cookieless era of CDP platforms and identity stitching, having different email addresses may be more useful.

I don't understand the part about awkwardness with customer service people. How often does that really come up? And, if it is predictable, just spend a minute and think of some satisfying reply and then use that whenever it does come up.

"Oh, hilton@notcheckmark.com? You must be a big fan."

"Yep, cause of the great customer service."

Done.

Regarding shooting yourself in the foot by using nonstandard naming - seems an easy solution is to just use the entire SLD. If registering in person, I guess that's a bit harder, but either way make sure you save the login in your password manager.

I've been doing this for 5 years and while I agree that leaks are rare, it has been only smooth sailing.

I use thunderbird with an addon that automatically sets the responding email address, and have a script called "email" that generates a random address (no prefix or anything) and puts it in my clipboard. If I want to k ow what I used an email for, I can find it in my password manager or by checking from where that address first got mail.

Signing things up in person, I just use human-randomly generated strings.

In short: I have none of the problems the author has...

I did it for years, until someone started dictionary spam runs on my domain. That was a pain, so I whitelisted the ones I used, and went to email-company@domain. Works pretty well, I’ve black holed 20 or 30 over time, and it’s a decent second check on phishing emails.

Sadly, because I chose - instead of plus, I’m going to be hosting my own inbound email for the rest of this domains life. (And since it’s mylastname.net, that’s going to be a while)

I'm also doing this and see multiple benefits.

However I've recently been bitten by my catch-all, using a money transfer service with the email worldremit@mycatchall.com (guess the company). When they asked for additional documents to verify my account after many months, they never received my reply and I ended up banned. I could not login anymore. When I reached out from another email address, they refused to process the documents because they originated from another, unauthorized email address, and asked that I resent the original email from the registered email. I suspect their anti-phishing filters just ban any email containing "worldremit", so it never got through and despite multiple thorough explanations I could never get someone to listen or reinstate the account.

I'm still getting the newsletter though, because unsubscribing requires logging in first... But then I can just ban this email address, so at least the anti-spam strategy works!

> I also have a bunch that I've misspelled. My GrubHub account is gruhub@. I use a password manager for passwords but I also need to use it to remember the associated emails.

I find that to be a strange complaint. What password manager is being used that doesn't support a username alongside a password in an entry?

I've been using a similar system, only that I additionally append a random 5 digit number, so that if e.g. hilton-68425@domain.org gets leaked, that doesn't automatically make hyatt-95813@domain.org easy to guess. Though it does sound like something that might be possible to brute force.

Also, they feed into different subfolders of the same main address.

It definitely has caused some issues, but nothing that would make me regret choosing this system. Obviously the email gets stored in the password manager. And even if not, I just look at the existing emails and check their destination address.

Honestly, the most annoying part is the setup of new addresses. I might look into a way to automate that.

Although it is true that I have not caught a single company giving the email away, but it still helps me keep the inbox organized.

Cringe take, but fair enough on the bank freaking out part.

My interaction with them went like this:

>staff: And what's your email address? >me: $BANK_NAME@$MY_DOMAIN >staff: chuckles

And on the next day I got my bank account flagged.

Edit: Turns out the restriction was not related to the email address. It was a red Canadian bank.

I would say large banks like Citibank, DBS or HSBC would never care to this since all external emails are written to have a huge 'EXTERNAL' in the subject and a disclaimer before the content.

I've had people try to guess my login with Company ABC once they learned of my CompanyXYZ@mydomain.com address. Avoiding the reuse of email addresses helps here, the same way avoiding the reuse of passwords does.

For blackhats, with catchalls you can create multiple accounts on sites that try to prevent it by assuming everyone only has 1 email address.

For me the biggest drawback is migrating ALL those emails if your provider decides to end support for catchalls (like Dreamhost).

I’ve also been doing this for more than a decade. Other than my spouse rolling her eyes when I give an email address over the phone, it hasn’t been hard and definitely has helped. I have put blocks on a few email addresses that were involved in data breaches and became spam spigots.

I've been using email aliases for over a decade and have never experienced the leading examples the author mentions. Although I already have email accounts setup for impromptu scenarios, setting up an email alias in one minute is easy enough.

Never had any trouble with catch-all. Except once in about twenty years have I met a pissed off restaurant owner at my table who thought I'd hacked his website. Only thing I do different since is that I sometimes use `base64@domain.com`.

For those of you using a catch-all domain - how do you keep track of it if you do not have a simple mnemonic like the name of the company you are getting emails from? Do you use a spreadsheet?

Are there any phone services that let you have multiple numbers so you could do something similar for phone stuff?

I used to have one of my domains configured to accept all mail, after spam filtering. The result was amusing. I had the domain in .com, and a school in the UK had the same domain name in .co.uk. So I'd get some misaddressed mail, usually at the beginning of the school term. Not that much.

One day I got a message "I am going to kill you tonight". It was from someone at the school, intended for someone else at the school. I wasn't sure what to do, especially since it was the middle of the night in the UK. Call the cops in the UK? Finally I found an emergency number on the school's web site, and ended up reaching the headmistress. She was at first annoyed at being awakened. Then she was fully awake and annoyed. Once she heard the name of the sender, she said "He's only 12". Some kid was in for a major chewing out, but the situation did not require police.

If that had happened in the US, there would be a SWAT team callout.

I've had some of the same experiences as the author. "Do you work for..." or "You must be a big fan..." And plenty of "How do you... "

A few sites actually check for and prevent you from putting their domain name in as email (probably something about having employees sign up... ?) so that's a bit annoying.

I think it's worth it. Among other things, if any one alias becomes tainted enough, I'll throw it on a burner account so those emails go into a black hole, instead of my spam folder. And I'm always using a password manager on a computer, rather than trying to remember email when I visit a retailer. (Often, these days, if I'm in person, I just make up some kind of abbreviation - instead of "Ollies@", "olbgo@" because I don't care too much and even if I forget where it came from, it's not a big deal.)

And there's a slight security benefit if one email + password leaks, though these days every password is unique too (was not always the case... ah the naivety of my internet youth.) I don't think email addresses get sold "a lot" but they sure do get breached a lot and end up in the hands of spammers. Cadillac@ actually got sold or breached quite quickly after I signed up for a free car brochure, about a decade ago.

With my current host (NameCheap) and Thunderbird, it's very easy to change my from address - it just works without any hassle.

Before Cloudflare, I built a company around this called Unspam. It wasn’t commercially very successful, but it allowed you a ton of power around routing/filtering emails on a per-email basis (e.g., require senders to certain emails to pass a Turing test, add a header to others, turn up or down spam filtering by the address). I haven’t had the problem the author references, but mostly because I preface conversations with: “This is going to sound weird, but my email is…”

There’s a security benefit in making your email not-the-same across services. Yes, perhaps many of mine are guessable if you know the pattern I use. But it defeats non-targeted scanning. People target me (I was just sanctioned by Russia along with Mark Zuckerberg and Marc Benioff! Woot!!) yet exactly zero people have targeted me this way.

I’m still one of the few remaining Unspam users. Works great to this day. (Impressive given I wrote the PERL that powers it.) Actually think someone could spend a week with Cloudflare + Workers + Email Routing + Area1 and replicate the functionality+++. I’d gladly pay $5/mo for that. Wouldn’t be a big business. But an example of a bootstrappable lifestyle business that could easily cash flow enough to healthily sustain a couple developers.

Let me know if you build it:

crazyhnidea@matthew.unspam.com

I agree with a lot of the other comments here. I've been using a catch-all for years without significant problems. I think the closest to an awkward moment was when a small web comic artist wrote to me a bit confused. I had used the name of her comic to subscribe to her newsletter. I explained what it was and we had a laugh - if anything it perhaps increased a bit of human connection between us that otherwise wouldn't have existed.

I feel as though the author is throwing away a lot of advantages because of some minor social awkwardness that can be worked through, or completely avoided by using a different naming pattern.

We're even starting to see one-off emails created for you automatically (iOS can do this) because of the number of advantages.

I have not encountered the author's 2nd issue because I use a password manager.

I have encountered their 1st issue (awkward encounters) and consider it a feature. I guess this depends on certain extro/intro-vert-ish human preferences, but it can be a nice talking point if you approach it right.

The author's argument can be generalised to an appeal to normativity - doing ANYTHING that isn't common practice will garner awkward interactions. It's also a necessary early-adopter stage of anything eventually becoming common practice (and catch-all domains are becoming an automatically supported feature in many services now so here's hoping it does).

So it turns out using a catch-all domain wasn't a mistake.

Confusing companies by using THEIR name, being completely disorganized with the names and not even saving them in a file, was a mistake.

Have to say, disagree with every single point. It also feels poorly argued. The example about not being able to log into grubhub stuck out to me within 20 seconds of reading. He says he uses a password manager, then says he has to navigate many accounts while trying to login. Any sane password manager is not simply a list of emails and passwords, but also the SITES they BELONG to. This can't have happened the way he describes it.

Also, in particular, I can't understand the social awkwardness. I don't see how the interactions he has described are awkward in any way. OK, once in a while you have to explain yourself. Sometimes you might have a laugh about it. 95% of the time you just repeat yourself and move on. There's nothing awkward here. Unless he's using a different definition of awkward, as well as social.

Using a catch-all domain _was a mistake for me_ would be a more appropriate title here.

I’ve been using a catch all for years now and have had nothing but amusing and fun interactions and discussions with folks about my email addresses. People often understand pretty quickly and think the concept is actually cool (even if they aren’t running out to buy their own domain).

I’m far annoyed by my weird, hard-to-say/spell house street name but that’s harder to change (:

Just to provide a counterpoint, I've been doing the same thing for 6 years now and I haven't found the same issues to be a problem. Even as someone with pretty intense social anxiety, I haven't encountered any awkwardness, and don't find it particularly inconvenient to have to look up the correct email in my password manager.

The only actual issue I can remember encountering was a weird glitch with Crashplan that wouldn't let me register with crashplan@[myfullname].com, so I ended up using backups@ instead. Also, my full name is tedious to have to spell out, so I switched to using [firstname].cloud as my email domain instead.

In my case, while I haven't caught any notable email sharing/selling, I've still found unique per-service emails useful for filtering and organizing messages. Many orgs these days don't bother to use a consistent From email, so if I want to find everything from XYZ corp, it's easier to search for everything sent to xyz@name.cloud than everything from no-reply@xyz.com and orders@xyz.com and info@xyz.net and email-list-123@xyz.email and so on and so forth.

I also used to use catch all domains for all kind of registrations and my form was <domain>@mydomain.at (e.g. ycombinator.com@mydomain.at). That most of the time solves the management aspect, except for some special cases where several domains share a unified login (e.g. Google or Stack Exchange).

Anyway, I’ve changed to iCloud’s Hide My Email some months ago, as this is much easier to use and you have easier control on all used emails. You can even add a comment to each address in the moment of creation. Also disabling (blocking) single addresses works like a charm.

The only issue I've had was with that real estate data website that rhymes with Willow. They have a strict policy against usernames that contain their branding and my first support ticket resulted in them demanding I change my E-mail address.

I find a catch all is a spam magnet, but a little finesse with regular expressions can work wonders. On Google Workspace for example I have a rule for prefix_(.*)@domain.com that way the automated spam attempts fail because they usually just use lists of names.

I then sign up, for example as prefix_netflix@domain.com

But yes, I've often been accused of stealing the domain, even though it's not their domain. Also some companies don't send outbound email that matches their domain no matter where it matches, for example I couldn't do prefix_amex@domain.com I just never received the emails. As soon as I changed it to prefix_chargecard@domain.com the emails came through.

Why not just use regex/wildcard addresses which makes it less "akward".

Like "mail-recruiter@foo.bar", "mail-hilton.com@foo.bar", etc.

It's easy to configure, makes it more clear that you are in fact not trying to impersonate others and you circumvent the problem of receiving automated mailes to "sales@foo.bar", "hr@foo.bar", etc.

BTW: I've been using my solution for more than five years and only had one "awkward" moment when a recruiter was a bit sore I gave them my mail address specific for cold call recruiters.

I do this and haven't had nearly as many problems as the author for a couple of reasons. First, I refuse to give out my email in most of the situations he complains about. I almost never want or need to link my physical retail purchases to an email address, and in the cases where I do, it is usually faster and easier to ask for a loyalty packet and sign up online than to dictate all the information to a clerk.

Second, I'm not strict about it, and use a generic address (my-formal-name@example.com) in situations where I do need to give an email verbally (like contractors asking where to send a quote). And I also have my-nick-name@example.com which I give to friends and family.

Since I only use the catch-all emails for things I do online, they are all stored in a password manager so I don't have any problem forgetting them.

With these more relaxed rules, I still end up using a catchall email the vast majority of the time, with a fraction of the annoyances. The only time it really comes up is for telephone support calls with accounts I created online, and it isn't a big deal.

The benefit is that I can block 90% of spam using nothing but a black list of address that have been compromised. And the novelty of knowing who has shitty security with my information.

I would add that once you start using catch-all, you are forever limited to self-hosting or using an email provider that supports it, unless and until you want to leave behind all the individual addresses or go around updating your info everywhere.

I did catch-all for decades. I honestly wasn’t getting any benefit from it that I couldn’t get in some other way, better.

It doesn’t solve spam, so I still need anti-spam tools. Spam still comes to my main address anyway, so it doesn’t keep spam out of that account. Smart mailboxes give me more powerful tools for organizing things according to more refined criteria than just “to.” Knowing when sites leak my address isn’t especially valuable to me personally. In the end, the address I give out is sort of irrelevant. I may as well just be using my main address for everything. Which is what I’ve started doing.

Yet I’m still saddled with all these catch-all-dependent email addresses. I have a huge Swiss-cheese email perimeter, more or less forever.

It won’t be easy or fun to unwind all that, and I’m not sure I’d ever be able to do so completely. It’s the worst of both worlds.

If I could go back in time, I would tell myself the only way to win is not to play.

I use a catch-all eMail account, but only for two reasons:

1. To catch legitimate misspellings. A property deal nearly fell through for my father because his realtor had misspelled his eMail username but gotten the domain correct.

2. To fuck with people who use bogus eMail addresses under my domains to sign up for services. That includes eBay and PayPal accounts. I mean, if you’re going to bullshit with my domain name, bend over and bite the pillow!

bitwarden has a feature that fixes this issue.

https://i.imgur.com/eQe2Cq6.png

More generally. Just coming up with a random word and assigning it rather than a specific name, and looking that word up in your password manager, should suffice.

I did this for about 20 years, and have basically stopped because I wasn't really seeing an advantage to make it worth the bother.

After the dotcom bust, it was sometimes the user information which was the only thing left to sell off (even when they promised not to.) Spam was more of a problem back then, or maybe just being able to avoid it was more of a problem. So catch all email like this was actually beneficial but it became obvious only a few years later, to me at least, that no one was selling email addresses anymore and all that management was unnecessary overhead. I'd say about by 2006 it had definitely sorted itself out.

I now route mail by context and only deal with maybe a half dozen accounts regularly.

I’ve been using this style of catch-all address for years. I’ve never had to explain, and have only once had an issue with it, last year when I scheduled an appointment with a business that I’ll call Alpha Beta Gamma, and they rang me a few minutes later saying they couldn’t confirm the appointment properly because their system was objecting to the email address I’d provided, which was alphabetagamma@, and maybe that was because of their business name being in it, so could we try something else, like abg@ (yes, they made the suggestion), and that worked.

I've been using a catchall domain for 25+ years. Caught some companies leaking or selling my email addresses, too (the one I was most irritated with was Godaddy).

Including the company's name in the salted address is usually confusing to support staff, so I just use its initials or something memorable. Some places also seem to have dirty and suspicious word filters (for instance, mail to my child's school will just silently get dropped because of my domain name, and I have to use a gmail account instead).

The author is really saying “using the other party’s recognisable name as the localpart of your own email address is a mistake.”

I agree with that. As a catch all user of twenty years, I too found this out pretty quickly. The solution is you pretend your catchall domain is some free email service, and then make up an account name that sounds plausible.

jjsamson844 if it’s April 4th 2008. john1713@example.com if it’s January 3rd 2017. daphne.van.hampton@example.com if you want something more creative for your train journey free wifi sign up.

Most of these sign ups get a row in your password database. Remembering them isn’t a problem.

Why bother doing all of this? Because it’s not just spammers that spam you. It’s the companies themselves. Never again do you have to ask someone nicely to unsubscribe / never email you again and hope they’ll comply. You can trivially (procmail + a script) shadow ban them to another imap folder.

(Personally, I move their email to Dead/Match and then my mail filter moves all subsequent emails from them to Dead/Follow, so I can do it all just by moving messages to the right place on my iPhone.)

For the 10 times a year I have to actually email one of these people, yes, it’s a pain to configure my mail client to use the weird address. In the grand scheme of annoying many things, 5 clicks with copy and paste once every few weeks is no big deal.

> Clerk: Do you...do you work for Hilton?

If you don't feel bad about doing this, then the answer here may be "do you have an employee discount available?" (This is quite often the reason they ask you that question)

But yeah, I'm another happy user of a catch-all. No issue with sharing the accounts between domains - a password manager does this for me. And even if something like gap/banana happened - who cares, I'd just create a new account.

I've been doing this for well over a decade and while I had similar experiences sometimes, I don't see how this was a mistake by any means. Yep, not many companies sell or leak your email, but some do. And let's not forget that 10+ years ago we had much worse spam filters. (Though we had less spam as well.) And using a unique email for each provider and company it's pretty easy to block them when they start spamming you or when they give away your address.

In theory, one could use generated addresses in some cases. E.g. for throw away ones or when you have to give it in person. The problem is that then you'd have to keep track which one you gave to whom.

It also helps with filtering as services may change the from address or use multiple from addresses while you may want to label all email from them the same.

Then in some cases, where you do want to make your email public still you want to know how people found you. I think this one would be called "role based addresses". E.g. I think it's pretty nice to have your paypal address as paypal@yourdomain.com (when people were still using them for a lack of alternatives), same for github, etc.

I have a variation that I use for online sign-ups only. I have to explicitly declare the alias before using it. So it’s relatively easy to check which ones I have used in the past (and the name tells me which site I used it for) and I can easily “revoke” by removing the alias. I can’t really use it when asked for an email address at a store, for example - but it doesn’t happen that often (going to real stores, I mean :) )

My HN account email is sleepy.home9993@[mydomain]. My email provider (FastMail) creates these "masked emails" at the click of a button, with a Description field so I can identify the purpose. Each email address consists of two random words plus a 4 digit number. Then I just store the information in my password manager.

I'm not wasting time trying to fix the breaches. I can just nuke that email forever.

I do the unique Email for each service thing but not with catch all.

I use https://smplelogin.io (self hosted), there is also https://abonaddy.com, and just create a random email from random words on sign up, most of the time the usernames are fine.

I have 2 alias domains, The first one wqs a bit dark, So if I want to use aliases seriously I needed something more professional, so I bought another one with a good name.

Other than that my main domain name is never used for any normal service, only for things that are sensitive to hidden emails like hosting providers, or for professional contact.

And since bitwarden now supports mail alais integration, this is going be even better.(1)

1. https://bitwarden.com/blog/add-privacy-and-security-using-em...

I’m another long-time catch-all email address user.

1. That is how I knew that Dropbox had been hacked; I had a couple temp/throwaway Dropbox accounts and the otherwise-unused email addresses associated with them started getting lots of spam.

2. Yes, sometimes it is slightly awkward when a rep cannot comprehend companyname-at-mydomain, but not enough to make me regret anything. Smile. Say "it will reach me!" or "I own my own dot-com!" It’s fine.

3. "Did I use BR or bananarepublic before the at sign?" That’s why we use a password manager :-) The author says he uses one, but then suggests he needs to guess the email before the password manager will tell him the password? Sounds messed up. Use 1Password. Be happy.

4. The most interesting 'downside' is that sometimes I get spam for addresses that have never been used. Why? Because there are spammers out there who have scraped my website for anything resembling a human name (e.g. John Smith) and then sent emails to my domain that fit the typical pattern (jsmith@mydomain.tld). So, I blocked a number of these addresses. Had I not set up a catch-all, they would have otherwise been bounced.

5. "Every so often I need to email a company from one of these emails" -- The "from" problem of catch-alls is a bit tricky at times, but using Fastmail + PHP I can easily send "from" any address at my domain when needed.

6. I am a big fan of the Fastmail + 1Password 'masked email' solution! It’s so great! Sign up at a website, get a brand-new email address that seamlessly forwards to you, it gets stored in your password manager, and you can kill it whenever it starts getting spammed. The random username generation even avoids that problem of telling the Hilton rep that your email is Hilton@hacker.tld. Using masked emails instead of a catch-all would also avoid the minor problems of #4 and #5. Shout-out to iCloud's somewhat similar solution, but Fastmail+1Password really is top-tier!

I've been doing this for a while, I've only really gotten static about it once. A small online retailer, their fraud department cancelled my order after it had already been charged and shipped. It was interesting, I didn't realize they could even do that but they had the carrier recall it. The customer service rep said they thought it was fraud somehow, despite my card address matching the shipping address, because I was impersonating their business by using [buinessname]@[mydomain]. I pointed out I wasn't sending anything with that address, only receiving. She didn't seem to understand my point. Oh well. They resent it overnight and I haven't purchased anything from them since. I love this setup, that experience didn't deter me in the least.

I’ve done this for 30 years. I didn’t do it to catch people selling my info, but I do enjoy it when I do. I do it so they don’t send me email to my personal email address which I only give to people I want to email me. I can also blackhole someone that’s marketing to much and it is easy to search my email for any correspondence to and from that vendor.

It is awkward sometimes when I say It on the phone but I’m also in senior leadership at a big company so my skin is about as thick as it comes with regards to awkward situations. My entire career now is a series of awkward situations I’m asked to fix.

Also, I use a password manager (dude it’s 2022, if you’re not using a unique password already you ought to reconsider your life choices and once your password is unique who cares if your email is too?)

I don't use a catch-all domain, but do use custom tagging. I started-out tagging email with the '+' character, but a lot of places just reject that character; so I started using '0' instead. If you're running your own domain and use postfix, it's not difficult to setup a user-regex which will reject any email without a valid user prefix e.g. Joe0anything@mydomain.com works, but mailbot@mydomain.com is rejected. I've been using this for about ten years now and have had to blacklist about 50 email addresses. I agree it's awkward when you're telling a store clerk or phone support person your email address, but I've found that they either think it's funny or just don't care enough to even comment.

1. I disagree nothing, I use catch-all and never had awkward conversations like the author had. Who cares, it's an email. I repeat it twice.

2. Government has transparency laws, they didn't sell his email used to support "bernie" rather due to voting laws and donation laws, that information is public and is posted and given away for free that is why you should err to use your email address to communicate with federal or state bodies because they are required to follow state laws for transparency and federal laws.

Forging or creating an actual account/alias to then "send" from if the email doesn't exist is a trivial process, you can even do it from a shell even in Microsoft Exchange and PostFix.

I have a catch all domain and regret it. I have a four letter TLD (idoh.com naturally) and not a day goes by where I don't catch splash damage from someone who made a typo or plugged in a fake email address somewhere.

Twitter, for example, seems to allow people to make accounts with unverified email addresses, and lately I've been getting password reset requests from a twitter user who plugged in some-japanese-name@idoh.com as their email address for Twitter.

Sometimes I get emails from, e.g., a vet's office, or some local cubs scout group. I've tried telling people that they got the wrong email address, but no way of explanation succeeds in getting people to understand that someone put down the wrong email address.

If anyone wants a tool to further systemize this, it can be worth looking into self-hosting AnonAddy[0]. You get a decent UI for managing and creating aliases (named/random/subdomain), which is useful if you want to manually add them and track which alias was used for which service.

They also have a hosted service with free and paid tiers[1].

[0]: https://github.com/anonaddy/anonaddy#how-do-i-host-this-myse...

[1]: https://anonaddy.com/

I have been using email-per-account since forever. My personal scheme I recently settled upon is two letters to give me idea what is this for, plus two digits indicating when it was created. For example twitter would be tr25@domain, where 2 stands for last digit of 2022 and 5 for May. That is a must for me now. When some company I trusted my email with leaks it, I know instantly. There are cases when you MUST know. For example, a phishing mails started coming from email I gave to crypto wallet coinomi support. Would I rather not know? Hell no. You can lose a lot of money by not knowing such things

>> Especially since all these companies ask for and verify your cell phone number – which is way more static than any email address.

My domain is 27 years old, my oldest phone number is 5 years old (and it's a virtual phone number from textnow). Yes, I still receive spam to email addresses I gave out 20+ years ago. The thing is, I'm avid traveler, and phone numbers do not cross borders very well. Email does.

The biggest hurdle has been "For security purposes, write to us from your original email", which requires me spoofing the FROM line in my email client.

I use this method and experience a few of the same drawbacks, like remembering email + password per service - A password manager does make it doable. (Highly recommend KeepassXC[0])

However, contrary to OP I enjoy these somewhat awkward situations where someone doesn't quite understand my email address. I find it can naturally lead to a conversation about privacy and data protection and I'm happy to spread the awareness, if someone is interested.

[0]⋮ https://keepassxc.org/

I've been doing that for a very long time and never had such an interaction. Definitely not to the level of "It's been a decade of trouble and totally not worth it".

I’ve been using a catchall, same as in the article for ~20 years. I’ve had some support people confused. All I have to say is “I have a system that helps sort my emails”. People get it after that. I’ve caught 10’s of email leakers. I don’t fear signing up for a sales led webcast (or other unsavory types) that I know will sell my info. Interesting how the author didn’t have a similar experience. I must say that modern spam filter have made the utility of this less critical. I’d never go back to the old way.

Lots of me-too’s from folks using catch-all emails and/or “+” addressing, but surprised no one is mentioning unique hide my emails as available from iCloud, sneakemail, etc.

Someone could go just a little bit further and build an app that generates a random, but short and easy-to-say email address on demand from your domain and links it in a database to the company you want, when you created it, etc.

Instead of jcrew@yourdomain.com it would be ec5@yourdomain.com or mz2@yourdomain.com and an email client could replace the "to address" in your inbox with some description field linked to that email like "jcrew"

I've used VERPs¹ sometimes, even for individual mail. It's a pity that so few general-purpose email clients will generate them out of the box. You can make it happen with MTA configuration, which is one of many reasons I still run my own mail server.

[1] https://en.wikipedia.org/wiki/Variable_envelope_return_path

I don't know a single person who would legitimately infer the affiliation of a person based on the username part of an email address.

I've been using a catch all since forever, foremost to detect when shady companies illegally sell my data -- i.e. I register with shady-store@ci.ax and when I suddenly get unrelated spam to that email I immediately know who's responsible. (Or who got hacked without acknowledging it.)

I have stuff like "info@" "register@" or "support@" that I filter through in my inbox. The only problem I've had with catch-call email is getting a ton more spam from bots... for some reason they'll add randomname@ bc our name shows up with some other company name, some spam CRMs will confuse some other company's staff with our email address and send to that address

I use 33mail with a custom domain and I use it as a permanent actually working unsubscribe button. I’ll sign up with a service for whatever, as soon as they start sending me spam and I no longer need the account, instead of trusting their unsubscribe button, I disable the account and never think about them again, been doing this for about 2 years I must have over 100 disabled accounts at this point.

Seems like the compliant is having to relay the email address verbally...

in the last 10 years I could probably count on one hand the number of times I had to verbally give out my email,

Hell the Hilton example with their mobile app you do not even need to talk to the front desk person at all to check in..., even before this miracle of technology, I never had to give out my email...

So I will continue to use Catchall's thanks

My solution to this problem is, while continuing to use unique email addresses for each service, to just put a short random string of letters before the @ instead of the service's name (e.g. jcnclp@example.com instead of hilton@example.com). They're all just stored in my password manager, so I don't need to remember what address I used for what service.

I blacklisted a lot of my catch-all addresses because of spam.

Paypal/ebay is the worst offender, I had to start rotating that one,. Every 2nd oversea seller seems to sell your mail address.

joby.com (making these nice tentacle tripods) is one of the offenders who got breached, refused to reply to my inquiry about it and later blocked me on twitter when I tried to stir things up there.

I've been using a catch-all email routing setup for many years. I use unique breach canaries to maintain this list of companies that have sold or leaked my personal data to unauthorized parties: https://gist.github.com/eligrey/5084991

Unique email @<your burner domain> per website, so you only have to remember one password for everything.

Handy for places where you need to sign-up but otherwise you don't care. I don't use this approach on "meaningful" accounts where I'd care about a breach.

I think this person's mistake was not having a memorable system for the username aspect.

> The truth is no one really sells your email – at least no legitimate companies.

`xfinity2@mydomain.com` is the only email that I've ever caught being sold via my catch-all email. I get a decent amount of phishing, scams, malware, etc. to that address. But I guess the author is still correct, since Xfinity/Comcast are sometimes less than legitimate.

I have a very short email address, containing only five characters. It looks like: a@bc.de (But not that.)

I thought that a short email address would be convenient for typing into touch screens and it is, but it's much less convenient for reading out in person. No-one ever believes that it is real, even though it is.

Dunno if all these gripes are describing a "huge mistake". Some inconvenience, maybe not the best domain/confusion on the naming, and maybe the realizing down the road the threat might not be that big, but you still got to organize and manage your concern with only a few technical steps.

Certainly people's experiences might vary, but I have only had a couple companies threaten me for using their company name and way more success in just blocking addresses when I get spam-stormed. I agree it's rare, but so annoying when it happens, so it seems easier just to have a catchall.

hn@drewpalmer.com

How are users that do this not getting absolutely blasted with spam? I stopped using catch-alls years ago when mail servers were getting inundated with (random letters & numbers @ mydomain) types of emails. Are they added them to an allow list in Postfix or something similar?

Actually, it's not a mistake. This same method taught me that 50% of computer systems worldwide think '+' is an invalid character in an email address. Which was the final proof I needed that software development is an inherently stupid process.

This is a great idea that I had never thought of. Something that might help, if it does actually make a person feel awkward, is to use a numeric code. That way, you could be commercial301@mydomain.com and then 301 could equal Gap, or whatever you want.

I do this and it keeps my main inbox nice and clean.

In the case where I have to reply, Google allow you to set up a from email which you can use from your spam trap account. So if you need to send an email as banana@domain.com it's a few clicks away

I got unsolicited email from DHL just today addressed to a catch-all that I used with a retailed who shipped via DHL. I didn't sign up for a newsletter ... I still find it useful to use special addresses, as the author described.

For people looking for a service to do this for you, there's one at https://www.bulc.club/

Disclaimer: I am the founder's brother-in-law.

I’ve been doing this for 25 years and am happy. I’ve had stuff happen like OP and it’s fine with me.

It also has fun abilities to give out email addresses to friends who don’t understand how email works and that’s kind of fun.

I’ve recently began getting spam with random digits in front of @mydomain, and even a “wtfwtf@mydomain”.

I think the times of catch all domain working are over. Now I’m fully transitioning to SimpleLogin.

The obvious solution is some sort of lookup table/function for cross-referencing plausible usernames and signed-up services.

I also use a catch-all e-mail address, and I have no regrets.

I should say, though, that I've not yet caught any database leaks, yet.

This is kind of less about the mistake of using a catchall and more about the mistake of naming it so obviously.

It works great with a password manager.

BitWarden can generate random email for a catch-all domain for each service.

Those little interactions count as awkward? Jeez. Try having a weird last name and get back to me.

Embarrassment (really?), minor as it could be, seems like a really low bar for failure here.

Does anyone have advice for setting up a catch-all email without self hosting email?

I personally have no problems with catch-all. I even append random salt to email.

i use <companyname>-sub@mydomain.ext. makes it clear what it's supposed to be for.

lmao when u cant remember the email used, you should probably consider using a password safe

It depends what scheme you use to generate the addresses, for eg if you generate short XKCD style passwords and use those, then lots of those problems aren't an issue. Internally you then map those generated addresses to a single folder for each business.

https://xkcd.com/936/

I use "contact@" for when somebody who isn't a friend wants my email address. I have a separate, private address for people who actually matter to me. Everything addressed to "contact@" immediately gets marked as read and saved to a separate folder so it doesn't clutter my inbox.

I have not encountered any of the issues you said.

And what's wrong with "I use a password manager for passwords but I also need to use it to remember the associated emails."?

bulls*hit.

1)

It's true that trying to use a "pure" solution ("[source]@[yourdoma.in]" - e.g. "amazon@mydomain.com") causes a lot of problems (red flags being issued on the remote site).

On the other hand with a mixed solution ("[partial_source_mixed_with_something_else]@[yourdoma.in]" - e.g. "zeama@mydomain.com") I never had any problems (I anyway keep files/keepass-entries to track which userid&pwd&email I'm using for which URL).

2a)

My common&real email address gets quite some spam (no filtering applied) (but I admit that the amount during the last years was stable).

2b)

My custom email addresses almost never get spam (even the ones that I used for "weird" sites) => I assume that whoever gets in some way email addresses performs some kind of healthcheck on them to get rid of the ones that might identify the source (from where they were extracted).

2c)

The few spam emails that I got during the last years on my custom email addresses indicated that they originated from 1) the garage which I use to swap winter/summer tires and 2) my doctor (?!) => it was interesting (e.g. is my doctor's IT compromised + did the garage sell my email address because I didn't visit them during the last two years?) => anyway changing address (which got rid of the spam) was super easy in these cases :)