Hi there!

Context: After the recent debacle with Proton I was finally pushed to look for other alternatives. I had already wanted to change services for a while so it was nice to get the final push. It’s still a good service, open-source and all. I personally just wanted to look for something else. However, I had not realised how deeply I was integrated into the email+alias feature they had, and how much work it is to change out of this; I have a fair amount of accounts.

I have now found a new email provider and bought a new domain. However, I’ve got a few questions for those who rock custom domains:

  1. Do you use random strings before the @ sign? Or do you use it like lemmy@example.com?
  2. Because I’m considering using this as a catch-all address, doesn’t this mean that anyone who wants (and knows the domain) can send spam on any random string before the @? Are you worried about this, and are there any counters to this?
  3. As far as I’ve understood, the main benefit of using my own domain for email is that it will make it a lot easier to change providers in the future, as I can just change the nameservers so traffic is directed elsewhere - correct?

Thanks for any input, experiences or thoughts about this.

PS. My threat model isn’t that complex, I mainly want to stop spam from any potential services selling my email.

  • evujumenuk@lemmy.world
    7 days ago

    If you only ever use services that let you sign up with arbitrary addresses, then sure, you gain resilience against mail provider shenanigans at the expense of exposing a non-agile identifier — the domain name you bought — to any third party you provide with an address.

    However, in a confused attempt to stamp out single-use mail services, some sites are rejecting mail addresses that don’t originate from one of the big mail providers, like Gmail, iCloud, Outlook. ‘Please provide your real mail address’, they’d say.

    If you aren’t using any such service, you can use your own domain. Be wary of services that bounce messages to your “actual” inbox without rewriting the involved addresses (Cloudflare offers something like this, I don’t get why though), as that can lead to deliverability issues due to DMARC.

    The IAB publishes some Gmail-specific guidance on how to ‘normalize’ plus-addresses to ‘real’ inboxes, so that’s something that doesn’t really do anything for you anymore. Out of the large mail services, iCloud is somewhat notable for offering single-use addresses under the same @icloud.com domain name they use for standard addresses, without having to register extra accounts or other annoying requirements. So websites that want to lock out single-use iCloud addresses would have to block iCloud addresses entirely, which is something they’ll most probably refrain from doing.

    • Cousin Mose@lemmy.hogru.ch
      6 days ago

      I really want to use the iCloud custom domain feature, but I’ve still got an old iCloud email account I’ve had for 15+ years receiving spam daily because they don’t validate DMARC/DKIM and SPF.

      Right now the emails are simply deleted, but if I could figure out how to make it so that the original email is saved in its entirety (.eml including headers) and that is sent to a report phishing email address I’d be happy.
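The DMARC, SPF and DKIM behaviour that both replies above refer to, as an added example that is not part of the thread: a minimal relaxed-alignment DMARC evaluation showing why a forwarded message can fail at the final inbox even though the same message passes when delivered directly. All domain names and scenarios are constructed, and treating the last two labels as the organizational domain is a simplifying assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope sender (MAIL FROM) domain that SPF checks
    spf_pass: bool     # was the connecting IP authorized for mail_from?
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def dmarc_pass(r: AuthResults) -> bool:
    """DMARC passes when SPF or DKIM passes AND that domain aligns with From:."""
    target = org_domain(r.header_from)
    spf_aligned = r.spf_pass and org_domain(r.mail_from) == target
    dkim_aligned = any(org_domain(d) == target for d in r.dkim_pass_domains)
    return spf_aligned or dkim_aligned


# Constructed scenarios: mail from shop.example reaching an inbox directly
# or through a forwarder that relays from its own IP addresses.
SCENARIOS = {
    # Sender's own server connects: SPF passes and aligns with From:.
    "direct": AuthResults("shop.example", "bounce.shop.example", True),
    # Forwarder keeps the envelope sender: its IP is not in the sender's SPF record.
    "forwarded_envelope_kept": AuthResults("shop.example", "bounce.shop.example", False),
    # Forwarder rewrites the envelope sender: SPF passes, but for the wrong domain.
    "forwarded_envelope_rewritten": AuthResults("shop.example", "relay.forwarder.example", True),
    # Same as above, but the sender's DKIM signature survived untouched.
    "forwarded_dkim_intact": AuthResults(
        "shop.example", "relay.forwarder.example", True, ["shop.example"]),
}


def evaluate_all() -> dict:
    return {name: dmarc_pass(r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:30} DMARC {'pass' if ok else 'FAIL'}")
```

Only an aligned DKIM signature that survives the relay unmodified keeps a forwarded message passing, which is why forwarders that alter headers or bodies cause the deliverability problems mentioned above.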