
How to use the Bitwarden forwarded email alias generator

135 points | humanperhaps | 1 year ago | bitwarden.com

64 comments


toomuchtodo|1 year ago

Huge! Well done to the Bitwarden team for this first-class support of digital identity compartmentalization, although a bit more improvement to be made to reduce friction on the user side for plugging in alias providers (pop up to login to retrieve an API token behind the scenes vs the API token copy-paste dance, with login creds Bitwarden might be storing already).

Edit: Is there a standard or API spec perhaps across email alias services for generating, listing, managing, and invalidating aliases?

(happy paying bitwarden customer, no other affiliation)

Ringz|1 year ago

It's been like this for years. However, with one of my own domains and a catch-all rule in the e-mail server. Why? From time to time, some services require that you send emails with exactly this e-mail address as the sender. And that doesn't just work with most services. Because in such a case, you have to turn exactly this e-mail address into a real account with a mailbox.

saghm|1 year ago

For me, the value of using aliases on my own domain isn't anonymity, it's provenance; I can tell where my email was obtained from based on the prefix used. If I get an email sent to git@<domain>, I know that someone (or something) was looking at git logs to get it, if it's sent to resume@<domain>, I know someone got it from my resume, etc.

CaptainNegative|1 year ago

In principle, someone seeing heido15wkj6@yourraredomain.com, yua16ooaaj2@yourraredomain.com, and kqoq91inhi4@yourraredomain.com in a dump might be able to infer that all of these belong to the same user with a catchall address (especially if they can verify that the domain is unpopular via dns caching or other tricks). Using a common service adds another partial layer of anonymity between the email addresses, making one harder to track.

OptionOfT|1 year ago

AFAIK Fastmail is the only service that allows you to respond from an arbitrary email address (of course, provided that you prove that you own the domain).

You can do it in Office 365 but it's tedious, you have to add the alias and then you can email from it.

uselpa|1 year ago

Not necessarily. You can for example configure both Thunderbird and mailcow to allow you to reply from any address (of the domains you manage, of course), without having to create the mailbox.

tamimio|1 year ago

That’s great, but there’s a caveat. When I normally create a random email with my own domain as a username, I am not tied to a specific service. I can always migrate to another one without having to take any action. However, if I used this with Fastmail, for example, the generated emails are with fastmail.com or similar domains that aren’t under my control. If I wanted to migrate in the future, I would have to redo all of these randomly generated emails.

toomuchtodo|1 year ago

It's an important consideration; email sovereignty is at odds with a domain hosting relay aliases where you can blend in with everyone else. Perhaps the solution is a mechanism where you can migrate aliases between services, creating new aliases and updating at each service, and invalidating old aliases, all programmatically. Somewhat similar to token and secret rotation. It's just a string identifier that can be an email target.

dinglestepup|1 year ago

As mentioned somewhere in this thread, using a custom domain poses other risks, in some cases more significant. All your aliases will be forever tied to your identity (and potentially de-anonymized by a single leak).

NoboruWataya|1 year ago

Bitwarden allows you to specify a custom domain for this (assuming that your email forwarding service is configured to work with that domain).

renewiltord|1 year ago

Ah, this is nice. It brings the Apple Hide My Email functionality (though not compatibility) to all platforms, which is something I do desire since using Hide My Email makes non-Apple platforms unusable for logins.

dublinben|1 year ago

Why would using Apple's Hide My Email functionality make non-Apple platforms unusable for logins? If you're storing these credentials in a cross-platform password manager like Bitwarden, you should be able to enter your (fake) email address and password anywhere to sign in.

niklasmtj|1 year ago

Oh this is funny to see. I just posted a blog post talking about Email Aliases an hour ago without knowing about the Bitwarden announcement.

I would love to see aliases being promoted more and more by companies. In the end most companies want to get in touch with you via e.g. a newsletter. So why do they need exactly your private email and not just an email alias? In the end they're reaching the same person.

noman-land|1 year ago

They don't want to send you a newsletter. They want to get you to click a unique, personalized tracking link so they can drop a cookie in your browser and start tracking everything you do and tying it back to a single, named identity in their contacts database that they can then try to extract money from.

rework|1 year ago

They need the exact email address because:

1) Prevent duplicate account creation

2) Users forget what email they used to sign up (this happens ALLLLLL the time with + emails)

3) To sell your data, link you, and spam you.

dlkmp|1 year ago

Is this really a problem people have? I personally just use some free mail account for all low-priority stuff without push notifications enabled in my client apps.

DrBenCarson|1 year ago

People use password managers so they can conveniently have a single password without a single breach compromising all of their accounts.

This is the same idea but for their email identity.

knowaveragejoe|1 year ago

If you are privacy conscious, yes. Compartmentalizing emails used for services is useful. It also tells you who is selling your information.

eli|1 year ago

If one address is getting spam I can just turn it off or filter it to the trash.

stranded22|1 year ago

A shame that Apple Hide My Email isn’t available within Bitwarden. I use that occasionally and would love to have it integrated and working together.

NoboruWataya|1 year ago

This seems to just generate a random string to go with whatever domain I have set. Personally I prefer my email aliases to be of the form `<business_name>@<my_domain>` or `<website_domain>@<my_domain>`. That way if you do start getting unsolicited email it is crystal clear who is spamming you (or has sold/leaked your data).

In fact, given it seems to just put a random string in front of a domain name you give it I'm a little curious as to why they need your API key at all - is it just to ensure that you are not creating duplicate email aliases?

zfa|1 year ago

Needs your API key as it needs to access the email forwarding service which you want to use with it.

It's not just making up a bullshit address, it's generating a random localpart then going to the email forwarding service you've integrated and having that service create an email forward to your real address per whatever settings you have there.

Any email sent to the address it generates (signup confirmations, password resets etc) needs to get to you, after all.

This design is completely different to using <business>@example.com. The latter is kind of useful for your use of 'who has sold my address' but has privacy drawbacks this design doesn't. e.g. if a spammer gets bestbuy@example.com they know you prob also have twitter@example.com, facebook@example.com or whatever else and it's all just the same guy with the same inbox.

Truly 'random' addresses at generic forwarding services means that if Ashley Madison gets breached again then your secret remains safe. sj4h3bd@forwarder.net could be anyone.
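An added example, not part of any comment in this thread: a self-audit of your own alias list for the two linkability risks raised above (several aliases sharing a private domain, and local parts that name the service). The `.example` domains, the shared-forwarder set and the sample entries are constructed assumptions.

```python
from collections import defaultdict

# Assumption: domains you treat as shared forwarders (many unrelated users).
# Constructed placeholder, not a real provider list.
SHARED_FORWARDER_DOMAINS = {"forwarder.example"}

# Constructed sample: (service you signed up to, alias you gave it).
SAMPLE_ALIASES = [
    ("bestbuy", "bestbuy@mydomain.example"),
    ("twitter", "twitter@mydomain.example"),
    ("forum", "kqoq91inhi4@mydomain.example"),
    ("dating", "sj4h3bd@forwarder.example"),
    ("shop", "yua16ooaaj2@forwarder.example"),
]


def audit_aliases(entries, shared_domains=SHARED_FORWARDER_DOMAINS):
    """Return {alias: [risk, ...]} for a list of (service, alias) pairs.

    linkable-by-domain:  the alias sits on a domain that is not a shared
        forwarder and carries more than one alias, so one leak ties the
        others to the same owner even when the local parts are random.
    guessable-localpart: the local part contains the service name, so a
        leaked alias reveals the naming scheme used for other services.
        This substring match is a heuristic.
    """
    by_domain = defaultdict(list)
    for service, alias in entries:
        local, _, domain = alias.lower().rpartition("@")
        by_domain[domain].append((service.lower(), local, alias))

    findings = {}
    for domain, rows in by_domain.items():
        private = domain not in shared_domains
        for service, local, alias in rows:
            risks = []
            if private and len(rows) > 1:
                risks.append("linkable-by-domain")
            if service in local:
                risks.append("guessable-localpart")
            findings[alias] = risks
    return findings


if __name__ == "__main__":
    for alias, risks in audit_aliases(SAMPLE_ALIASES).items():
        print(f"{alias:32} {', '.join(risks) or 'no finding'}")
```
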

dumpHero2|1 year ago

How do you send email or reply from the alias that you create?

NoboruWataya|1 year ago

It depends on the alias service you use (this appears to just give you another frontend to your alias service, e.g., Addy.io or Firefox Relay). I know with Addy.io, forwarded emails have a special "Reply-To" header which is an address that Addy.io monitors and will forward your response back to the original sender. So replying to email delivered to your alias isn't a problem, though I think initiating an email from an alias would be tricky.

amelius|1 year ago

How is this different from Firefox Relay?

dinglestepup|1 year ago

It's not in the same category. You can use Firefox Relay as an alias generator within Bitwarden. It provides a convenient UI and an integration with the password manager.