Your email address is the most reused identifier you own. You hand it to retailers, newsletters, government portals, medical providers, and every app that asks. Each one stores it. Most of them protect it poorly. The ITRC's 2024 Annual Data Breach Report tracked 3,158 data compromises last year alone, generating more than 1.7 billion victim notices. Every breach that includes your email address is another copy of it in circulation — and your real address, once out, stays out.
Email aliases break the loop.
What an email alias actually does
An alias is a forwarding address. You give a site [email protected]. Mail sent to that address lands in your real inbox, unchanged. If you reply, your email client sends it back through the alias service, which strips your real address and substitutes the alias — the recipient never sees where the message actually came from.
That's it. No separate inbox to check. No new account to manage. Everything flows into your existing email address, and the site you signed up with never learns what it is.
When that alias starts receiving spam — because the site got breached, or sold its list, or both — you disable it with one click. The spam stops immediately. You create a new alias for that service, update your account, and continue. Your real address is untouched.
Why the alternatives don't hold up
Gmail's plus-sign trick ([email protected]) is widely known and widely blocked. Many sign-up forms strip everything after the plus sign, exposing your real address. Even when it works, it doesn't hide your actual Gmail account — it just tags the message. Not useful.
Temporary email services (Guerrilla Mail and similar) delete your inbox after minutes or hours. You lose access to verification emails, account recovery links, and anything time-sensitive. You also have no idea who runs the service or what they do with the messages before deletion. The tradeoff makes sense for throwaway registrations where you genuinely never want to hear from a site again. For anything you actually need to maintain access to, they're a liability.
Catch-all email on a custom domain is a step up — any address @yourdomain.com lands in your inbox without pre-setup. The problem is that all those addresses point back to you. If your domain is johndoe.com, then [email protected] and [email protected] are trivially connected. Useful for organization. Not much for privacy.
Alias services handle what none of these do: they give you genuinely unlinkable forwarding addresses across multiple domains, with two-way reply capability, that you can create instantly and kill individually.
SimpleLogin and Addy.io
These are the two services worth using. Both are open-source, run no ads, don't store your emails (they redirect them), and don't sell data.
SimpleLogin was acquired by Proton in April 2022 and moved its legal entity to Switzerland in January 2024 — data requests from law enforcement now go through the Swiss system, which has a meaningfully higher threshold than most EU countries. The free tier gives you 10 aliases with full two-way reply capability. Premium is $4/month or $36/year, and it now bundles Proton Pass Premium — a password manager and 2FA authenticator in the same subscription. If you're already paying for a password manager, the math is worth running.
Addy.io (formerly AnonAddy) is the better pick if you want more control at a lower price. Lite is $1/month billed annually, which gives you unlimited active aliases, 50 anonymous replies per day, and a custom domain with catch-all. PGP encryption is available on the free tier — SimpleLogin charges Premium for that. The free tier has a 10MB/month bandwidth cap, which is tight. Addy.io is also fully self-hostable if that matters to you.
One practical difference: SimpleLogin free tier lets you reply through the alias at no cost. Addy.io's free tier has zero anonymous sends per day. If you plan to reply to anything through your aliases — support tickets, vendor correspondence, anything two-way — either pay for Addy.io Lite or use SimpleLogin free. The full setup for both is covered in the SimpleLogin and Addy.io setup guide.
What aliases tell you that a shared inbox doesn't
Compartmentalization isn't just about spam control. When an alias registered only to one service starts receiving phishing emails, you know exactly which provider leaked or sold your address. That's actionable. A single inbox gives you no signal — you just experience the downstream effects without being able to trace them.
This is the part most alias guides skip. Aliases aren't just a firewall. They're a monitoring system. Data brokers operate separately — they pull from public records, not your inbox — but alias monitoring tells you which companies are treating your data carelessly, which ones share with third parties, and which ones you should stop trusting.
The broader strategy — how to structure aliases by risk category, which email provider to use, how to actually send and receive email anonymously when you need to — is in the practical email privacy guide. The alias services themselves are the right place to start.
The one thing that matters most
The services are easy. The habit is harder. For aliases to work at scale, you need to generate a new alias every time you register somewhere — not most of the time, every time. After two or three weeks of doing it through a browser extension, it becomes automatic. Before that, it's friction.
The browser extensions for both SimpleLogin and Addy.io insert an alias creation button directly into email fields across any site. One click, alias created, pasted into the field. There's no context-switching to a dashboard. Set that up on day one and the habit costs almost nothing.
