> a website can silently drop the part after the plus sign and use your real email address instead.
I wonder if there are any documented cases of this? I suspect it would be hard to detect, other than in combination with a catch-all domain.
I've been doing the catch-all for almost 20 years now. My suggestion if you go this path: use a subdomain.
At least when I first enabled it, catch-all on a top-level domain gets a massive amount of dictionary-style spam with common names (admin@ john@ jane@ postmaster@ etc), and that was with a fresh domain where I was the first registrant ever. This doesn't happen with a subdomain.
I wonder if there are any documented cases of this? I suspect it would be hard to detect, other than in combination with a catch-all domain.
I've been doing the catch-all for almost 20 years now. My suggestion if you go this path: use a subdomain.
At least when I first enabled it, catch-all on a top-level domain gets a massive amount of dictionary-style spam with common names (admin@ john@ jane@ postmaster@ etc), and that was with a fresh domain where I was the first registrant ever. This doesn't happen with a subdomain.