[mkenyon]

I love JMAP. It's what allowed me and my team (at 1Password) to easily add support for Masked Emails, where we randomly generate your email address in addition to your password.

Our own Madeline Hanley wrote about that experience, if you'd like to see what it's like to work with JMAP: https://blog.1password.com/making-masked-email-with-jmap/

[saberworks]

I use Fastmail and 1Password, and I do used the masked email functionality. There is a massive gap, though, that makes it very difficult to rely on masked email. When I sign up for a new account somewhere, I can choose to create a masked email. If I later need to email that company (not reply via an existing email message), I must first somehow look up what email I used for that company, go into fastmail settings and create a "sender identity", remember the email address again, and then when I compose, remember to choose the sender identity that is associated with the masked email address I created for that specific company. If I forget or mess up any of those steps, I end up sending from my primary account or some other masked email address associated with some other company. Multiply that by dozens or even a hundred companies!

It would be really nice if adding a masked email automatically created a "sending identity." Further, it would be nice if the masked email account had a nickname that included the domain I was on when I created the account. That way if I need to send an email to support@nike.com, I can use the filter and type "nike.com" and get the correct masked email address.

[SparkyMcUnicorn]

> It would be really nice if adding a masked email automatically created a "sending identity."

It does.

Just click "... Show all" when choosing a sender, and that will expand the list/search to include masked emails. It should also show you the domain/service it was set up for. And as you noted, the masked email will automatically be used as the sender when replying to an email that was sent to it as well.

Using 1Password makes it super easy to see which masked email was used for each service, so I can't really relate to your frustrations there either.

I think it's a pretty polished experience, and definitely beats everything else I've used in the past.

[saberworks]

> It does.

Only sort of. First, this is a new feature, there used to be a whole section on adding "sending identities" and describing how to do it in order to send from a masked email address. I have support emails from 1Password pointing me to those docs as well. That whole section has been removed and now there's a note in the docs saying why (no date, though, so I don't know how recent).

Second, your description glosses over the fact that if I click the "from" address dropdown, and then in the filter/search field, type the domain associated with the masked email address, nothing shows up except "Show All." Why wouldn't a filter/search find the address? I have to click "Show All" and then repeat the search.

However, if I search/filter for any of the dozens of "sending identities" I created previously, the search/filter works correctly. So the UI is completely broken. When I search/filter something, and nothing shows up except a "Show All" button, that's the UI telling me that there were no matches. Oh, but now I learn that there are matches, they're just hidden under "Show All" (which should be renamed to "show matching masked email addresses" or something!?).

[SparkyMcUnicorn]

> Only sort of.

What's missing? The old experience definitely sounds pretty frustrating.

Personally, I really like that masked emails are hidden by default. I've got 20 "real" sending identities, so when I'm searching I want a quick selection that doesn't include dozens of masked results. The amount of times I start a new email thread with a masked email would probably be a small handful of times per year.

Edit:

> I have to click "Show All" and then repeat the search.

Maybe that's a bug you can report for your browser? I don't need to retype anything and just hit enter when I get no results, then it expands the results to include masked items.

[kenbolton]

> (no date, though, so I don't know how recent).

This has been one of my biggest peeves about the WWW since 1993. Please include publication and/or change dates and/or include a changelog on your pages. Do not force your users to resort to reading metadata, the URL path, the Wayback Machine, or dark magic to figure out when and what changed. Diff is a solved problem; why can't I diff a generic web page?

[JimDabell]

> there used to be a whole section on adding "sending identities"

This still exists, by the way. They moved it to Settings => Migration => Import => Add alumni email forwarding address or non-SMTP sending identity, which makes absolutely no sense to me.

[mths]

> go into fastmail settings and create a "sender identity"

Not anymore, they've made it much simpler for you now by combining "aliases" and "sending identities" into "my email addresses". If you thought it was confusing before when you had to click "create new" under "sender identities" in settings, now all you need to do is:

1. Head to Settings → Migration → Import page.

2. Click on Add external sending address (SMTP) without importing emails.

3. Enter the email address and click Next.

4. On the following screen, skip the password prompt and click on Manually configure.

5. Disable the option - User authenticated SMTP when sending.

6. Save the changes.

And just like that you can start sending emails with your new address, easy peasy.

[kazinator]

What you're describing sounds hokey.

A "Sender identity" should just be a different From: mail header; it shouldn't involve disabling SMTP authentication. The SMTP envelope address and authentication are unaffected.

[echelon]

Instead of generating a unique email per relationship, it'd be better if the email provider generated a unique key when the relationship is established that the customer or end user can revoke.

Email me at my well known identity "whoever@whatever.com" -> my provider gives you a key that you must store and continue to use for the duration of our relationship. I can terminate it if I want. If you lose the key, you must ask for a new one. If you ask too many times, I can silence you forever. You'll have to provide your own identity when asking.

For noisy environments, I can choose to give you the key upfront and only allow for that style of relationship.

I could imagine encoding the concept of entity or organization type into the keys as well so that we can distinguish individuals from companies. Professionals, academics, official employees, etc.

If you delegate your key to another party, I can choose to pre-authorize it, manually approve it, or outright deny it. Extend it haphazardly or without my consent and you may be blocked.

I'd like that type of system.

Emails shouldn't have to change. The protocol should. Getting parties onboard might be hard unless a key stakeholder (eg. Google) decides to implement this, but they're in a position to unilaterally dictate.

[KyeRussell]

OK. Sure. It’d be better, for you, a technologically savvy receiver of email. I can’t see anyone else in the equation that stands to benefit from this. I can’t see non-tech-savvy email receivers caring much about this at all, or any of its effects, until it has near-universal adoption. Part of solution engineering is coming up with something that people actually want to use.

So I don’t really see it as better. I see it as pie-in-the-sky fan-fiction to address part of what masked emails aims to address. A significant portion of the time that I used masked email, it’s in service of increasing anonymity (to the organisation i am giving the email address to), not an anti-spam measure.

[kelnos]

While the protocol details would undoubtedly be somewhat complicated, the user-facing UX wouldn't necessarily have to be.

The only part I'm not quite sure how to do seamlessly is the initial exchange. You sign up with your email at a new website, and need to also give them the unique key that allows them to correspond with you. This would require browser support, and a standardized protocol for letting the browser request a new key from your email provider. Also means your browser would need your email credentials (well, an OAuth grant, more likely). And the problem here is that, until all browsers (or whatever) support it, you'd have to run the system in a default-allow state.

Another option for the initial per-contact setup is a sort of trust-on-first-use kind of thing. First email from a new recipient is allowed through, but at that point your email client will ask if you want further emails to be allowed (and if you do, it'll send the key to the sender behind the scenes). Problem there is that spammers could just burn through new email addresses to keep contacting you.

Anyway, I'm sure there are solutions to these problems, even if I can't think of them in the 12 seconds I've allowed myself to do so. I expect this would be something that would remain disabled for a while, until all the infrastructure and client support is in place.

[brongondwana]

Also, every website would have to have a way to do this. That's a massive bootstrapping effort that, you can't change every website in the world very easily, there'd have to be a very massive advantage for them. I don't see the evolutionary pathway to get your suggestion implemented.

Besides, this already exists anyway, it's basically:

brong+secretkey@fastmail.com

Or if you have fastmail style subaddressing:

secretkey@brong.fastmail.com

[echelon]

`+secretkey` is easy to remove.

I don't think changes are hard to push forward. Soon every website will require SSL. Tech giants can move the needle on adoption of new standards.

Wanting to stay in contact with your customer is a pretty big forcing function for adoption.

[echelon]

The users don't have to interact with any piece of this. It can be 100% a backend implementation detail.

If you did want to surface it, the controls could be as simple as "block sender", "opt out of 3rd party contacts", "sender X wants you to connect with sender Y - allow?", etc. Very coarse grained, very easy and intuitive.

[joshring]

This was also an issue I had, but there is actually very good support for this hidden by an invisible feature. Simply add an `*@domain` as your email address identity. When you select that as your from address the fastmail UI gives you an input box to use whatever email you want, you don't need to make a new identity each time. For lookup, I just use my password manager.

[nemoniac]

Off the current topic but since you're promoting 1Password, I notice their cookie policy references EU legislation but chooses not to comply with it. Do you know if that's intentional?

[remram]

Indeed that is very awkward: "European Union (“EU”) legislation requires all website operators to inform website visitors about their usage of cookies"

Later: "first-party and third-party cookies are used on: 1password.com (...)

Stating that you need consent and not asking for it is extremely weird.

[Asooka]

AFAIK, certain classes of cookies do not require consent. For example, login cookies.

[speleding]

The legislation requires you to ask consent for non-essential (ie. tracking) cookies. So unless they put a tracking cookie on their site the behaviour is correct, and that text is simply incorrect.

[remram]

That's my bad for not quoting further, the very next paragraph is:

> First-party cookies are set by 1Password. They help calculate things like page views and visitors to the website. Third-party cookies are set by 1Password affiliates for commission and advertising purposes.

https://1password.com/legal/cookies/

They make it clear that they know consent is required, that they absolutely fall into that category, and then don't ask.

[matteason]

They do use nonessential cookies - Google Analytics, affiliate tracking cookies and more: https://1password.com/legal/cookies/#cookies-we-use-on-our-w...

[abhibeckert]

Not from 1Password, but refusing to comply with EU cookie legislation seems to be almost universal.

Is any company compliant?!

(I'm being facetious... my company is compliant or at least I think it is - not a lawyer... but it's very rare)

[kazinator]

I easily implemented throw-away mailing addresses over an IMAP/SMTP setup.

https://www.kylheku.com/cgit/tamarind/

This is a CGI-scripted web application without any kind of web framework, in an original programming language.

It authenticates you using IMAP or SASL: with direct socket work in a few lines of code. (That's the only integration with IMAP.)

It manages aliases in a standard aliases file. If configured, it can work with the master /etc/aliases file, in which cases it will carve out a section of the file for itself and respect the surrounding file when it adds or removes aliases. I run a separate aliases file, though.

[kazinator]

I do most of my mailing using the RoundCube webmail interface. I made some patches to it.

In connection with the throw-away mail aliases, the issue that comes up is that when you use them for sending, rather than just receiving mails, you want that to be available in the list of sender identities in the mail client.

While it isn't automatic, I put in a hack which at least makes it easier to identify the mail identities. In RoundCube, a mail identity has an "Organization" field: what org you belong to. There is a mail header for that, IIRC.

I changed the UI so that when you look at the identities list box, the Organization field is listed in parentheses (if it is non-blank). Then I use Organization to describe the purpose of the mail alias, e.g "Foo Mailing List" or "ABC Company".

Only a small subset of my throw-away mail aliases become sender identities; I do that manually.

[nilespotter]

I use catch all aliasing and sieve out the offenders. Seems easier.

[kazinator]

Yes; this is for the control freak that wants to shut down the offenders at the SMTP level.

Plus there are some other benefits.

Each one is associated with note field. URLs in the note field are rendered navigable. I use the note fields not only as a reminder about what the alias is for but also for PW management. Throwaway mail aliases often have throwaway passwords associated with them too.

The explicitly created aliases track their creation date, which can be informative from time to time.

UI has a regex search over the aliases (any field).

[ilyt]

How JMAP made that better ?

Last time we did something like that new email address was just "add entry to a Dovecot database", fully protocol agnostic

[calvinmorrison]

because the masked email API matches the rest of the JMAP API, so it's easy to extend and support. Also, 1Password isn't running Dovecot, Fastmail is. So they're asking a 3rd party is a fairly standards conformant way to go and create a new email alias

[Avamander]

Yet your 1password.eu DMARC is set to a very shameful p=none. Priorities...