[greengreengrass]

I, too, get so frustrated by + addresses not working that I’ve configured my MDA to rewrite —- (double hyphen) to plus, and use this in spite on sites that dislike the + variant. I’ve made it impossible to /not/ host my own mail delivery infrastructure now if I want every address I’ve ever given out to still work.

Although more recently I’ve moved to a catch all domain for throwaway, which is even better. It confuses agents on the phone though when I give my email address as {their company name}@mydomain.com

Yeah, most people don’t understand how the ownership and control varies before and after the @ symbol.

[picofarad]

What's the most common thing you hear when you do this? Usually its nothing, but the second most common thing is: "no, sir, your email address."

It gives me the fuzzies every time to explain I own the domain, and every email address on it is mine.

Since I have it on my phone, I can usually receive the email that they send very quickly and prove that everything's working fine.

I am wondering how hard it is to do this again today with a new domain though.

[greengreengrass]

The best one was when someone said they were going to give me excellent service because “you work for corporate”, confusing the company name before vs. after the @ sign. I forget which company it was now but the agent was convinced I must be someone important.

I was torn between explaining and letting them believe it :-)

Most of the time, folks just don’t understand why their company name is in the address and they think it’s a mistake.

To be honest, I do tend to avoid this for anything other than throwaways because it causes too much confusion when I have to phone up, and I’m not really doing it out of a misguided belief it helps with spam (at least, it doesn’t help any more than security by obscurity is unsuitable as a singular defence, but maybe has a tiny role when layered into a broader strategy…)

[FLHerne]

I find it's convenient for knowing which companies have immediately - and illegally, in this country - sold my details on to third-party spammers. Makes it easy not to do business with them.

[genewitch]

maybe i can write a whatthreewords style "email identity mapper" so you put in "walmart.com" and it spits out "busybee223@example.com" and "autozone rewards" yields "Horserider184@example.com"

then if you start getting spammed, you use the w3w style thing to reverse it and see what site/entity sold your email...

then all of the "this doesn't/won't work because they'll just spam the entire domain" arguments go away, the "no, your email address" style comments go away...

[greengreengrass]

Good thought experiment! Makes it hard to remember the correct address for each site, but meh, that's the job of my password manager anyway.

[genewitch]

one wouldn't have to remember. if the address you gave out using the w3w-style encoder starts getting spammed, you can reverse it with the w3w-style decoder.

you'd need an app or a mnemonic device of some sort if you wanted to give an email out in public as opposed to sitting at a computer. but ideally on the computer when you notice spam you just reverse the email address back to who you gave it to; "target.com", "kroger.com"

[kgwxd]

> as {their company name}@mydomain.com

People are still doing that? To prevent spam? To "catch" the company leaking/selling your address? Now the spammers know they can likely use anything@domain, and it'll get to your eyeballs in some capacity. Also, companies have no shame anymore, they don't care if you know.

[dredmorbius]

The practice also makes filtering more effective.

Rather than whitelisting simply on a given sender, you can rely on both the sender and the recipient address matching a known list. This needn't be a single sender address. If you have multiple contacts at a domain, or a given entity relies on several email services (e.g., direct personal email, vendor-based marketing emails, vendor-based support or notification services), you could add all of these to the "from" match set.

I'm thinking through phone comms presently and am considering a similar concept for mitigating ever-growing phone abuse. Running a VOIP/PBX system, having multiple internal, non-public "extensions", each of which is valid for only a small subset of caller numbers. The "extension" space could be large (6--9 digits, say, millons to billions of values), making exhaustive search / coincidental match infeasible.

(This is only one of a few approaches I'm thinking of, it happens to resemble the specific email practice being discussed.)

[greengreengrass]

I started doing it when so many sites had broken + aliasing stuff, which I use for filing mail to keep my inbox manageable and actionable, as it was easier to type than my double-hyphen hack described above.

I’m not concerned about the leaking as my address is out there anyway and Bayesian spam filtering is still decent enough, but as an aside, I have had two companies this year whose user databases must have been leaked on the basis of spam received at company-specific addresses. I reported it to their privacy people and pointed out it’s highly unlikely this “spam” originated as their (tiny company name) being chosen by chance by a spammer who figured out my catch all domain.

They never replied, and I probably should have followed up with the local information regulatory commission in each case. Hopefully, my note helped them identify they had a leak and to secure their systems.

[garaetjjte]

In practice they don't do that, apart from spamming few addresses like office@ or accounting@. If some address starts getting spam I reject everything sent to it. For addresses that are getting spam but needs to be public (like contact addresses on website) I do more aggressive filtering (eg. I noticed that enforcing that recipient is actually present in To/Cc header cuts down a lot of spam).

[kurttheviking]

I do but mostly for coordination and comms sharing with my spouse by using group aliases. Summer camp registration, school nurse contact info, car insurance, library holds...all super convenient to get joint notifications for things. And yeah, also to remember who we gave contact info to which we can drop if it gets spammy.

[scottmcmac]

Yeah, I do the same, but without the catchall for exactly that reason. If I start getting spam, the e-mail gets disabled.

[picofarad]

Smart, what server / service do you use?

[eks391]

Look up email alias service or something similar, if you aren't looking to self host. I can't recommend the service I use, because I'm grandfathered in to my plan, and their current plans for new customers suck, but there's enough providers out there that you should find something competitive.

If you want to 'self host' on a provider, I thing cheap/free options are available from cloudflare, Google, and similar enterprise companies.

If you want to truly self host, I don't have experience, but this guy who does gave a great thorough answer for those who are interested: https://news.ycombinator.com/item?id=48073510

[genewitch]

I'm paying $15/yr currently for a catchall, plus the domain. I think new customers get charged $50+ a year, maybe even closer to $100.

[volemo]

But the portion of us is so negligible that it’s not worth for the spammers to handle our edge case. :D

[gonzalohm]

How do you deal with sending emails? When I was self hosting my emails would be flagged by Gmail (or any other email providers) so I effectively only had a self hosted inbox, which sucks

[picofarad]

Dont use a random IP to host? I use fastmail, even though they're trying to convince me that I need to pay ~$45 now instead of $5/year.

And they sent me an email explaining how grateful I should be, that I'm grandfathered in to being able to use my own domain on a "plan" they dont even offer., in a plan that didn't offer custom domains.

Well how'd I get all that then? I signed up for fastmail explicitly because $5/yr for custom domains.

Anyhow if you pay a host you're probably fine. Or find someone with an old /24 thats had a /31 or /32 unused for a long while, and no other black marks against the /24. And use that IP, set up demarc and all the other new email DNS stuff.

[f_fmail]

I migrated from Fastmail to Runbox in 2017, having been a customer with the former for four years, after I filed a ticket and the Fastmail CEO responded with such obnoxious belligerence that I swore off doing business with Bron or his company ever again.

The ticket began with a question about whether they'd be willing to change the way their WebDAV server handles query strings (by just ignoring them—versus returning 404, as it was doing at the time). The CEO subtly reframed the conversation as if I was accusing them of not following the standards. I wasn't. Git utterly screwed up how it does content negotiation. The change on their end would have made it easier to upload content into the file storage/web hosting space included with all plans[1] using git instead of a dedicated, conventional WebDAV client or the flaky support built into nautilus. I explained that I had originally planned to write a blog post about another one of the benefits of a Fastmail account, but the smugness and passive aggression of Bron's subsequent response—"Oh good. We don't want that," and his likening the use of git to push your static site to Fastmail's web hosting as akin to abusing DNS to tunnel arbitrary IPv4 data (wat)—and the general intellectual dishonesty I'd run into over the years seeing them respond to criticism e.g. here on HN, along with the fact that my plan was up for renewal in a month made the choice not to renew (and to try to dissuade others from giving their money to jerks) an easy one.

I switched to a different provider the next month, ended up saving money, and have only ever been met with warmth and kindness in the interactions I've had since switching, which is now going on 10 years ago.

1. <https://www.fastmail.help/hc/en-us/articles/360060590933-How...>

[greengreengrass]

My setup is more complicated than it needs to be for $reasons (I like playing with networking protocols, have my own v6 prefix and ASN etc. and my mail and other important personal services are hosted across multiple sites for redundancy), but any competent VPS host that offers you a static IP - coupled with some DKIM, SPF and DMARC configuration that will take an afternoon - should solve the problem. I rarely touch my home setup and it works fine; mail doesn’t go to reputation black holes and it’s been like this (literally) for decades. I invest in architectural tweaks and improvements perhaps every 5 years.

I do run similar infrastructure professionally for a living, which probably helps with getting it right first time. Competent VPS hosts care about IP reputation for mail; e.g. Hetzner only allows outbound port 25 for “trusted” customers, which somewhat helps with abuse reports. Some hosting providers may even let you relay via their own outbound hosts if you have a VPS with them, which simplifies the operational aspect.

I rarely need to send from the catch all address, but Postfix can easily be configured to allow my user to send from other addresses, and then it’s just a case of adding as an alias in your mail user agent.

[mrighele]

Not OP, but I self host a few domains.

I was worried about not being able to send emails, but is seems that as long as you setup properly SPF/DKIM/DMARC you're fine. You may have problems if using a domestic address though.

For the configuration, the best bet is probably to use a product that makes it easy to configure the above three, there are a few alternatives around, like Stalwart [1] or docker-mailserver (which is little more that your postfix/dovecot/rspam combo packaged in a container) [2]

[1] https://github.com/stalwartlabs/stalwart

[2] https://github.com/docker-mailserver

[DarkUranium]

How did you manage to get Hotmail/Outlook to accept your email?

I got everything setup correctly, but Microsoft seems insistent on silently dropping my email.

[giancarlostoro]

Been wanting to do something similar my only hang up is coming up with a domain they wont butcher. When I got my passport I guess it must be OCR but they butchered my email completely.