[oijaf888]

It keeps phishing attacks from being able to cross services (since if you get a citibank email to your coinbase email that would be a big flag) and it reduces the attack surface on other sites.

I use email.site@domain.com for this purpose and it makes it handy to see who has somehow lost/disclosed my email to third parties and not informed me (FreshDirect for example)

[claudius]

> It keeps phishing attacks from being able to cross services (since if you get a citibank email to your coinbase email that would be a big flag) and it reduces the attack surface on other sites.

Or, more importantly, it lets you authenticate the sender in some way. Citibank has to send you email to you.citibankiscool1253stuffonlyIknow@example.net and it is unlikely for a spammer to guess that exact wording (without also trying hundreds of others, which would give it away by filling your inbox).

[kisielk]

email.site@domain.com is at least a distinct email address, unlike using +. Especially if you use different passwords for each account, it means if one of the emails is compromised then the attacker can't use it to recover passwords of your other sites.

[oijaf888]

+ can be a distinct email address, just as . can be an alias. It really depends on how your email server is configured. Postfix makes it really easy to adjust what character you use.