More Privacy and Better Security Through Email Diversification

by Elite Bulbe

In this article I will put forth some ideas I have been trying out for myself over the last year.

I won't claim that what I'm suggesting here has not been thought of before.  I do hope you will think about how you use your own email, and gain insight into how everyday tech-savvy folks can increase their privacy and improve their security by changing how they use their email.

My main goal has been to increase my privacy.  As it turns out, the method I have chosen can also improve my security.

My plan was to reserve a new domain name and then create a slew of new email addresses under this new domain.

For security purposes, I will probably end up creating five or six email addresses which will only be associated with one company or account apiece.  For example, if my credit card company gets hacked, the hackers only know the email address associated with my credit card, and not the ones for my bank or cloud storage.  On the privacy protection side, I will create a series of email addresses for different facets of my life.

All of these new email addresses will funnel all email into a single secret master email account, using something called an email alias.

Thus emails to jekyll@myprivateida.hu and hyde@myprivateida.hu would all end up in the inbox of secretsquirrel@myprivateida.hu.

Do not be fooled by the suggestion you may see on the Internet that one can use the "plus" method to create email aliases for this purpose.

With Gmail and several other email providers, you can add a plus sign and then concatenate letters/numbers after the plus to create a "different" email address which funnels into the original email address.  Thus email sent to example+porno@gmail.com and example+reborn@gmail.com both end up in the inbox for example@gmail.com.

Problem is, from a privacy and security perspective, this does not really create new email addresses that are unknown to your adversary.  The plus sign makes very clear what the root email address is.  Everybody in the business knows about this system, so marketers and spammers undoubtedly strip off anything after the plus when matching up email addresses from different locations, so there goes your privacy as well!

My Situation

I have owned a number of domain names over the decades, some of which are even being used.

I try to run most of my email through two email addresses split between two of these domains.

One email address and domain name is very publicly me.  It has my business name, and this is the email address I give out to human beings I know.  The other email address is not used for personal stuff.  This one I use when I do business online, or almost anytime I need to register online for commercial or computer forums, Git, etc.

Oddly enough, the first email was supposedly going to be kept spam-free, and the second one was expected to develop quite a following among spammers.  Sadly, a dramatic reversal has occurred because of my procrastination.

I left my email and phone numbers up to be scrape-able by web-crawlers on the business website.  (Actually, I was not as stupid as that, but the spammers' web-crawlers are now presumably running JavaScript and obtaining my previously obfuscated email address.)

Every five years or so, I try to review and "level-up" my security and privacy.

For this "five year plan" level-up, I want to do several things:

  • Add two-factor authentication to accounts which warrant it.  (I've already done it for most of my financial stuff, but not for some important web accounts, such as the cPanel account for my web hosting company, or for the DNS registrar I use.)
  • Improve my security against random hacking.  My emphasis is not going to be to prevent a determined nation state level hacker from being able to read my email.  I only want to secure my "stuff" against hackers trying to take advantage of my digital online belongings or trying to get my money.  I am not an activist, and I am hopeful that the NSA and CIA have only slightly elevated interest in my doings.  Just cranking up Tor, subscribing to 2600, or opening a non-work-related VPN connection probably puts you on some sort of list.  I just hope it does not make them think they have to hack into my accounts (yet).
  • Start to gain some control over my privacy against the Big Tech Five Eyes overlords and their ilk: Google, Facebook, Apple, Microsoft, and Amazon (as well as your ISP and DNS providers).
  • Re-compartmentalize and reassign email addresses to specific purposes.
  • See how hard this will make it for me when I add this extra overhead into my email use.

Considerations for Current Owners of Their Own Domain Names

I decided I would need a new domain name and a new hosting provider.

Owning your own domain name has both pluses and minuses.

To start off with some negatives: This will cost you money.

The DNS registration is going to run you at least $10 a year, and then you are going to have to pay a hosting company to host your email, which will be minimum $25 to $35 a year and can shoot up to $100 to $200 a year.

My goal was to keep it under $200 a year.  You are also supposed to give your registrar your real name and address.  If you do not, they could actually steal your domain name from you, if you had one worth stealing, and it might be very difficult to prove that you owned it.  I suppose the way to get around this would be to create a shell company and have it buy the name.

On the plus side, having your own domain name will give you portability and long-term stability.

If I don't like my hosting company, I can take it elsewhere without having to re-notify every place where I have registered it.  It also makes you feel like you are beholden to no one.  It's your own little private Idaho, you can do things your way, but it's on you to pick your vendors well and do your own security due diligence, including the precautions that would be done for you, or that you could ignore, if you were to use Gmail.

Domain name owners free themselves from the kind of privacy invasion we can all assume comes to those who depend on email, calendaring, address-book sharing, and messaging provided by the likes of Hotmail (and outlook.com, live.com, skype.com, etc., all Microsoft), Gmail, Yahoo!, Apple, or your ISP.

Now, why did I just not use one of the domain names I already owned?

It would be cheaper for one!  Less complicated as well.

Problem was, from the privacy angle, if I set up this new domain under my old account, it would share its IP address with existing domains with publicly facing links to my actual person.

Ten to 20 years ago, I started paying my current hosting company for a private IP address.  Typically, if you own a domain name through a hosting company, your domain is hosted on a shared host server along with hundreds of other folks or companies like yourself.  Usually each server host will be assigned its own IP address to be shared by all of the hosted accounts on that server.

Back then, it made sense for me to pay extra for my own IP address, and stop using the shared address that all of the other hosting customers on my server were using.

If you had a private IP address, you were supposed to get a better search engine ranking for your website.  In addition, your email was less likely to get tarnished by association if any of the other domains on the shared host ended up on a spam blacklist.  Even if all of the other domain name owners were legit, if any of their accounts got hijacked by spammers, it could negatively affect you because the domains for your email would share the IP address of a spammer and get assigned a bad SpamAssassin score, and thus end up in your recipients' spam folders instead of their inbox.

Now owning a series of domains which were associated with one another by a single IP address meant that it was relatively easy to crosslink my public-facing email addresses with the other addresses I had.

I checked with the hosting company I was using, and to move up to a plan that would allow me to assign a separate IP address to each domain would be too expensive.  On top of that, I prefer that my new domain name be on a shared host anyway, so that it shared the same IP address with hundreds of other random hosted domains.

This is one of the few advantages of using Gmail: it does allow you to disappear into a really big forest.  Unfortunately, then Google themselves gets their beak into your underwear.

If you own your own domain name and never paid for a private IP address, you are probably fairly isolated from a quick connection being drawn between one domain on the account and another, though if your life depends on it, don't go by my word on this!  I'm just a security and privacy enthusiast, not an expert.

So, How to Do This: Register Your Domain Name

First you must register your new domain name.

You will want to do this using a registrar that offers WHOIS privacy, which in my opinion should be free if you are already paying them for the domain.  A lot of registrars will practically double the yearly cost of registration just to provide this privacy.  With little knowledge about this, I suggest either Porkbun or Internet.BS.  I have not used Porkbun, but they are inexpensive, U.S.-based, and possibly more trustworthy than Internet.BS.

Internet.BS has the advantage of being based in the Bahamas, though who really knows where they store your account bits.

It looks like they use Google Analytics, so there is that, though I think it's unlikely that Google will have written custom code to capture the names of your domain(s) you have registered here along with your name and address collected elsewhere.

Note that Internet.BS in 2012 had a lot of shady business going on, being the registrar for one-third of all bogus pharma websites on the Internet.  I still have not figured out whether doing business with this sort of company means they will protect your identity from the muggles, or if it just means they're more likely to sell you out for little money.

It does mean that I have even less faith in the truth and accuracy of their privacy policy as opposed to other more well-known companies.  Internet.BS was bought by CentralNIC of London, and I assume that they would hand over your identity in a heartbeat if presented with a court order from any of the Five Eyes, since they literally provide an email address for law enforcement inquiries front and center on their website.

As a side note, I am baffled by the trust reviewers place on published privacy policies.

As if there is any real penalty for these companies to lie on their websites!  Come on!  It's a Wild Wild West out there that only a libertarian could love.  I think the wiser assumption is to assume that every company is completely untrustworthy, and then figure out how to work with that.

Sign Up With a Hosting Company

Once you have got a domain name nailed down, you have to get it hosted somewhere.

I do not recommend using the registrar for hosting, though many of them will offer the service.

This is where I went into analysis paralysis.

I needed a hosting plan only for mail.

It was O.K. if they offered web hosting, I just was not going to use it.  I wanted the ability to have 30-40 email addresses all alias or funnel into a single email account.  I wanted to be able to also use the hosting company's own generic domain name for "burner" email addresses that I could leave behind if I changed hosting companies, but would be even more private.  That would be where you put accounts for your embarrassing prawn habit or your communications with bare-chested guys with face paint and wearing buffalo heads.

I did not need a lot of storage space, as most or all of these email addresses were going to be low-traffic, and require almost no long-term storage.

Finally, I decided that I wanted the hosting company to provide a mobile app-based method of accessing my admin controls and email.  It was a nice-to-have to also have email-client access using IMAP/POP and SMTP, but not required.  (I changed my mind on this later after signing up with my final choice.)

In addition, unlike many folks in this magazine, I did not require or even want email encryption.  Honestly, I couldn't care less if someone at the hosting company could read my emails.  Too boring!  On the other hand, if you are an activist or person of interest, this may be the single most important factor in selecting a hosting company.

Let's revisit the whole question of app vs. email client vs. web-based email methods.

It's probably just me, but I hate web-based email.

I like using an email client, in my case, Mac Mail.  Unless I am on vacation, I tend to avoid reading email through a client on my phone.  Just be aware that if you are like me, and you like using a client, you have to be very careful to not leak your home or mobile IP address when you are sending email.

Here is where web-based email is better.

Web-based or a vendor-provided app is less likely to leak your IP address.

If you are using an email client, I think you had better be using a VPN, or you risk leaking your location.  Check for IP leakage by sending email from a free test account using the method you will be using before signing up for their paid tier of service.

You will find the IP address of the sender in the Received: from lines of the header.

Look at each one - the email is usually forwarded several times, and each server along the way adds its own line.  It is the originating hop, the earliest Received: line, that will have your IP if it is leaking.

You can use a web-based email header analyzer such as www.gaijin.at/en/tools/e-mail-header-analyzer.

Just note that when you paste your email headers into that, there is the chance that gaijin.at themselves are recording the to and from addresses/IPs, so if you are super-paranoid, get there using a VPN and use a burner email address.
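If you would rather not paste headers into a third-party site at all, the same check can be done offline.  The script below is an added example, not part of the original article: it lists the Received: hops with the originating hop first and reports whether any address you name as your own shows up.  The sample messages, hostnames, and IP addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# Literal addresses appear in headers as [203.0.113.45] or [IPv6:2001:db8::1].
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def ips_in(text):
    """Return every valid bracketed IP literal in text, in order of appearance."""
    found = []
    for candidate in BRACKETED_IP.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # bracketed token that is not an IP address
    return found


def received_hops(raw_message):
    """List the Received: hops, originating hop first.

    Every relay prepends its own Received: header, so the last header in the
    message is the hop where the sending client handed the mail over.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())
        # Only the "from ..." clause describes the connecting client.
        from_clause = ""
        if unfolded.lower().startswith("from "):
            from_clause = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        hops.append({"from": from_clause, "ips": ips_in(from_clause)})
    return hops


def find_leaks(raw_message, my_addresses):
    """Return (header, ip) pairs for each of my_addresses found in the headers."""
    mine = {ipaddress.ip_address(a) for a in my_addresses}
    leaks = []
    for index, hop in enumerate(received_hops(raw_message)):
        leaks += [(f"Received hop {index}", str(ip)) for ip in hop["ips"] if ip in mine]
    # Some providers also copy the client address into X-Originating-IP.
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("X-Originating-IP", []):
        try:
            ip = ipaddress.ip_address(value.strip().strip("[]"))
        except ValueError:
            continue
        if ip in mine:
            leaks.append(("X-Originating-IP", str(ip)))
    return leaks


# Constructed test messages, not real captures. Hostnames are made up and the
# "public" addresses come from the RFC 5737 documentation ranges.
RELAY_HEADERS = (
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])\n"
    "    by inbox.recipient.example with ESMTPS; Mon, 01 Mar 2021 10:00:03 +0000\n"
    "Received: from smtp.mailhost.example (smtp.mailhost.example [198.51.100.7])\n"
    "    by mx.recipient.example with ESMTPS; Mon, 01 Mar 2021 10:00:02 +0000\n"
)
BODY = "From: jekyll@myprivateida.hu\nSubject: leak test\n\ntest\n"

# Sent from a desktop client: the submission server recorded the home address.
SAMPLE_CLIENT = RELAY_HEADERS + (
    "Received: from [192.168.1.23] (cpe.isp.example [203.0.113.45])\n"
    "    by smtp.mailhost.example with ESMTPSA; Mon, 01 Mar 2021 10:00:01 +0000\n"
) + BODY

# Sent from webmail: the first hop is the provider's own web front end.
SAMPLE_WEBMAIL = RELAY_HEADERS + (
    "Received: from webmail.mailhost.example (localhost [127.0.0.1])\n"
    "    by smtp.mailhost.example with ESMTP; Mon, 01 Mar 2021 10:00:01 +0000\n"
) + BODY

if __name__ == "__main__":
    my_ips = ["203.0.113.45", "192.168.1.23"]  # stand-ins for your own addresses
    for name, sample in (("client", SAMPLE_CLIENT), ("webmail", SAMPLE_WEBMAIL)):
        print(name, "origin:", received_hops(sample)[0]["from"])
        print(name, "leaks:", find_leaks(sample, my_ips) or "none")
```

Save the raw source of your own test message to a file and pass its text to find_leaks() together with your current public IP and your LAN address.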

I am always worried when I am using a website through my phone that I will leak info unintentionally.

I just don't have as much knowledge about what is happening or control over my phone network-wise, so I decided that I would prefer to have a vendor-provided app instead of using their web-based interface.

In general, even being careful on my Mac is hard.  Even if I ever get around to using VPNs more regularly, I just find it's too easy to forget whether I am operating "in the open" or "in the pipe."

Final Hosting Related Steps

So once I had an email hosting vendor, what next?

I had to point the DNS MX record for my domain to the email hosting service.

Look on the email hosting website for the text strings needed to point to your domain, and then look on your registrar's website for instructions as to where to modify the DNS records with this info.

You can then start creating new alias accounts on the hosting site, and creating new accounts on the places on the web you do business with.

Just remember: if you already had an account with someone, you'll often want to create a brand new account if possible instead of changing your account profile's email address.

I don't know if anyone is tracking data at this level yet, but if you use the same phone number, address, name, or credit card number on the new account, that might also leave a trail of breadcrumbs leading back to the well-known digital persona in your previous incarnation.

Pick New Email Addresses

So the whole point of all of this was to get a whole bunch of new email addresses.

The ones for financial and important network accounts will be created one-per-destination.  If my credit card email address is discovered on IveBeenPwned, I can be secure in knowing that:

  1. I don't have to be concerned that the adversary would have much luck guessing the email address for my bank account or my web-hosting cPanel.
  2. When such a leak is discovered, I can take the more prudent action of just changing the email address used for the profile/recovery of such an account instead of just changing the password.

Since the email address is only used for this one account, it's no biggie to allocate a new one for this one account, whereas in the old way of doing things, it would be way too much work to create a new email account and notify every place it got used with the new one.

Since the purpose is to make it difficult for an adversary to guess the email account name based on the leak of any one email address, you should choose wisely.

Do not go off and create capitalone@MyPrivateIda.hu, because if it leaks, it will be easy for them to guess that mybankname@MyPrivateIda.hu is the email address for your bank.

It goes without saying that you will never use the email address which "owns" this account, and to which all of these aliases funnel down to.  That should stay secret.
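The naming rules in this article can be checked mechanically before you hand an address out.  The script below is an added example, not the author's tooling: it shows how plus-tagged addresses collapse to one root, and it flags aliases that name their destination, expose the master address, or use a single character (a pitfall covered in the tips further on).  The random-name suggestion is one assumed way of choosing an unguessable alias, and the plan entries are constructed from the article's own example addresses.

```python
import re
import secrets
import string

MASTER = "secretsquirrel@myprivateida.hu"  # the article's example master inbox


def strip_plus_tag(address):
    """Reduce user+tag@domain to user@domain, as address matching commonly does."""
    local, _, domain = address.lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def link_by_root(addresses):
    """Group addresses that collapse to the same root once +tags are removed."""
    groups = {}
    for address in addresses:
        groups.setdefault(strip_plus_tag(address), []).append(address)
    return groups


def lint_alias(address, used_for, master=MASTER):
    """Return (code, reason) findings for one alias and the account it is for."""
    findings = []
    local = address.lower().rpartition("@")[0]
    if "+" in local:
        findings.append(("plus-tag", f"root {strip_plus_tag(address)} is visible"))
    if address.lower() == master.lower():
        findings.append(("master-exposed", "the funnel target must stay secret"))
    # A local part that names the destination lets one leak predict the others.
    squashed = re.sub(r"[^a-z0-9]", "", local)
    for word in re.findall(r"[a-z0-9]{4,}", used_for.lower()):
        if word in squashed:
            findings.append(("names-destination", f"contains '{word}'"))
            break
    if len(local) == 1:
        findings.append(("single-character", "some sites reject or mishandle it"))
    return findings


def suggest_alias(used_for, domain, master=MASTER, length=10):
    """Pick a random local part (assumed policy) that passes lint_alias."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        local = secrets.choice(string.ascii_lowercase) + "".join(
            secrets.choice(alphabet) for _ in range(length - 1))
        candidate = f"{local}@{domain}"
        if not lint_alias(candidate, used_for, master):
            return candidate


# Constructed plan using the addresses the article itself uses as examples.
PLAN = [
    ("example+reborn@gmail.com", "newsletter"),
    ("capitalone@MyPrivateIda.hu", "Capital One"),
    ("secretsquirrel@myprivateida.hu", "bank"),
    ("z@myprivateida.hu", "forum"),
    ("jekyll@myprivateida.hu", "credit card"),
]

if __name__ == "__main__":
    print(link_by_root(["example+porno@gmail.com", "example+reborn@gmail.com"]))
    for address, used_for in PLAN:
        print(address, "->", lint_alias(address, used_for) or "ok")
    print("suggestion:", suggest_alias("Capital One", "myprivateida.hu"))
```

Grouping on the root address is only one matching key; aliases on a domain that only you use still share that domain.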

Creating a separate email address per destination for run-of-the-mill non-secure accounts would be a lot of work, plus many of these mail hosting providers charge quite a bit of money for extra aliases.

So, for privacy-related use, I created basket accounts which would get shared for whole categories of accounts.

Thus I created one group account for each of: media, gaming, news reading, GPS/navigation, travel, retail/shopping, non-critical cloud services, health care, etc.

You make up your own set of categories.

For example my media email is given out to Netflix, music, and other related streaming accounts.

I imagine my medical/dental account will be used for everything including insurance.  I don't really care who knows what I've got.  If you do, you might want to split them up; just realize you could make things difficult for yourself when the hospital your doctor has admitting privs with tries to use the same email address for itself and your doctor.  The same is true for a bunch of other categories.  One address gets inherited or passed on to the next place.

Lots of IoT devices need an email address to register with as well.

This is one area where I think there are some serious privacy issues I've never seen discussed anywhere.  I'm thinking of my smart garage-door opener and my sleep number bed.  Just think about what you are giving away when you use those two.  Some corporation gets to keep track of when you come and go from your house, and when you are away on vacation.

With the bed, they can probably figure out what your sex life is like and a lot of other personal stuff.  This is not a stretch, since that sensor is sensitive enough to capture my heart and breath-rate, while it is measuring how much I toss and turn at night.  If it can tell when you are awake or asleep, don't you think they can figure out what sex position you are using with your partner?

Calendaring and Address Books

I almost forgot.

When you sign up for email hosting, you usually also get cloud-based calendaring and address booking.  (I don't even mention it in my criteria below for hosting companies.)

I cannot write this up yet as I have not gotten myself off of the big "G" for these two sources of privacy leakage.

Of the two, the address book privacy issue is the worst in my situation.  I've got 700+ people in my address book, often with a full first name and last, with phone number, email address, and snail mail address.  This is a huge privacy leak, and I need to write in the future about my experience of cutting this over as well.  I will say, I already create incomplete or obfuscated snail mail addresses for new entries.

Mail Hosting Companies to Consider (in Alphabetical Order)

The final list of vendors I came up with for email hosts is surprising (even to myself), but I think anyone reading will find a host that provides the right combination of cost and features you require.

This list spans a wide set of needs.

They all satisfy my desire to keep the yearly fees down.  If you couldn't care less about usability, but want encryption security, there are several.  If you just want easy-to-use cheap mail hosting with possibly sub-optimal privacy and security, I got that too.  (By the way, I think there is a lot to be said for hiding in plain sight.  I think using Proton Mail, Tutanota, or CTemplar immediately puts you in some sort of category.)

CTemplar - This one was in the running until the end.  They responded right away when I asked for a referral code, they had a nice looking Android app, they are based in Iceland, they seem to be new, and, as a relatively new vendor in the market, I saw them as "the underdogs."  This sorta cuts both ways though, as it means that the forest of other clients to hide in is smaller - instead of having Proton Mail's ten million users, I suspect their user base is still well under one million.  I think my main problem in the end was subtle.  I found I could not grab an unmunged text version of the email headers from incoming email.  They had prettied it up, and made it impossible for me to select in a single cut to paste into a website I use to analyze email headers.  Although they do not allow IMAP, they do support email forwarding.

Fastmail - If you are a security/privacy nut, you are probably surprised to see these guys on my list.  They have the advantage of being large, and based in Australia.  Aside from that they are not likely to be trustworthy, either for privacy or security reasons.  Given the low bar your average user in the real world (not you, of course) has for privacy and security, these guys will not lose any market share if it is reported that they get caught with an egregious privacy or security blowout.  But, they give you a pretty big forest to hide in.  They have a huge assortment of vanity domain names you can use when you are not using your own domain names.  If I were going to be looking for an inexpensive way to do this, I might go with these guys for a privacy-centric solution.  $36 a year and 600 aliases.  I wish Tutanota, CTemplar, Proton Mail, etc. would give out aliases that freely.  Not bad!

Proton Mail - The Ten Million User guerrilla in the room.  According to a digdeeper.neocities.org write-up on them, they are problematic.  Strangely, I finally decided against them because my password manager did not play nice with the way they encrypt my emails with a different key from the password I use to access my account.  Yeah, yeah, I've ended up with another provider who I do not even have the encryption turned on for!  I also was bewildered by their smorgasbord of plans and add-ons.  It seems to me that, like many, they charge too much for extra aliases.  If you want to send secure encrypted emails to other folks, this is probably the one to use.  There are already tons of users on it, and when it comes to easily sending encrypted email, you can either spend a lot of time messing about with PGP, or you go with a vendor where you only send emails to other users of their service.  Even the creator of PGP no longer thinks PGP works well for email, and is looking for a better solution.  Proton Mail has some sort of Bridge app for paid users to use IMAP on some of the most popular email clients.  I don't think they allow auto-forwarding.

TheXYZ - A bit like Fastmail, but probably more secure.  They have an app.  They are based in Canada, aye?  They offer unlimited email aliases.  Inexpensive.

Tutanota - This was the one I kept coming back to.  Based in Germany, they have millions of users.  It seems like they got into the business for privacy protection as much as security.  Reasonably usable app, relatively inexpensive.  They charge more for the number of aliases I will need, but not that much more.  The cons are that they have a terrible name, IMHO.

If I were worried about nation state adversaries, I would probably pick Proton Mail or CTemplar.

The Runners Up

In the list of runners up, two looked like comers, but they require you get a referral from an existing long-term customer: CounterMail and Riseup.

CounterMail - They claim if you do not know anyone to get a referral code from, you can email them, but their emailer just kept bouncing my request.  Don't waste my time, you jerks!

Riseup - Did not give you a way to sign up if you did not know an existing customer.

CripText - Out of Miami, they look expensive.

EPrivo - Possibly based in Massachusetts, no storage.

Cotse.Net - This looks like a little mom-and-pop outfit with personal service.  I discovered them after I'd signed up with Tutanota, just as I was finishing up.  I'll probably look into them more.  They are from Worcester, Massachusetts.  That's "Wuhstah, Mass" to you non-New Englanders!

StayPrivate -

PrivateMail - No bring-your-own domain?

Experience Using Tutanota

I finally decided on Tutanota, but based on what I have found since paying them, I will not be renewing the service unless they add the ability to create an email account which can forward an incoming email (preferably to two different external accounts).  It's becoming clear to me that for the ease of use, a service that allows IMAP access should be a requirement.  My partner will put up with a certain amount of craziness on my part, but there is no way I could persuade her to use a special app just to read certain email messages.  My partner and I share access to an EasyPass account, and they only allow one email address to be used to send out notifications, etc.  I want to use an independent and unique email address which would forward to both my and my partner's accounts.  You can't do that with Tutanota.

As time wears on, I am finding it tiresome to have two different piles of mail to look through.

I have already twice spent minutes searching through Mac Mail before it finally dawned on me that it's in Tutanota.  I think IMAP should be a requirement if usability is at all important to you and you are like me, unwilling to completely jettison your old email addresses.

I should also mention that funneling all of my current email addresses through Tutanota might be one way to get all of my mail in one pile.  If I did this, I would probably create in my case two accounts, maybe even using Tutanota's own vanity domain name, so that if I do reply, I am not revealing my "main" domain name to users of my older domains.

From an ease-of-use perspective, creating a new alias seems to be a bit awkward too.

I think I counted eight taps from opening their app to being able to tap on the + to create a new alias.  This includes the craziness of selecting the right account of the two I have, then tapping on the "hamburger"/menu icon, tapping the gear symbol, then tapping on the exact same "hamburger"/menu icon a second time, which then opens up a menu which exposes the "User Management" option, after which you will have to select between those two email accounts a second time, then scrolling down and having to "open" the alias list to finally see the + .

Clearly, being able to add aliases was not thought to be something a user might do frequently.  It's disconcerting to click on the gear symbol two different times, and have to select the right account twice too.

For those folks on the anti-government security end of the spectrum, here is another reason you might want to avoid Tutanota as well.

November 2020 news indicates the service is being forced by the German courts to decrypt email messages for an account used to blackmail an auto company.  Not a good look for a company depending on the promise that nobody will ever be able to read your emails.

Tricks Learned Along the Way

  • I will pass on another interesting tip I've learned over time.  Do not use a single letter email address like z@myprivateida.hu.  Over time I've figured out that a surprising number of websites have bugs related to single letter email addresses.  These range from badly written regular expressions which prevent you from registering with what is a perfectly legit email address, to stupid password security tools which prevent you from using your email address in your password (which might make sense for email addresses more than three characters long, but is just idiotic for shorter ones).  So it would not allow the password sQ123!%# if your email address was either s, q, 1, 2 or 3.  As a side note for you hackers and pen-testers out there, I suspect you can use single letter email addresses to break code as well.
  • Yandex: You can register with the Russian search engine company for a free email address, and you do not have to provide a mobile number or another email address.  Just understand that this email address they give you for free is only good for a short time (probably two months) after which, without notice, they will require you to provide a mobile number for you to get back into your email.  This is pretty evil, since at the two month point, most people will have been pretty well settled into their email address, have given it out to lots of folks, and be unwilling to just ditch it without being able to log in one more time.
  • You may be thinking that instead of using Yandex, you could just go with one of the well-known disposable email address outfits.  Most other major free email services will not accept an email address for "validation" from one of the well-known burner places.  (By burners, I mean guerrillamail.com, owlymail.com, gmailnator.com, tempmail.org, fakemailgenerator.com, 10minutemail.com, trashmail.com.)
  • I live in the United States.  I found that I could buy a prepaid anonymous credit card for cash pretty easily at a local store.  Problem is, most (all?) of those cards available through brick-and-mortar retail are limited to use within the United States.  If you are trying to buy hosting services or DNS registration offshore, you are going to have to figure out how to use Bitcoin (I haven't) or do something shadier than I was willing to do.
  • Even buying a TracFone with cash will make you leave a trail leading home.  As I recall, they required me to provide a real physical snail mail address and name during the registration.  I do not know what the legal ramifications are for providing false info.

Credit Cards and Burner Phones: Write Me!

This brings up some skills that I still have not mastered, namely what are the ins and outs of using burner credit cards and burner phone numbers if you want to do business online with your brand-spanking-new pseudo-anonymous email addresses?  I would appreciate emails from folks who know more about this.  Maybe I'll write an article on that next!

Lastly, let me emphasize this disclaimer: your author is not a security or privacy expert, just an enthusiast.

If you are a high-net-worth individual, or an activist which a nation state or large corporation has taken an interest in, this article was not written for you.  I did not cover the steps you need to take to properly protect you from determined adversaries.

Sidebar: A Rant on "Free" and the Original Sin of the Internet

We all must stop with this idea, "Yeah, but xxx.com offers email for free.  Why would I pay for it?"

I mean, first of all, look at it this way: how important is email to you?  I mean, if you can give it up, great, but if you are like me, you depend upon it (and curse it) daily.  If you even pay $50 a year for something you care about (heat, food, water, electricity, and phone service), why would you think you are entitled to free email, social networking, or cloud storage?

If you are not paying them any money, then you are providing the company something else instead.  Most of the time, you are giving them access to the who, what, and where of your daily life.  If you don't mind faceless companies knowing who all of your friends and contacts are, and what gets said in the presence of Alexa and their phones, well, you are different than me.

The fact that the Internet as we know it today has no universally accepted and easily used method for making micro-payments is baked into the protocols and thought patterns of the original techno-elite who designed it.  This is the Internet's Original Sin.

Up until the year 2000 or so, everyone designing it pretended that they were these super libertarian do-gooders.

Heck no!

They were not paying for their newsgroups and email use, they were sponging off of their employers and the U.S.
