There’s an old joke where two guys are hiking through woods when they come across an angry bear. The first guy drops his backpack, pulls out his running shoes, and quickly puts them on. The second guy says “What are you doing? You’ll never outrun a bear.” “I don’t need to outrun the bear”, the first guy says, “I just need to outrun you.”

We can apply the same principle to online privacy and security. If you’re a bit more difficult to target than average, you’re less likely to fall victim to scams.

This brings us to catch-all email addresses - an under-appreciated way to add a little privacy and reduce your online attack surface.

What are catch-all emails?

Catch-all emails allow you to create unique email addresses for every account you create online. When you create an account to buy 50 kilos of sugar-free gummy bears, instead of using your real email - john.realname@gmail.com - you use something like gummi.bear.madness@your-domain.com.

A common pattern is to use the name of the service - for example - amazon@your-domain.com or twitter@your-domain.com. The nice thing is you “create” the email at the time of registration, without extra steps.

Yeah but why should I?

There are several advantages:

  • If your account data is leaked (which happens all. the. time.) the attacker won’t know your main email address. This means they can’t turn around and try to gain access to that account, or use the address to try to gain access to other accounts.
  • You don’t leak personal information. Many services only require an email to sign up, but a lot of people use parts of their name and initials in their main email.
  • You know who is selling your data. Emails are commonly sold from one company to another via data brokers. If you start getting spam or unsolicited email against a unique address you’ll know who sold it, or whose service has been compromised.
  • It’s more difficult to build a profile of you across services. Data brokers build profiles of your behavior based on where you have accounts (among other things). With a unique email for each service, this becomes more challenging for brokers to correlate. It’s not impossible - they can still analyze patterns of your domain - but they can’t easily know if your domain is used by a group or individual.
  • There’s also a non-privacy-based use case: If you’re someone who needs to create a lot of test accounts (developer, QA, etc.) this is highly convenient.

Are there any disadvantages?

  • Some people report getting more spam overall, though personally, that has never been a problem - even on email servers we self-host. So long as you’re using an email provider with good spam detection you shouldn’t see any issues.
  • You need to remember which email you used for each account. But this is trivial when you’re using a password manager (if you’re not, drop everything and do that first)

How can I create a catch-all email?

So you’re sold on the idea! Great - you can get started in three easy steps.

  1. First things first - you need to buy a domain name that supports catch-all emails. I use NameSilo because they’re inexpensive ($10 a year for a .com, and you can pay less if you choose a different top-level domain). They also make your WHOIS information private for free, so no one knows you own the domain.

  2. Create an email forward for *@your-domain.com that forwards to your main email address. The * is a special character that means “anything”. This is what allows you to type in anything-you-want@your-domain.com and still receive your emails. Every interface is different, but you should be able to find email forward settings in your domain management panel - here’s what it looks like in NameSilo:

NameSilo Example

  1. Profit! OK well, actually you’ll need to wait 15-30 minutes or for the settings to propagate, depending on your domain service. Then you should run a test by sending an email to whatever@your-domain.com. You should see the email arrive in your main inbox addressed to your one-off email.

If you don’t see the email arrive (and you’ve given enough time for your domain settings to get up and running) check your spam folder. You may need to whitelist your new domain with your email provider, though in my experience this has rarely been a problem.

And that’s it - now when you create a new account you can make up any email on the fly.


We’re committed to helping everyone achieve more privacy and security online. That’s why we’re building an end-to-end encrypted photo storage and sharing application in StoryArk. Your data is valuable - don’t give it away.