DuckDuckGo Email Protection: First impressions
When DuckDuckGo announced DuckDuckGo Email Protection on the 20th of July, 2021, I was thrilled about it. As a pi-hole user, the idea of blocking trackers (ads as well) for all emails excites me. The idea is simple: you give away your DuckDuckGo address instead of your actual email address, DuckDuckGo receives it, removes trackers and forwards the email to you.
Note about replying to emails
Replying to the email reveals your primary address to the sender. DuckDuckGo is not an alias service like SimpleLogin or Anonaddy.
They promise to delete the email once they forward it, but we can never confirm as the service does not seem to be open source. Given DuckDuckGo’s track record though, I trust them with my emails.
At WWDC 2021, Apple announced a client-wide email blocking functionality, but that’s limited to the default Apple Mail client. I wanted something that works irrespective of what email client I use. pi-hole works in a way, because it blocks all DNS requests for these trackers, but I haven’t done a detailed analysis of what kind of email trackers it actually blocks. Perhaps there a blocklist specifically tailored to email trackers.
Related post
Set up pi-hole on the Tailscale network
HEY.com is another alternative and perhaps the trend-setter. I gave up after an year, because I wanted to use my email account on any IMAP client, vs being limited to proprietary web clients. The HEY.com web client is nicely done; just wasn’t what I wanted. The address remains mine forever though. I have configured [email protected]
to forward to my DuckDuckGo address, which in turn sends to my primary email address, with all trackers removed.
Signup and setup
I signed up for DuckDuckGo’s on the day of announcement. Because they were rolling out invites in batches, I didn’t get my invitation until today.
Today we're announcing the beta release of DuckDuckGo Email Protection! Get a free Duck Address, and we'll forward emails to your current inbox after zapping hidden trackers and protecting your current email address.
— DuckDuckGo (@DuckDuckGo) July 20, 2021
That's privacy, simplified.https://t.co/Bcgz5yB7nZ
The service is straightforward. Once you receive the invitation, you choose your username and set an email address to forward to. The destination must be one that you reply from, not another email forwarding service.
You can distribute this personal address, or generate unique aliases per site, newsletter or app.
When you receive your emails, DuckDuckGo will prepend the number of trackers removed, with a privacy report link attached to it, or a notice that there weren’t any trackers.
The arrow next to the notice points me to a privacy report web page, where details of the domain removed is listed. It also allows me to turn off the throwaway DuckDuckGo alias if needed.
There’s a dashboard where one can look at the number of addresses generated (but not the actual addresses or an option to turn them off), address being forwarded to, and some links to submit feedback or download browser add-ons. I was hoping to see an option to change the address being forwarded to, but that doesn’t seem to be available. Guess one has to go through support to do that.
My setup: SimpleLogin + DuckDuckGo Email Protection + HEY.com
I am a very happy SimpleLogin user today. While it doesn’t block trackers, I have found a way to use the two together.
I will continue generating SimpleLogin aliases for all websites, but configure my DuckDuckGo address as the receiver, which in turn forwards to my primary address.
Because DuckDuckGo sets the original sender in the Reply-To
header, my response to the email reaches the original sender, not DuckDuckGo.
To: [email protected]
Subject: Test email sent to [email protected]
Date: Mon, 09 Aug 2021 17:13:30 +0000
Duck-Original-Sender: DuckDuckGo <[email protected]>
From: "DuckDuckGo (via duck.com)" <[email protected]>
Reply-To: [email protected]
This part is tricky because the address in the Reply-To
header in my setup is a SimpleLogin reverse-alias, rather than the actual sender.
Since reverse-alias can accept emails only for the mailbox that it is delivered to (in this case, the DuckDuckGo address), I had to add my regular email address to be an authorized sender too.
With this in place, my incoming email setup looks like this:
Incoming
Sender to SimpleLogin alias to Duck address to regular inbox.
And here’s how my outgoing email setup looks like:
Outgoing
Regular inbox to SimpleLogin “reverse alias” to sender (sender sees the SimpleLogin alias, not my regular address or the “reverse alias”)
I also configured my HEY.com address to forward to my Duck address, rather than my regular inbox.