Of emails and email aliases
I have been thinking a lot about emails and email aliases in the last few days.
Emails are the core identity of one’s online presence. They are everywhere, and form the base for any online service.
For years, I have used a Gmail address.
While it’s convenient and free, it isn’t the best choice for a privacy-focussed individual like me. In the last couple of years, I have started reading more about privacy online and opsec. I have gradually made changes to my workflow, including getting a custom domain based on my name.
My address is hosted on ProtonMail with a custom domain. In my opinion, ProtonMail is the safest email can get, thanks to their built-in PGP encryption and published security details.
Custom domains, private inbox, HEY
Having a custom-domain-based email also gives me the flexibility of moving to another email host should there be a need. In the event ProtonMail shuts down, I can always move that domain to a new email host and don’t have to update all of my friends and family about a new address.
That’s the beauty of owning a domain-based email address — I get to carry that email identity until the end of the internet.
That’s a standard practice that everyone must adopt. However, that isn’t always the case due to lack of domain knowledge.
HEY email is Basecamp’s bet on turning that around. They aim to offer a Gmail-like service that’s easy to get started with and manage, and that respects users’ privacy. Of course, it’s a paid email service.
Apple has definitively approved HEY in the App Store!! No IAP, no 30% cut, but we’ve opened the door to a free temp address service, and use same app for work accounts. I’m so incredibly relieved! And now HEY is open to EVERYONE! No invite code needed 🎉❤️ https://t.co/J7OCCTFX2Z
— DHH (@dhh) June 25, 2020
I managed to secure my preferred address ([email protected]) on day 2, and it has been a little over a week.
So far, their features are okay. I cannot say they are marvelous. There is a learning curve to the product, as it’s not a traditional single-stream inbox. They have three feeds which constantly need to be juggled. In particular, their Paper Trail feed doesn’t differentiate read vs unread emails, which is a roadblock for me.
The most annoying part is probably that there is no way to have a sender’s emails arrive in two different feeds. Right now, all of their logic is based on the sender’s email address. Some businesses use the same address for marketing emails and support. In that case, it’s hard to make sense of where to divert the emails: Imbox or Paper Trail?
The founders say all of this is likely to improve in the coming months. As with any product, I know this can improve. Time will tell.
ProtonMail, on the other hand, at a fraction of HEY’s cost, fares a lot better, especially considering the fact that HEY does not offer PGP encryption.
Thinking beyond encryption
I came across a tweet from Pieter many months ago.
I think it's time we start seeing emails as security keys too
— @levelsio (@levelsio) January 17, 2019
With so many account leaks it makes sense to start doing:
🔑 username: [email protected]
🔑 password: ZosNRBKDcuXVKz7aCcdpdpdX
And just save it in a passwd manager https://t.co/qsaykOaMsN
He mentioned an idea that was very intriguing:
Seeing emails as security keys too
What this means is that, in the event an email address gets leaked in a breach, it wouldn’t fall prey to credential stuffing attacks, because that address is used for only one account.
I briefly toyed with the idea of using a custom domain with random characters, but later discovered SimpleLogin and AnonAddy. Both services are much better implementations than what I was doing with a custom domain.
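The per-account address idea above, as an added example (not code from this post, SimpleLogin or AnonAddy): it assumes a catch-all custom domain, here the constructed `example.com`, and the names `new_alias`, `AliasBook` and `stuffing_targets` are hypothetical. It generates one random address per service, traces a leaked address back to the service that held it, and compares how many other accounts share a leaked login under each approach.

```python
import secrets
import string
from typing import Dict, List, Optional

ALPHABET = string.ascii_lowercase + string.digits  # valid in any local part


def new_alias(domain: str, length: int = 16) -> str:
    """Random local part on a catch-all domain (about 82 bits at length 16)."""
    local = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


class AliasBook:
    """Stand-in for the password manager entries: one alias per service."""

    def __init__(self, domain: str):
        self.domain = domain
        self.by_service: Dict[str, str] = {}

    def alias_for(self, service: str) -> str:
        key = service.strip().lower()
        if key not in self.by_service:
            alias = new_alias(self.domain)
            while alias in self.by_service.values():  # unlikely collision
                alias = new_alias(self.domain)
            self.by_service[key] = alias
        return self.by_service[key]

    def leak_source(self, leaked_address: str) -> Optional[str]:
        """Service that held this address, or None if it is not one of ours."""
        target = leaked_address.strip().lower()
        for service, alias in self.by_service.items():
            if alias == target:
                return service
        return None


def stuffing_targets(accounts: Dict[str, str], breached: str) -> List[str]:
    """Other services whose login address equals the breached service's."""
    leaked = accounts[breached]
    return sorted(s for s, a in accounts.items() if s != breached and a == leaked)


if __name__ == "__main__":
    book = AliasBook("example.com")  # constructed domain
    for name in ("shop", "forum", "bank"):
        print(name, book.alias_for(name))
    print("leaked by:", book.leak_source(book.alias_for("forum")))
    print("exposed elsewhere:", stuffing_targets(book.by_service, "forum"))
```

The alias only limits where a leaked login can be replayed; each account still needs its own password, as in the tweet.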
Time for you to sign up
If you are not using unique email aliases for your online accounts, it’s time to reconsider.