Disposable Email and Forwarder Strategy for Privacy

Using per-service email aliases on your own domain — better than disposable email services, and a powerful privacy + spam-tracking tool when you control the domain.

One of the underappreciated benefits of owning your own domain is unlimited email aliases. Instead of giving every website your real address (which gets sold, leaked, and spammed forever), you can hand out a unique address to each service — amazon@yourdomain.com, github@yourdomain.com, random-site-2024@yourdomain.com. When one starts spamming you, you cut just that one off and your real inbox stays clean. This guide explains how to set it up properly.

Why this beats Gmail’s “+” trick

Gmail’s “+address” trick (you+amazon@gmail.com) is widely known but has two flaws:

  • Spammers strip the +tag. Common spam software removes everything after the +, leaving your real address, so the tag gives no protection.
  • Some sites reject “+” in email fields. Email standards allow it, but many forms don’t.

Custom-domain aliases avoid both. amazon@yourdomain.com is indistinguishable from a “real” mailbox to the outside world. Strippers can’t see anything to strip. Forms accept it without complaint.

Why this beats disposable email services

Disposable services (10minutemail, mailinator, etc.) have their own problems:

  • Many sites block them. Their domains are well-known and rejected at signup.
  • Mail is public. Anyone who knows the address can read it. Useless for actual accounts.
  • Temporary by definition. No good for long-term services where you’ll need password resets later.

Aliases on your own domain are persistent (last as long as you want), private (only you receive them), and accepted everywhere.

Setting it up — two approaches

Approach 1: Catch-all to a single mailbox

This is the simplest option: enable a catch-all and you can invent any address on the spot. Sign up for a service with random-name@yourdomain.com; the mail lands in your existing inbox automatically.

  1. cPanel → Email → Default Address.
  2. Set to Forward to Email Address → your real mailbox.
  3. Done. Any address @yourdomain.com routes to you.

Pro: zero ongoing setup. Make up addresses as you go.

Con: any spam to any address on your domain reaches you. If a spammer dictionary-attacks your domain (a@, b@, info@, etc.), you receive all of it. Filter aggressively or use Approach 2.

Approach 2: Per-service forwarders

Create a forwarder for each service you sign up with. Catch-all stays off.

  1. About to sign up for Amazon — go to cPanel → Email → Forwarders.
  2. Add Forwarder: amazon@yourdomain.com → you@yourdomain.com.
  3. Use the forwarder address at signup.

Mail arrives in your real mailbox tagged with the alias used. When Amazon (or a database leaked from Amazon’s vendor) starts spamming, you know exactly which alias is compromised — and can disable just that one.

Pro: precise control. Spammer dictionary attacks fail (those addresses don’t exist).

Con: takes 30 seconds per new signup. Worth it for important services; tedious for casual ones.

Hybrid approach (the practical recommendation)

Most privacy-aware customers settle into a hybrid:

  • Per-service forwarders for important accounts (banks, primary email, accounts holding payment info).
  • Catch-all for low-stakes signups (newsletters, one-time downloads, sites you don’t expect long relationships with).
  • A spam filter in the catch-all destination that aggressively tags catch-all mail differently from named-forwarder mail.

Auditing what you have

The Forwarders page (Email → Forwarders) lists every alias. Review it periodically (every few months). Delete forwarders for services you no longer use. Note any that started receiving spam and investigate which service leaked them.

This audit is one of the most useful security exercises you can do. It tells you which services have been breached (the spammed alias is the canary) and reduces your inbound spam surface.
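The canary check can be run over saved mail. This added example is not part of the original guide or of any cPanel tooling: it sorts messages into named-forwarder mail, catch-all mail, and mail to a named alias from an unexpected sender. The FORWARDERS map, the REAL_MAILBOX name, the headers inspected and the sample messages are all assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

DOMAIN = "yourdomain.com"   # placeholder domain used throughout the page
REAL_MAILBOX = "you"        # forwarder destination; never counts as an alias
# Assumed map you maintain: alias -> sender domains you expect to write to it.
FORWARDERS = {"amazon": {"amazon.com"}, "github": {"github.com"}}

def alias_used(msg):
    """Local part at DOMAIN the message was addressed to, or None."""
    # Which header carries the alias after forwarding depends on your setup.
    values = []
    for name in ("X-Original-To", "Delivered-To", "To", "Cc"):
        values += msg.get_all(name, [])
    for _, addr in getaddresses(values):
        local, _, domain = addr.lower().rpartition("@")
        if domain == DOMAIN and local and local != REAL_MAILBOX:
            return local
    return None

def classify(raw):
    """Return (alias, verdict) for one raw message."""
    msg = message_from_string(raw)
    alias = alias_used(msg)
    if alias is None:
        return None, "no-alias"
    expected = FORWARDERS.get(alias)
    if expected is None:
        return alias, "catch-all"          # address invented on the spot
    # From is spoofable: a match proves nothing, a mismatch is the canary.
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if any(sender == d or sender.endswith("." + d) for d in expected):
        return alias, "expected-sender"
    return alias, "possible-leak"

def leaked_aliases(raws):
    """Count possible-leak messages per named forwarder."""
    hits = Counter(a for a, v in map(classify, raws) if v == "possible-leak")
    return dict(hits)

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Orders <orders@amazon.com>\nTo: amazon@yourdomain.com\nDelivered-To: you@yourdomain.com\nSubject: Shipped\n\nbody\n",
    "From: Deals <promo@bulk-offers.example>\nTo: Amazon@yourdomain.com\nSubject: Win\n\nbody\n",
    "From: News <n@letters.example>\nTo: random-site-2024@yourdomain.com\nSubject: Hi\n\nbody\n",
    "From: x@notamazon.com\nTo: amazon@yourdomain.com\nSubject: Hi\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(leaked_aliases(SAMPLES))
```

A possible-leak verdict is a prompt to investigate, not proof: services often send through a vendor's mailing platform, so add those domains to the alias's expected set once you have confirmed them.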

Sending FROM the aliases

Forwarders only handle incoming mail. If you also need to send as the alias (so replies come from amazon@yourdomain.com instead of your real address), you need either:

  • A real mailbox at that alias (this creates a separate inbox you’d need to read, which defeats the purpose).
  • A “Send as” identity in your mail client:
    • Gmail: Settings → Accounts → “Send mail as” → add the alias and authenticate via SMTP.
    • Apple Mail / Outlook: add a “From” identity, configure SMTP with your real mailbox credentials.

For most cases, replying from your real address is fine — the recipient sees a coherent thread regardless of which alias they originally emailed.

Privacy considerations

  • Your domain is identifying. Every alias still includes @yourdomain.com, which is useful for grouping but reveals that you own the domain. For maximum privacy on accounts you don’t want linked to your identity, use a privacy-respecting third-party service (ProtonMail aliases, SimpleLogin, AnonAddy) for those specifically.
  • Forwarders + DMARC interaction. Some forwarded mail may fail SPF at the destination, because the forwarding server relays it from an IP address that the original sender’s SPF record does not list. If your real inbox is Gmail, this is rarely a problem; if it is at a stricter provider, occasional bounces happen. Set up SRS (Sender Rewriting Scheme) via support if needed.
  • Don’t reuse aliases. If amazon@yourdomain.com was leaked and is now in spammer hands, deleting and recreating the same alias just reopens the floodgates. Burn aliases; don’t reuse them.

Common questions

“How many forwarders can I create?” Plan-dependent but typically generous: hundreds at minimum. In practice, most users have 20-100.

“Can I forward to multiple destinations?” Create multiple forwarders with the same source address — each adds another destination.

“What happens if I delete a forwarder?” New mail to that alias bounces (unknown user). Existing forwarded mail in your destination inbox is unaffected — it’s already delivered.

“Mail to my alias takes ages to arrive.” Catch-all mail goes through extra spam processing. Specific named forwarders are faster. If speed matters, prefer named forwarders over catch-all.

What’s next

Per-service aliases are one of the highest-leverage privacy practices available. Five minutes of forwarder setup at each signup pays compound dividends in spam reduction and breach detection over years.
