Your email address is the single most identifying piece of information you provide to the internet. It's used to create accounts, receive notifications, reset passwords, receive marketing, and — when any one of those services is breached — expose you to spam, phishing, and credential stuffing attacks.
The problem with a single email address isn't just spam. It's that when one service leaks your address, every other service you've used that same address for becomes a slightly softer target. Attackers correlate addresses across data breach databases. Your gaming account email showing up in a data breach is relevant to your banking security if it's the same address.
Email aliases solve this by giving you disposable, compartmentalized addresses that forward to your real inbox. Here's what they are, what types exist, and why more people should use them.
What an Email Alias Actually Is
An alias is a secondary email address that receives mail and routes it to your real inbox. From the sender's perspective, they're emailing a real address. From your perspective, you receive the message in your normal inbox but you know which alias it came from — and therefore, which service that sender is associated with.
The key properties that make aliases useful:
- Compartmentalization — each service gets a unique address, so a breach at one service doesn't expose your identity at others
- Traceability — when an alias starts receiving spam, you know exactly which service sold or leaked your address
- Disposability — you can disable or delete an alias when it starts receiving junk, without affecting your real address or other services
- Identity separation — aliases don't reveal your real name or primary email to services you don't trust
The Three Types of Aliases
Gmail and some other providers support tags appended after a + in the username. Mail sent to you+shopping@gmail.com arrives in your regular Gmail inbox. This is built-in and free — but it has a critical weakness: the format is widely known and trivially stripped by any form that processes email addresses. Many services silently remove the +tag before storing the address. It also doesn't hide your base address — the part before the + is visible to the recipient.
If you own a domain, you can configure a catch-all so that anything@yourdomain.com reaches you. You can then invent unique addresses on the fly — netflix@yourdomain.com, dentist@yourdomain.com — without configuring each one in advance. This is flexible and hidden from the recipient, but requires owning a domain and managing DNS.
Some privacy-focused email providers, including Haven, let you create distinct addresses within the same account — alias1@havenmessenger.com — that each have their own identity. These are harder to correlate with your real address because they don't share a common base. Many services in this category also support replying from the alias, so the recipient never sees your primary address.
The Real Privacy Benefit: Breach Isolation
HaveIBeenPwned documents over 13 billion accounts across thousands of known data breaches. If you've been online for more than a few years, your email address has almost certainly appeared in at least one. The question isn't whether it happens — it's what happens when it does.
With a single address: the breach exposes your primary email. Every other account using that address is now associated with a breached email. Phishing and credential stuffing attacks become more targeted.
With aliases: the breach exposes only the alias you used for that service. Your primary address is unexposed. Other services have entirely different aliases. You disable the breached alias. The damage is contained to the relationship with that one service.
Suppose you used shopping-haven@havenmessenger.com for a retail site that later suffered a breach. You start receiving phishing emails claiming to be from that retailer. You disable the alias. The phishing stops. Your real address, your other aliases, and your other accounts are untouched. Without aliases, that breach would have generated spam and phishing attempts against your primary address indefinitely.
Aliases as Tracking Prevention
Email addresses are routinely used as tracking identifiers across services. Data brokers purchase email lists and use them to build profiles — purchasing history, interests, demographics — that are then sold to advertisers or political campaigns.
When you give every service a unique alias, you break the data broker correlation model. service-a@domain.com and service-b@domain.com don't link back to the same person unless the broker already knows your real address. They're treating two separate email addresses, which appear to belong to two separate people. The cross-service tracking picture degrades.
This doesn't eliminate tracking — services also track by IP address, device fingerprint, and cookie — but it removes email as a reliable identifier across the ecosystem.
The Limitation: Outbound Identity
Aliases work well for receiving mail. The complication is outbound: if you want to reply to an email received at an alias, you need your email client to support sending from that alias address rather than your primary one. Some providers support this natively; others require configuration.
Haven supports both receiving and sending from aliases — you can reply from the same alias the sender used, keeping your primary address invisible throughout the conversation.
Services that only do receiving (forwarding aliases without send support) are still useful for newsletters, account registrations, and notifications — but don't work for two-way correspondence where you need to preserve the alias identity.
How Many Aliases Should You Have?
There's no right answer, but a useful framework:
- High-value accounts (banking, healthcare, government) — unique alias per account. These have real-world consequences if compromised.
- Shopping and retail — per-service or grouped (one alias for all shopping, so spam is easy to identify and isolate)
- Newsletters and content — a single "newsletters" alias, or per-publication if you want to know who sells your address
- Social platforms — unique per platform; social account breaches are common and usually generate phishing campaigns
- Personal contacts — your real address is fine here; the goal isn't to hide from people you know
The operational cost of aliases is low once you have a system. Most privacy-conscious users who adopt them wish they'd started earlier — the friction of setting up aliases at account creation is trivial compared to the friction of dealing with a compromised address that's tied to dozens of accounts.
Getting Started
If you're using Gmail or another provider that doesn't support true aliases, you have a few options: use plus addressing as a weak first step, switch to a provider with native alias support, or use a standalone alias service like SimpleLogin or AnonAddy that generates aliases and forwards to your existing inbox regardless of provider.
If you're evaluating encrypted email providers anyway, alias support is worth treating as a first-class feature rather than an afterthought. The two capabilities complement each other: encrypted email protects your message contents; aliases protect your identity and reduce your breach surface.