One thing we are probably not going to stop seeing anytime soon in the crypto space is phishing.
Once it becomes public knowledge an email address belongs to someone who owns cryptocurrencies, hackers will naturally try to get into the crypto trading platform accounts and web wallet associated with that email.
Then there is the fun stuff on top of everything, such as Ledger wallet’s customer database getting breached.
You are making this fact a public knowledge every time you sign up for an airdrop, bounty or even a crypto-related mailing list.
While MFA on exchanges is always a must, there is a fairly easy way to avoid reusing email addresses so that you always know where your address leaked from even before it appears on haveibeenpwned.com.
To do that you will need to get your own domain name.
Your goal is to be able to invent any random email address as you go and have it deliver emails into your usual mailbox.
Obviously you cannot set up a new mailbox each time you want to sign up somewhere, nobody is going to do that.
If you own a domain name though, you can use a so-called catch-all function to receive emails to any email address under that domain and have them delivered into the same mailbox.
If you also need to send an email out of the receiving addresses, you will need email aliases - mostly that will not be necessary though.
The email provider for catchall addresses
Remember, the mailbox itself should be properly secured with MFA as well.
As the secure email client of choice I will recommend Tutanota. You will not be able to create this setup with their free account, but the premium version costs only 12 EUR per year.
With the default paid plan you get 5 different email addresses to use but they also have special extension packages to allow for more of them, currently up to 100. Tutanota has a web interface and smartphone apps, offers 2FA with Google Auth or Authy and stores all emails encrypted.
Alternatively, you will be able to achieve this kind of solution for free with Yandex mailbox. It’s a paid feature with Google (GSuite).
How To Setup The Catch-All Mailbox
- Pick a domain name for your email -
lambomail.comis already taken. The domain should ideally be brand new as in never used before. If it was used for spam in the past, emails from there will get blocked and sent to spam too often. You can find out about previous owners of a domain in its Whois History.
- The registrars that are easiest to use will be either Dynadot or Namecheap - Dynadot lets you pay in Paypal, Namecheap supports Bitcoin payments.
- Get your premium email account with Tutanota or Protonmail, or dive into the documentation for Yandex.
- Head to your domain’s DNS section add the DNS entries to direct emails for handles at this domain to your mailbox - for Tutanota it will be
TXT v=spf1 include:spf.tutanota.de -allas seen here in their knowledge base. Protonmail’s how to is here for the basics and here for the anti-spoofing settings.
- Check your domain’s DNS settings for emails at http://mxtoolbox.com couple of times until you see your entries there. The change is not instant.
- Once the DNS change is confirmed, link the domain name to your email account. In Tutanota you will find it at Settings > Extensions > Custom domain in the old clients or at Settings > Global settings > Custom email domains in the new interface. The first field is for the domain name you are linking - say,
lambomail.com- the second field is for your catch-all address. For that, use the default email address that you signed up with - say,
- If you did your DNS right you should be able to confirm it and be all set to receive any emails for your custom domain name. It won’t let you finish the linking until the DNS changes are done and confirmed.
- If you want to set up the address for sending out, in Tutanota you can now head over to Settings > User Management > Email aliases. Add any specific address you need such as
email@example.com activate it. Tutanota will start giving you the option to send out emails from there. You can always discard the address or replace it with another, and then bring it back only for when you need to send an email out of there. As long as you have the catch-all address you will receive emails to any address under your domain name, no matter if has an alias or not.
How To Use Catch-All Mailbox The Secure Way
When you are signing up at ANY third party place, use a single-use address from your domain.
- Let’s say you are about to do a bounty at
- Go sign up to the bounty and use a catch-all address
- Your email confirmation will still come to your usual mailbox but your exchange accounts are safe because you are not using this address there.
- Some 6 months later, your airdrop shitcoin probably doesn’t exist anymore and you start receiving spam or phishing emails to address
firstname.lastname@example.org. (Yeah, that’s what usually happens.)