Home > Security

.  Published

Easy way to avoid email address reuse - Guest post by FNY3000

Image: A quick way to setup your mailbox in such a way that you will not have to reuse your email address again. Coffee image via Pexels.

Subscribe to the Altcoin Trading newsletter. (Newsletter Archive)

One thing we are probably not going to stop seeing anytime soon in the crypto space is phishing: random people finding out your email address belongs to someone who owns cryptocurrencies and might have some on an exchange, localbitcoins or at blockchain.info. While a 2FA is on those places is a plausible protection, there is a fairly easy way to avoid reusing email addresses completely.

To do that you will need to buy your own domain name but there is no need to configure your own email server or develop any kind of custom mail server solution. And you shouldn’t, unless you have a team of people who know how to do that properly. If you are just bootstrapping something yourself, chances are you will not get the same level of security as you can get with something that has been built as a business.

The Idea

The main objective of doing this is to be able to invent an email address as you go and have it deliver emails into your single normal mailbox without the need to set up anything extra each time (catch-all function). The mailbox is something that is itself properly secured, and it also has the option to send an email out of the receiving addresses (email aliases).

As the secure email client of choice I will recommend Tutanota. You will not be able to create this setup with their free account, but the premium version costs only 12 EUR per year. With the default paid plan you get 5 different email addresses to use but they also have special extension packages to allow for more of them, currently up to 100. Tutanota has a web interface and smartphone apps, offers 2FA with Google Auth or Authy and stores all emails encrypted. You will not be able to make use of the encrypted communication other than when communicating with someone who is also with Tutanota (otherwise you would need to send them a link to open the email from the Tutanota server which is mostly not feasible) but it is still a step better than conventional email clients.

Protonmail is all in all a similar service to Tutanota and also offers custom domain support as a premium option, only the catch-all function is far more expensive than with Tutanota.

With Protonmail you can pay in Bitcoin, Tutanota still does not have crypto payments ready at the moment.

If for some reason you do not want to use a paid service you will be able to achieve this kind of solution for free with Yandex mailbox. Google has custom domains as a paid option, starting at 5 USD a month.

The Setup

  1. Pick a domain name for your email - winningbig.com or wenmoonsir.com, sadly lambomail.com is already taken. As Cernej Kocour points out in the comments below, the domain should ideally be brand new as in never used before. If it was used for spam in the past, emails from there will get blocked and sent to spam too often. You can find out about previous owners of a domain in its Whois History.
  2. The registrars that are easiest to use will be either Dynadot or Namecheap - Dynadot lets you pay in Paypal, Namecheap supports crypto payments.
  3. Get your premium email account with Tutanota or Protonmail, if you don’t have one already.
  4. Head to your domain’s DNS section add the DNS entries to direct emails for handles at this domain to your mailbox - for Tutanota it will be MX mail.tutanota.de and TXT v=spf1 include:spf.tutanota.de -all as seen here in their knowledge base. Protonmail’s how to is here for the basics and here for the anti-spoofing settings.
  5. Check your domain’s DNS settings for emails at http://mxtoolbox.com couple of times until you see your entries there. The change is not instant.
  6. Once the DNS change is confirmed, link the domain name to your email account. In Tutanota you will find it at Settings > Extensions > Custom domain in the old clients or at Settings > Global settings > Custom email domains in the new interface. The first field is for the domain name you are linking - say, lambomail.com - the second field is for your catch-all address. For that, use the default email address that you signed up with - say, porquenolosdos@tutanota.com.
  7. If you did your DNS right you should be able to confirm it and be all set to receive any emails for your custom domain name. It won’t let you finish the linking until the DNS changes are done and confirmed.
  8. If you want to set up the address for sending out, in Tutanota you can now head over to Settings > User Management > Email aliases. Add any specific address you need such as b1tf1n3xuser@lambomail.com and activate it. Tutanota will start giving you the option to send out emails from there. You can always discard the address or replace it with another, and then bring it back only for when you need to send an email out of there. As long as you have the catch-all address you will receive emails to any address under your domain name, no matter if has an alias or not.

Make Use Of It

If you have everything set up, next time you are registering on some third party place that is prone to getting hacked (think forums, newly emerged crypto portfolio dashboards and such) use any of the email addresses from your pool.

A good setup might be for instance to use mails like coinloop@lambomail.com, helloiota@lambomail.com or cryptoflash@lambomail.com - this way you will know where a leak comes from if you start receiving suspicious emails to that address. For exchanges I would recommend a password manager and using something less obvious so that even the signup email cannot be guessed - something like ok3xw1nn1ngh4rd9000@lambomail.com.

Once again, you do not need to create a mail alias for each of these email, with the catch-all function every mail coming to any handle under that custom domain will be delivered to your mailbox all the same.

The only time you need to configure the alias is when you need to send an email out of that particular address. Some exchanges will require that when you communicate with their customer service.

This is a guest post by FNY3000.

Reward the author:
BTC - 13LsqvRxr1VDu6QqdQJf9h51nWwjVWgBDS
LTC - LLTLshZFK8QFxVx8KYZibo7p2fa6yGYfJP
ETH - 0x416f7A2a03Fc9385F99c119b7f85fdC1bad5efF2

If you want to get your own guest post with donation addresses, we have this typeform for that.

The information in this article comes as it is without any guarantees. You are responsible for your own security.

Comment on "Easy way to avoid email address reuse"