Private email forwarding lets you hand out an address that points at your real inbox without revealing what that real inbox is. Every message gets routed through a forwarding alias, so the sender only ever sees the alias — and if that alias starts attracting spam or shows up in a data breach, you turn it off in one click without changing the email you actually use. This guide explains how it works under the hood, where it pays off, and which providers do it well in 2026.
What is private email forwarding
Private email forwarding is the practice of giving every sender a unique, throwaway-style address that quietly relays mail to the inbox you actually read. The sender stores an address like shop23@yourdomain.tld; the provider receives mail at that address, strips routing metadata, and forwards the message to your real inbox at, say, jane@gmail.com. Replies route back through the same alias, so even outgoing mail keeps your real address hidden. The whole point is decoupling: one identity per sender, instantly disposable, none of them tied to the inbox where your password resets, bank statements, and tax forms land.
Crucially, private email forwarding is not the same as a disposable inbox. With a disposable inbox you get a temporary mailbox at someone else’s domain, you log in there to read mail, and once the session expires the mail is gone. With this approach the mail lands in your normal inbox — Gmail, Outlook, Fastmail, ProtonMail, whatever — and stays there as long as you keep it. The alias is what’s disposable, not your archive. We’ve written before about why permanent forwarding aliases are a stronger privacy primitive than disposable mailboxes for anything you’ll need to log back into.
Why you need private email forwarding in 2026
The case for private email forwarding has gotten stronger every year, and 2026 isn’t an exception. Three forces in particular keep pushing more users toward it:
- Breach frequency. Have I Been Pwned now indexes over twelve billion breached credentials. If one address is sitting in every signup form you’ve used in the past decade, a single breach exposes the entry point for password resets across your whole life.
- Cross-site tracking via email hash. Ad networks and data brokers routinely SHA-256 your email and match it against other databases. Hand out a different alias to each vendor and the hash never matches, breaking the join key. Private email forwarding turns email-based identity resolution into a dead end.
- Account takeover via leaked email + password reuse. When the same address appears across hundreds of services, attackers don’t need to phish you — they just credential-stuff a breach list against every login form. Aliases per service mean even a working leaked password can’t be replayed against your bank’s address, because your bank’s address is unique to your bank.
The interesting shift in the past 18 months is that it’s no longer just for security researchers and privacy hobbyists. Apple ships it inside iCloud+. Mozilla ships it inside Firefox. DuckDuckGo bundles it with their browser. The category has gone mainstream, which means signing up with a forwarding alias is no longer the unusual signal it used to be — vendors expect it now and rarely block it.
How private email forwarding works
Under the hood, private email forwarding is a three-step relay. First, you generate an alias — a fresh address at the provider’s domain or, if you’ve connected your own, your own domain. Second, you hand that alias to the sender (the shop, the SaaS signup, the airline). Third, when mail arrives at the alias, the provider’s mail server accepts it on your behalf, rewrites the envelope so the destination is your real inbox, and forwards the message. The provider keeps a small mapping table linking each alias to your true inbox; the sender never sees that mapping.
Two technical details are worth pulling out, because they explain why a thoughtfully built forwarding service feels different from a hand-rolled forward rule:
- SPF / DKIM alignment. Without care, forwarded mail breaks the sender’s SPF and DKIM signatures and lands in spam. Good providers rewrite the envelope sender (SRS) and re-sign with their own DKIM so deliverability survives the relay.
- Reply path rewriting. When you reply from your real inbox to a message that was forwarded, the provider intercepts the outgoing reply, swaps the “From” header back to the alias, and relays it to the original sender. This is what keeps your real address hidden in both directions — without it, the first reply leaks your true mailbox.
If you’ve ever tried to roll your own setup with a plain catch-all and a sendmail rule, you’ve probably hit both of these. They’re the reason most people end up using a dedicated provider rather than DIY.
How we evaluated private email forwarding providers
For this comparison we focused on the six services most people actually shortlist. We graded each on the criteria that matter once you start using one daily, not the ones that look good on a landing page:
- Custom domain support. Provider-domain aliases (like
foo@duck.com) are convenient until you want to move providers. Custom-domain aliases stay with you forever — see our portability guide. - Leak / exposure detection. Does the service tell you when an alias starts receiving spam, gets traded between vendors, or shows up in a breach feed?
- Reply support. Can you reply to forwarded mail without revealing your real inbox?
- Free-tier ceiling. How many aliases before you’re forced to pay?
- Pricing fairness. Monthly cost for the paid tier most people actually use.
- Portability. If you cancel, can you keep the aliases by pointing your domain at a new provider — or are you stuck?
The first criterion is the biggest filter. Plenty of providers offer their own subdomain free of charge, which is fine until you want to leave. The day you cancel, every alias on provider.com dies and every sender suddenly bounces. Custom-domain aliases are the only ones that survive provider changes — and so the providers below are ranked partly on how well they support running aliases on a domain you own.
Private email forwarding providers compared
| Service | Free aliases | Custom domain | Reply support | Leak detection | Paid price |
|---|---|---|---|---|---|
| EmailAlias.io | 10 | Premium ($4/mo) | Yes | Yes (built-in) | $4/mo |
| SimpleLogin | 10 | Paid only | Yes | Manual | $2.49/mo (billed annually) |
| addy.io | Unlimited shared, 25 standard | Paid only | Pro tier only | No | $3.33/mo (billed annually) |
| DuckDuckGo Email Protection | Unlimited | No | Yes | Tracker removal only | Free |
| Firefox Relay | 5 | Premium only | Premium only | No | $0.99/mo |
| Apple Hide My Email | Unlimited | iCloud+ only | Yes | No | $0.99/mo (iCloud+ entry) |
The table is a starting point; the right choice depends on whether you care about owning a domain, whether you live in the Apple or Firefox ecosystem, and whether leak detection is worth paying for. The six product breakdowns below explain when each one is the right call.
1. EmailAlias.io — best private email forwarding overall
EmailAlias.io is the service we build, so take this listing with the disclosure it deserves — but the reasoning for the placement is mechanical. EmailAlias.io is one of the only services that bundles custom-domain support, built-in exposure detection, and replies on every paid plan, at $4/month. Most competitors split those across tiers and gate the most valuable one (leak detection) behind the highest-priced plan, or skip it entirely.
Features
- 10 free forwarding aliases on the
emailalias.iodomain. - Up to 5 custom domains on Premium, with no per-alias cap beyond the soft cap of 150 aliases per domain.
- Built-in exposure intelligence: every alias is scored for spam volume, sender diversity, and breach-list hits, and you get an alert when an alias starts behaving like a leaked one.
- Reply-from-alias on every plan that supports forwarding — your real inbox stays hidden in both directions.
- Spam filtering, sender blocklists, and per-alias mute / disable / delete controls.
Pricing
Free plan: 10 aliases, basic forwarding, no custom domain, 10 emails/day. Premium plan: $4/month (annual billing available), 5 custom domains, “unlimited” aliases (soft cap 150 per domain), leak detection, send/reply, and 350 inbound emails/day. See the full breakdown on the pricing page.
Pros and cons
Pros: the only mainstream service with leak detection on every paid plan, generous free tier at 10 aliases, custom-domain support without a separate add-on, transparent pricing.
Cons: custom domain support is paid-only (the free tier uses the shared emailalias.io domain); smaller brand recognition than Mozilla or Apple.
2. SimpleLogin — best self-hostable option
SimpleLogin is the open-source veteran of the space, acquired by ProtonMail in 2022 and now sold both standalone and as part of the Proton Unlimited bundle. The codebase is on GitHub, which means you can self-host the whole stack if you don’t want to trust a managed provider with your mapping table.
Features
- 10 free aliases on shared domains; unlimited on paid.
- Custom-domain support on paid tier.
- Reply, send, PGP encryption, browser extensions.
- Open-source backend (self-host or trust the managed service).
Pricing
Premium is $2.49/month billed annually. Bundled free if you’re already paying for Proton Unlimited.
Pros and cons
Pros: open source, cheap, mature reply support, PGP. Easy choice if you’re already a Proton user.
Cons: no built-in leak detection — you have to spot spam yourself. Self-hosting is real work, not a checkbox.
3. addy.io — best free tier
addy.io (formerly AnonAddy) is the other open-source contender. Its free tier is among the most generous — 25 standard aliases plus unlimited “shared-domain” aliases — and the codebase is similarly self-hostable. Worth a look if you want addy.io’s hosted convenience without paying immediately.
Features
- 25 standard + unlimited shared-domain aliases on free.
- Custom domains on paid.
- Reply support on Pro tier ($3.33/month).
- Open-source server, browser extensions, mobile app.
Pricing
Free, Lite ($1/mo), Pro ($3.33/mo billed annually).
Pros and cons
Pros: generous free aliases, self-hostable, mature feature set.
Cons: reply is locked behind the Pro tier; no leak detection; UI is dense relative to competitors.
4. DuckDuckGo Email Protection — best for quick setup
DuckDuckGo Email Protection is the simplest on-ramp because there’s no signup form beyond claiming a @duck.com address inside the DuckDuckGo browser or extension. It’s free, it strips trackers out of forwarded mail, and it never asks for a payment method.
Features
- Unlimited
@duck.comaliases. - Email tracker removal — DuckDuckGo strips known tracker pixels before relaying.
- Reply support from any mail client.
- One-click address generation from the DuckDuckGo browser autofill.
Pricing
Free forever.
Pros and cons
Pros: free, simple, strong tracker stripping, no account hoops.
Cons: no custom domain — every alias dies if DuckDuckGo discontinues the service or you lose access. No leak detection. No alias categorisation or analytics.
5. Firefox Relay — best Mozilla integration
Firefox Relay ships forwarding aliases directly inside the Firefox browser and across Mozilla’s other privacy products. The free tier is the tightest in this list (5 aliases), and the paid tier ($0.99/month) lifts that cap. For anyone whose browser of choice is Firefox, the relay autofill is genuinely seamless. For everyone else, the cap on free aliases makes it hard to use as a daily-driver service.
Features
- 5 free aliases, unlimited on Premium.
- Native Firefox browser integration.
- Custom domain on Premium tier.
- Reply support on Premium.
Pricing
Free (5 aliases), Premium ($0.99/mo) for unlimited aliases + reply.
Pros and cons
Pros: cheapest Premium tier on the market; tight Firefox integration.
Cons: tiny free cap (5); reply support is paywalled; no leak detection; tied to Mozilla’s product roadmap. If you’re not on Firefox, you’re paying for the integration you can’t use.
6. Apple Hide My Email — best for Apple users
Hide My Email is Apple’s alias feature, bundled with any paid iCloud+ subscription. You get unlimited @icloud.com-style aliases generated directly from the iOS / macOS Mail and Safari autofill UI, and replies route back through Apple’s servers so your real iCloud address stays hidden.
Features
- Unlimited Apple-generated aliases.
- Reply through Apple’s servers.
- Custom domain support (iCloud+ Custom Email Domain).
- Native Sign in with Apple integration on iOS and macOS.
Pricing
$0.99/month iCloud+ entry tier (50 GB storage included).
Pros and cons
Pros: deep iOS/macOS integration; cheap when bundled with iCloud+; reliable Apple infrastructure.
Cons: Apple ecosystem only; no leak detection; no alias-level analytics; you’re tied to Apple for the life of every alias.
Key features to look for in private email forwarding
The six providers above cover most of the market, but the feature checklist is shorter than the marketing pages suggest. Five things matter; the rest is nice-to-have:
- Reply from alias. Without it, the first time you reply to anyone you leak your real address.
- Custom domain. Aliases on a domain you own survive provider changes. Aliases on the provider’s domain don’t. Read more on custom-domain aliases here.
- Per-alias controls. Disable, delete, mute, rename — without these you can’t shut down a single noisy alias without affecting the others.
- Leak / exposure detection. A meaningful service tells you which alias is leaking, not just that some are.
- Spam filtering. Forwarding without a filter just relays spam to your real inbox faster.
One feature is often missing from comparison tables but is the single biggest deciding factor in the long run: how easy it is to leave. A forwarding service you can’t leave is one that owns your identity. Custom domains are the only meaningful escape hatch — if you can point the same MX records at a different provider, your aliases survive. If you can’t, every alias dies the moment you cancel.
How to set up private email forwarding
Setting it up from scratch is a five-step process. The same steps apply regardless of which provider you choose; the differences are cosmetic.
- Pick a destination inbox. This is the address mail will land in. Use your stable, long-term inbox — Gmail, Outlook, ProtonMail, Fastmail. This address is the one you’ll keep secret.
- Sign up with the forwarding provider. Give them the destination inbox and verify ownership via the link they email you. From here on, you’ll never use this address publicly.
- (Optional) connect a custom domain. Buy a short domain —
jdfwd.com, whatever — and follow the provider’s DNS instructions to point MX records at them. This step is what makes your aliases portable. - Generate aliases per sender. When you sign up for a new service, generate a fresh alias in the provider dashboard, label it with the sender’s name, and hand that out instead of your real address. See our deep-dive on alias generation patterns.
- Migrate existing accounts gradually. Don’t try to swap every account at once. Pick the highest-risk ones (bank, breach-prone vendors, low-trust signups) and rotate them first; the rest can wait.
The whole flow takes about ten minutes for the first alias and under a minute for each subsequent one. The migration step is the slowest, but it’s also the one you can do at your own pace — even a partial rollout cuts your exposure substantially.
Common use cases for private email forwarding
Most people start with one or two of these and add more once they realise how cheap aliases are:
- Newsletters and signups. Hand out a dedicated alias to every newsletter; if one starts spamming, mute or delete that single alias.
- E-commerce checkouts. Online shops are some of the worst offenders for selling addresses to marketing affiliates. A per-shop alias breaks the resale chain.
- Job applications. Recruiters share inbound CVs across employer databases. A dedicated alias per application lets you spot which platform leaked. See our job-search alias guide.
- Forum and community signups. Almost guaranteed to end up in a breach feed eventually — an alias contains the blast radius.
- Free trials. Per-trial aliases let you cancel cleanly without future emails from that vendor.
- Travel bookings. Airlines and hotels resell addresses to travel data brokers. A per-trip alias surfaces who did. More on this here.
The pattern is the same in all six: one identity per sender, instantly disposable, and instantly auditable when something goes wrong. If an alias starts pulling spam, you know exactly which vendor leaked or resold the address — there’s no detective work, because there’s only one possible source. That single property is what turns email from a guessing game into a measurable system.
Final thoughts
Private email forwarding has gone from privacy-niche to mainstream over the past few years for a simple reason: it’s one of the few defences against email-based tracking and breach replay that doesn’t require changing how you read mail. You keep using Gmail, Outlook, or whatever you already use — the alias does the work in front of it.
If you want the cheapest possible setup, pair Firefox Relay with DuckDuckGo Email Protection and you’ll spend nothing. If you want the most resilient setup, register a short custom domain, point it at a provider that supports leak detection and replies on every plan, and rotate aliases per sender from day one. EmailAlias.io is the choice we’d make for the second case — and the only one that bundles leak detection at the $4/month tier. Whichever direction you go, the marginal effort of issuing a new alias instead of reusing your real address is the smallest privacy upgrade with the largest long-term payoff.
Frequently asked questions
What is private email forwarding?
Private email forwarding is the practice of giving each sender a unique
alias that quietly forwards to your real inbox. The sender only ever sees the
alias, so your true address stays hidden — and you can disable any alias
without affecting your real mailbox.
Is private email forwarding the same as a disposable email service?
No. Disposable email services give you a temporary mailbox you log into
separately; once it expires, the mail is gone. Private email forwarding sends
mail to your normal inbox (Gmail, Outlook, ProtonMail, etc.) and keeps it
there. The alias is what’s disposable, not your archive.
Will senders be able to figure out my real email address?
Not from the forwarded message alone — the alias is what they see in the
“To” header. As long as you use a provider that rewrites the reply path so
outgoing replies also go through the alias, your real address stays hidden in
both directions.
Does private email forwarding work with Gmail and Outlook?
Yes. Forwarding providers route mail to whichever destination inbox you
set, including Gmail, Outlook, Fastmail, ProtonMail, and iCloud. Modern
providers also handle SPF rewriting and DKIM re-signing so forwarded mail
doesn’t end up in spam.
Can I use a custom domain with private email forwarding?
Yes, on most paid plans. You buy a short domain, point its MX records at the forwarding provider, and every alias on that domain is portable – you can move to a different provider later without losing the aliases.
How many aliases do I actually need?
Most people end up with somewhere between 20 and 200 aliases over a few
years — one per recurring sender. EmailAlias.io’s free plan covers 10 aliases,
which is enough to get started and migrate your highest-risk accounts.
Is private email forwarding secure?
Reputable providers operate the same SPF / DKIM / TLS pipeline as a regular mail server, with the added benefit of separating each sender into its own alias. The biggest risk is provider lock-in — using a custom domain is how you avoid it.
What happens to aliases if I cancel my forwarding service?
If the alias was on the provider’s shared domain, it dies the moment you
cancel and every sender starts bouncing. If the alias was on your own custom domain, you point the MX records at a new provider and the alias keeps working – that’s the whole reason custom domains matter.
