How an indie hacker manages 87 SaaS subscriptions with EmailAlias

When your inbox is the index of every tool you've ever signed up for

Akhil ran into the problem every indie hacker recognizes: building a product means signing up for a hundred SaaS tools — Stripe, Vercel, Supabase, PostHog, Plausible, Sentry, Linear, Notion, Figma, Loom, Cal.com, RevenueCat, Cron-job.org, and so on through the long tail. Every one of those signups landed on his Gmail address. By the third month of his startup, his inbox had 87 active vendor relationships, dozens of marketing newsletters he'd accidentally subscribed to, and zero way to tell which of them was responsible for the spam he started receiving in month four.

The breaking point was a phishing email that perfectly mimicked his domain registrar's billing reminder. The address it was sent to was the same address he'd used for every other signup, so there was no easy way to know whether the registrar had leaked his data or whether someone had bought a list with his email on it. He realized he had no observability into the most important surface his business depended on. As Have I Been Pwned shows, multi-vendor email reuse is the default failure mode — and once a single SaaS vendor leaks, the leaked address is correlated with every other tool the user has signed up for.

He'd tried Gmail's +tag addressing earlier, but discovered most signup forms either reject the + character or strip it before storing. He needed real, permanent, separate addresses for each vendor — and he needed them to keep working five years later when one of those vendors got breached. That meant an email alias for SaaS workflows on a domain he owned, not a shared provider domain.

The setup: one custom-domain alias per vendor, generated on signup

1. Bought a short custom domain (akhilr.xyz) for $12/year. Pointed MX records at EmailAlias.io's Premium tier.
2. Wrote a 30-line script that calls the EmailAlias.io REST API to generate a fresh alias on the custom domain every time he signed up for a new SaaS, tagged with the vendor name. Took an afternoon.
3. Migrated his top 20 vendors first (the ones with payment data attached), pointing each at a new alias and updating the account email on the vendor's dashboard. The rest happened opportunistically over six weeks.
4. Set up the EmailAlias.io exposure-detection alerts to ping him on Telegram whenever an alias started receiving spam — that's the signal a vendor leaked.

What changed

Six months in, Akhil has 87 active vendor aliases on his custom domain, plus 12 expired ones he's killed off. His primary inbox is invisible to every vendor he uses; the only humans who have it are his cofounder, his accountant, and three close friends. Spam volume on the primary is zero.

More importantly, he has full attribution. When PostHog had a customer support issue and someone leaked his alias to a phishing list, the exposure-detection alert told him within 48 hours which alias was being hit. He muted that alias, contacted PostHog, and the leak was contained — none of his other vendors were affected.

The setup paid for itself the first time he could cancel a noisy vendor mid-bill cycle without worrying about his "real email" being in their reactivation database. He just disabled the alias and walked away clean.

What this would have cost without aliases

Akhil ran a rough back-of-envelope on what the lack of an email alias for SaaS sprawl would have actually cost him by month 12 of his startup. A single ATO (account takeover) on one of the connected billing tools — Stripe, Vercel, or his domain registrar — could have caused enough downstream damage (chargebacks, domain hijack, leaked customer data) to require 40+ hours of cleanup and likely a security disclosure to his early customers. At his hourly rate, that's $4,000–$6,000 of his time, plus the harder-to-measure cost of trust erosion with his first 50 paying customers.

The other invisible cost was attention. Without per-vendor aliases, every "is this real?" judgement on incoming mail took a few seconds of cognitive load. Across an indie founder's 80+ vendor-related emails per week, that compounds into roughly 30 minutes of context-switching per week — about 26 hours per year of pure email-triage tax that aliases eliminated by making sender authenticity unambiguous from the To: line alone.

What he tried first

Before settling on EmailAlias.io, Akhil tried three alternatives that all failed in specific ways. Gmail's +tag addressing was the obvious first move — but as he discovered (and as we've documented in email alias vs Gmail plus-addressing), about 30% of signup forms reject the + character outright, and another 15% strip it server-side, leaving the alias indistinguishable from the underlying inbox once it lands in a vendor's database.

He tried SimpleLogin next, which solved the rejection problem but ran on a shared sl.email domain. That worked until he hit two issues: some signup-fraud systems automatically flag sl.email as a forwarding-alias provider (incorrectly classifying it as disposable), and the shared domain meant his identity was correlatable across services via the alias-provider footprint. Moving to a custom domain on EmailAlias.io fixed both at once — and gave him an alias identity that didn't broadcast "this is a privacy-tool user" to every vendor he signed up with.

The day-2 operational reality

What surprises most new alias users is how little day-to-day maintenance the setup actually requires. Akhil's weekly time investment is about five minutes — reviewing the exposure-detection notifications, deciding whether a noisy alias needs to be muted, and occasionally generating a new alias when signing up for a new tool. The script he wrote handles 90% of new-alias generation automatically by hooking into his signup workflow.

The one thing he had to internalize early: never reuse an alias across vendors, even when the temptation is strong. He admits to one mistake in the first month — using his billing@ alias for two different SaaS vendors because he was tired — and when one of those vendors got breached, he had to rotate both. After that, every new vendor gets its own fresh alias, no exceptions. The discipline is the whole product.

“

I treat my primary inbox like a private key now. Aliases are the public-facing surface. When one gets compromised, I rotate it and nothing else changes.

Frequently asked questions