How an investigative journalist uses email aliases to protect sources
Sources need a way to reach you without being indexed
Priya's beat is corporate surveillance and the data-broker industry — which means most of her sources are either current or former employees of the companies whose practices she's covering. They reach out anonymously and the relationship sometimes lasts years. If her contact email is the same one she uses publicly (newsroom address, Twitter bio, byline footer), every data broker who scrapes journalist contact lists already has it — and every company she's writing about can pay to find out who emailed her recently.
She tried the standard playbook first: a Signal handle in her byline. Useful for the technically-fluent sources, useless for the ones who first reach out via email and only graduate to Signal later. She tried ProtonMail with a generic address. Better, but every source who emailed her then had that single address in their sent folder, which a forensic recovery on a leavers' device or a discovery subpoena could surface.
The pattern she actually needed: a different reachable email per source, all forwarding to her secure ProtonMail, none of them recognisable as belonging to a journalist. If a source's device gets searched, the only evidence is one alias on one device — not the journalist's whole network of contacts. That's exactly what anonymous email forwarding via aliases is designed to support, and what she ended up building.
The setup: per-source aliases on an unremarkable custom domain
- Bought a custom domain that looks generic and unrelated to journalism (
mailroute.net-style). Pointed MX at EmailAlias.io Premium, configured DKIM. - For each active investigation, generated 3–5 aliases, named after the story codename. Hands them out to sources individually — "reach me at
<alias>@mailroute.net". - Configured destination to her ProtonMail account, which is hardware-2FA'd, on a dedicated device.
- Set up a kill-switch flow: if a source signals they've been compromised, she disables that alias within minutes, the address starts bouncing, and any forensic recovery of the sent folder finds only a now-dead address.
What changed
Priya's source network has grown to 23 active long-term sources across four ongoing investigations, each on a separate alias. No two sources know any other source's alias — meaning a compromised source can't accidentally implicate a different one. No two stories share an alias either, so a discovery subpoena scoped to one story can't reveal communications from another.
When one source's employer got suspicious and started monitoring their email, that source's alias was disabled within an hour. The employer recovered the email metadata but found a dead address tied to a generic domain that didn't appear on any journalist's published contact information. No story link, no source link, no further escalation.
She's now also using aliases for her freelance-billing contacts at the publications she writes for — separate alias per outlet, so when one outlet's editorial-system gets breached (which happens), the leak doesn't expose her relationship with every other outlet.
What this would have cost without aliases
The cost framing for a journalist isn't dollars — it's source attrition. Sources who realize their identity is recoverable from a journalist's inbox simply stop reaching out, and the loss is invisible because you don't know about the conversations that never happened. Priya's pre-alias data point: in 2022, before she switched to per-source aliases, three long-term sources independently told her they'd been considering going dark because they suspected their employer was monitoring outbound email. Aliases changed the math for all three.
The discovery-cost angle is also real. Under UK and US journalism shield laws, the protection extends only to information the journalist actually possesses. If sources are on per-source aliases and the journalist can disable any alias in seconds — making future recovery impossible — the practical privilege envelope widens. That's not legal advice; it's an observation about what the operational shape of an email alias for journalists looks like under realistic threat models.
What she tried first
Before aliases, Priya rotated through several setups. SecureDrop is excellent for the highest-stakes leaks but requires Tor-savvy sources; most aren't. Signal is fantastic but requires phone-number disclosure, which many sources won't do. Dedicated burner Gmails worked briefly but Gmail's identity-correlation is aggressive — multiple accounts created from the same IP or device get linked behind the scenes, and a determined adversary querying Google's records can map them.
She also tested addy.io and SimpleLogin briefly. Both worked but the shared-domain footprint was a tell — sophisticated employers who scraped public alias-provider domain lists could flag any addy.io or sl.email address as "journalist alias." EmailAlias.io on a custom domain that looked entirely unrelated to journalism removed that fingerprint. Sources can hand the alias to anyone without it broadcasting what it's for.
The day-2 operational reality
The operational rhythm is investigation-driven, not calendar-driven. When she opens a new investigation, she generates 5 aliases and parks them; when sources need a contact email, she hands one over. When an investigation closes (story published, or shelved), she keeps the aliases live for 3–6 months in case sources have follow-up, then disables them. The dashboard view of "active aliases per story" doubles as a portfolio map.
The cognitive shift she describes: aliases turned source management from a memory exercise ("who emailed me from where?") into a structured workflow. She knows from the alias which story, which sensitivity level, and which trust tier the message came from before she even opens it.
Lessons for setting this up yourself
- Pick a domain name that looks unrelated to your professional identity. Generic, mail-routing-sounding domains are ideal.
- Configure DKIM and SPF correctly. Sources at corporate employers often hit spam filters that reject misconfigured forwarding mail.
- Use a hardened destination inbox (ProtonMail, Tuta) with hardware 2FA. The alias is only as secure as where it forwards to.
- Document which alias is for which source somewhere offline (paper notebook, encrypted local vault). Don't put it in a cloud doc.
- Have a kill-switch policy: under what circumstances you disable an alias, and how fast. Operationalize the decision before you need it.
“Every source gets their own alias the way every spy gets their own dead drop. The point is that compromising one tells you nothing about the others.
Frequently asked questions
Is using an email alias for journalists legally protected?
Aliases don't change the legal status of communications themselves — privilege still depends on jurisdiction and shield-law specifics. What they do change is the operational shape: an alias you've disabled doesn't exist on the EmailAlias.io infrastructure anymore, which materially affects what's recoverable under a subpoena. Talk to a media-law attorney for jurisdiction-specific guidance.
How is this different from SecureDrop?
SecureDrop is built for one-off whistleblower drops where the source needs maximal anonymity and the journalist needs no usable contact channel after the leak. Aliases are for the much more common case: ongoing source relationships where you need a reachable email address that can be cleanly burned later. The two are complementary, not competing.
Can I use a free alias service for source protection?
Not realistically. Free tiers run on shared domains that experienced corporate-security teams will flag as alias-provider addresses, which broadcasts the source's communication pattern. A custom domain is functionally required for serious source protection — that's the main reason most journalists who use aliases for source work pay for Premium.
Build a source-isolated contact stack of your own
Aliases on a custom domain, hardened destination inbox, kill-switch in one click. Premium covers everything you need.