The email privacy checklist
Fifteen practical steps, grouped from must-do (everyone, this weekend) to advanced (for the privacy-serious). Tick them off in order; each one compounds on the last.
TL;DR
Inbox privacy isn't one switch — it's a cascade of habits. The foundation tier (5 items) cuts 80% of your real-world risk in a weekend. The intermediate and advanced tiers harden the rest. Skip ahead if you want; the order is roughly "most impact per minute spent."
The five highest-leverage actions. Everyone should do all of them. Together they take maybe four hours.
1. Audit which services share your real email
Check your existing inbox for marketing-list senders. Most people share their real address with 100+ services — that's the surface area you're trying to shrink.
2. Turn on 2FA / passkeys for your real inbox
The single biggest leverage point. A compromised inbox lets attackers reset every account that uses it. Passkeys (WebAuthn) are phishing-resistant; SMS 2FA is better than nothing but worse than an authenticator app.
3. Stop reusing passwords (use a password manager)
If one service leaks your password, attackers try it against every other account on the same email. Unique passwords per service, generated and stored in a password manager, kill credential stuffing.
4. Set up email aliases for new signups
Generate a fresh alias for every new service from this point forward. 10 free aliases is enough to make this a habit. Use the browser extension so it's one click on every signup form.
5. Disable obvious spam-magnet accounts
Walk through your inbox for the past 90 days. The 5–10 senders that mail you most aggressively are your worst leaks. Unsubscribe — and if they ignore the unsubscribe, mark as spam and consider replacing the alias next time.
The next five. Most readers stop here, and that's a perfectly defensible privacy posture.
1. Migrate high-spam services to aliases
Don't try to migrate everything. Identify the 10–20 services that send you the most marketing email and update the email-on-file to a new alias. Most accounts let you change email without re-verifying.
2. Verify your inbox isn't in a known breach
Check Have I Been Pwned for your real address. If it has appeared in any breach (it almost certainly has), assume the password was leaked and rotate it everywhere it was reused.
3. Set up sender-risk monitoring
Aliases with risk scoring catch suspicious senders before they reach your inbox. EmailAlias scores every inbound sender on phishing signals (risky TLDs, typosquatting, suspicious keywords) and alerts you when a high-risk one lands.
4. Don't reply-from-real-inbox to forwarded mail
When an alias forwards a message and you reply from your real Gmail/Outlook, the recipient sees your real address — defeating the alias. Premium tiers of alias services let you reply-from-alias; use that, or copy the alias address into the To: field manually before sending.
5. Stop using temp-mail for accounts you might keep
Temp-mail's inbox expires; if you ever forget the password to a temp-mail account, it's permanently lost. Aliases give you the same hide-my-address benefit without the recoverability tax.
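The three signals named under "Set up sender-risk monitoring" (risky TLDs, typosquatting, suspicious keywords) can be combined into a score as in this added Python example. It is not EmailAlias's scoring code: the TLD, keyword and known-domain lists, the weights, and the names `score_sender` and `edit_distance` are assumptions chosen for illustration, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Assumed signal lists for this sketch; a real deployment would maintain its own.
RISKY_TLDS = {"zip", "top", "xyz", "click"}
KEYWORDS = {"verify", "suspended", "urgent", "password", "invoice"}
KNOWN_DOMAINS = {"paypal.com", "google.com", "microsoft.com", "amazon.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_sender(from_header, subject):
    """Return (score 0-100, reasons) for one inbound message."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    # Treat the last two labels as the registrable domain
    # (simplification: no public suffix list, so co.uk-style domains are misread).
    base = ".".join(domain.split(".")[-2:])
    score, reasons = 0, []
    tld = base.rpartition(".")[2]
    if tld in RISKY_TLDS:
        score += 30
        reasons.append(f"risky_tld:{tld}")
    # Typosquat: one or two edits away from a known domain, but not that domain.
    nearest = min(KNOWN_DOMAINS, key=lambda d: edit_distance(base, d))
    if 0 < edit_distance(base, nearest) <= 2:
        score += 50
        reasons.append(f"typosquat:{nearest}")
    hits = sorted(KEYWORDS & set(re.findall(r"[a-z]+", subject.lower())))
    if hits:
        score += min(20, 10 * len(hits))
        reasons.append("keywords:" + ",".join(hits))
    return score, reasons

if __name__ == "__main__":
    # Constructed sample message headers.
    print(score_sender("PayPal Billing <billing@mail.paypa1.com>",
                       "Urgent: verify your account"))
```
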
The last five. These are quality-of-life upgrades and threat-model adjustments for people who actually take privacy seriously.
1. Move to a custom domain
Custom-domain aliases (yourname@yourdomain.com) give you full portability — if you ever leave your alias provider, repoint MX records to a new one and the addresses keep working. 5 domains on Premium.
2. Verify SPF / DKIM / DMARC on outgoing mail
If you send mail from your domain, make sure SPF, DKIM, and DMARC are configured so receivers can verify it's actually you. Misconfigured authentication = your mail lands in spam or gets impersonated.
3. Set up per-alias allow / block lists
Some aliases are mostly-good with occasional noise (a newsletter you want, that sometimes shares with sponsors). Premium aliases let you block specific senders without disabling the whole alias.
4. Audit your password manager for old leaked accounts
Most password managers have a "compromised passwords" report. Run it. For every account flagged: rotate the password, consider replacing the email with an alias, and disable any accounts you no longer use.
5. Review marketing consent and opt-outs quarterly
GDPR and CCPA give you the right to know what data each service has on you and to delete it. Pick one service a quarter, exercise the right, and learn how each company actually handles requests.
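For "Verify SPF / DKIM / DMARC on outgoing mail", this added Python example (not part of the original checklist) lints the SPF and DMARC TXT records a domain publishes and reports the settings that leave it open to spoofing or delivery problems. The records are constructed samples for the placeholder domain example.com and the function names are assumptions; DKIM is not covered, since its record lives under a selector-specific name.

```python
import re

# Terms that each cost one DNS lookup (nested includes are not followed here).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(apex_txt_records):
    """Lint the TXT strings published at the domain apex; returns findings."""
    spf = [r for r in apex_txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no SPF; more than one is a permanent error
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings, lookups, terminal = [], 0, False
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" (pass) is the default
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]
        lookups += name in LOOKUP_TERMS
        if name in ("all", "redirect"):
            terminal = True
        if name == "all" and qualifier in "+?":
            findings.append(f"{qualifier}all: does not fail unlisted senders")
    if not terminal:
        findings.append("no all/redirect: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10")
    return findings

def lint_dmarc(txt):
    """Lint the TXT string published at _dmarc.<domain>; returns findings."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: receivers are not asked to act on failures")
    if "rua" not in tags:
        findings.append("no rua=: you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings

# Constructed sample records (example.com is a placeholder domain).
WEAK_SPF = ["v=spf1 include:_spf.example.net +all"]
GOOD_SPF = ["site-verification=abc123", "v=spf1 ip4:192.0.2.0/24 mx -all"]
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(lint_spf(WEAK_SPF), lint_dmarc(WEAK_DMARC))
```

To check a live domain, pass in the strings returned by `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>` with the surrounding quotes removed.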
Frequently asked questions
What is an encrypted email alias?
An email alias is a unique forwarding address that shields your real email. When someone sends mail to your alias, it's encrypted and forwarded to your real inbox. The sender never sees your actual email address, protecting you from spam, phishing, and data breaches.
Do you read or store my emails?
No. EmailAlias operates on a zero-knowledge model. We forward emails in real-time through encrypted channels and only store metadata (sender, timestamp, delivery status) for your analytics dashboard. Email content is never stored on our servers.
What happens if a service I signed up for gets breached?
Because each service has its own unique alias, you'll know exactly which service leaked your data — when spam or phishing hits that alias, the source is obvious. Our exposure intelligence engine also flags suspicious senders in real time. Disable the affected alias and your real email stays safe.
Is EmailAlias GDPR compliant?
Yes. We are fully GDPR compliant. You can export or delete all your data at any time. We process minimal personal data, store nothing beyond what's needed for the service, and our infrastructure is designed with privacy-by-design principles.
What if I start getting spam on an alias?
Simply disable the alias from your dashboard. This is the beauty of per-service aliases — you can cut off spam from one source without affecting any other service. You can also create a new alias for that service if needed.
Tick the boxes that need a tool
Items 4, 6, 8, 9, 11, and 13 all benefit from a real alias service. 10 free aliases included; Premium ($4/mo) adds unlimited + custom domains + reply-from-alias.