Privacy guidePrivate Email Alias

What is a private email alias, and what makes it private?

A private email alias hides your real inbox behind a unique forwarding address. Every provider claims to be private; very few document what that actually means. This page covers what real privacy looks like in this category and how to evaluate any provider before you trust them with your inbound mail.

Try EmailAlias free Security architecture

Definition

What is a private email alias?

A private email alias is a forwarding address minted on your behalf — for example m4-quiet-lake@emailalias.io — that you give to a website instead of your real address. Mail sent to the alias is forwarded to your real inbox, but the website only ever sees the alias. Your real address never crosses the wire.

The word private matters because it implies more than just “a different address.” Done well, a private email alias also guarantees:

The provider doesn't read your forwarded mail.
Your alias-to-real-address mapping is encrypted at rest.
The provider doesn't sell your address or activity to anyone.
You can disable any alias the moment it starts attracting spam — without losing access to anything else.

Most providers tick the first box; far fewer document the next three.

Four pillars

What “private” should actually mean

In a marketing page, every email forwarder claims privacy. The substantive version of the claim has four pillars. If a provider can't answer all four, the alias isn't really private — it's just different.

1. Zero-knowledge forwarding
Mail is forwarded without being read, scanned, analyzed, or stored. Only delivery metadata is retained — sender, timestamp, status — and only as long as needed for your dashboard. EmailAlias.io publishes its full pipeline on /are-you-reading-my-email.
See the pipeline →
2. AES-256 encryption at rest, with documented key management
The alias-to-real-address mapping has to live in a database somewhere. AES-256 at rest with documented key-management practices means a database compromise doesn't immediately leak your real inbox. Most consumer email forwarders don't publish their posture; assume the worst until they do.
Security architecture →
3. No-sell, no-ads, subscription-only revenue
If a service is free with no upgrade path, the user is the product. Look for an explicit no-sell statement and a paid tier that funds the operation. EmailAlias.io's full statement and a why-the-economics-work section live on /are-you-selling-my-information.
Our no-sell commitment →
4. Per-alias kill switch
Real privacy means a leak at any one site doesn't follow you across the internet. You should be able to disable an individual alias in one click and keep every other alias working. If you can also see which alias has been receiving suspicious mail before you disable it, the privacy story is even better.
Exposure intelligence →

Don't bother

Why other “private” tricks fall short

Three alternatives get suggested as substitutes for a private email alias service. None of them deliver the four pillars above.

Gmail “+” aliases

you+netflix@gmail.com still resolves to you@gmail.com. Spammers strip the suffix in seconds. Your real address is fully exposed.

Disposable / temp inboxes

Public mailboxes anyone can read, expire in minutes, can't reply. Many sites block known disposable domains outright. More →

Burner Gmail accounts

Workable but high-friction: switching accounts, keeping separate sessions, password sprawl, and Google still sees everything. Not actually private from the host.

A real private email alias service is a single account, every alias is permanent, mail forwards to one inbox you already use, and nobody is reading the contents. That's the bar.

Checklist

How to evaluate any provider's privacy posture

Before signing up to any private email alias service, run the following checklist against their site. The good ones answer everything; the marketing-only ones go quiet on the technical details.

Is there a dedicated security or architecture page? Not a privacy policy — an architecture explainer with specifics like cipher choice, key-management story, and which compliance frameworks they audit against.
Do they publish a zero-knowledge or no-read claim with engineering specifics, or only marketing language?
What's their email-authentication story? SPF, DKIM, and DMARC on every alias, including custom-domain ones. Anything less hurts deliverability and sender reputation.
Is there a per-alias disable in the UI? Some services only let you delete (which kills history) — disable should keep the audit trail intact.
Do they do any kind of sender-risk scoring, so you find out about a leak before the spam wave gets unbearable?
Is the revenue model honest? A paid tier funded by users beats a “free forever” service whose economics depend on something you can't see.
Are SOC 2, GDPR, and CCPA mentioned with substance, or just badges?

EmailAlias.io documents all of the above on /security and the related transparency pages. If you're comparing several private email alias providers, those are the kind of pages to look for on each one.

Our approach

How EmailAlias.io builds privacy in

EmailAlias.io is a private email alias service designed around the four pillars above. Concretely:

Zero-knowledge forwarding pipeline — message contents are forwarded but never read, scanned, or stored. Only metadata needed for your dashboard is retained.
AES-256 at rest for alias mappings and metadata, with TLS 1.3 in transit and full SPF/DKIM/DMARC enforcement on every outbound forward.
Suspicious-sender intelligence on every inbound message — risky TLD detection, typosquat patterns, phishing-keyword signals — surfaced as exposure events on your dashboard.
Per-alias kill switch with one-click disable from the popup or the dashboard, with the audit trail kept intact.
Real custom domains (Premium) — bring your own domain so aliases live on a domain you control, with full deliverability.
Subscription-funded revenue. We do not run ads. We do not sell, share, rent, or trade your data, ever.
Open-source-friendly transparency — the browser extension source is reproducible from a published archive, and the REST API is fully documented.

Detailed compares against the most-asked-about competitors: vs Firefox Relay, vs DuckDuckGo Email, vs SimpleLogin, vs Addy.io.

Use cases

Who should use a private email alias

Anyone tired of breach fatigue

Per-site aliases mean a leak at any one service doesn't follow you across the internet. Disable the leaky alias; everything else stays intact.

Privacy-first individuals

Hide your real address from ads, data brokers, and aggregators. The alias is the only handle they ever get.

Freelancers and consultants

Per-client aliases on your own domain — clientx@yourdomain.com — kept separate from your personal inbox.

Security and audit professionals

Programmatic alias rotation via API, exposure analytics, and an MCP server so AI assistants can manage your alias hygiene.

FAQ

Frequently asked questions

Are private email aliases legal?

Yes, in every jurisdiction we operate in. Email aliases are a form of mail forwarding — the same legal framework that lets you set up Gmail filters or use a P.O. box. You're allowed to give a unique address to each service you sign up for; the service has no legal claim to your underlying real address. The only legal issue arises if aliases are used to commit fraud, send harassment, or evade subpoenas — and that's true of any email tool, not just aliases.

Can the recipient figure out my real email from the alias?

No, if the forwarding service is built correctly. The provider rewrites the message envelope so the From, Reply-To, and return-path all point at the alias domain, not your real address. Headers that could leak you (Bcc copies, X-Original-To, etc.) are stripped, and the rewritten message is DKIM-signed by the alias domain. As long as you don't mention your real address in the message body, the recipient sees only the alias.

Does anonymous email forwarding hide me from law enforcement?

No, and it shouldn't be assumed to. The forwarding provider knows your real address by definition — they need it to deliver mail. With a valid legal request, that mapping can be disclosed. Anonymous email forwarding makes you anonymous to senders — it's not a tool for evading lawful process. For network-level anonymity (Tor, VPN), you'd combine an alias service with those tools, but each layer is separate.

Do you read or store my emails?

No. EmailAlias operates on a zero-knowledge model. We forward emails in real-time through encrypted channels and only store metadata (sender, timestamp, delivery status) for your analytics dashboard. Email content is never stored on our servers.

What is zero-knowledge privacy?

Zero-knowledge means we've designed our systems so that we technically cannot access your email content, even if we wanted to. Emails pass through our encrypted pipeline and are delivered to your inbox without being stored or read. We only retain minimal metadata for routing and analytics.

How does EmailAlias encrypt my emails?

We use TLS 1.3 for all email transmissions in transit and AES-256 encryption for data at rest. Our zero-knowledge architecture means we never read or store the content of your emails — only encrypted metadata needed for delivery.

What happens if a service I signed up for gets breached?

Because each service has its own unique alias, you'll know exactly which service leaked your data — when spam or phishing hits that alias, the source is obvious. Our exposure intelligence engine also flags suspicious senders in real time. Disable the affected alias and your real email stays safe.

Is EmailAlias GDPR compliant?

Yes. We are fully GDPR compliant. You can export or delete all your data at any time. We process minimal personal data, store nothing beyond what's needed for the service, and our infrastructure is designed with privacy-by-design principles.

Get a private email alias in 30 seconds

Free plan with no credit card required. Premium adds custom domains, send-and-reply, and exposure intelligence. See plan details.

Start free Email Alias Service guide