What is a private email alias, and what makes it private?
A private email alias hides your real inbox behind a unique forwarding address. Every provider claims to be private; very few document what that actually means. This page covers what real privacy looks like in this category and how to evaluate any provider before you trust them with your inbound mail.
What is a private email alias?
A private email alias is a forwarding address minted on your behalf — for example m4-quiet-lake@emailalias.io — that you give to a website instead of your real address. Mail sent to the alias is forwarded to your real inbox, but the website only ever sees the alias. Your real address never crosses the wire.
The word private matters because it implies more than just “a different address.” Done well, a private email alias guarantees four things.
Four guarantees that make an alias “private”
- Industry standard
Provider doesn't read your forwarded mail
Message contents pass through the forwarding pipeline without being scanned, indexed, or stored.
- Rare in practice
Alias-to-real mapping encrypted at rest
A database compromise doesn't immediately leak the alias→real-address link. Look for AES-256 with documented key management.
- Rare in practice
Provider doesn't sell your address or activity
Subscription-funded revenue, not ad-funded. Explicit no-sell commitment with no quiet exceptions.
- Rare in practice
Per-alias kill switch on demand
Disable any alias the moment it starts attracting spam — without losing access to any other alias or relationship.
Most providers tick the first box; far fewer document the next three. That gap is what this page is for.
What “private” should actually mean
On a marketing page, every email forwarder claims privacy. The substantive version of the claim has four pillars. If a provider can't answer all four, the alias isn't really private — it's just different.
1. Zero-knowledge forwarding
Mail is forwarded without being read, scanned, analyzed, or stored. Only delivery metadata is retained — sender, timestamp, status — and only as long as needed for your dashboard. EmailAlias.io publishes its full pipeline on /are-you-reading-my-email.
2. AES-256 encryption at rest, with documented key management
The alias-to-real-address mapping has to live in a database somewhere. AES-256 at rest with documented key-management practices means a database compromise doesn't immediately leak your real inbox. Most consumer email forwarders don't publish their posture; assume the worst until they do.
3. No-sell, no-ads, subscription-only revenue
If a service is free with no upgrade path, the user is the product. Look for an explicit no-sell statement and a paid tier that funds the operation. EmailAlias.io's full statement and a why-the-economics-work section live on /are-you-selling-my-information.
4. Per-alias kill switch
Real privacy means a leak at any one site doesn't follow you across the internet. You should be able to disable an individual alias in one click and keep every other alias working. If you can also see which alias has been receiving suspicious mail before you disable it, the privacy story is even better.
Why other “private” tricks fall short
Three alternatives get suggested as substitutes for a private email alias service. None of them delivers the four pillars above.
Gmail “+” aliases
you+netflix@gmail.com still resolves to you@gmail.com. Spammers strip the suffix in seconds. Your real address is fully exposed.
Disposable / temp inboxes
Public mailboxes that anyone can read; they expire in minutes and can't reply. Many sites block known disposable domains outright.
Burner Gmail accounts
Workable but high-friction: switching accounts, keeping separate sessions, password sprawl, and Google still sees everything. Not actually private from the host.
With a real private email alias service, you have a single account, every alias is permanent, mail forwards to one inbox you already use, and nobody reads the contents. That's the bar.
How to evaluate any private email alias provider's privacy posture
Run these seven checks against any private email alias service before you sign up. The good ones answer all seven; the marketing-only ones go quiet on the technical details.
- 01
Dedicated security or architecture page
Look for: An architecture explainer with cipher choice, key-management story, and named compliance frameworks.
Red flag: Only a privacy policy and “your privacy is important to us” boilerplate.
- 02
Zero-knowledge or no-read claim
Look for: Engineering specifics: exactly what is read, what is stored, who can access it.
Red flag: Marketing language with no description of the data pipeline.
- 03
Email authentication on every alias
Look for: SPF, DKIM, and DMARC enforced on shared-domain and custom-domain aliases alike.
Red flag: Forwarded mail lands in spam; trace headers show broken alignment.
- 04
Per-alias disable (not just delete)
Look for: One-click disable that preserves the audit trail and can be reactivated later.
Red flag: “Delete” is the only option — your history of who mailed what disappears with it.
- 05
Sender-risk scoring on inbound mail
Look for: Sender-risk scoring on risky TLDs, typosquat patterns, and known phishing signals.
Red flag: You only find out about a breach when the spam wave gets unbearable.
- 06
Honest revenue model
Look for: A paid tier funded by users. You can name the line item on their pricing page.
Red flag: “Free forever” with no obvious revenue source. If you cannot see how they make money, you are how.
- 07
SOC 2, GDPR, and CCPA with substance
Look for: SOC 2, GDPR, and CCPA mentioned with retention rules, processor lists, and audit cadence.
Red flag: Compliance logos in the footer with no further detail.
EmailAlias.io documents all seven on /security, "Are you reading my email?", and "Are you selling my information?".
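Check 03 can be tested from your own inbox. The following added example (not EmailAlias.io code) reads the Authentication-Results header a receiving server stamped on a forwarded message and reports whether SPF or DKIM passed and also aligns with the visible From domain. The sample headers and every name in it are constructed, and alignment is simplified to an exact-or-subdomain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: headers a receiving inbox might stamp on forwarded mail.
ALIGNED = """\
Authentication-Results: mx.inbox.example; spf=pass smtp.mailfrom=bounce@alias.example;
 dkim=pass header.d=alias.example; dmarc=pass header.from=alias.example
From: Shop <shop.store.example@alias.example>
"""
BROKEN = """\
Authentication-Results: mx.inbox.example; spf=pass smtp.mailfrom=bounce@alias.example;
 dkim=fail header.d=store.example; dmarc=fail header.from=store.example
From: Shop <news@store.example>
"""

def domain_of(value):
    """Domain part of an address (or a bare domain), lower-cased."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def aligned(a, b):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    # A full check compares organizational domains using the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def parse_auth_results(header):
    """Map method -> (result, {property: value}) for one Authentication-Results value."""
    out = {}
    for part in header.split(";")[1:]:      # part 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if m:
            out[m.group(1).lower()] = (m.group(2).lower(),
                                       dict(re.findall(r"(\w+\.[\w-]+)=(\S+)", part)))
    return out

def check_forward(raw):
    """Report whether SPF or DKIM passed *and* aligns with the visible From domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg["From"])[1])
    # Only the first header is read; trust it only if your own mail server added it.
    res = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    spf_ok = spf == "pass" and aligned(domain_of(spf_p.get("smtp.mailfrom", "")), from_dom)
    dkim_ok = dkim == "pass" and aligned(domain_of(dkim_p.get("header.d", "")), from_dom)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "aligned_pass": spf_ok or dkim_ok}

print(check_forward(ALIGNED)["aligned_pass"], check_forward(BROKEN)["aligned_pass"])
```

The BROKEN sample is the classic forwarding failure: SPF passes for the forwarder's own bounce domain, but nothing that passed matches the From domain, so a DMARC-enforcing inbox treats the message as unauthenticated.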
How EmailAlias.io builds privacy in
Seven concrete commitments behind every private email alias we issue. Each one maps to a page you can audit.
Zero-knowledge forwarding pipeline
Message contents are forwarded but never read, scanned, or stored. Only the metadata needed for your dashboard is retained.
Documented at Are you reading my email?
AES-256 at rest, TLS 1.3 in transit
AES-256 on alias mappings and metadata, TLS 1.3 in transit, and full SPF/DKIM/DMARC enforcement on every outbound forward.
Documented at /security
Suspicious-sender intelligence
Inbound mail is scored on risky TLDs, typosquat patterns, and phishing-keyword signals, surfaced as exposure events on your dashboard.
Documented at Monitoring & analytics
Per-alias kill switch
One-click disable from the popup or the dashboard. The audit trail stays intact, so you can still see who mailed the alias before you killed it.
Documented at /security
Real custom domains (Premium)
Bring your own domain so aliases live on a domain you control. Full SPF/DKIM/DMARC verification means deliverability stays high.
Documented at Custom domain email alias
Subscription-funded, never ad-funded
Revenue comes from paying users. We do not run ads. We do not sell, share, rent, or trade your data — ever.
Documented at Are you selling my information?
Open-source-friendly transparency
The browser extension source is reproducible from a published archive, and the REST API is fully documented.
Documented at REST API documentation
Who should use a private email alias
Anyone tired of breach fatigue
Per-site aliases mean a leak at any one service doesn't follow you across the internet. Disable the leaky alias; everything else stays intact.
Privacy-first individuals
Hide your real address from ads, data brokers, and aggregators. The alias is the only handle they ever get.
Freelancers and consultants
Per-client aliases on your own domain — clientx@yourdomain.com — kept separate from your personal inbox.
Security and audit professionals
Programmatic alias rotation via API, exposure analytics, and an MCP server so AI assistants can manage your alias hygiene.
Frequently asked questions
Are private email aliases legal?
Yes, in every jurisdiction we operate in. Email aliases are a form of mail forwarding — the same legal framework that lets you set up Gmail filters or use a P.O. box. You're allowed to give a unique address to each service you sign up for; the service has no legal claim to your underlying real address. The only legal issue arises if aliases are used to commit fraud, send harassment, or evade subpoenas — and that's true of any email tool, not just aliases.
Can the recipient figure out my real email from the alias?
No, if the forwarding service is built correctly. The provider rewrites the message envelope so the From, Reply-To, and return-path all point at the alias domain, not your real address. Headers that could leak you (Bcc copies, X-Original-To, etc.) are stripped, and the rewritten message is DKIM-signed by the alias domain. As long as you don't mention your real address in the message body, the recipient sees only the alias.
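You can verify this claim yourself by replying from an alias to a second mailbox you control and inspecting the raw message that arrives. The following is an added example (not EmailAlias.io code) that audits such a message for the leaks described above; the addresses, domains and the function name audit_leaks are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a reply as the recipient would receive it. The real
# address survives in two headers that a correct forwarder would have rewritten.
LEAKY = """\
Return-Path: <bounce@alias.example>
Received: from mail.alias.example by mx.store.example for <support@store.example>
X-Original-To: jane.doe@inbox.example
From: m4-quiet-lake@alias.example
Reply-To: Jane <jane.doe@inbox.example>
To: support@store.example
Subject: Re: order

Thanks!
"""

IDENTITY_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

def audit_leaks(raw, real_address, alias_domain):
    """List (header, reason) findings where the real address is exposed or an
    identity header points somewhere other than the alias domain."""
    msg = message_from_string(raw)
    real, ad = real_address.lower(), alias_domain.lower()
    findings = []
    for name, value in msg.items():             # every header, Received included
        if real in value.lower():
            findings.append((name, "contains real address"))
    for name in IDENTITY_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            dom = addr.rsplit("@", 1)[-1].lower()
            if addr and dom != ad and not dom.endswith("." + ad):
                findings.append((name, "domain %s is not the alias domain" % dom))
    if real in str(msg.get_payload()).lower():  # quoted replies and signatures leak too
        findings.append(("(body)", "contains real address"))
    return findings

for finding in audit_leaks(LEAKY, "jane.doe@inbox.example", "alias.example"):
    print(finding)
```

An empty result for a real message means the headers and body the recipient sees carry only the alias; it says nothing about what the provider itself stores.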
Does anonymous email forwarding hide me from law enforcement?
No, and it shouldn't be assumed to. The forwarding provider knows your real address by definition — they need it to deliver mail. With a valid legal request, that mapping can be disclosed. Anonymous email forwarding makes you anonymous to senders — it's not a tool for evading lawful process. For network-level anonymity (Tor, VPN), you'd combine an alias service with those tools, but each layer is separate.
Do you read or store my emails?
No. EmailAlias operates on a zero-knowledge model. We forward emails in real-time through encrypted channels and only store metadata (sender, timestamp, delivery status) for your analytics dashboard. Email content is never stored on our servers.
What is zero-knowledge privacy?
Zero-knowledge means we've designed our systems so that we technically cannot access your email content, even if we wanted to. Emails pass through our encrypted pipeline and are delivered to your inbox without being stored or read. We only retain minimal metadata for routing and analytics.
How does EmailAlias encrypt my emails?
We use TLS 1.3 for all email transmissions in transit and AES-256 encryption for data at rest. Our zero-knowledge architecture means we never read or store the content of your emails — only encrypted metadata needed for delivery.
What happens if a service I signed up for gets breached?
Because each service has its own unique alias, you'll know exactly which service leaked your data — when spam or phishing hits that alias, the source is obvious. Our exposure intelligence engine also flags suspicious senders in real time. Disable the affected alias and your real email stays safe.
Is EmailAlias GDPR compliant?
Yes. We are fully GDPR compliant. You can export or delete all your data at any time. We process minimal personal data, store nothing beyond what's needed for the service, and our infrastructure is designed with privacy-by-design principles.