How to use the Bitwarden forwarded email alias generator (opens in new tab)

(bitwarden.com)

135 pointshumanperhaps1y ago64 comments

64 comments

Huge! Well done to the Bitwarden team for this first class support of digital identity compartmentalization, although a bit more improvement to be made to reduce friction on the user side for plugging in alias providers (pop up to login to retrieve an API token behind the scenes vs the API token copy paste dance, with login creds Bitwarden might be storing already).

Edit: Is there a standard or API spec perhaps across email alias services for generating, listing, managing, and invalidating aliases?

(happy paying bitwarden customer, no other affiliation)

Ringz1y ago

It's been like this for years. However, with one of my own domains and a catch all rule in the e-mail server. Why? From time to time, some services require that you send emails with exactly this e-mail address as the sender. And that doesn't just work with most services. Because in such a case, you have to turn exactly this e-mail address into a real account with a mailbox.

saghm1y ago

For me, the value of using aliases on my own domain isn't anonymity, it's provenance; I can tell where my email was obtained from based on the the prefix used. If I get an email sent to git@<domain>, I know that someone (or something) was looking at git logs to get it, if it's sent to resume@<domain>, I know someone got it from my resume, etc.

tamimio1y ago

Pretty much my exact same reason, plus the separation of concerns concept. If a service got breached and that email leaked, I don’t have to worry about using that email to brute force other services.

dinglestepup1y ago

In most cases you can have the same level of provenance with a plus addressed email, without needing to support a custom domain.

1 more reply

zfa1y ago

I bet no spammer or salesperson would ever think of replacing such a generic localpart to get to your eyeballs.

2 more replies

CaptainNegative1y ago

In principle, someone seeing heido15wkj6@yourraredomain.com, yua16ooaaj2@yourraredomain.com, and kqoq91inhi4@yourraredomain.com in a dump might be able to infer that all of these belong to the same user with a catchall address (especially if they can verify that the domain is unpopular via dns caching or other tricks). Using a common service adds another partial layer of anonymity between the email addresses, making one harder to track.

ziml771y ago

Especially necessary when your domain is your full name. It's painfully obvious that all addresses under the domain belong to a single person. I've been using Fastmail's masked email service for a while to hide my personal domain. And before that I had a handful of gmail addresses that I set to forward to my main address.

Ringz1y ago

Theoretical yes. But never had that. It is more likely that generic, non existant emails like info@domain.com, admin@domain.com, etc. will be generated if you have a domain with a public website.

OptionOfT1y ago

AFAIK Fastmail is the only service that allows you to respond from an arbitrary email address (of course, provided that you prove that you own the domain).

You can do it in Office 365 but it's tedious, you have to add the alias and then you can email from it.

Ringz1y ago

If you do that with a good web host [1], its cheaper than Fastmail or any other mailservice.

[1]:https://www.hetzner.com/webhosting/

I am not affiliated with Hetzner.

m-p-31y ago

Firefox Relay Premium lets you do it

https://relay.firefox.com/faq/#:~:text=can%20i%20reply%20to%...

erinnh1y ago

I’ve been doing this with SimpleLogin for years. I’d expect anonaddy to be able to do the same.

1 more reply

upon_drumhead1y ago

Gmail for domains allowed the same, you had to add the alias and then you could email from it.

dinglestepup1y ago

Startmail.com and Protonmail.com allow responding from alias email addresses.

uselpa1y ago

Not necessarily. You can for example configure both Thunderbird and mailcow to allow you to reply from any address (of the domains you manage, of course), without having to create the mailbox.

Ringz1y ago

Creating a mailbox is effortless. At least at my web host.

subract1y ago

addy.io allows you to send email from any of your aliases. It’s a little clunky, but it’s the sort of thing I do so infrequently I don’t really mind.

https://addy.io/faq/#how-do-i-send-email-from-an-alias

Ringz1y ago

But only for 30 aliases for 4$/month.

1 more reply

tamimio1y ago

That’s great, but there’s a caveat. When I normally create a random email with my own domain as a username, I am not tied to a specific service. I can always migrate to another one without having to take any action. However, if I used this with Fastmail, for example, the generated emails are with fastmail.com or similar domains that aren’t under my control. If I wanted to migrate in the future, I would have to redo all of these randomly generated emails.

toomuchtodo1y ago

It's an important consideration; email sovereignty is at odds with a domain hosting relay aliases where you can blend in with everyone else. Perhaps the solution is a mechanism where you can migrate aliases between services, creating new aliases and updating at each service, and invalidating old aliases, all programatically. Somewhat similar to token and secret rotation. It's just a string identifier that can be an email target.

tamimio1y ago

Or maybe having an option to generate aliases using my own domain. I don’t mind exposing my domain or even creating a new domain only for this purpose, say @aliasdomain.com. That way, I am still in full control and utilizing the generated aliases.

1 more reply

dinglestepup1y ago

As mentioned somewhere in this thread, using a custom domain poses other risks, in some cases more significant. All your aliases will be forever tied to your identity (and potentially de-anonymized by a single leak).

tamimio1y ago

> All your aliases will be forever tied to your identity

A separate domain can be used if really needed. But even with using my own domain, I don’t see it as a problem. After all, emails are not anonymous, and a leak with an alias with a custom domain is still meaningless and doesn’t affect other services.

1 more reply

NoboruWataya1y ago

Bitwarden allows you to specify a custom domain for this (assuming that your email forwarding service is configured to work with that domain).

renewiltord1y ago

Ah, this is nice. It brings the Apple Hide My Email functionality (though not compatibility) to all platforms, which is something I do desire since using Hide My Email makes non-Apple platforms unusable for logins.

dublinben1y ago

Why would using Apple's Hide My Email functionality make non-Apple platforms unusable for logins? If you're storing these credentials in a cross-platform password manager like Bitwarden, you should be able to enter your (fake) email address and password anywhere to sign in.

joeyhage1y ago

You can create on-demand Hide My Email aliases[1] that deliver to your Apple account email address without using your AppleID to login.

[1] https://support.apple.com/guide/iphone/create-and-manage-hid...

niklasmtj1y ago

Oh this is funny to see. I just posted a blog post talking about Email Aliases an hour ago without knowing about the Bitwarden announcement.

I would love to see aliases being promoted more and more by companies. In the end most companies want to get in touch with you via e.g. a newsletter. So why do they need exactly your private email and not just an email alias. In the end they're reaching the same person.

noman-land1y ago

They don't want to send you a newsletter. They want to get you to click a unique, personalized tracking link so they can drop a cookie in your browser and start tracking everything you do and tying it back to a single, named identity in their contacts database that they can then try to extract money from.

rework1y ago

They need the exact email address because:

1) Prevent duplicate account creation

2) Users forget what email they used to signup (this happens ALLLLLL the time with + emails)

3) To sell your data, link you, and spam you.

lygten1y ago

This will do the same thing: curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'

dlkmp1y ago

Is this really a problem people have? I personally just use some free mail account for all low-priority stuff without push notifications enabled in my client apps.

DrBenCarson1y ago

People use password managers so they can conveniently have a single password without a single breach compromising all of their accounts.

This is the same idea but for their email identity.

jabroni_salad1y ago

Here's a fun one: https://www.martinvigo.com/email2phonenumber/

The more places you use the same email address, the greater your exposure.

knowaveragejoe1y ago

If you are privacy conscious, yes. Compartmentalizing emails used for services is useful. It also tells you who is selling your information.

toomuchtodo1y ago

Also, when it is clear someone is abusing the email you provided, you can nuke it. Perhaps some functionality to be had here between aliases and haveibeenpwned detecting an alias in a breach, queuing for alias cycling or invalidation with a human approval step.

eli1y ago

If one address is getting spam I can just turn it off or filter it to the trash.

stranded221y ago

A shame that Apple Hide My Email isn’t available within Bitwarden. I use that occasionally and would love to have it integrated and working together.

NoboruWataya1y ago

This seems to just generate a random string to go with whatever domain I have set. Personally I prefer my email aliases to be of the form `<business_name>@<my_domain>` or `<website_domain>@<my_domain>`. That way if you do start getting unsolicited email it is crystal clear who is spamming you (or has sold/leaked your data).

In fact, given it seems to just put a random string in front of a domain name you give it I'm a little curious as to why they need your API key at all - is it just to ensure that you are not creating duplicate email aliases?

zfa1y ago

Needs your API key as it needs to access the email forwarding service which you want to use with it.

It's not just making up a bullshit address, it's generating a random localpart then going to the email forwarding service you've integrated and having that service create an email forward to your real address per whatever settings you have there.

Any email sent to the address it generates (signup confirmations, password resets etc) need to get to you, after all.

This design is completely different to using <business>@example.com. The latter is kind of useful for your use of 'who has sold my address' but has privacy drawbacks this design doesn't. e.g. if a spammer gets bestbuy@exmaple.com they know you prob also have twitter@exmaple.com, facebook@exmaple.com or whatever else and it's all just the same guy with the same inbox.

Truly 'random' addresses at generic forwarding services means that if Ashley Maddison gets breached again then your secret remains safe. sj4h3bd@forwarder.net could be anyone.

NoboruWataya1y ago

> It's not just making up a bullshit address, it's generating a random localpart then going to the email forwarding service you've integrated and having that service create an email forward to your real address per whatever settings you have there.

Fair enough - the one I use automatically creates an alias whenever it receives an email at the relevant domain so there's no need to manually create one, I assumed the other services were the same.

dumpHero21y ago

How do you send email or reply from the alias that you create?

NoboruWataya1y ago

It depends on the alias service you use (this appears to just give you another frontend to your alias service, eg, Addy.io or Firefox Relay). I know with Addy.io, forwarded emails have a special "Reply-To" header which is an address that Addy.io monitors and will forward your response back to the original sender. So replying to email delivered to your alias isn't a problem, though I think initiating an email from an alias would be tricky.

joeyhage1y ago

It’s possible to initiate from Addy as well. For example, if your Addy alias is example@mailer.me and you wish to email hn@gmail.com then you would send an email to example+hn=gmail.com@mailer.me from the email address registered to the Addy account.

The Addy app has a utility to generate this, too.

amelius1y ago

How is this different from Firefox Relay?

dinglestepup1y ago

It's not in the same category. You can use Firefox Relay as an alias generator within Bitwarden. It provides a convenient UI and an integration with the password manager.

amelius1y ago

I still don't understand why I would need Bitwarden if I use Firefox Relay, sorry.

1 more reply

woldemariam1y ago

this has to be done on every instance of where I use Bitwarden separately?

lygten1y ago

curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'

j / k navigate · click thread line to collapse

64 comments

toomuchtodo1y ago

Edit: Is there a standard or API spec perhaps across email alias services for generating, listing, managing, and invalidating aliases?

(happy paying bitwarden customer, no other affiliation)

Ringz1y ago

saghm1y ago

tamimio1y ago

dinglestepup1y ago

In most cases you can have the same level of provenance with a plus addressed email, without needing to support a custom domain.

1 more reply

zfa1y ago

I bet no spammer or salesperson would ever think of replacing such a generic localpart to get to your eyeballs.

2 more replies

CaptainNegative1y ago

ziml771y ago

Ringz1y ago

Theoretical yes. But never had that. It is more likely that generic, non existant emails like info@domain.com, admin@domain.com, etc. will be generated if you have a domain with a public website.

OptionOfT1y ago

AFAIK Fastmail is the only service that allows you to respond from an arbitrary email address (of course, provided that you prove that you own the domain).

You can do it in Office 365 but it's tedious, you have to add the alias and then you can email from it.

Ringz1y ago

If you do that with a good web host [1], its cheaper than Fastmail or any other mailservice.

[1]:https://www.hetzner.com/webhosting/

I am not affiliated with Hetzner.

m-p-31y ago

Firefox Relay Premium lets you do it

https://relay.firefox.com/faq/#:~:text=can%20i%20reply%20to%...

erinnh1y ago

I’ve been doing this with SimpleLogin for years. I’d expect anonaddy to be able to do the same.

1 more reply

upon_drumhead1y ago

Gmail for domains allowed the same, you had to add the alias and then you could email from it.

dinglestepup1y ago

Startmail.com and Protonmail.com allow responding from alias email addresses.

uselpa1y ago

Not necessarily. You can for example configure both Thunderbird and mailcow to allow you to reply from any address (of the domains you manage, of course), without having to create the mailbox.

Ringz1y ago

Creating a mailbox is effortless. At least at my web host.

subract1y ago

addy.io allows you to send email from any of your aliases. It’s a little clunky, but it’s the sort of thing I do so infrequently I don’t really mind.

https://addy.io/faq/#how-do-i-send-email-from-an-alias

Ringz1y ago

But only for 30 aliases for 4$/month.

1 more reply

tamimio1y ago

toomuchtodo1y ago

tamimio1y ago

1 more reply

dinglestepup1y ago

tamimio1y ago

> All your aliases will be forever tied to your identity

1 more reply

NoboruWataya1y ago

Bitwarden allows you to specify a custom domain for this (assuming that your email forwarding service is configured to work with that domain).

renewiltord1y ago

dublinben1y ago

joeyhage1y ago

You can create on-demand Hide My Email aliases[1] that deliver to your Apple account email address without using your AppleID to login.

[1] https://support.apple.com/guide/iphone/create-and-manage-hid...

niklasmtj1y ago

Oh this is funny to see. I just posted a blog post talking about Email Aliases an hour ago without knowing about the Bitwarden announcement.

noman-land1y ago

rework1y ago

They need the exact email address because:

1) Prevent duplicate account creation

2) Users forget what email they used to signup (this happens ALLLLLL the time with + emails)

3) To sell your data, link you, and spam you.

lygten1y ago

This will do the same thing: curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'

dlkmp1y ago

Is this really a problem people have? I personally just use some free mail account for all low-priority stuff without push notifications enabled in my client apps.

DrBenCarson1y ago

People use password managers so they can conveniently have a single password without a single breach compromising all of their accounts.

This is the same idea but for their email identity.

jabroni_salad1y ago

Here's a fun one: https://www.martinvigo.com/email2phonenumber/

The more places you use the same email address, the greater your exposure.

knowaveragejoe1y ago

If you are privacy conscious, yes. Compartmentalizing emails used for services is useful. It also tells you who is selling your information.

toomuchtodo1y ago

eli1y ago

If one address is getting spam I can just turn it off or filter it to the trash.

stranded221y ago

A shame that Apple Hide My Email isn’t available within Bitwarden. I use that occasionally and would love to have it integrated and working together.

NoboruWataya1y ago

zfa1y ago

Needs your API key as it needs to access the email forwarding service which you want to use with it.

Any email sent to the address it generates (signup confirmations, password resets etc) need to get to you, after all.

Truly 'random' addresses at generic forwarding services means that if Ashley Maddison gets breached again then your secret remains safe. sj4h3bd@forwarder.net could be anyone.

NoboruWataya1y ago

Fair enough - the one I use automatically creates an alias whenever it receives an email at the relevant domain so there's no need to manually create one, I assumed the other services were the same.

dumpHero21y ago

How do you send email or reply from the alias that you create?

NoboruWataya1y ago

joeyhage1y ago

The Addy app has a utility to generate this, too.

amelius1y ago

How is this different from Firefox Relay?

dinglestepup1y ago

It's not in the same category. You can use Firefox Relay as an alias generator within Bitwarden. It provides a convenient UI and an integration with the password manager.

amelius1y ago

I still don't understand why I would need Bitwarden if I use Firefox Relay, sorry.

1 more reply

woldemariam1y ago

this has to be done on every instance of where I use Bitwarden separately?

lygten1y ago

curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'

j / k navigate · click thread line to collapse