
read receipts
Your Email's Last Name Is a Lie Spammers Already Saw Through
Adding +shop to your Gmail feels clever. A regex deletes it in milliseconds. Here's what actually gives you a kill switch.
A spammer who buys a list of leaked emails runs one tidy line of code before sending a thing: strip everything from the + to the @. Your carefully labeled [email protected] becomes plain [email protected] in the time it takes to blink, and your clever little tag is gone.
That's the dirty secret of plus-addressing, the trick where you append +anything to your Gmail address. Google itself documents that mail to [email protected] lands in the inbox of [email protected]. It's real, it works, and it's genuinely useful for one job: filtering. You can route everything tagged +newsletters into a folder you check on Sundays. Fine.
What it does not do is hide you. The + is a public, documented convention. Any spammer, any data broker, any sloppy marketing vendor that bought your address in a breach can normalize it back to your bare inbox with a regular expression you could write on a napkin. People treat plus-tags like a disguise. They're a name tag.
So when someone sells you on plus-addressing as a privacy move, they're half right and dangerously misleading. As a forensic tool? It's decent — until the leak happens. As a defense? It's a screen door.
The real upgrade is an alias service that hands out a genuinely different address for every signup and forwards mail to your true inbox without ever revealing it. Apple's Hide My Email generates random [email protected] addresses and lets you switch each one off whenever you like. Mozilla's Firefox Relay does the same, free for up to five masks, more on its paid tier. The masked address has no relationship to your real one. There's no + to strip, no base name to recover. A spammer who buys that list buys a dead end.
Here's the part that turns this from convenience into power. Give Acme Tools a unique alias. Give your dentist another. Give that sketchy contest a third. The day spam starts hammering one of them, you don't have a mystery — you have a signed confession. The address only one company ever held is now in a spammer's hands, which means that company leaked it, sold it, or got breached. You don't guess who burned you. You read it off the envelope. Then you kill that single alias and your inbox goes quiet, while every other relationship keeps working untouched.
That's the kill switch plus-addressing can never give you. Turn off jane+acme and a spammer just emails jane directly, because they already stripped the tag months ago. Turn off a Relay mask and the mail bounces into the void.
The catch with aliases is friction. You need the service handy at signup, replies route through a forwarder, and the occasional vendor rejects an @icloud.com or relay domain at checkout. Plus-addressing is zero-setup and works everywhere a + is allowed (and annoyingly, some forms still reject the +, treating a valid RFC 5233 address as a typo).
My verdict: use plus-tags for sorting your own mail, where the tag is a feature and nobody's trying to defeat it. Use real aliases anywhere you're handing your address to a stranger. The first organizes your life. The second tells you exactly who sold it — and lets you cut them off without changing a thing about how you log in tomorrow.
Sources
- Google Workspace Help — Gmail plus-addressing and dot variations
- Apple Support — Hide My Email random address generation and deactivation
- Mozilla Firefox Relay — Email masking tiers, including free five-mask plan
- IETF RFC 5233 — Subaddress (plus-tag) extension specification