Originally implemented in the 1990s. Rewritten for modern requirements.
The mechanism described here is something I originally implemented in the 1990s. At the time it was a straightforward setup using sendmail's aliases file combined with a simple script, but the core idea of assigning a separate address for each counterparty was already proving its worth back then.
Since that time, the email landscape has changed considerably. The explosion of spam, the widespread adoption of sender authentication standards such as SPF, DKIM, and DMARC, the shift toward cloud-based mail services, and growing societal awareness around personal data protection have all reshaped the environment significantly. This implementation has been rewritten from scratch.
This system automatically generates a unique email address for each external service or counterparty, so that your real email address is never disclosed to the outside world.
Example of a generated address: [email protected]
This address is not random. It is computed deterministically from a counterparty identifier such as their email address or registration URL. The same counterparty always produces the same alias.
Every time you sign up for an online shop or web service, the system automatically prepares a dedicated disposable address for that service. Because your real address is never shared with the other party:
Think of it like using a different P.O. box name for every delivery you receive.
The simplest way to describe this system is that it treats your email address like a firewall. No additional cloud services or external costs are required. The system plugs into your existing mail environment on your own domain.
The same counterparty identifier always produces the same alias. Because generation is not random, the same address can be reproduced later without storing every generated address in a database.
Generation uses HMAC-SHA256 with a secret key. It is computationally infeasible to reverse-engineer the counterparty's information from an alias address alone.
Some mail servers treat the local-part of an address as case-insensitive. This system uses lowercase characters exclusively, eliminating that class of problem entirely.
Registration URLs often vary in their query parameters and fragments. These components are stripped before the URL is used as an identifier, so different entry points to the same page are treated as equivalent.
The default setting of 16 characters provides approximately 80 bits of entropy. Even accounting for birthday-attack probabilities, collisions are negligible at any scale short of trillions of addresses.
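The following is an added example (not the author's code) that puts the properties above together: deterministic HMAC-SHA256 derivation from a counterparty identifier, stripping of query string and fragment from URLs, a lowercase-only local-part, and the birthday-bound estimate behind the 80-bit figure. It assumes a lowercase base32 encoding of the MAC (5 bits per character, so 16 characters give 80 bits, matching the page's numbers); the secret key, the alias domain `example.com` and the identifiers fed in are constructed placeholders.

```python
import base64
import hashlib
import hmac
import math
from urllib.parse import urlsplit, urlunsplit

# Constructed demo values; a real deployment keeps the key outside the source.
SECRET_KEY = b"constructed-demo-key-replace-with-your-own"
ALIAS_DOMAIN = "example.com"   # placeholder for your own domain
ALIAS_LENGTH = 16              # 16 base32 chars = 80 bits


def normalize_counterparty(identifier: str) -> str:
    """Canonicalise the identifier so equivalent inputs give one alias.

    URLs lose their query string and fragment and get a lowercase scheme
    and host; anything else (e.g. an email address) is just lowercased.
    Lowercasing the whole email address is a design choice of this example.
    """
    ident = identifier.strip()
    if "://" in ident:
        parts = urlsplit(ident)
        path = parts.path or "/"
        return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))
    return ident.lower()


def derive_local_part(identifier: str, secret: bytes = SECRET_KEY,
                      length: int = ALIAS_LENGTH) -> str:
    """HMAC-SHA256 over the canonical identifier, truncated to `length`
    lowercase base32 characters. Without `secret` the counterparty cannot
    be recovered from the alias, and the same input always maps to the
    same alias, so no database of issued aliases is needed."""
    canonical = normalize_counterparty(identifier)
    mac = hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).digest()
    encoded = base64.b32encode(mac).decode("ascii").lower().rstrip("=")
    return encoded[:length]


def alias_for(identifier: str, domain: str = ALIAS_DOMAIN) -> str:
    return f"{derive_local_part(identifier)}@{domain}"


def entropy_bits(length: int = ALIAS_LENGTH, alphabet_size: int = 32) -> float:
    """Bits of entropy in a local-part of `length` symbols."""
    return length * math.log2(alphabet_size)


def collision_probability(n_aliases: int, bits: float) -> float:
    """Birthday approximation: p ~= 1 - exp(-n^2 / 2^(bits+1)).
    expm1 keeps precision when the probability is tiny."""
    return -math.expm1(-(n_aliases ** 2) / (2.0 ** (bits + 1)))


if __name__ == "__main__":
    # Two entry points to the same signup page collapse to one alias.
    a = alias_for("https://Shop.Example.com/signup?ref=abc#top")
    b = alias_for("https://shop.example.com/signup")
    print(a, b, a == b)
    print("entropy bits:", entropy_bits())
    for n in (10**6, 10**9, 10**12):
        print(f"{n:>14} aliases -> collision p = {collision_probability(n, 80):.3g}")
```

Note that path normalisation is deliberately minimal: a trailing slash or a different path still yields a different alias, which is the conservative choice for a scheme meant to keep counterparties apart.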