Feature Request: create new login with unique email

rhornsby
Community Member

When creating a new account on a website, it would be kind of nice if 1P were able to support some kind of mechanism that would call a <script, url, something> to fetch a unique email address to use for that site. 1P doesn't have to do anything except pass along a bit of info like the site/app name, and get the email address back - the thing 1P calls would be responsible for "creating" the email address itself.

There are a couple of existing "solutions" to this need for a site-specific email address:

  • username+somevalue@mydomain.com
  • a wildcard/catchall address, i.e. *@mydomain.com

The '+somevalue' is untenable because way too many site programmers decide on their own that '+' is an illegal character in an email address. The catchall is more universally accepted, but can be a pain to set up - if your chosen mail provider will even allow it.

A few websites will generate temporary email addresses - but you've got issues of privacy/security, blacklists, etc. to deal with. Apple is rolling out something similar for iCloud users - but I don't use iCloud email, or Safari's password manager.

I'm also not super keen on another locked down 1P tie-in to a proprietary third party iCloud-like thing as the solution - similar to the narrow vault storage options like 1P account, Dropbox, or well ... no.

Maybe this is already possible with the "3rd party integrations" noted in the advanced prefs of the 1P app, but it seems like that's a read-only view of some 1P item metadata.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @rhornsby:

    While it sounds like this may not be exactly what you're looking for, we do currently have the Masked Email integration with Fastmail: Use 1Password to create and manage Masked Emails in Fastmail

    Since Fastmail masked emails can be used with your own domain, rather than just @fastmail.com, if you used your own domain on your Fastmail account and wanted to migrate to an email provider other than Fastmail, all of your masked email addresses would come with you.

    With all that said, however, I can see the appeal of a more generic method of creating masked emails, so I've noted your feedback internally, to see if something like this is possible in the future.

    Jack

  • rhornsby
    Community Member

    Thanks @jack.platten - I'll look into the Fastmail thing.

    Dreamhost used to support catch-all, but I think it was being abused somehow and causing more headaches than it was solving. For now it's a several-step process of logging into the DH web UI and adding a new alias in order to create a "new" account. It's been very interesting to see which accounts (with so many being uniquely tied to a site-specific email address) get spammed and which don't. Worse, which accounts appear on sites like haveibeenpwned. I think I had to go through 3 or 4 iterations of LinkedIn email addresses because it kept showing up in breach databases or getting spammed by Ray-Ban type ads, before I finally gave up and deleted my LI account entirely.

    On the other hand, to the internet's credit, the vast majority of site-specific email addresses have only ever gotten messages from that site. That is, for example, I only get Amazon emails to my Amazon-specific address. Surprisingly few get hit from unrelated domains. I still think it's absolutely worth having unique addresses because it lets you see, track, and effectively block unwanted senders just by deleting the destination address. It also helps privacy against data aggregation and correlation - but I know they still do that stuff with phone numbers and whatnot.

    In any case, appreciate you making a note.

  • ag_ana
    1Password Alumni

    @rhornsby:

    "I still think it's absolutely worth having unique addresses because it lets you see, track, and effectively block unwanted senders just by deleting the destination address."

    I hope you don't mind me asking, but I always wondered whether this wouldn't actually be a big annoyance if things go wrong. I understand that you can just delete the destination address in these cases, but what if it's a destination address that you need to keep using? For example, say you are using google@yourdomain.com to regularly access your Google stuff.

    Do you keep "communication" email addresses separate from "login" email addresses?

  • rhornsby
    Community Member

    @ag_ana I don't mind at all - you raise a valid question.

    I rarely, if ever, use the domain-specific address for outgoing mail, i.e. as my from address. So in that sense, yes, I suppose the communication addresses are separate from the login addresses. For very specific situations like an email account (Gmail, Hotmail) it's a bit more difficult, since the communication and login addresses are necessarily the same. Fortunately, those are the exception.

    For all of these addresses (aliases, really), it's a forwarding setup similar to what Jack described with Fastmail. google@yourdomain.com is just an alias to my email address, or maybe a specific email account intended to be the mailbox for all of the aliases. The only person that knows it's an alias is me.

    For a domain-specific address like google@yourdomain used for logging into services, it's easy enough to create a new alias, i.e. google-20211217@mydomain.com, and update the registered login address with that service to match, and delete the old alias. I had to do that with LinkedIn more than once because despite using the most strict privacy settings possible, my LI email address in its various iterations kept ending up getting spammed. Because the address is only ever used as the login for that one site, the only way that happens is if LI is selling the address, or a bad actor has access to their database.

    Overall, I rarely see emails to a site-specific address that aren't from that site. The vast majority stay in their lane, and the emails that are sent to the site-specific address are things you'd expect - account notifications, newsletter from the site, etc. A small handful of times I can see that my email address has been sold/shared because it doesn't line up with who sent it. As far as things going wrong, over maybe 7 or 8 years of handling it this way (when I'm not too lazy to go make an alias when I'm creating a new account somewhere), LI is probably the only stand-out offender. I think maybe my 500px address was recently swiped because it got a couple of Ray-Ban style spam messages, but that was an account I deleted anyway so I just killed the email alias.

  • ag_ana
    1Password Alumni

    Thank you for taking the time to clarify @rhornsby, I appreciate it :)

This discussion has been closed.
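
Added example, not part of the thread and not 1Password's or any mail provider's code: a sketch of the kind of hook the original post asks for (site name in, address out), combined with the dated-alias rotation described in the later comment (`google-20211217@mydomain.com`). The hook contract (site name as the first argument, address on stdout), the `mydomain.example` placeholder domain and the function names are assumptions; creating and deleting the alias at the mail host is left to the caller.

```python
import re
import sys
from datetime import date
from urllib.parse import urlsplit

MAX_LOCAL = 64               # RFC 5321 limit on the local part
DOMAIN = "mydomain.example"  # placeholder for the domain you control


def site_label(site):
    """Reduce a URL, hostname or app name to [a-z0-9-] (no '+', no dots)."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or site
    host = re.sub(r"^www\.", "", host.lower())
    label = re.sub(r"[^a-z0-9]+", "-", host).strip("-")
    if not label:
        raise ValueError(f"no usable characters in site name: {site!r}")
    # Leave room for the longest suffix, "-YYYYMMDD-NN" (12 characters).
    return label[: MAX_LOCAL - 12].rstrip("-")


def new_alias(site, domain, aliases, today=None):
    """Return (address, retired): a fresh dated alias for `site`, and that
    site's older aliases, to delete once the login has been updated."""
    label, domain = site_label(site), domain.lower()
    stamp = (today or date.today()).strftime("%Y%m%d")
    taken = {a.lower() for a in aliases}
    address, n = f"{label}-{stamp}@{domain}", 1
    while address in taken:  # already rotated once today
        n += 1
        address = f"{label}-{stamp}-{n}@{domain}"
    old = re.compile(
        rf"{re.escape(label)}(-\d{{8}}(-\d+)?)?@{re.escape(domain)}")
    return address, sorted(a for a in taken if old.fullmatch(a))


if __name__ == "__main__":
    # Assumed hook contract: site name in argv[1], address on stdout.
    existing = ["linkedin@" + DOMAIN, "amazon@" + DOMAIN]  # constructed
    site = sys.argv[1] if len(sys.argv) > 1 else "linkedin"
    address, retired = new_alias(site, DOMAIN, existing)
    print(address)
    print("delete after updating the login:", retired, file=sys.stderr)
```

The retired list only names that site's earlier aliases; other sites' addresses are untouched, so deleting them cuts off mail to the leaked address without affecting any other login.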