Now if only websites will stop rejecting plus-addressed email addresses as invalid. The most frequent offenders are mom & pop websites that you just _know_ are going to get breached.

I use shopname@firstname.lastname.email, with my own lastname.email domain. Fastmail makes configuring your dns records for this super simple.

It's always fun interacting with customer service reps when they for example confirm my email address... "errrrrr yeah so we email you at ourname@...?"

I own fakefakefake.email and savor the opportunity to give people dumb catchalls when they insist on needing an email address from me.

I've done that for nearly twenty years now. Importantly, it allows one to trace how your email gets distributed and stolen.

Did you find anything interesting? I started doing this recently and did not find anyone misusing my email so far and am now wondering if it's worth the extra effort.

For alias addresses they are filtering that because the data thiefs and middlemen know a small portion of people do this. They cut off the plus or dot part when your domain has a well known MX/MTA connected to it.

That still leaves custom mailservers and non-alias (as in aliases via plus or dot, not actual mailserver aliases) which does give an indication as to who is sharing your data.

A decade ago I found the unique email address I used at Hertz.com leaked for spam.

Of course when I complained they said it must have been something I did...

Oh yes, and also in physical stores when e.g. giving a contact e-mail for warranty updates.

- "Oh! You work with us? At which store?"

Why do you use shopname@? Once you know the pattern everyone can guess it.

Not OP, but I'm guessing because it's easier to remember than completely random email address (password manager might solve this?) and more unique than using the same email everywhere.

Yeah, thats exactly it, it allows filtering incoming messages into folders based on what I tell a shop and it makes it easier to remember what alias i used where

You can combine the shopname with a salt and store it in your password manager.

Only a tiny fraction of people is in a position to do this. If it were really an issue, using the pattern `shopname_n`, where nn is different for every address, should do the trick. It's similar to encrypting serial numbers so they don't [German Tank Problem](https://en.m.wikipedia.org/wiki/German_tank_problem) them.

Wow I have the exact same setup – it works perfectly! I assume you also, like me, have a backup domain like lastname-email.com for all the broken email validators out there?

Yeah just the base firstnamelastname@fastmail.com i got when first registering with fastmail.

I use this one for two or three vital services, like banking and receiving government messages.

Meaning i have some backup should i forget to renew the .email domain...

I like this! I haven't used my own mail-server for much, however this is a great way to avoid a single "e-mail" that everyone can support :)

That's not going to help, since everybody knows you can just strip everything after the '+' and get to the main mailbox.

Jokes on them, if my spam+<tag> doesn't have a tag it's straight in the bin.

It's always a cat and mouse game, user+$RANDOM@example.org would still get through and you'd not be able to block that based on the sender (assuming you do it like most people, blacklist-based, rather than allocating new email addresses when you need them).

Of course, this only becomes an issue when the masses start doing it. I'm very surprised how few spammers remove tge +tag, given that that's semi-mainstream by now.

you could track your +labels and reject any unknown ones.

personally i don't worry about spam, i want to track who leaks their users email addresses, and then be able to filter on labels that have gone bad

I do prefix+12RandomLetters@blahblah and every potential sender gets it's own random address. Then I use filters to move mail to predefined folders. What's left is spam.

If a mail comes in from an unknown sender to known address I know that the address is compromised.

Ideally I would like to plug my password manager to generate an address and automatically add email filters in place.

Although I was thinking about a service that would just give randomalphanumeric@example.com for all its users, so they would be on the same host and no connection between addresses could be implied. It could or even should be receive only.

Do you ever need to give someone an address on the phone? I do.

If you do, how well does your 12 random letter system work for that use case?

I use it only for services. If I have an actual person I give them my other (normal) e-mail.

'+' has no standardized meaning. Just put the tag first and let them strip off the unimportant part.

That's easy if you run your own mail server, but how do you apply that to your Gmail, Gsuite, Outlook, Fastmail or Yahoo mail account?

The other problem I ran into is spam+sitename@mydomain.com is really awkward to read over the phone. I ended up switching to sitename@email.mydomain.com, which passes all validators and doesn't sound as sketchy. Using a subdomain, I don't seem to catch any of the spam that gets targeted to catchall domain addresses.

Also, I once encountered a site where spam+xyz worked for signup but failed validation on the login form. I think it was something important too, like a utility or bank.

I've done that, and gotten banned from a site later for having the company name in my email. (I was unbanned later, after contacting support)

The worst is when it doesn't fail signup, but URL-Decodes into a space in their data.

I use qmail, where - has been the extension for, well, since it was created. If you're a postfix person, you can use + or -, with recipient_delimiter.

You're less likely to bump into issues with -.

Some shops don't like their trade name in the email, so rot13 (g? in vim) solves that if your goal is to trace back the leaks. I have not found a reliable way of auto dropping mail from bad sources, sometimes companies change name which makes it hard to validate From with recipient.

> If you're a postfix person, you can use + or -, with recipient_delimiter.

Even better: postfix and dovecot (as of v2.3) now both allow specifying multiple recipient delimiters. So if you run your own mail server you can specify as many recipient delimiters and switch between them if websites are being picky.

I simply changed my mail configuration to use a different character, in my case _ though X would have worked as well.

I wish seive were better supported in mail clients. It works fine on the back end, but I edit my .seive file by logging into the server and sparking up Emacs rather than being able to handle it directly from my mail client.

Emacs can be used to edit sieve files directly on the server, with M-x sieve-manage, so long as you have the managesieve daemon running.

I use the managesieve plugin in claws-mail, works great with no issues.

Odd that you are talking about security breaches with this..

I figured sites wouldn't want to accept it because they know you are most likely filtering their emails so they have a much less chance of getting through to you.

If someone is stealing emails/passwords from a site obviously they will just strip characters after the plus to obtain your normal email address?

Periods are ignored in gmail and anything after a + is also ignored, so all of these will go to the same mailbox:

   johndoe@gmail.com
   john.doe@gmail.com
   j.o.h.n.d.o.e@gmail.com
   johndoe+spam@gmail.com
   john....doe+spam@gmail.com

but johndoe.spam@gmail.com wouldn't go to the same mailbox.

john...doe@gmail.com doesn’t seem to work though. I don’t think Gmail takes multiple dots.

Not just Gmail, that’s a syntactically invalid email address. See https://en.wikipedia.org/wiki/Email_address#Local-part for details.

But sure, you could have `(my name is)john."..".doe+spam(...)@gmail.com` if you wanted to. Syntactically valid! The parenthesised bits would be stripped out before sending, and I have no idea whether Gmail would be willing to accept the quoted dots bit.

Haha, I debated about throwing in the multi-dot address. Bummed that it was a bad example. :(

As for parens, I recollect the spec lets you nest your parens and quotes! It's insane. e.g. `f(oo."(bar."baz")."quux)@example.com` is valid in the spec.

I wrote an Oracle regex to parse for valid email addresses and I went against the spec rather than what is what's practically used. It was an insane thing.

Gmail lets you add "." in arbitrary places, but not to append additional text.

For example: foobar@ foo.bar@ f.o.o.b.a.r@ are all valid and normalize the case without the periods.

Periods are handled slightly differently than "+" characters in Gmail -- periods are ignored (so an email to email.spam@gmail would be delivered to emailspam@gmail.com), while everything following a + would be delivered (so email+spam@gmail.com will be delivered to email@gmail.com).

This doesn't work for me

bar.foo@gmail.com

gets rejected as email address doesn't exist when my gmail is bar@gmail.com

That's because the email in fact went to barfoo@gmail.com, not bar@gmail.com

So if you wanted to use it like this you would try something like b.ar@gmail.com

It is indeed a good way to filter out _all_ email...

No, you cant.

FastMail had some of the cleverest ideas for plus addressing. username+tag@fastmail.fm could be given away as tag@username.fastmail.fm

I wrote that! I'm glad you like it. :)

It's been nearly 20 years since I added that feature. I assumed at the time everyone would do it when they saw how handy it is. For some reason that didn't happen...

I used it, Jeremy. Since then I transitioned to sitename@mydomain.email but I still have quite a bit of legacy sitename@myusername.fastmail.fm

Just heard about it today, and just started using it today! Any other cool tricks I should know about?

I use it too! It's fantastic

Thank you!

I use tagname@myusername.mydomain these days, and that's still my favorite feature!

Nowadays I just use tag@mydomain when I interact with websites.

Now adays I simply don't care about spam. It goes in the spam box and is a wasted effort for the criminal

Couldn’t agree more.

If the website is breached, the login isn’t a login for any other website, and advertisers have a harder time correlating your identity, and if you get spam you know who is the culprit, and you can stop the spam by deleting the alias.

With this, no need for any other antispam logic. Back to the mid 90s (which is a good thing as far as email traffic is concerned!).

I always do this as well. I knew for months before they announced it that Dropbox had been breached. Yes, they waited so long to announce that the thieves had started using the emails for spam.

I used this for a few sites, but then stopped as I realized this would be a pain to change if I ever wanted to change to a different email provider.

Wish every provider would support this as I’m sure spammers have caught on to the plus addressing scheme.

The majority of spam [that gets past various RBLs] that I receive is completely ignorant of the dash addressing that I use. It's exactly the same as plus addressing but with a dash instead of a plus.

Pharma spam, 419 scams, password leak crypto blackmail... remember that these miscreants rely on low costs to achieve their profits, so any sort of filtering is too expensive. They don't even filter out abuse@, postmaster@, hostmaster@, or mailer-daemon@.

I run a paid service called Kopi (https://kopi.cloud) that is meant to deal with exactly this issue.

You can use a shared domain:`hackernews@snorremd.kopi.cloud` Or, after setting up an MX and a TXT DNS record, you can use your own domain: `hackernews@mail.snorremd.com`.

You can change the "real address" of any "forwarder" (`snorremd.kopi.cloud`/`mail.snorremd.com`) to relay to any address you want, whenever you want.

You can block individual addresses like `hackernews@mail.snorremd.com` with two clicks starting from your mail client.

You can also configure individual addresses to redirect to RSS so you can read newsletters or other "chatty" services as part of your normal browsing habits.

This should work on gsuite, for example, if you use your own domain and set up a route for unknown users.

Panix.com has a similar feature. If you are dcoder@panix.com, you can use <anytag>@dcoder.users.panix.com, which avoids the problem of places that don't understand "+". I usually use companyname@dcoder.users.panix.com for each company I deal with. (Note, I am not actually "dcoder".)

It's a little longer to read over the phone, but I've never had trouble with it. And I've been able to tell a couple of companies that their email databases had been hacked or stolen.

Disclaimer: just a satisfied customer.

Why couldn't spammers just:

  s/(\w+)@(\w+)\.(fastmail\.fm)/\2@\3/g

...or equivalent?

In that instance you can. What is also nice though is if you have a custom domain, you can set the custom domain to do the same thing AND have an alias.

So for me, I have a few emails in my custom domain:

{firstname}@example.com

market@example.com

(there's others, but it's not relavent to this discussion).

market@example.com just goes straight to spam, as I don't use that email for anything. foo@market.example.com is used for each email instance. It works out extremely well.

It looks like you can accomplish this directly with Fastmail as well using aliases, e.g. foo@marketalias.fastmail.com (or one of their pseudonyms).

I really wish FastMail would add an option to use a minus instead of a plus since most forms properly handle minuses, but many do not properly handle pluses.

It reminds me a gag from the last season of What we do in the shadow. A character puts a toothpick on his lip and suddenly none of the other characters recognise him.

Like if spammers and hackers were not aware of the + notation, and like if it wasn’t trivial to extract the underlying email address by removing anything after the +...

Unless you have an alias that completely obfuscate the underlying email, I just don’t see the point.

I agree. But there are other corner cases where that would be helpful. I’ve worked at a lot of software as a service companies where your email address has to be unique per client for a multi tenant system.

We would create different users for different roles. I would love to be able to use one email address distinguished with a tag.

I use these all the time with my outlook.com account (and Gmail before that). You are right that they don't help with spam. However, they add an extra layer of security because now my logins have both a unique email address and password. Of course, a password manager is mandatory.

I moved all my public emails from first@last.something to first.last@wellknownmailprovider

and then spent a lot of time changing my email address in accounts that I've had a really long time.

Shocked at how badly that went, actually. For certain service providers, I couldn't change my email address and was encouraged to open a new account, which would've meant losing certain records in the old accounts. I couldn't consolidate.

And companies that have different email addresses for their accounts and their mailing lists -- not helpful.

And finally, companies that disable the "update your email address" link in footer of popular email list services, so your only option is to unsubscribe -- good going (not).

What was your reasoning behind moving your emails to a public email provider instead of an email with a domain you seemed to control?

I've been trying to move in the other direction and its been exactly as much of a pain as you've mentioned.

There's a long story here, but here's the short take:

Most of my email accounts are public email provider mapped to domains. But anytime I sign-up for something that's not tied only to one of my work endeavors, I use the non-mapped address. So, newsletters, sign-ups, Amazon account, etc. I don't use any mapped domains for those things, as those kind of come-and-go.

I segregate my personal email and my business emails from the @public-email-provider address, which I want to keep away from my other activities. It also puts all those mailing list emails, legal acknowledgements, etc., in one place as much as possible. I can filter and manage those in one place.

I also don't have a strong sense of personal ownership of that stuff. It's like a PO Box, not my house address. I don't check that account for human- initiated communication. That's my personal address (which gets almost zero traffic these days) and my work/business email addresses.

I have a strong aversion to the company behind public email provider. But I set a calendar reminder for a year out so I don't think about it much until then. I have some endeavors that will let me close up various business activities and centralize to one. If/when that's solid, I'll probably consolidate all my income-oriented business accounts and services [and probably somewhere else], but keep the public... as it's just a PO Box.

I understand the appeal of this feature for sorting, but it seems ineffective for things like "figure out who sold my email to the spammers" because everyone knows about it and it's elementary to just trim off everything after the plus sign.

Unless you do some kind of verification and filter email sent to addresses without a valid suffix?

Since I have my own domain, I receive all emails addressed at whatever@domain.com. Of course, different values of "whatever" end up in different directories, and should one of those display an insufficient SNR, it would go straight to /dev/null. This way the "proper" address, i.e., the one that goes to the actual inbox, is not easy to extract.

The hard part is social acceptance. This morning the Whirpool technician was very puzzled by me giving him whirpool@domain.tld as my email, although he accepted my explanations in the end. (I might use more opaque identifiers, but then I would forget about what is what, so for the moment I am trying to stick with this scheme, until it becomes too difficult)

The social acceptance part is truly hard. I recently received a BS trademark cease & desist because i was using the company name in the e-mail address I provided them & was using to communicate with them.

Personally, i've just replaced the recipient_delimiter default value(+) with "." as that is basically impossible to strip out. Ex, firstname.COMPANY@example.net

I do get a lot of weird looks when handing the addresses out in person, but a quick explanation usually works. I just tell them, that if I start receiving spam from one one the addresses, I can just block it and be done with it. They sometimes counter with "but we won't spam you" and I acknowledge that with "but not everyone is so nice as you" or something like that.

ps: you can use multiple delimiters, so grouping is possible with firstname.bills.COMPANY@example.net

I use the "companyname" part of "companyname@mydomain.tld" to express (often very profane) editorial views about the company when their site won't let me sign-up with "companyname@mydomain.tdl". I'm sure nobody ever sees it, but it makes me feel better.

I have the same setup, with not very many different directories (most just comes to my inbox), since my email load is pretty manageable. I find the most spam by far comes from an address checked in to a public git repo, with my actual (public) github email a distant second and everything else pretty much nil.

The only non-public email so far that has resulted in a lot of spam was the one I gave to the animal shelter when I adopted my cat. (I count unsolicited advertisements as spam.)

I also have my own domain and use a similar setup, with some grouping, such as:

home@domain.tld is for anyone and anything dealing with my physical home. Delivery of an appliance, repairs, homeowner's insurance and such. I expect the email volume here to be low except when ordering something.

fly@domain.tld is for any flight reservations. That's pretty convenient, I can find any old tickets or travel details by filtering for this address, and I also know any incoming mail is likely an ad, unless I just bought tickets.

hotel@domain.tld is for all hotel reservations, and is even more convenient. Unlike flights, I never need any emails from hotels except to see that my stay has been confirmed.

And on the rare occasions I expect to need a throwaway email, I'll use somethingrandom@domain.tld and point it to /dev/null after receiving what I needed.

If bad actors cut off the +, fight back by not using your bare email at all: Provide everyone with a + address, ignore all emails that come without.

I would agree with this technique, but it’s not possible due to the high number of services that don’t permit “+” in the email address or break because they don’t URI encode it. I have several services I will never be able to unsubscribe from because of the latter—and yes, I tried manually URI encoding it and changing the form fields with dev tools.

Such services are likely breaking the law.

Edit: Downvote me all you want, they're still breaking the law… In the US there's the CAN-SPAM act (https://www.ftc.gov/tips-advice/business-center/guidance/can...) and nearly every other country has similar laws. Most of them require one-click unsubscribes to work.

It's still failure to comply even if it's due to negligence/ignorance/incompetence.

How exactly should I go about dealing with Universal Pictures Home Entertainment under the CAN-SPAM Act?

Individuals cannot sue under CAN-SPAM Act and I don't think any state Attorney General is going to bring a suit on my behalf because they didn't accommodate a plus alias.

Little of consequence most likely, but in the USA the route would be an fcc complaint I believe.

https://consumercomplaints.fcc.gov/hc/en-us

The technical details as to why they are failing to unsubscribe you does not matter at all. What matters is, you've unsubscribed repeatedly and they are failing to register your intent.

Send them a letter stating that they are spamming you and hope they will fix it?

They're not saying that not allowing a + is breaking the law, but unsubscribe links being broken (due to the presence of a + in the email) could be breaking the law, especially if there are no alternative methods to unsubscribe.

The parent post to the one you're responding explicitly calls out that they cannot unsubscribe from lists when they've subscribed with a +-address:

> I have several services I will never be able to unsubscribe from because of the latter—and yes, I tried manually URI encoding it

You're allowed to subscribe with an address with the + sign, but the unsubscribe endpoint chokes on the + sign.

I've long held the thought of having a mailbox that receives [everything]@[domain], except certain blacklisted addresses.

As certain addresses get spam and/or I lose interest in the business I gave the address to, I add them to the blacklist. So far, I'm using AWS SES, which seems to be focused on the sending of marketing emails, and are not fussed on receiving, but includes rudimentary blacklisting. So far, it's zero cost.

How is it set up with SES? AFAIK they don't provide a POP/IMAP interface.

SES has rule sets for receiving email. I have one rule that matches all the blocked recipients (addresses at my domain that receive spam), which bounces with 'mailbox does not exist' (then stops rule processing), then another rule after that that puts all mail into an S3 bucket.

Then I have a script that uses the AWS CLI to move all the mail from the bucket to a local dovecot server.

The whole thing is really hacky/experimental at the moment, and I haven't given out any addresses, so all that I receive is spam. But the spam I do receive is very little and quickly adds to the blocked recipients list.

Sending using SES uses the built-in SMTP server functionality at AWS and has very generous limits for one who is not marketing.

I presume the parent means Amazon work mail which AFAIR uses SES to send. Last time I evaluated email services, they didn’t handle catch-all which made that a non-starter for us.

Oh no, not WorkMail. That costs ~US$4/user/month, which is not what I want at all. Check my response to your parent post.

Curiously enough, so far I've only ever observed the reverse happening - spammers somehow ending up stripping off the common prefix and leaving the individual suffix intact.

(Though on the other hand thankfully I'm still not getting much spam anyway and it's only a few addresses that were affected, so I only have a limited amount of data to go by.)

Not really surprising: in the eyes of a naive regex for extracting email addresses from a string, a+b@c.d contains a nicely email-looking substring b@c.d but a@c.d isn't contained at all. Spammer address supply chains aren't usually characterized by the highest levels of sophistication.

Could also be url decoding of the non-urlendocded email which would convert the + into a space.

Hyphens and equals are other options that are supported by various services:

* https://en.wikipedia.org/wiki/Email_address#Subaddressing

Equals specifically is used by mailing list software (esp. Mailman) for bounce processing (VERP):

* https://en.wikipedia.org/wiki/Variable_envelope_return_path

The process for sending email /from/ a + address is tricky.

First -- in GMail at least -- you have to explicitly set up a + account as being in your list of "from" accounts and then you have to remember to use it every time you reply!

Not to mention forgetting the email I gave them when resetting passwords sucks, too. "Was that foo+hn or foo+ycombinator or foo+ycombinator.com or foo+hackernews or... hm... uhhh..." (You need a centralized password manager, in other words.)

I've had several issues where I've replied and sending from the base-address means the conversation goes awry ("We don't recognize this email address"), or at best I still expose the base address because I only remember to reply using the laboriously-created-from-plus address about a fourth of the time.

Good point, I've been meaning to make this a feature request in ProtonMail.

You can't even send from a normal alias in Office 365, so I'd be shocked if you'll be able to send from these '+' aliases.

Wow, that sucks.

I honestly don't see how that would work. Like, how would you unsubscribe to a mailing list? Most these days let you click a link rather than reply with "unsubscribe" but still...

I've had multiple occasions where contact /to/ a business needed to come from the email address I used to sign up with their service (automatic correlation to users I guess).

One particular exchange was particularly painful. Every email I sent was, I assume, routed to a new customer queue. Every email that I sent from my non-+ alias was delayed by days and then dealt with by an unhelpful "we don't recognize this email address".

It was very painful and it was all because I used a + alias as my supplied email address but kept forgetting to use it as my 'from' address.

Had I not had the ability to set it as my 'from' I'd probably have stopped using + aliases entirely.

Finally.

This has only been allowed since RFC 822 (1982). Is there any reason why Microsoft did not support this from the beginning (of Exchange)?

Exchange was originally an X.400-based groupware system, SMTP support was somewhat of an afterthought. Exchange has a long history of not implementing SMTP properly with protocol violations and proprietary payloads (TNEF) and headers (e.g. Thread-Index)

I've been using "Microsoft 365" since 2012, outlook w/ a custom domain and all the grandfathered features. The +tag has always been supported, and I can't really tell what the difference between "Office 365" and "Microsoft 365" is, since the latter appears to include the former, if not identical.

Microsoft recently renamed a majority of their products yet again because if it wasn't confusing enough already, it's even more confusing now!

"Microsoft 365" now includes all of Windows 10, Office 365 (Office on PC) and Azure. This is more geared towards the home market.

Then, there's "Office 365 for Business" which as the name implies is more for business/corporate customers.

It looks like your custom domain is using the old Outlook.com/Hotmail architecture, which already supported +<tags> in email addresses - while Microsoft's corporate offering (running on a cloud based Exchange Server) still doesn't, and they're pushing support for it out later this year.

Same as the difference between a Microsoft account, a Microsoft Passport, a .NET Passport, and a Windows Live ID.

No it hasn’t. RFC 822 essentially says “local-part is whatever you want it to be” and defines no semantics. Certainly it doesn’t say “you can put a plus on and anything after that will go to the same mailbox”. That’s a far more modern notion, and one that is far from ubiquitous. Rather, it says things like this:

> The local-part of an addr-spec in a mailbox specification (i.e., the host's name for the mailbox) is understood to be whatever the receiving mail protocol server allows. For example, some systems do not understand mailbox references of the form "P. D. Q. Bach", but others do.

1982? Back then Microsoft's attitude toward the Internet was "embrace, extend, and suffocate." It made little sense for them to work with the nuances of standards, according their business model back then.

I have added this capability to every commercial web property I've worked on.

> I have added this capability to every commercial web property I've worked on.

I tried doing email validation the modern way: if '@' in emailfield then return True else 'email address needs an @'. The user gets a confirmation email anyway, and the sign-up process was literally name, email, tick a box that you read the privacy policy, and click continue, so they can just re-do that if they typo'd the address.

Iirc the boss decided to set requirements for a regex that I was to implement instead. Or maybe he made the regex and I tweaked it saying "this won't match .amsterdam domains", not sure anymore.

> Back then Microsoft's attitude toward the Internet was "embrace, extend, and suffocate."

I'm pretty sure that's close to Microsoft's current attitude towards the Internet.

their Outlook.com has this for years, I'm surprised O365 didn't have it

outlook.com is an extension of hotmail.com, whereas O365 is built onto Exchange...

Outlook.com supports Exchange

I think if you have the means, you should always get a custom domain for your email address. Your email address is the key to your online identity. You should own it, and not lease it from someone else.

And it is not like you have to manage your own email servers. You can use services like fastmail or any number of email providers to receive email on your own domain. You also have the ability to change your implementation without changing your address. You can decide to host it yourself, or go to another provider without having to tell all your contacts that you are changing your email.

It becomes trivial to actually give out email addresses that are customized for the service. Instead of me+service@hotmail.com you can give out service@mydomain.com.

In my opinion, the money you spend for your own domain for email, is well worth it.

I wonder why there are no email providers that offer an infinite number of aliases that cannot be associated with the primary address. Simply offering any aliases would soon fill out easy-to-remember addresses, but can't email providers offer a feature to add a randomly-generated address such as 098f6bcd4621d373cade4e832627b4f6@email.provider? This way, users can use a different email address on a different web service when registration, which would reveal no information about the user and drastically improve users' privacy. In addition, it is easy to track down which web service is at fault in the event of receiving spams via sold user data.

Maybe they will get around to fixing their In-Reply-To header removal madness one of these decades too, would be something!

Tired of Microsoft users subscribed to mailinglists constantly breaking threading.

I found out this was a bad idea to use when I used it with gmail to signup for AirBnB. I had forgotten that I used it.

I created a new account without it, but I could not bring over my past reviews.

I had to normalize email addresses in my web service by removing "+..." because of spammy users. My god, spammers are often so obvious...

They had to. This was the only reason why people would refuse to migrate from GSuite to Office365.

I don't think it is the only reason. Labels in Gmail are still really nice. Microsoft Outlook rules will often duplicate messages and smart folders using search filters don't work between browser and email client. Using IMAP they are simply virtual directories like they should be.

Microsoft Calendar is also pretty bad too. Like in a large organization you'll often have people leave the company. When you delete a series in Outlook with multiple people it tries removing the history for everyone which is important dates. There are a lot of nuances that would prevent me from ever switching to Office. Even OneDrive is tied to SharePoint and it is way too easy to break.

I'd rather have a properly supported catch-all than + addresses.

You could use such addresses already, but had to configure an address regex for each user.

They should just fix searching in Outlook web instead.

LMAO so true. The search is beyond dire. Not much better on the desktop either.