Online security used to be simple. All you needed was a good password, and in the early days, you didn’t need a ton of numbers, letters, and special characters to achieve that goal. No need for antivirus software to verify you were logging into legitimate sites, either. Privacy also wasn’t quite as fragile as it is today. Your email wasn’t constantly being lost to yet another data breach.
But as hackers and criminals get more sophisticated, so have recommendations for best security practices. Currently experts recommend the use of unique, random passwords (and the more characters, the better), plus two-factor authentication as a strong baseline. But you can go further—and companies on the frontlines of cybersecurity are trying to make that easier.
One such step is called masked email. (You may also hear it referred to as email masks or email masking.) It formalizes a long-available feature known as email aliases as a privacy and security measure. A randomized email address is created to hide (aka mask) your true email address for an online account. Any correspondence sent to the masked email address gets forwarded to your actual inbox. The sender doesn’t know about the email’s final destination. They’ll only find out if you accidentally reply to a message as your main account.
The benefits are twofold. You get better privacy, because the more you use different masked email addresses (ideally, one per online account), the more you limit the potential fallout of the information leaking in a data breach. That email address won’t work on other websites as a login ID or for a password reset. Nor can someone take over the address like with an actual account. It’s just a forwarding address, and a disposable one at that.
Masked email vs email aliases
PCWorld
If you already filter your incoming email and/or guard against spam by using email aliases, masked email may sound like an empty marketing term for a familiar feature. But there is a slight difference—email masking is a narrower use of email aliases, with a particular style in how the aliases are created.
With masked email, the focus is on auto-generated random, unique identifiers. Think 4k9xkeo@emailservice.com or even siftflask.3242@emailservice.com. You don’t need to come up with your own aliases, thus streamlining their use. The suggested aliases also completely obscure your email address, which inserting periods into your username (e.g., random.username@gmail.com) or adding a plus sign and an extra phrase (e.g. randomusername+alias@gmail.com) don’t achieve. You should also get streamlined controls to block incoming mail or disable the forwarding address if it gets flooded with unwanted email.
The result is a faster, easier way to maintain anonymity in your contact info—and for sites that default to email addresses as usernames, your login info too. With the added benefit of integration with some browsers and password managers, email masking saves time and reduces the hassles of the DIY route.
Ways you can start using masked email
PCWorld
Two common ways to get email masking is through an email provider or a dedicated service. Email providers offer the feature as an integrated part of the service. Access will likely cost you a little bit, though. Only a few providers offer masked email, typically bundled into paid plans (e.g., Apple iCloud+, Fastmail, ProtonMail). That said, ProtonMail does offer a limited amount of masks for free, and prices otherwise start as low as $0.99 USD per month (iCloud+).
Dedicated services can be used with any site, main email address, browser, password manager, etc. You create an account using the email address you want to receive the forwarded email, and then create masks through the web interface or a browser extension. Some services also offer premium plans that allow sending and replying from an email mask, support larger file attachments, and generate email masks for multiple email addresses. All email masks are managed through the service, which is less convenient than with an email provider. You won’t have a single repository for your direct and forwarded email.
To really simplify the incorporation of email masking into your daily flow, choose a service that integrates with a password manager. Once you connect your email account or masking service, you’ll be able to create the email masks directly within the password manager. It eliminates the need to copy and paste the new forwarding address when saving login info. Right now, 1Password has a partnership with Fastmail, and Bitwarden has relationships with Fastmail, SimpleLogin, Addy.io, DuckDuckGo, Forward Email, and Firefox Relay. Apple users can use the company’s Hide My Email feature; email masks automatically save to iCloud Keychain if you actively use the latter.
Alternatively, you can pick a password manager like NordPass that directly handles email mask generation.
Free email masking services
PCWorld
While getting masked email through an email provider usually costs money, dedicated services usually offer a free plan. They’re more limited in scope but still a great start.
Addy.io allows you to create unlimited “standard” email masks. These are based on your Addy.io username, however—so if you want more privacy, you can then use one of your 10 free shared domain email masks. You can send and reply from your aliases, too. The catch: You’re limited to 10MB (yes, megabytes) of bandwidth per month. The company estimates that to be roughly 140 emails max. (Start adding in attachments and that drops very, very fast.)
SimpleLogin offers 10 free forwarding addresses. There are no bandwidth limitations, and forwarded emails can be up to 25MB each. The service also allows you to reply to email from an alias, too.
Firefox Relay lets you create just 5 free forwarding addresses, with a 10MB size limit per email and no bandwidth limitations. It’s the most stripped down of the freebie tiers, but it makes the list for a couple of reasons: It works across devices (and browsers—there’s a Chrome extension, too), and upgrading to the paid tier with unlimited addresses and the ability to send email from aliases is just $12 per year. (If you’re intensely focused on privacy, consider quitting Chrome and switching to Firefox while you’re at it.)
PCWorld
Apple users also have an alternative option called Sign in with Apple. For apps and websites that allow you to sign in with your Apple ID, you get access to a limited form of Hide My Email, the company’s email masking service. Apple will generate a random forwarding email that will pass messages from the site or app to your Apple ID’s linked email address. Unlike with the version of Hide My Email that comes with iCloud+, you can’t change the generated aliases or create ones independently. Also, as a general security note, signing in with this method can carry risk, since anyone with access to your Apple account could also then access linked services and apps, too.
P.S.—Unique user IDs help online privacy and security, too
The general concept behind masked email can be applied to creating user IDs, too. For sites that ask you to create a dedicated username (e.g., randomuser1), going with a new identifier each time makes it harder for people to track you across the web. Unauthorized access to your other accounts is less likely, too, when your username and password are different for every site and app. And you can combine masked email with a unique user ID so that you’re really hard to trace—useful when signing into sites that have yet to implement passkeys, a more secure alternative to passwords. (Or when, in the name of saving your future bacon, you still keep a username/password combo as secondary method of logging into an account with passkeys enabled.)
Sounds complicated? This is why a password manager is so handy. It lets you continually level up your security with very little mental burden, especially if you pick one with support for email masking and passkey storage. Choose a paid password manager or a free one—either will make life easy.