How to use the Bitwarden forwarded email alias generator

How to use the Bitwarden forwarded email alias generator(bitwarden.com)

135 points by humanperhaps 1 year ago | 64 comments

Huge! Well done to the Bitwarden team for this first class support of digital identity compartmentalization, although a bit more improvement to be made to reduce friction on the user side for plugging in alias providers (pop up to login to retrieve an API token behind the scenes vs the API token copy paste dance, with login creds Bitwarden might be storing already).

Edit: Is there a standard or API spec perhaps across email alias services for generating, listing, managing, and invalidating aliases?

(happy paying bitwarden customer, no other affiliation)

Ringz 1 year ago |

It's been like this for years. However, with one of my own domains and a catch all rule in the e-mail server. Why? From time to time, some services require that you send emails with exactly this e-mail address as the sender. And that doesn't just work with most services. Because in such a case, you have to turn exactly this e-mail address into a real account with a mailbox.

saghm 1 year ago | |

For me, the value of using aliases on my own domain isn't anonymity, it's provenance; I can tell where my email was obtained from based on the the prefix used. If I get an email sent to git@<domain>, I know that someone (or something) was looking at git logs to get it, if it's sent to resume@<domain>, I know someone got it from my resume, etc.

tamimio 1 year ago | | |

Pretty much my exact same reason, plus the separation of concerns concept. If a service got breached and that email leaked, I don’t have to worry about using that email to brute force other services.

dinglestepup 1 year ago | | |

In most cases you can have the same level of provenance with a plus addressed email, without needing to support a custom domain.

zfa 1 year ago | | |

I bet no spammer or salesperson would ever think of replacing such a generic localpart to get to your eyeballs.

CaptainNegative 1 year ago | |

In principle, someone seeing heido15wkj6@yourraredomain.com, yua16ooaaj2@yourraredomain.com, and kqoq91inhi4@yourraredomain.com in a dump might be able to infer that all of these belong to the same user with a catchall address (especially if they can verify that the domain is unpopular via dns caching or other tricks). Using a common service adds another partial layer of anonymity between the email addresses, making one harder to track.

ziml77 1 year ago | | |

Especially necessary when your domain is your full name. It's painfully obvious that all addresses under the domain belong to a single person. I've been using Fastmail's masked email service for a while to hide my personal domain. And before that I had a handful of gmail addresses that I set to forward to my main address.

Ringz 1 year ago | | |

Theoretical yes. But never had that. It is more likely that generic, non existant emails like info@domain.com, admin@domain.com, etc. will be generated if you have a domain with a public website.

OptionOfT 1 year ago | |

AFAIK Fastmail is the only service that allows you to respond from an arbitrary email address (of course, provided that you prove that you own the domain).

You can do it in Office 365 but it's tedious, you have to add the alias and then you can email from it.

Ringz 1 year ago | | |

If you do that with a good web host [1], its cheaper than Fastmail or any other mailservice.

[1]:https://www.hetzner.com/webhosting/

I am not affiliated with Hetzner.

m-p-3 1 year ago | | |

Firefox Relay Premium lets you do it

https://relay.firefox.com/faq/#:~:text=can%20i%20reply%20to%...

erinnh 1 year ago | | |

I’ve been doing this with SimpleLogin for years. I’d expect anonaddy to be able to do the same.

upon_drumhead 1 year ago | | |

Gmail for domains allowed the same, you had to add the alias and then you could email from it.

dinglestepup 1 year ago | | |

Startmail.com and Protonmail.com allow responding from alias email addresses.

uselpa 1 year ago | |

Not necessarily. You can for example configure both Thunderbird and mailcow to allow you to reply from any address (of the domains you manage, of course), without having to create the mailbox.

Ringz 1 year ago | | |

Creating a mailbox is effortless. At least at my web host.

subract 1 year ago | |

addy.io allows you to send email from any of your aliases. It’s a little clunky, but it’s the sort of thing I do so infrequently I don’t really mind.

https://addy.io/faq/#how-do-i-send-email-from-an-alias

Ringz 1 year ago | | |

But only for 30 aliases for 4$/month.

tamimio 1 year ago |

That’s great, but there’s a caveat. When I normally create a random email with my own domain as a username, I am not tied to a specific service. I can always migrate to another one without having to take any action. However, if I used this with Fastmail, for example, the generated emails are with fastmail.com or similar domains that aren’t under my control. If I wanted to migrate in the future, I would have to redo all of these randomly generated emails.

toomuchtodo 1 year ago | |

It's an important consideration; email sovereignty is at odds with a domain hosting relay aliases where you can blend in with everyone else. Perhaps the solution is a mechanism where you can migrate aliases between services, creating new aliases and updating at each service, and invalidating old aliases, all programatically. Somewhat similar to token and secret rotation. It's just a string identifier that can be an email target.

tamimio 1 year ago | | |

Or maybe having an option to generate aliases using my own domain. I don’t mind exposing my domain or even creating a new domain only for this purpose, say @aliasdomain.com. That way, I am still in full control and utilizing the generated aliases.

dinglestepup 1 year ago | |

As mentioned somewhere in this thread, using a custom domain poses other risks, in some cases more significant. All your aliases will be forever tied to your identity (and potentially de-anonymized by a single leak).

tamimio 1 year ago | | |

> All your aliases will be forever tied to your identity

A separate domain can be used if really needed. But even with using my own domain, I don’t see it as a problem. After all, emails are not anonymous, and a leak with an alias with a custom domain is still meaningless and doesn’t affect other services.

NoboruWataya 1 year ago | |

Bitwarden allows you to specify a custom domain for this (assuming that your email forwarding service is configured to work with that domain).

renewiltord 1 year ago |

Ah, this is nice. It brings the Apple Hide My Email functionality (though not compatibility) to all platforms, which is something I do desire since using Hide My Email makes non-Apple platforms unusable for logins.

dublinben 1 year ago | |

Why would using Apple's Hide My Email functionality make non-Apple platforms unusable for logins? If you're storing these credentials in a cross-platform password manager like Bitwarden, you should be able to enter your (fake) email address and password anywhere to sign in.

joeyhage 1 year ago | |

You can create on-demand Hide My Email aliases[1] that deliver to your Apple account email address without using your AppleID to login.

[1] https://support.apple.com/guide/iphone/create-and-manage-hid...

niklasmtj 1 year ago |

Oh this is funny to see. I just posted a blog post talking about Email Aliases an hour ago without knowing about the Bitwarden announcement.

I would love to see aliases being promoted more and more by companies. In the end most companies want to get in touch with you via e.g. a newsletter. So why do they need exactly your private email and not just an email alias. In the end they're reaching the same person.

noman-land 1 year ago | |

They don't want to send you a newsletter. They want to get you to click a unique, personalized tracking link so they can drop a cookie in your browser and start tracking everything you do and tying it back to a single, named identity in their contacts database that they can then try to extract money from.

rework 1 year ago | |

They need the exact email address because:

1) Prevent duplicate account creation

2) Users forget what email they used to signup (this happens ALLLLLL the time with + emails)

3) To sell your data, link you, and spam you.

lygten 1 year ago |

This will do the same thing: curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'

dlkmp 1 year ago |

Is this really a problem people have? I personally just use some free mail account for all low-priority stuff without push notifications enabled in my client apps.

DrBenCarson 1 year ago | |

People use password managers so they can conveniently have a single password without a single breach compromising all of their accounts.

This is the same idea but for their email identity.

jabroni_salad 1 year ago | |

Here's a fun one: https://www.martinvigo.com/email2phonenumber/

The more places you use the same email address, the greater your exposure.

knowaveragejoe 1 year ago | |

If you are privacy conscious, yes. Compartmentalizing emails used for services is useful. It also tells you who is selling your information.

toomuchtodo 1 year ago | | |

Also, when it is clear someone is abusing the email you provided, you can nuke it. Perhaps some functionality to be had here between aliases and haveibeenpwned detecting an alias in a breach, queuing for alias cycling or invalidation with a human approval step.

eli 1 year ago | |

If one address is getting spam I can just turn it off or filter it to the trash.

stranded22 1 year ago |

A shame that Apple Hide My Email isn’t available within Bitwarden. I use that occasionally and would love to have it integrated and working together.

NoboruWataya 1 year ago |

This seems to just generate a random string to go with whatever domain I have set. Personally I prefer my email aliases to be of the form `<business_name>@<my_domain>` or `<website_domain>@<my_domain>`. That way if you do start getting unsolicited email it is crystal clear who is spamming you (or has sold/leaked your data).

In fact, given it seems to just put a random string in front of a domain name you give it I'm a little curious as to why they need your API key at all - is it just to ensure that you are not creating duplicate email aliases?

zfa 1 year ago | |

Needs your API key as it needs to access the email forwarding service which you want to use with it.

It's not just making up a bullshit address, it's generating a random localpart then going to the email forwarding service you've integrated and having that service create an email forward to your real address per whatever settings you have there.

Any email sent to the address it generates (signup confirmations, password resets etc) need to get to you, after all.

This design is completely different to using <business>@example.com. The latter is kind of useful for your use of 'who has sold my address' but has privacy drawbacks this design doesn't. e.g. if a spammer gets bestbuy@exmaple.com they know you prob also have twitter@exmaple.com, facebook@exmaple.com or whatever else and it's all just the same guy with the same inbox.

Truly 'random' addresses at generic forwarding services means that if Ashley Maddison gets breached again then your secret remains safe. sj4h3bd@forwarder.net could be anyone.

NoboruWataya 1 year ago | | |

> It's not just making up a bullshit address, it's generating a random localpart then going to the email forwarding service you've integrated and having that service create an email forward to your real address per whatever settings you have there.

Fair enough - the one I use automatically creates an alias whenever it receives an email at the relevant domain so there's no need to manually create one, I assumed the other services were the same.

dumpHero2 1 year ago |

How do you send email or reply from the alias that you create?

NoboruWataya 1 year ago | |

It depends on the alias service you use (this appears to just give you another frontend to your alias service, eg, Addy.io or Firefox Relay). I know with Addy.io, forwarded emails have a special "Reply-To" header which is an address that Addy.io monitors and will forward your response back to the original sender. So replying to email delivered to your alias isn't a problem, though I think initiating an email from an alias would be tricky.

joeyhage 1 year ago | | |

It’s possible to initiate from Addy as well. For example, if your Addy alias is example@mailer.me and you wish to email hn@gmail.com then you would send an email to example+hn=gmail.com@mailer.me from the email address registered to the Addy account.

The Addy app has a utility to generate this, too.

amelius 1 year ago |

How is this different from Firefox Relay?

dinglestepup 1 year ago | |

It's not in the same category. You can use Firefox Relay as an alias generator within Bitwarden. It provides a convenient UI and an integration with the password manager.

amelius 1 year ago | | |

I still don't understand why I would need Bitwarden if I use Firefox Relay, sorry.

woldemariam 1 year ago |

this has to be done on every instance of where I use Bitwarden separately?

lygten 1 year ago | |

curl -s https://raw.githubusercontent.com/first20hours/google-10000-... | shuf -n 3 | tr '\n' '. | sed 's/\.$/@example.com/'