Ideas and Validation January 12, 2021

Is this a terrible idea?

ConsoleFreak

Over Christmas I built a lightweight mail service (we'll call it "mailz" — that's not its actual name) because I was tired of having to give my email address to every website/app/service that demands it. Why? Because the more places I put my email address the more likely it is someone will get it who shouldn't, and the more likely it is to be abused. I'm thinking along the lines of:

  • spam
  • hacking
  • inclusion in mailing lists for sale or free (yes, it happens, and leads to even more spam)

That last point I'm sure has happened many times, but there's no easy way to keep track of who has your email address.

I've tried other solutions over the years:

  • multiple email accounts (they clutter up eventually, or credentials get lost)
  • Gmail "+" labels worked for a while, but many web forms consider the "+" symbol an invalid character (it's not)
  • temporary email services are extremely hit and miss and are blocked quickly (and many seem dodgy)

I just wanted to be able to signup for some things without sacrificing my privacy. I needed a "public" email address, one that it's safe to give anyone, but that had lower overhead than a full-blown email account. At the same time, it couldn't be a throw-away address.

So I built "mailz" for myself. It started out as a proof-of-concept, now I'm feeling like it could be more. It's already operational with it's most basic features working as intended, but it's definitely not ready for the public — it doesn't have a landing page, or any explanations of what it is for, or what it does.

So, what can it do so far?

  • Unlimited simple aliases — an alias derived directly from your "mailz", but is indistinguishable from a regular email address. I haven't come across another service that provides this feature.

  • Unlimited domain aliases — an alternative method to create aliases on a single-user domain, provided by "mailz".

  • Automatic deletion — because the majority of emails have a short lifespan (offers, activation emails, notifications, etc).

  • User-defined deletion period — specify how long messages are kept. Mailbox remains clutter free with zero effort.

  • One-click forwarding — if you want to store something longer-term, send straight to your main account with one click.

  • Simple sign-up/log-in — via social login or magic link.

  • No ads — ever, because I hate ads.

  • No sharing of data — ever, because I believe both in privacy and the right to selective disclosure.

I also have other features planned that either aren't available from most providers, or they're unnecessarily expensive.

How is "mailz" intended to be used?

It's meant to be used as a superficial substitute. When I conceived of this idea I didn't want to get rid of my main email account, just better protect it; giving it to fewer entities is a simple way to do that.

If signing up for an app, website, or online service that you don't trust or are still evaluating, you'd use your "mailz" address instead of your personal/private one. One of the benefits is that you can use your aliases to create email addresses for specific services. If you start getting mail to an alias address from an unexpected sender, you'll know from where it was leaked or stolen. There will also be more fine-grained control around who can even send to you (or your aliases).

Any feedback on the idea would be greatly appreciated. If anyone is interested in being a pre-alpha tester (yea, it's that early), say so in the comments or drop me a message.

If you got this far, thanks so much for reading!

  1. 5

    Isn't it like this: https://burnermail.io/? They're even a extension so you can create emails when signing up.

    1. 1

      Thanks for sharing the link. You're right it is similar, though I can see some differences in how burnermail works. I'll explore and see how much overlap there is.

  2. 3

    This sounds like an awesome idea for privacy-minded people!

    The paid email service mailbox.org has a throwaway alias feature as well. However, you can only have 11 of them and they expire if you don't renew them. Their biggest differentiation in their marketing is their focus on privacy. They have a free trial, so it might be worth checking out.

    As for your audience, IndieHackers might not be the right place. Your audience is privacy-minded people. I would ask in communities like reddit.com/r/privacy where privacy-minded people meet and talk. Disregard all "I would not pay for this" advice from people who are not in your target group, i.e. who do not deeply care about their privacy.

    1. 2

      Thanks nikwen, this is very helpful. I'll checkout mailbox.org and the subreddit you mentioned — great call.

      1. 2

        The subreddit is only for open-source software. Trust me, I have tried :D

        1. 1

          Thanks for the heads up. I'm still in the process of evaluating the other services mentioned in this thread so haven't got to the subreddit. I'll have a good read and see if it seems suitable.

      2. 1

        Good luck on your journey. Make sure to report back on IH how it goes. :)

  3. 3

    If I'm reading this correctly, your idea is a website where you can access and store throwaway emails but still have security on each email address.

    I think it's a unique idea and that some people would use it. I have used throwaway emails on multiple occasions but have not thought of using a single network.

    I most likely wouldn't pay money for a service like this, and I doubt many would. Most people would (most likely) use your service as a 30-day-free-trial-network, which is usually the demographic looking to not spend money in the first place.

    There's also a lot of potential for abuse with spam bots potentially creating a network of outgoing spam using your service. I would make sure you have precautions against it.

    1. 1

      Thanks James. Your thinking around use of the service echos thoughts I've had. This creates a challenge because I'm opposed to monetisation via ads, but there are potential costs to cover if it does pick up a moderate number of free users.

      There's also a lot of potential for abuse with spam bots potentially creating a network of outgoing spam using your service. I would make sure you have precautions against it.

      Agreed. The plan is to implement reCAPTCHA or equivalent if — and long before — it's made publicly available.

    1. 2

      Hey ostap. I'm familiar with Relay. Our purposes are certainly aligned but the approach is quite different. For one, an extension isn't required to create aliases, they can be generated on the fly with no additional work (and, of course, you can create them beforehand).

      Also, my service isn't limited to a single browser. It was important to me for it to be available to as many devices and browsers as possible.

      Lastly, I don't think Relay allows you to choose your own aliases. With my service you have the flexibility to create an unlimited number of custom, meaningful aliases, rather than random characters/phrases.

  4. 2

    The title of this post was a great hook. I'll be using it for something later!

  5. 2

    Yeah I'm onboard with this. Sounds like a great idea and I'd love to try it.

  6. 2

    I am happy to be alpha tester. here is my email id [email protected]

  7. 2

    I paid for https://throttlehq.com/ a couple years ago, but their site wasn't updated very much and it became a hassle more than anything. The danger I ran into is that if I bought something from a company, I would want the receipt to come to my personal email instead of throttle. And once I cancelled I figured out there were a few sites that I ended up locking myself out of since they were associated with throttle.

    I don't think this will be a path I go down again personally. Best of luck with your business though.

    1. 1

      Hey Ryan, thanks for sharing your thoughts. My service permanently allows free access to your account, regardless of whatever paid features are introduced in future. Important emails (like receipts) can be forwarded. This could be done automatically, if you think there'd be regularly be emails you want to preserve).

  8. 2

    For sure - seems like a great problem to solve. I regret not trying to use some kind of throw away email address when I started my company two years ago. Now I'm on tons of newsletters, mailing lists, and I get cold prospected daily. My personal email is even worse. I must get 40 crap emails a day that I really couldn't care less about.

    1. 1

      This is the state of both my personal and professional mailboxes. It's really not how I wanted them to be. Just like with my phone number, I don't want incoming comms from random people. And with email it's worse because the junk quickly accumulates. Unsubscribe, block, mark as spam, but it keeps coming.

  9. 2

    Seems like most average users won't understand why they need it.

    Is it better than just starting a second free Gmail and handing that out?

    Login with Apple lets you avoid giving out your email, do you have an Apple device?

    1. 2

      On the contrary. I think if you do the marketing right (particularly the messaging), people will understand the value instantly. Everyone gets unwanted spam.

    2. 1

      Hey Josh, I'm an Android user, so I guess that option isn't available. Is that something you can do across any service or only when signing in on an Apple device or with your Apple account? I'm wondering if you can protect your email the same way when signing up for a newsletters or some random site/service that doesn't support login with Apple.

  10. 2

    I think the is a really good idea. I’m actually in the middle of submitting an app to the App Store and I had to submit like three different times because the account I provided them with used an email service that wouldn’t allow them to login from a different location. Basically it got rejected because they couldn’t sign in until I figured out a work around. An email service that doesn’t check stuff like that would have been really useful

  11. 2

    It's a great idea. Check out https://simplelogin.io/ for something similar.

    1. 2

      Thanks Paul. Simple Login looks interesting, and at first glance I can already see some advantages over it, but will explore it fully and see what I can learn from it. Much appreciated.

  12. 2

    +1 to what James said.

    + As you mentioned these solutions;

    multiple email accounts (they clutter up eventually, or credentials get lost)
    Gmail "+" labels worked for a while, but many web forms consider the "+" symbol an invalid character (it's not)
    temporary email services are extremely hit and miss and are blocked quickly (and many seem dodgy)

    These are easy to go through and keep my wallet in my pocket. I'm using temp mails a lot as well, if one doesn't work second usually works. Also I don't see a solution to cluttering or getting blocked.

    However the process is always the same and no one improves that part, search on google, try to remember which one worked well last time, click, wait to load, get bombarded w/ ads, copy and change tabs, paste the mail, change tab etc... I don't think any of those services offers a browser extension to make the process smoother.

    We need those accounts whenever we need it, not for later use. They saves us from spam, unwanted messages and distractions.

    IMHO an improved solution would be like this;

    • Click the extension, auto-generate the mail addr and copy to clipboard.
    • Paste it into the form without changing tabs,
    • Get the mail from extension while on the same page,
    • Store it in the local storage, maybe, not necessarily.
    1. 3

      Man, that improved solution just made me realize how awesome it would be to have a temp email alias provider that was as simple as putting your email in a bit.ly like link shortener that gave you a temp address that can be revoked whenever.

      1. 1

        I quite like that, though not sure how valuable it would be in this service since it's already possible to create aliases on the fly. Definitely worth thinking about though.

    2. 1

      Maybe if you combined two major functions: email alias management and login management (ie, a password manager)? That way, you're using new email aliases to log into websites, each with a unique password, and then you could track where you submitted a particular email alias. And if you start getting spam, you know who sold your information.

      1. 1

        That's an interesting suggestion. I already use a password manager so it never occurred to me to add that form of management layer to the service.

        First thought is that there's a possibility of conflict if a password manager is in use already. I also don't feel that comfortable with the idea of managing passwords, which is one of the reasons the service uses only passwordless authentication methods.

        1. 1

          That and the complexities of coding more features. So, it's scope creep for sure but I thought it interesting and useful to mention. As far as a conflict, no not really. I've had and used Keeper and LastPass both at the same time. But yeah, there are certainly security ramifications of how you'd protect the password store. Not insurmountable but a concern all the same.

    3. 1

      Thanks anilkilic.

      These are easy to go through and keep my wallet in my pocket. I'm using temp mails a lot as well, if one doesn't work second usually works. Also I don't see a solution to cluttering or getting blocked.

      I guess you've had better luck than I have in recent times, but I can see how experiences can be mixed here. :-)

      You make a good point though about the process, because it tends to be clunky. One of the things the service does to mitigate this is to allow aliases to be created on the fly, without having to go into a separate interface or open a browser extension. This eliminates the need for:

      Click the extension, auto-generate the mail addr and copy to clipboard.

      The idea of having a browser extension crossed my mind, but I wondered how beneficial it would be. For instance:

      Get the mail from extension while on the same page,

      ...is potentially quite easily simplified by just showing a push notification (for things like activation/confirmation emails, anyway).

      I think this further reduces the effort to use the alias. What do you think?

      I agree though that for viewing mail in full, a browser extension might make it more convenient for some. However, it's arguable, because switching tabs is literally just ctrl+tab away, so would really depend on the user.

      Thoughts?

      1. 2

        Well I had to persist, it usually worked on second at most but even if it didn't work. I'd either try more or one of my disposal gmail accounts. I'm unable to see that advantage over there, there is no guarantee for mailz accounts to be not blocked.

        If I need to open my mail interface and put my login credentials, I simply use another free service. I still don't see a significant reason to pay. Of course if I were a paying for an @hey account for some unknown reason, I wouldn't mind paying for your service too. You'll need to find those people in the end.

        What's the difference in between using [email protected] and [email protected] It's harder to trust smaller companies or indies on confidential topics. You won't have the same security level with gmail so it's not going to be my primary or personal account.

        Lastly ctrl+tab was never my thing, when I fire up the browser I start with at least 4 tabs and it never falls beyond that number.

        Haha, I remembered someone on IH put a spam protection to their site and even there I was able to register on my second try. I guess I should buy a lottery ticket.

        https://www.indiehackers.com/post/just-deployed-fake-email-detection-a2d6dd7fc4?commentId=-MHm_ArN_v4ksrsnjSrd

        1. 1

          What's the difference in between using [email protected] and [email protected]

          The main difference is the former eliminates the need to create multiple disposable accounts, unlike the latter. I understand that for some, like yourself, that's not an issue. Also, what I didn't make clear: simple aliases are available for free. I think this makes it more likely that it would be used.

          It's harder to trust smaller companies or indies on confidential topics. You won't have the same security level with gmail so it's not going to be my primary or personal account.

          Indeed. As I noted, it's intended use — and the way that I use it — is as a secondary account. It's not for your bank account or utilities, but rather for non-critical uses (like the general example given in my original post).

          Haha, I remembered someone on IH put a spam protection to their site and even there I was able to register on my second try. I guess I should buy a lottery ticket.

          I was thinking more about protecting against automated/bot sign-ups, rather than fake email detection. The way its designed would make it incredibly difficult for bots or humans to spam via the service.

  13. 1

    I'm curious how much of an issue this really is:

    Gmail "+" labels worked for a while, but many web forms consider the "+" symbol an invalid character (it's not)

    I have yet to run across this limitation, and this is a convenient and free alternative built right into gmail.

    1. 1

      Hi Mark. Perhaps it relates to the line of work I'm in, or just my natural curiosity, but I end up signing up for and trying out lots of apps and services. I guess this exposes me to more forms than the average user, but I can assure I've encountered the character restriction enough times for me to class the "+" as unreliable.

      Not only that, but the "+" approach still exposes your email address — anyone can just strip off the "+" and do as they wish with it. So, it's not that effective for keeping track of and managing the use of your email address.

      Also, please note that the main features of "mailz" are free. :-)

      And bear in mind that the limitations around the "+" approach was just one of various reasons I decided to build the proof of concept.

      1. 2

        Good points all around! I guess if the focus is privacy then having your email exposed with the "+" method isn't great.

        Apple is giving users the option to obscure their emails with the "Sign in with Apple" feature, which is now mandatory on iOS apps AFAIK, so I'd say that's validation for your idea.

        It would be cool to have a browser extension like LastPass that has a "fake" email ready for you when you sign up for a new account. This would go well with a password manager now that I think of it...

  14. 1

    Sounds to me exactly a temporary email service. I don't see any difference, maybe I'm wrong ?
    Also, creating a new gmail is a good alternative (and free), and use this email for similar usage

    1. 1

      Hi Tim, I can see how it might seem that way, but the email account is actually permanent. The email account is also private, unlike typical temp mail services. "mailz" could be used as temporary email service, utilising throwaway aliases, but I think an equal or greater use case (and one of the ways I use it) is long-term, to filter, organise, and even track usage of your email address, all in a very simple way and with minimal effort.

  15. 1

    I really don't understand the need for this kind of service. I have just created a yet another email on Gmail with the natural looking but but not a real name.

    I use it for all the a account whose services I don't intend to use for longer time or as a solution for some serious problem I care.

    So now where is the question of privacy when your identity is fake at the root ?

    Please correct me , If I have understood your product wrong .

    1. 1

      Hi sachingk. Alternate Gmail accounts are something I've created too. Among other issues, I've noticed that it's easily linked to my main account. Unless you're really diligent, your alias can end up with an undesirable association with your main account. For example:

      • go to a site like Medium, or some other that supports signing in with your google account
      • when you're not already signed in, a pop-up/notification appears in the corner of the browser window suggesting you should login
      • there's a very good chance that it lists multiple accounts, including your alias

      This might be harmless, it might not. I also don't know for sure what can be derived from this by external services, but personally I'd rather have complete separation.

Recommended Posts