How to Sign Up for Anything Without Handing Over Your Real Email
A practical playbook for using disposable addresses, aliases, and forwarding to keep your primary inbox clean, catch data leaks, and still receive the reset links that actually matter.
EvilMail TeamJune 25, 202611 min read
# How to Sign Up for Anything Without Handing Over Your Real Email
Your primary email address is the closest thing you have to a permanent online identity. It is the recovery anchor for your bank, your password manager, your tax portal, and roughly forty other accounts you have forgotten about. And yet, every time a store wants ten percent off in exchange for it, or a PDF sits behind a lead-capture wall, or a forum insists on "verifying" you before you can read a single thread, you are asked to hand that identity over as casually as a business card.
Most people do. Then they wonder why, two years later, an address they only ever gave to one obscure webshop is receiving crypto spam in three languages. The answer is boring and predictable: that address was scraped, sold, breached, or all three. The good news is that you never actually had to give it out. There is a whole layer of email tooling — disposable inboxes, aliases, forwarding, catch-all domains — that lets you sign up for almost anything while keeping your real address to yourself. This is the playbook for using it well.
First, decide how much the account is worth
Before you type an address into any signup box, ask one question: if I lose access to this account forever, do I care? The honest answer sorts every signup into one of three buckets, and each bucket gets a different kind of address.
Throwaway. You need to see one email — a confirmation link, a download, a one-time code — and then you will never log in again. A recipe site, a wifi captive portal, a PDF whitepaper, a coupon. These deserve a disposable inbox and nothing more.
Recurring but low-stakes. A newsletter you might actually read, a shopping site you will return to, a hobby forum, a streaming trial. You want mail to keep arriving, but if the account vanished you would shrug. These deserve a per-service alias that forwards to your real inbox.
Critical. Anything tied to money, identity, or things you cannot re-create: banking, government, your primary cloud storage, your password manager, your domain registrar. These get your real, well-protected address, full stop. We will come back to why disposables have no business here.
The entire strategy flows from this triage. Most of the internet is bucket one and two. The mistake people make is treating everything like bucket three and pouring their whole life through a single address.
The tools, and what each is actually for
These terms get used interchangeably and they should not be. They solve different problems.
Disposable / temporary inbox. A mailbox that exists for minutes or hours, usually on a shared public domain, that you never have to create an account for. You open it, grab the address, receive your confirmation code, and walk away. It is the paper plate of email: zero setup, zero cleanup, not something you build a life on. Services like EvilMail exist for exactly this moment.
Alias. A second address that delivers into your *existing* inbox. [email protected], netflix.you@…, or a Gmail-style [email protected]. Mail sent to the alias lands with you, but you can filter, disable, or delete the alias without touching your real address. Aliases are for relationships you want to keep but control.
Forwarding. The plumbing underneath aliases. An address on one domain that automatically relays everything to another. Purpose-built forwarding services (addy.io, SimpleLogin, Apple's Hide My Email, Firefox Relay) generate a random address per signup and relay it to you, often letting you reply *through* the alias so your real address never appears in the headers.
Catch-all domain. If you own a domain, you can configure it so that *any* address at that domain reaches you. [email protected] works without you setting it up in advance. This is the power-user endgame, and it changes how you think about signups entirely.
Give every service its own address
Here is the single most useful habit in this whole article, and it costs almost nothing once you have the tooling: never reuse an address across services. Each signup gets a unique one.
Do this and something quietly powerful happens. The address becomes a tracer dye. If [email protected] was only ever given to your bank, and it starts receiving pharmaceutical spam, you now know — with certainty, not suspicion — that your bank leaked, sold, or was breached. There is no other explanation. The address existed nowhere else.
With a catch-all domain the workflow is effortless. When a site asks for email, you invent an address on the spot:
No pre-registration, no dashboard. It just arrives. And the day [email protected] turns into a spam firehose, you write one filter rule that sends anything to that address straight to trash, and the problem is permanently solved without collateral damage to any other account.
Forwarding services give you the same superpower without owning a domain — they mint a random alias per site and keep a tidy list of which alias belongs to whom, with a kill switch next to each. Slightly less elegant than a catch-all, considerably easier to set up.
A workflow you can actually follow
Put the triage and the tools together and signing up becomes a fast, almost mechanical decision. Here is the flow I run without thinking about it anymore.
1. Read the box, judge the account. Is this a see-it-once interaction, or the start of a relationship? That answers which bucket you are in. 2. Throwaway → disposable inbox. Open a temporary mailbox, copy the address, paste it, submit. Watch for the confirmation email, click or copy the code, done. Do not bookmark the inbox; assume it is gone in an hour. 3. Recurring → per-service alias. Generate a fresh alias (catch-all address or forwarding service). Paste it, submit, confirm. Immediately note *which service* it belongs to — the whole leak-detection benefit depends on that mapping being unambiguous. 4. Critical → real address, hardened. Use your genuine address, but make sure that account has a strong unique password and two-factor authentication. The address being "real" is fine; the account being weak is not. 5. Set the filter now, not later. For aliases, create the sorting/label rule at signup while you remember what the address is for. Future-you will not.
The first time through this feels like overhead. By the tenth signup it is muscle memory, and your primary inbox has stopped being a landfill.
Password resets and 2FA: the part everyone gets wrong
This is where the disposable strategy either quietly saves you or quietly betrays you, so it deserves its own section.
A password reset link is only useful if you can still reach the inbox it was sent to. Send a reset to a temporary address that evaporated an hour after signup, and you have locked yourself out with no recovery path. This is fine — even desirable — for bucket-one throwaways you never intend to log into again. It is a disaster if you did it to an account you actually care about. So the rule writes itself: any account you might need to recover must use an address that still exists when you need it. That means an alias or your real address, never a temporary inbox.
Two-factor authentication has a parallel trap. Email-based 2FA — where the service texts a code to your inbox on every login — means you permanently depend on that inbox being reachable. Route email-based 2FA through a disposable address and you have effectively set a self-destruct timer on your own account. Aliases handle this gracefully because the codes forward straight to you. Better still, wherever a service offers app-based 2FA (a TOTP authenticator) or a hardware key, take it. It is more secure and it severs the dependency on your inbox entirely, which is exactly what you want for anything in the critical bucket.
A compact way to remember all of this:
| Signup type | Address to use | Can you recover it? | Email 2FA okay? | |---|---|---|---| | See-it-once throwaway | Disposable inbox | No, and you don't care | Irrelevant | | Recurring, low-stakes | Per-service alias | Yes, via forwarding | Yes | | Critical account | Real address | Yes | Prefer app/hardware 2FA |
When services fight back
Disposable email is popular enough that plenty of sites actively block it. You will paste a temp address and get "please use a valid email" or a silent failure where the confirmation never arrives. A few things are happening, and each has a countermove.
Many sites check submitted domains against public blocklists of known disposable providers. The common public temp-mail domains show up on every one of those lists because millions of people use them. The fix is not to fight the blocklist — it is to use an address the blocklist has never seen. A per-service alias on your own domain, or a private forwarding domain, is not on anyone's disposable list, because from the server's point of view it is just an ordinary custom email address. You get the disposability benefit (kill it anytime) without the disposable-domain stigma.
Other patterns you will hit:
MX record checks. Some signups verify that the domain can actually receive mail. Real forwarding services and your own domain pass this trivially; the flimsiest throwaway domains sometimes do not.
"No plus addressing." A handful of sites strip or reject [email protected]. Aliases on a real domain sidestep this because the tag is invisible — [email protected] looks like a completely normal address.
Delayed or missing delivery. Public temp inboxes get hammered and occasionally drop or delay mail. If a code has not arrived in a couple of minutes, it may not be coming. For anything time-sensitive, an alias with reliable forwarding is the safer bet.
The general principle: escalate from cheap-and-anonymous toward stable-and-custom as the site gets pickier or the account gets more important. Reach for the disposable first; reach for the alias the moment the disposable is refused.
Keep the map, or the whole thing falls apart
Every technique here rests on one unglamorous discipline: knowing which address you gave to whom. Lose that map and your leak detection is meaningless, your kill switches fire blind, and you will eventually delete an alias that some account you forgot about still depends on.
You do not need anything fancy. A password manager already stores a username field for every login — put the exact address there, and the mapping maintains itself as a side effect of saving credentials. Forwarding services keep the list for you automatically, which is a large part of their appeal. If you run a catch-all, a plain notes file or spreadsheet with two columns — service and address — is entirely sufficient. The format does not matter. The habit does.
Once the map exists, the payoff compounds. Spam becomes traceable to a source instead of an unsolvable mystery. Breaches announce themselves before the news does, because the tainted alias starts misbehaving. And your real address — the one wired into your bank and your identity — stays known only to the handful of accounts that genuinely earned it. That is the whole game: not hiding from email, but deciding, deliberately and per-service, exactly how much of yourself each signup gets to keep.