A phishing email arrives. The recipient address displays free-achats@votredomaine.com. You immediately know what happened: Free sold or lost your data. No need to investigate further. This is what a correctly used email alias can do. Most guides present it as an anti-spam filter. This underestimates the tool. A well-configured alias is a passive tracker that documents the reliability of each service you’re signed up with and allows you to cut off contact with one click if something goes wrong.
What is an email alias?
An email alias is a secondary address that automatically forwards all received messages to a primary inbox without creating a separate account or separate storage. You manage everything from a single interface but can receive and send from multiple identities.
The distinction with a secondary account is technical but concrete. An email alias stores no messages server-side: it forwards in real time to your existing inbox. A secondary account has its own credentials, its own storage, and requires a separate login. For a solopreneur managing contact@, factures@, and support@, three aliases are better than three inboxes to clear out each morning.
There are two distinct technical methods. Subaddressing (the “plus” method) involves adding a label after your username: alice+free@gmail.com. Simple, free, but the base name remains visible if you remove what follows the “+”. In contrast, dedicated alias services such as SimpleLogin, Proton Pass, or Addy generate a completely opaque address (xk7f3@simplelogin.io) with no visible link to your real identity.
Email alias as a data breach detection tool
This is the usage that few guides mention. According to the Verizon Data Breach Investigations Report 2025, 16% of confirmed data breaches began with a phishing attack. If each online registration uses a dedicated alias, you can immediately identify which company is the source of a breach as soon as that alias receives spam or phishing.
The functionality is straightforward: you create a unique alias per service (free-2026@votredomaine.com, spotify-free@votredomaine.com). If the alias spotify-free starts receiving phishing attempts, the source is clear. You disable the alias, create a new one for Spotify, and report the incident. The average cost of a data breach reached 4.44 million dollars in 2025 according to IBM Security. For an individual user, the concrete consequence is often the compromise of the main account. A distinct alias per service limits the impact radius to a single point of exposure.
This naming discipline isn’t complex. It just requires adopting a convention from the start and sticking to it. Security communities sometimes refer to this principle as โemail forensicsโ: the alias as proof of origin in case of dispute or incident.
Professional uses: organization and branding
In a business context, email aliases solve several common problems. The most frequent: functional addresses like contact@, support@, or billing@ allow requests to be redirected to the right person without exposing their personal address. When an employee leaves the company, the alias remains active and redirects to their replacement in seconds, without service interruption.
Google Workspace allows up to 30 aliases per user, expandable to 2,000 mappings via advanced routing configuration. Microsoft 365 Business goes up to 400 aliases per account depending on the plan. Free Outlook caps at 10 active aliases simultaneously. These limits cover almost all ordinary professional uses.
Freelancers and consultants also benefit from aliases to segment their clients: one alias per project makes sorting, billing, and archiving easier, without multiplying email inboxes to monitor every day.
When to use a dedicated alias service?
The aliases integrated into Google Workspace or Microsoft 365 are sufficient for standard professional needs. For serious privacy protection, specialized services go further. SimpleLogin (acquired by Proton in 2022), Addy (formerly AnonAddy), and Firefox Relay generate completely opaque aliases, with no visible relation to your real identity.
| Service | Free aliases | Paid plan price | Open source | Highlights |
|---|---|---|---|---|
| SimpleLogin (Proton) | 10 | โฌ4/month | Yes | Proton Mail integration, reply from alias |
| addy.io | Unlimited (limited bandwidth) | โฌ1/month | Yes | Self-hosting possible, advanced customization |
| Firefox Relay | 5 | โฌ1.99/month | Yes | Browser extension integrated with Firefox |
The key difference with Gmail subaddressing: here, the recipient cannot guess your real address. Even if the alias is compromised or resold, your main inbox remains unknown to the concerned service.
What email aliases do not do
An email alias does not encrypt your messages. It does not guarantee total anonymity if you reply from an email client that exposes metadata. It also does not protect against services that require phone verification or that tie access to your real account.
The limitation of subaddressing is well-documented: many forms reject addresses with the “+” character or, worse, silently remove it, redirecting to your base address. For reliable protection, the unique aliases generated by SimpleLogin or Addy are the only viable option.
Combined with a password manager and two-factor authentication, a well-managed alias significantly reduces the attack surface accessible from a compromised email address. It is not a solution in itself. It is a link in a chain of defense.
