cyberspark.blog

Stop breaches with better security habits

Plus Addressing and Aliases for Safer Accounts

Plus addressing and true aliases work best together: use plus tags (like name+store@domain.com) for fast, reusable labeling and filtering, and use separate aliases (random or distinct addresses that forward to you) when you want a throwaway identity you can disable without touching your real inbox.

Most people try to solve spam and account safety as two separate problems; you can treat them as one workflow instead: every signup gets a unique receiving address, and every address has a planned “what if it leaks?” exit.

The two tools you’re combining (and why each matters)

Plus addressing (subaddressing) means you add a +tag before the @, and mail still lands in the same inbox. The tag becomes a built-in label you can filter on. It’s fast because you never create anything; you just type a new tag at signup time. (Google Support)

Aliases are additional addresses that deliver to you (sometimes separate mailboxes, sometimes forwards). The key difference is control: you can turn an alias off (or delete it) when it starts attracting abuse, without changing your main address. (support.apple.com)

Think of plus addressing as “organized doors into the same room,” and aliases as “separate doors you can permanently brick up.”

A simple system that reduces spam and protects accounts

Use one consistent rule: never give the same address twice.

  1. Low-risk signups → plus addressing
    Examples: newsletters you actually want, forums you browse, trials you might cancel.
    Use tags like:
      • name+news@…
      • name+forum@…
      • name+store@…
    If spam starts, you can filter it aggressively (or auto-delete it) based on the +tag.

  2. High-risk signups → dedicated aliases
    Examples: banking, shopping accounts with saved cards, marketplaces, anything likely to be targeted for password resets.
    Here, “tagging” isn’t enough—because the real protection is the ability to rotate the address later. If the address leaks, you disable it and replace it.

This pairing is what gives you both outcomes:

  • Spam reduction because messages are pre-sorted by address.
  • Account protection because a leaked signup address is no longer a permanent identifier tied to your primary inbox.

How plus addressing reduces spam in practice (without pretending it’s magic)

Plus addressing doesn’t stop your address from being collected. What it does is make spam easier to contain because every sender reveals which address they used.

Use the tag in three practical ways:

A) Create filters that “file by default”
If you sign up with name+receipts@…, filter messages to that address into a Receipts folder automatically. The inbox stays for human mail.

B) Create filters that “fail closed”
For accounts that should never receive marketing, you can set an “if sent to name+account@… and not from these domains → mark as spam/delete” pattern. When junk begins, it disappears immediately.

C) Detect which companies leak or overshare
When a message arrives to name+vendorX@… from someone else, you know exactly which address was shared. That gives you evidence to tighten filtering or stop using that address.
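
The three filter patterns above (file by default, fail closed, leak detection) can be expressed as one rule set. The Python sketch below is an added example, not part of the original post; the tag names, folders, sender domains and the address name@example.com are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical policy: tag -> (folder, sender domains allowed to use that tag).
# An empty set means "file by default, accept any sender".
POLICY = {
    "receipts": ("Receipts", set()),
    "account": ("Accounts", {"bank.example"}),
    "vendorx": ("VendorX", {"vendorx.example"}),
}
RETIRED_TAGS = {"oldtrial"}  # tags for services you no longer use
# Constructed sample: a third party mailing the address given only to VendorX.
SAMPLE = "From: promo@ads.example\nTo: name+vendorx@example.com\nSubject: Deal\n\nHi\n"


def split_tag(address):
    """Return (base_address, tag) for local+tag@domain; tag is None if absent."""
    local, _, domain = address.lower().rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def sender_domain(msg):
    # From is spoofable; a real filter should prefer the SPF/DKIM-authenticated domain.
    return parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]


def classify(raw, my_base="name@example.com"):
    """Return (action, detail) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Delivered-To", []))
    for _, addr in recipients:
        base, tag = split_tag(addr)
        if base != my_base or tag is None:
            continue
        if tag in RETIRED_TAGS:
            return ("delete", f"retired tag +{tag}")
        if tag not in POLICY:
            return ("quarantine", f"unknown tag +{tag}")  # anyone can guess tags
        folder, allowed = POLICY[tag]
        dom = sender_domain(msg)
        if allowed and not any(dom == d or dom.endswith("." + d) for d in allowed):
            return ("spam", f"+{tag} used by {dom}: address leaked or shared")
        return ("file", folder)
    return ("inbox", "no plus tag")
```

Running classify(SAMPLE) flags the message as spam and names the sender domain that used the VendorX-only address, which is the evidence pattern C relies on.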

Important limitation: some websites reject + in email fields or strip it. That’s not your fault; it’s their validation. Your fallback for those sites is an alias (or a different provider-supported variation).

Where plus addressing is strongest (and where it’s weaker)

It’s strongest when:

  • Your mail provider reliably delivers local+tag@domain to the same mailbox. (Microsoft Learn)
  • You can filter based on the “to” address (most modern mail services can, directly or via rules).

It’s weaker when:

  • A site refuses the plus sign.
  • A site “normalizes” addresses and removes the tag on their side (so you lose the tracking benefit).
  • You’re trying to use plus tags as a security boundary. It isn’t one. If someone knows your base address, they can guess unlimited tags.

That’s why aliases matter: aliases are about revocation, not labeling.

What aliases add: revocation, compartmentalization, and safer recovery

A dedicated alias improves account safety in three ways:

1) A leaked alias can be killed
If an alias starts getting spam or phishing, disable it. That stops mail to that address entirely, which is especially valuable for preventing password reset emails from reaching you (or creating noise you might miss). Proton explicitly positions aliases this way—hide the real address, then disable an alias if it’s abused. (Proton)

2) One alias per critical account reduces cross-account targeting
Attackers often use your email address as the primary identifier across breaches. If your shopping account and your bank share the same login email, a leak in one place helps target the other. Separate aliases break that linkage.

3) Recovery becomes cleaner
If you ever need to change your main email provider, aliases (especially on a custom domain or alias service) can insulate you: you update forwarding once instead of updating dozens of logins. Even with provider-native features like Apple’s Hide My Email, the model is still “unique addresses that forward to you, controllable later.” (support.apple.com)

A practical naming scheme that stays manageable

The biggest reason people abandon this approach is messy naming. Use a scheme you can type quickly and recognize instantly.

For plus tags (human-readable):

  • Category-first: name+shop-amazon@…, name+news-tech@…
  • Vendor-first: name+amazon@…, name+nytimes@… (simple, easy to track leaks)

For aliases (high-risk):

  • Randomized by default (best against guessing)
  • Store metadata in your password manager (site → alias mapping)

If you want both clarity and safety: use random aliases for the address itself, but keep your internal label clean in the password manager (e.g., “Banking – Primary” → alias q7n4…@aliasdomain).

Rules that prevent self-inflicted problems

Don’t use plus tags for accounts you can’t afford to lose access to.
If a site later rejects + during login changes, support chats, or identity verification, you’ve created friction for yourself.

Never reuse the same receiving address for multiple critical sites.
Uniqueness is the point; reuse recreates the original problem.

Treat your “base” email address as private.
The more often you give it out, the more you lose the value of tags and aliases. Ideally, only humans and your most trusted services ever see the base address.

Expect provider differences.
Plus addressing is supported in major systems (including Exchange Online’s documented support for local+tag@domain). (Microsoft Learn)
But individual consumer products, custom domains, and legacy systems vary—so keep aliases as the universal fallback.

One workflow to implement today

  1. Pick your default:
      • Use plus tags for anything you can replace easily.
      • Use aliases for anything tied to money, identity, or long-term value.
  2. Create 3–5 filters immediately:
      • “Receipts” (file away)
      • “Newsletters” (file away)
      • “Accounts” (high visibility)
      • “Anything to +oldtag” (auto-delete once you’re done with a service)
  3. Start unique-from-now-on:
    You don’t need to migrate everything at once. The benefits compound as you stop reusing addresses.

Why does this matter?

Because the fastest way to lose control of your inbox and your logins is to treat your email address as a permanent, reusable public identifier.


Next Step: https://cyberspark.blog/2026/01/20/baseline-account-protection-settings-for-every-account/
