Why Gmail Plus-Aliases Aren't a Real Privacy Solution

The Promise

You use Gmail and you've heard you can sign up for sites using [email protected] to create per-site aliases. The marketing copy says this gives you 'free email aliases' — track which sites leaked your data, filter aggressively, even 'disable' an alias by routing it to trash.

The reality is much narrower than the promise.

Issue 1: Spammers Strip the Tag

Any spammer with two minutes of attention writes email.replace(/\+[^@]*@/, '@') in their pipeline. The plus-tag is gone. The 'disabled' alias trick (route all +sitename to trash) doesn't work because the spammer now sends to your real [email protected].

The least-effective spammers still send to the plus-tagged address — so the trick works against them. The prolific, list-broker-fed spammers (the ones who actually flood your inbox) strip it.

Issue 2: Many Sites Reject the + Sign

The + character is fully valid in email per RFC 5322. But signup-form validators are written by junior engineers and product owners who don't know that. A meaningful minority of sites reject any email with a + in it.

You go to sign up. You enter [email protected]. Form says 'Invalid email address'. You revert to [email protected]. The plus-alias defence is now useless for this site.

Issue 3: All Your Plus-Aliases Are Permanently Tied to One Real Account

Real email aliases (SimpleLogin, Apple Hide My Email, AnonAddy) can be deleted individually. The forwarding stops; future mail bounces; the alias is dead.

Plus-aliases can never be deleted. [email protected] permanently routes to your inbox because the underlying [email protected] permanently exists. The most you can do is filter incoming mail to trash — but the spammer's send still succeeds and your account is still on their list.

Issue 4: If Your Plus-Aliases Leak, So Does Your Real Address

When a breach disclosure publishes the leaked email list, both [email protected] AND your derivable real address [email protected] are now associated with that breach in public-attacker datasets. The plus-tag obfuscation doesn't survive.

What Plus-Aliases Actually Help With

They're useful for:

• Inbox organisation: filter +amazon mail to the Shopping label, +meeting mail to Work, etc. Genuinely useful for productivity.
• Leak attribution: when a breach disclosure includes your tagged address, you know exactly which site leaked. Useful for accountability and trust calibration with that vendor.
• Sender-side filtering: when you reply to a tagged address, your filter rules can auto-tag the outgoing thread for organisation.

These are real benefits. They're not 'privacy' — they're organisation and attribution.

Real Alternatives

• Email aliases (SimpleLogin, Apple Hide My Email, Firefox Relay, AnonAddy) — per-vendor revocability, no + in the address, fully separate from your real address. The right tool for 'I want to keep this account but cut it off later if needed'.
• Disposable email (this service) — for one-shot signups where you don't need to keep the account. Address dies; no breach exposure possible.
• Catch-all on a custom domain — sophisticated option: own a domain, use any prefix you want as a fresh alias. More effort to set up; powerful for technical users.

Bottom Line

Plus-aliases are an organisational tool, not a privacy tool. They're free and zero-effort, so use them for what they're good at (filtering, leak attribution). For real privacy — per-vendor revocability and no-breach-exposure — use real aliases or disposable email.

Related Guides

See also: how to actually use plus-aliases, disposable vs alias vs burner, and temp mail vs Apple Hide My Email.