20 April 2026

Why email aliases still matter in 2026

In an age of passkeys and federated identity, giving every website a disposable email address is still the cheapest defence you have against data breaches and targeted spam.

Every two weeks there's a new breach: a SaaS vendor leaks a customer table, an unsecured S3 bucket surfaces on BreachForums, a PDF with plaintext passwords falls off a consultant's laptop. By now it's not news — it's weather. You can't opt out of the breaches; you can only opt out of being in the tables.

That's what email aliases do, quietly, on a budget. One per site, one per newsletter, one per sketchy SaaS you're trying for a week. When it gets breached — and statistically, something eventually will — the attacker learns an address they can only use to send mail to themselves, because you've already rotated it.

Passkeys didn't kill aliases

The "aliases are obsolete" argument comes up a lot: if passkeys replace passwords, the email address stops mattering as much, right? Half-right. Passkeys reduce the phishing surface, but the email is still your account identifier. Leak it and an attacker knows where you bank, where you shop, and what services to target with follow-on social engineering. Replacing the password doesn't solve the recon problem — the address itself is the leak.

What a decent alias service does

The minimum viable alias is a random address that:

  • Forwards to your real inbox without disclosing it.
  • Can be paused or deleted without contacting support.
  • Has no per-alias account, password, or seat licence.
  • Carries enough metadata (which alias, which sender) that you can triage it in one glance.

That's emailforward.xyz. We add Telegram as a delivery target because email-in-email is useful, but email-in-your-phone is faster — especially for one-off verification codes that time out in ten minutes.
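
One way to act on that per-alias metadata, as an added example that is not emailforward.xyz's code: each alias is bound to one site, and mail arriving from any other sender domain marks the alias as leaked. The domain `alias.example`, the registry layout and the function names are assumptions made for illustration.

```python
import secrets
from email.utils import parseaddr

ALIAS_DOMAIN = "alias.example"  # assumption: placeholder forwarding domain


def new_alias(registry, site_domain):
    """Issue a random, unguessable alias bound to exactly one site."""
    local = secrets.token_hex(6)  # 48 random bits; nothing derived from the real address
    alias = f"{local}@{ALIAS_DOMAIN}"
    registry[alias] = {"site": site_domain.lower(), "active": True}
    return alias


def sender_domain(from_header):
    """Extract the lowercased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def triage(registry, rcpt, from_header):
    """Classify one inbound message by (which alias, which sender)."""
    entry = registry.get(rcpt.lower())
    if entry is None:
        return "unknown-alias"
    if not entry["active"]:
        return "dropped"      # alias was paused or rotated; nothing is forwarded
    dom = sender_domain(from_header)
    site = entry["site"]
    # Exact match or a true subdomain; "evil-shop.example" must not match "shop.example".
    if dom == site or dom.endswith("." + site):
        return "expected"
    return "leaked"           # someone other than the site knows this alias


if __name__ == "__main__":
    reg = {}
    shop = new_alias(reg, "shop.example")    # constructed sample data
    print(triage(reg, shop, "Shop <orders@mail.shop.example>"))
    print(triage(reg, shop, "Deals <promo@bulk-sender.example>"))
    reg[shop]["active"] = False              # rotate after the leak
    print(triage(reg, shop, "Deals <promo@bulk-sender.example>"))
```

The From header is unauthenticated, so `expected` is a triage hint, not proof of origin; a real deployment would check the DMARC result first. Sites that send through a third-party mail provider will show up as `leaked` until that provider's domain is recorded for the alias.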

When aliases aren't enough

Aliases are a reconnaissance countermeasure. They don't defend against:

  • Mail-rendering exploits (use a client that doesn't auto-load remote content).
  • Tracker pixels in the message body (use a service that strips them — DuckDuckGo Email Protection does this; we don't yet).
  • Human-layer phishing (nothing technical helps here).

Stack them with a password manager, passkeys where available, and a mail client with conservative defaults. Alias services are cheap leverage, not a panacea.

The bottom line

If you already have a password manager but not an alias service, you're skipping the cheaper half of the win. The marginal effort is ~10 seconds per signup; the marginal value compounds every time a vendor gets breached.

Start with emailforward.xyz or any of the alternatives we compared. The specific tool matters less than the habit of not handing your real address to every site that asks for it.

Published 20 April 2026 · by emailforward.xyz