Looking for a way to boost your online security and keep your email safe from data breaches? SimpleLogin offers an open-source solution to help you protect your privacy by generating email aliases. Instead of exposing your primary email address, SimpleLogin allows you to create unique email addresses for every site or app you use, significantly reducing the risk of data leaks. In this post, I share my experience using SimpleLogin and why it’s been a game-changer for my cybersecurity. Discover how this tool can help you safeguard your digital presence.

What’s the risk of using your primary email address everywhere?

When data is more valuable than oil, gold or any other commodities, then it attracts all type of people. Besides big tech and ad networks, it’s also a wealthy treasure for bad actors. Have I Been Pwned is one of the best resources that tracks the data breaches. They are common. If you ever use your email address on any site, store or app, then you’re at risk. As this is a consensus in the cybersecurity: it’s not the question if your data is leaked, but when.

Therefore, Have I Been Pwned among others, recommends one of the best proven methods to defend yourself: use unique passwords for each website. Most conveniently generated by a password manager. Bad actors who access private data use your combination of emails and passwords on other sites. With unique passwords, you’re more secure.

What is email masking – email alias generator?

In short, the email masking is a method of hiding your primary email address. With the email masking service, you can go a step further with the cybersecurity measures. Such service generates a unique email for every site, store, or app. So, combining these with unique passwords, means that it’s even harder for bad actors to associate your data, target or reuse it elsewhere.

I discovered SimpleLogin because I was specifically looking for an independent solution from my email provider. After over a year of using SimpleLogin, I’m sure it’s worth it’s money, and that’s why I’m sharing my experience here.

Instead of an email, can I just use my mobile number, Google, Facebook, Instagram or any other easy sign-up method?

Of course, you can. But the more you know about cybersecurity, the better you understand the risks. Relying on your mobile number or a 3rd party provider, creates a single point of failure. Which means, that if it fails, you’ll lose access to all the services, and by extension to your data.

The mobile number is not yours. It’s just leased by a telco, and remains active, for as long as you pay. However, cell network coverage is often disrupted, so SMS codes can be delayed or never arrive. Additionally, your number can be stolen via social engineering or other techniques.

Similarly, Google, Facebook, Instagram, LinkedIn, Microsoft, Apple accounts are also in full control of the Big Tech. At any moment, their algorithms can detect an anomaly and, even if it’s a false positive, block you out completely.

That’s especially true for their free accounts, where they don’t offer meaningful customer support. Consequently, one accident can cause you access to your primary email, your data, and all other sites, apps and stores where you used the easy sign-up.

I highly recommend using email address on a domain address you bought, and then choosing an email hosting provider. Even though I currently use Apple’s iCloud Mail, the domain, DNS zone and email address remain independent of Apple. Which I wrote in details here: Why I switched from Gmail to Proton Mail to iCloud Mail?

Digital Nomad reality of privacy protection laws

Digital nomads are especially exposed to email related security threats because we operate in a complex web of jurisdictions with uneven privacy protection laws. For example, I’m an EU citizen, currently staying in Asia and using American web services. Which laws are protecting me from the data theft?

There are GDPR, CCPA and other frameworks, but the point is, that an email address is required to sign up and use by every service. Regardless of our legal status and residence, we need to proactively secure our digital presence. Because mistakes can severely affect our online businesses and ability to travel.

SimpleLogin is part of Proton

Back in March 2023, I was researching alternatives to my Google Workspace account. Simple Login stood out due to its straight-forward solution: generate custom email aliases. Open-source, Chrome extension, mobile app and the ability to use my domain convinced me to buy the annual plan.

I was aware that SimpleLogin was acquired by Proton, but the two services remain independent. Even after Proton decided to implement SimpleLogin email masking feature directly within the Proton Mail dashboard.

To verify if they’re committed to keep the SimpleLogin alive, I reached out to Proton support. They confirmed. Moreover, I suspect that there are many users like me, who prefer to use SimpleLogin as an addition to their preferred email provider. Overall, even though I was dissatisfied with Proton, I’m very satisfied with SimpleLogin and intend to keep using it.

Why don’t I use the iCloud “Hide my email”?

Indeed, since iCloud is my email provider, I could use their email masking feature. iPhone and MacBook are my preferred devices, so it would be very continent to use the Hide My Email. However, I would rather not lock this functionality within the Apple ecosystem. In case, I’ll switch to another ecosystem in the future.

Why did I choose SimpleLogin over email masking offered in password managers and other email providers?

As stated above, I avoid centralization. Too much power concentrated in one place creates serious vulnerability. More and more password managers, email providers and other apps offer the email masking feature. But none of them is as comprehensive as SimpleLogin. Here are the reasons that convinced me to choose this service:

1. Open-source, which means that their security standards are publicly verifiable.
2. Ability to use my custom domain for each email alias.
3. Browser extensions to quickly generate aliases for websites.
4. Mobile app to manage my account and generate aliases on-the-go.
5. Support for email security standards SPF, DKIM, DMARC.
6. Ability to direct any address to any other email address.
7. Possibility to reply from the custom email alias.
8. Works with any email provider.
9. 100% effectiveness to unsubscribe from unwanted newsletters.
10. No lock-ins – I can move email aliases to another provider.

Is SimpleLogin safe to use?

While I don’t call myself a cybersecurity expert, I do strive to keep my websites and my digital presence safe. Therefore, I seek for signals that can assure me if a given service is worth the trust. Firstly, the code of the app is publicly available on GitHub. The more people use it, the more pressure from the community and independent researchers there is. This is a self-enforcing virtue circle.

Secondly, it’s in SimpleLogin interest to verify any potential bugs in their system. That’s why I’m glad that they have an independent security audit. It’s crucial, as regardless of your technical fluency, you can read the overview of the audit to understand if the system is safe. Or to what degree is considered safe against specific threats.

Thirdly, the fact that SimpleLogin was acquired by Proton, is a vote of confidence. The whole brand of Proton is built around high-class security, and they would not invest into half-baked products.

Configure custom domains in SimpleLogin to future-proof your email aliases

SimpleLogin gives you their domains like @simplelogin.com. Which is already a cool feature because you can create unlimited email aliases right away. However, I don’t use them because I want to retain the possibility to change from SimpleLogin to another service. All internet companies are finite. So I configured SimpleLogin to be future-proof.

I use a custom domain, that’s not clearly associated with me. And I recommend that to you too. Avoid random strings of numbers and letters, e.g. d2n85XWAea.com, as spam filters and newsletter platforms may consider it suspicious and block it preemptively. Rather, register a .com domain that could sound like a company domain.

Since I generate new email addresses only when registering for a new site, then this unique alias with the unique password is saved in my password manager. The entire list of all generated aliases in my custom domain is saved in two independent places. Therefore, even if SimpleLogin or the password manager fails, I can reestablish email communication with another service.

The key factor is that from outside, my email alias looks like a regular address, e.g., [email protected]. Underneath, I can always replace the supporting structure to exchange the correspondence. It’s not possible if you use someone’s else domain, i.e., @simplelogin.com, @gmail.com, @hotmail.com, etc.

SimpleLogin browser extension that generates addresses for a given site

As the name of the app suggests, generating logins should be simple. And they deliver on the promise. The browser extension (offered for Chrome, Brave, Firefox, Safari) quickly generates the alias using the sites name. You can set the default domain used for new aliases, and as explained above, I use my custom domain instead of the ones offered by SimpleLogin.

Optionally, you can configure to display SimpleLogin tool directly within the registration input fields. Just ensure this doesn’t conflict with the password manager, as they also show their tool in the same spot.

Mind, that some sites prevent registering accounts using their domain name. So at the example.com, you won’t be able to register an account with “[email protected]”. If that’s true, then change the alias to anything else, e.g., “[email protected]”. Keep in mind to not use your name, as the whole point of email aliases is to protect your privacy.

SimpleLogin mobile app to generate addresses and manage aliases

When I sign up for any website, I always prefer to do it on my laptop. However, whenever I’m on the road and need to quickly register for a local tourist attraction, then I use the SimpleLogin mobile app. Similarly to the browser extension, you can generate a new alias, copy and paste it. Whether it is a local café site offering discounts or a paper survey where you need to write down your email.

Moreover, the app allows you to manage your aliases, check when each alias was last used and configure other features of your SimpleLogin account. Keep in mind that the full functionality of SimpleLogin is available at the web dashboard.

Support for email security standards SPF, DKIM, DMARC

Spoofing, spam, phishing, and many other harmful phenomena are common in the email industry. It’s essential to protect yourself and your receivers. SimpleLogin makes it easy to configure the SPF, DKIM and DMARC. Moreover, these standards are something I expect from any email service. Even the biggest email hosting companies like Gmail now require them. As exchanging emails without properly configured SPF, DKIM, DMARC increases the risk of being categorized as spam or being blocked by email filters.

Since the above standards require edits in the DNS zone of your domain, the instructions have to be clear. Once again, I was pleasantly surprised by SimpleLogin approach. Their configuration flow is straightforward, with checkboxes that verify if each step has been properly completed before moving to the next phase. Honestly, this also builds up my trust in them. SimpleLogin has an in-depth understanding about email ecosystem.

Direct any alias to any email address

Once your SimpleLogin account and custom domain are configured, you can start using the aliases on any websites. Furthermore, you can decide where each alias should direct a message. That’s especially useful when you use separate inboxes for work and personal matters. Or if you have a dedicated inbox for newsletters.

Reply from your custom email alias

If you use aliases in Gmail or iCloud, you know that you have a dropdown list of senders when composing a message. But the amount of these aliases is capped by the respective provider. Luckily, SimpleLogin allows for unlimited aliases. And you don’t need to select a sender. Just reply to the message.

The SimpleLogin routing system is designed in a way, to deliver your message using the alias and not to expose your real address. Of course, keep in mind that if you have your real email address in the signature, then it’ll be included in the message content.

SimpleLogin works with any email provider

Even though SimpleLogin is now owned by Proton, and some features are being integrated directly with Proton Mail or Proton Pass, the app remains provider-agnostic. Which means that you can use SimpleLogin with any email hosting or domain registrar. Crucial, if you, like me, prefer to keep systems interoperable and independent.

100% effectiveness to unsubscribe from newsletters

The SimpleLogin dashboard allows you to deactivate any alias. This is a 100% effective method to block all email communication. Especially useful for coupons, promotions, sales or any other services that don’t respect your choices.

Deactivate the email alias or unsubscribe using the link in the email message?

Mind that once you deactivate the alias, all communication will be blocked. Which is not desirable, when you still want to receive payment notifications, security breach or other important signals.

Therefore, in some cases, I’d recommend clicking the unsubscribe link or adjusting the notifications in the specific service’s dashboard.

SimpleLogin is a great security addition to your main email account

After about 18 months of actively using SimpleLogin, I’m very satisfied with the results. It introduces a bit more complexity to how my email inbox works, but the massive benefit is that it effectively increases my cybersecurity.

One slight disadvantage is that emails are routed through SimpleLogin servers. Therefore, expect that any communication sent that way may be a bit delayed. Yet, email communication has never been instant, so it’s not that big of a deal.

I choose when to use and when don’t. For example, for banking apps or other “mission-critical” services, it’s better to use your main address. During a security check, the bank rep may ask to spell the email for verification. Still, your main email address doesn’t have to be the same as the one visible in public records.

In summary, SimpleLogin is worth its price. I feel safer, knowing that each service I use has a unique email address and unique password that can’t be directly linked to me. I highly recommend you to set the same security measure.