Email Alias
A variation or forwarding address derived from a primary email account, often using plus-addressing (user+tag@gmail.com) or dot tricks, commonly exploited to create multiple accounts from a single inbox.
What Is an Email Alias?
An email alias is any variation of an email address that routes messages to the same underlying inbox. Unlike disposable email addresses, which use entirely separate providers and temporary mailboxes, aliases are derived from a real, permanent account. From the user's perspective, the alias is just another way to receive mail. From a platform's perspective, each alias can look like a completely different email address, making it a convenient tool for multi-accounting fraud.
Types of Email Aliases
- Plus-addressing (subaddressing): Most major providers support appending a plus sign and any tag to the local part of an address. For example, user+shopping@gmail.com and user+promo@gmail.com both deliver to user@gmail.com. The tag is ignored by the mail server but treated as a unique address by most registration forms.
- Gmail dot trick: Gmail ignores dots in the local part of an address. This means u.s.e.r@gmail.com, us.er@gmail.com, and user@gmail.com all reach the same inbox. For an address with n characters, this can generate a large number of visually distinct variations.
- Subdomain aliases: Some providers accept mail addressed to subdomains of their primary domain, such as user@mail.example.com routing to user@example.com.
- Custom domain catch-all: Users who own a domain can configure a catch-all rule so that any address at that domain (e.g., anything@mydomain.com) forwards to their real inbox. This provides an effectively unlimited supply of unique-looking addresses.
- Provider-specific features: Apple's Hide My Email generates random, unique addresses that forward to a user's iCloud inbox. Firefox Relay and SimpleLogin offer similar forwarding services, creating aliases that are difficult to trace back to the original account.
Legitimate Uses
Aliases serve many legitimate purposes. Users create plus-addressed variants to filter incoming mail into folders, track which services share their address, or separate newsletter subscriptions from personal correspondence. Privacy-conscious users rely on alias services to limit their exposure when signing up for unfamiliar sites. These are valid use cases, and aggressive blocking of all aliases can harm legitimate users.
Abuse in Multi-Accounting
The same properties that make aliases useful for privacy also make them attractive for abuse. A single Gmail account can generate hundreds of visually distinct addresses through a combination of plus-addressing and dot tricks, each of which passes a naive uniqueness check at registration. Fraudsters exploit this to create multiple accounts for stacking referral bonuses, claiming repeated promotional offers, manipulating reviews, or evading bans. Unlike disposable emails, these alias-created accounts are tied to a real mailbox, which means they can pass email verification and receive ongoing communications, making them harder to dismiss outright.
Detection Approaches
Platforms can mitigate alias abuse through several normalization and analysis techniques:
- Plus-tag stripping: Removing everything between the + and the @ sign before storing or comparing addresses. This collapses user+tag1@gmail.com and user+tag2@gmail.com into the same canonical address.
- Dot normalization: For Gmail and providers with similar behavior, removing all dots from the local part to identify the base address.
- Known alias provider detection: Maintaining a list of domains associated with forwarding or alias services (e.g., SimpleLogin, AnonAddy, Firefox Relay) and flagging or blocking registrations from those domains.
- Canonical email comparison: Combining the above techniques to compute a normalized version of every email at registration time and checking for duplicates across existing accounts.
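The four techniques above combined into one canonicalization routine, as an added example that is not part of the original page. The alias-provider domains are placeholders, and treating googlemail.com as a synonym of gmail.com and lowercasing the local part are assumptions of this example.

```python
from collections import defaultdict

# Gmail ignores dots in the local part (see "Gmail dot trick" above).
# Assumption: googlemail.com is treated as the same mailbox domain as gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
DOMAIN_SYNONYMS = {"googlemail.com": "gmail.com"}
# Placeholder entries; a real list holds the domains of forwarding/alias services.
ALIAS_PROVIDER_DOMAINS = {"alias-service.example", "relay.example"}


def canonicalize(address):
    """Return (canonical_address, flags) for an address seen at registration."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Assumption: mailboxes are case-insensitive, as they are at major providers.
    local, domain = local.lower(), domain.lower()
    flags = set()
    base = local.split("+", 1)[0]
    if base and base != local:  # plus-tag stripping; a leading "+" is left alone
        local = base
        flags.add("plus_tag")
    if domain in DOT_INSENSITIVE_DOMAINS and "." in local:  # dot normalization
        local = local.replace(".", "")
        flags.add("dots")
    domain = DOMAIN_SYNONYMS.get(domain, domain)
    if domain in ALIAS_PROVIDER_DOMAINS:  # known alias provider detection
        flags.add("alias_provider")
    return f"{local}@{domain}", flags


def find_duplicates(addresses):
    """Group addresses by canonical form; return groups with more than one member."""
    groups = defaultdict(list)
    for addr in addresses:
        canonical, _ = canonicalize(addr)
        groups[canonical].append(addr)
    return {c: members for c, members in groups.items() if len(members) > 1}


# Constructed sample registrations, not real accounts.
SAMPLE = [
    "user+shopping@gmail.com", "u.s.e.r@gmail.com", "User+promo@googlemail.com",
    "j.doe+news@example.org", "j.doe@example.org", "jdoe@example.org",
    "x7f3k@relay.example",
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
```

Dots are stripped only for the Gmail domains, so j.doe@example.org and jdoe@example.org stay distinct. Store the canonical form next to the address the user typed, and treat the flags as signals to weigh rather than grounds for automatic rejection, since plus-tags also have the legitimate uses described earlier.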
Aliases vs. Disposable Emails
While both aliases and disposable emails enable users to obscure their identity, they differ in important ways. Disposable emails are temporary, often lasting only minutes, and are provided by dedicated throwaway services. Aliases are permanent forwarding addresses backed by a real account. This means alias-created accounts tend to be longer-lived and can engage in sustained abuse, whereas disposable-email accounts are typically abandoned quickly. Effective detection strategies should address both vectors.
Email Validation in a Broader Security Stack
Email alias detection is most effective when combined with other signals. AntiProxies provides email intelligence alongside proxy and VPN detection, allowing platforms to flag alias-based registrations while simultaneously checking whether the user is connecting through a residential proxy or other anonymizing service. Layering email normalization with device fingerprinting, IP reputation scoring, and rate limiting creates a comprehensive defense that raises the cost of multi-accounting far beyond what any single check can achieve. For more on building this kind of layered defense, read building a fraud prevention stack or learn why every SaaS eventually builds email validation.