Anti-Spam Whitelist Email Strategy with the Plus Character

A friend of mine on the group that I am a part of was lamenting how one of his email addresses that only exists for billing needs ended up on a spam-list. That started me thinking about how I might address this, in a really needlessly geeky way.

A lot of email providers support the + (plus) construction in email addresses. Mail sent to such an address is delivered to the primary mailbox, the part before the +, and the tag after the + is discarded, unless you choose to use it for categorization in your email rules. That is exactly where I was going with this entire idea.

So start with an email account. It is probably best to pick a provider that is free, say gmail.com. Let's call the new user John Doe, with the address jdoe@gmail.com. Obviously, this is just an example.

We set up rules, and the first rule throws any email addressed directly to jdoe@gmail.com right in the trash. Then we generate a UUID for each service using uuidgen, which produces a 128-bit value guaranteed to be unique in space and time. So we can set up a vendor list, like this:

  • Google – E11849AF-60E5-4008-A23F-2DCDCC970DF4
  • Microsoft – A268F0C4-C17D-4BC1-BA46-E6E4E7DC856A
  • Apple – 1969FF7F-49DA-487C-9692-0AECCFC62E58

So then, when we enter in our email addresses in these unique services, we can just go with these:

  • Google – jdoe+E11849AF-60E5-4008-A23F-2DCDCC970DF4@gmail.com
  • Microsoft – jdoe+A268F0C4-C17D-4BC1-BA46-E6E4E7DC856A@gmail.com
  • Apple – jdoe+1969FF7F-49DA-487C-9692-0AECCFC62E58@gmail.com

Then, right above the rule that throws all the email to jdoe@gmail.com in the trash, we define each of these To: addresses as authentic, and then we can do stuff with those emails in the rules, like send them to a folder, mark them, play a sound, fire a webhook, whatever.

If any vendor gets clever, spots the + construction and strips it, they get nothing, as we are throwing all the messages addressed to jdoe@gmail.com and jdoe+@gmail.com right in the trash without even seeing them. Emails that come from the services we actually signed up with, addressed to the tag we gave them, will arrive.

What if we start getting spam at one of these addresses? Re-roll with uuidgen, then change your email address at that service to the new one. So if Google sells our address to a spammer, we just generate a new UUID, say 49F8179E-F171-4783-9246-8D3C46532575, and then go to Google and change our email address to jdoe+49F8179E-F171-4783-9246-8D3C46532575@gmail.com. The existing rule then throws any email that doesn't match one of the right UUIDs in the trash.
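The rule logic described above (trash everything except known tags, defeat stripped or empty tags, re-roll a burned tag) as a small added example in Python. This is my own illustration, not code from the original post; the mailbox, the three vendor tags and the `classify`/`reroll` names are constructed for the example, and burned tags are kept around so a leak can still be attributed to the vendor that caused it.

```python
import re
import uuid
from email.utils import getaddresses

# Mailbox from the post; the three vendor tags are its example values.
LOCAL_PART = "jdoe"
DOMAIN = "gmail.com"
VENDORS = {
    "E11849AF-60E5-4008-A23F-2DCDCC970DF4": "Google",
    "A268F0C4-C17D-4BC1-BA46-E6E4E7DC856A": "Microsoft",
    "1969FF7F-49DA-487C-9692-0AECCFC62E58": "Apple",
}
BURNED = {}  # tag -> vendor that leaked it, so later spam is still attributable

# local-part, optional "+tag", domain; the tag is everything between "+" and "@"
ADDR_RE = re.compile(r"^(?P<user>[^+@]+)(?:\+(?P<tag>[^@]*))?@(?P<domain>[^@]+)$")

def classify(to_header, vendors=VENDORS, burned=BURNED):
    """Decide what the mail rule does with a message based on its To: header.

    Returns ("keep", vendor) when a recipient carries a live tag, otherwise
    ("trash", reason). Untagged, empty-tag and unknown-tag mail is trashed,
    which is what defeats a sender that strips the + part.
    """
    for _display, addr in getaddresses([to_header]):
        m = ADDR_RE.match(addr.strip())
        if not m or m["user"].lower() != LOCAL_PART or m["domain"].lower() != DOMAIN:
            continue                      # some other mailbox entirely
        tag = (m["tag"] or "").upper()    # tags are compared case-insensitively
        if tag in vendors:
            return ("keep", vendors[tag])
        if tag in burned:
            return ("trash", f"burned tag, leaked by {burned[tag]}")
    return ("trash", "no live tag")

def reroll(vendor, vendors=VENDORS, burned=BURNED):
    """Retire a vendor's tag and mint a fresh random UUID (what uuidgen does).

    The old tag moves to the burned list so mail to it is trashed and
    attributed to the vendor that leaked it. Returns the new tag.
    """
    old = next(t for t, v in vendors.items() if v == vendor)
    del vendors[old]
    burned[old] = vendor
    new = str(uuid.uuid4()).upper()
    vendors[new] = vendor
    return new
```

Real mail rules evaluate the delivered address rather than only the To: header, so in practice the same matching would be applied to whatever recipient field your provider exposes to its filters.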

This way, you'll never get another drop of spam going forward. If a site sells your address, just change your email address at that site, and burn the old UUID.

It’s one way to address spam, by a scorched-earth policy. We can’t have nice things, so we have to do it this way.