This technique’s about a decade old, but a lot of people still aren’t using it, and I can’t help but suspect that can only be because they didn’t know about it yet, so let’s revisit:
You have a GMail account, right? Or else Google for Domains? Suppose your email address is firstname.lastname@example.org… did you know that also means that you own:
You have a practically infinite number of GMail addresses. Just put a plus sign (+) after your name but before the @-sign and then type anything you like there, and the email will still reach you. You can also insert as many full stops (.) as you like, anywhere in the first half of your email address, and they’ll still reach you, too. And that’s really, really useful.
When you’re asked to give your email address to a company, don’t give them your email address. Instead, give them a mutated form of your email address that will still work, but that identifies exactly who you gave it to. So for example you might give the email address email@example.com to Amazon, the email address firstname.lastname@example.org to Twitter, and the email address email@example.com to… that other website you have an account on.
Why is this a clever idea? Well, there are a few reasons:
- If the company sells your email address to spammers, or hackers steal their database, you’ll know who to blame by the email address they’re sending to. I’ve actually caught out an organisation in this way who were illegally reselling their mailing lists to third parties.
- If you start getting unwanted mail from somebody (whether because spammers got the email or because you don’t like what the company is sending to you), you can easily block them. Even if you can’t unsubscribe or just because they make it hard to do so, you can just set up a filter to automatically discard anything that comes to that email address in future.
- If you feel like organising your life better, you can set up filters for that, too: it doesn’t matter what address a company sends from, so long as you know what address they’re sending to, so you can easily have filters that e.g. automatically forward copies of the mortgage statement that come to firstname.lastname@example.org to your spouse, or automatically label anything coming to
email@example.com with the label “Shopping”.
- If you’re signing up just to get a freebie and you don’t trust them not to spam you afterwards, you don’t need to use a throwaway: just receive the goodies from them and then block them at the source.
I know that some people get some of these benefits by maintaining a ‘throwaway’ email address. But it’s far more-convenient to use the email address you already have (you’re already logged-in to it and you use it every day)! And if you ever do want a true ‘throwaway’, you’re generally better using Mailinator: when you’re asked for your email address, just mash the keyboard and then put @mailinator.com on the end, to get e.g. firstname.lastname@example.org. Copy the first half of the email address to the clipboard, and then when you’re done signing up to whatever spammy service it is, just go to mailinator.com and paste into the box to see what they emailed you.
A handful of badly-configured websites won’t accept email addresses with plus signs in them, claiming that they’re invalid (they’re not). Personally, when I come across these I generally just inform the owner of the site of the bug and then take my business elsewhere; that’s how important it is to me to be able to filter my email properly! But another option is to exploit the fact that you can put as many dots in (the first part of) your GMail address as you like. So you could put d…email@example.com in and the email will still reach you, and you can later filter-out emails to that address. I’ll leave it as an exercise for the reader to decide how to encode information about the service you’re signing up to into the pattern and number of dots that you use.
Go forth and avoid spam.
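The leak-spotting idea from the list above, as an added example (not code from the original post): it applies the plus-sign and full-stop rules the article describes to the recipient address of each message and reports tags that are receiving mail from a sender they were never given to. The addresses, sender domains and function names are constructed for illustration, with example.com standing in for a GMail-style mailbox.

```python
from collections import defaultdict


def split_recipient(address):
    """Return (canonical_address, tag) under the rules the article describes:
    dots in the first half are ignored and everything after the first '+'
    is a free-form tag. Case is folded too (an assumption of this sketch)."""
    local, _, domain = address.strip().lower().rpartition("@")
    name, plus, tag = local.partition("+")
    canonical = name.replace(".", "") + "@" + domain
    return canonical, (tag if plus else None)


def find_leaks(messages, my_address, expected_senders):
    """messages: iterable of (delivered_to, sender_domain) pairs.
    expected_senders: tag -> the sender domain that tag was handed to.
    Returns tag -> sorted list of sender domains that should not know it."""
    mine, _ = split_recipient(my_address)
    leaks = defaultdict(set)
    for delivered_to, sender_domain in messages:
        canonical, tag = split_recipient(delivered_to)
        if canonical != mine:
            continue  # not one of our own address variants
        key = tag if tag is not None else "(untagged)"
        if expected_senders.get(key) != sender_domain.lower():
            leaks[key].add(sender_domain.lower())
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample data: (recipient address, domain of the sender).
MESSAGES = [
    ("jane.doe+shop@example.com", "shop.example"),
    ("Jane.Doe+shop@example.com", "bulkmail.example"),   # tag reused by a stranger
    ("janedoe+forum@example.com", "forum.example"),
    ("j.a.n.e.doe+forum@example.com", "forum.example"),  # dot variant, same mailbox
    ("jane.doe@example.com", "pills.example"),           # tag stripped or never given
    ("someone.else+shop@example.com", "shop.example"),   # a different mailbox
]
EXPECTED = {"shop": "shop.example", "forum": "forum.example"}

if __name__ == "__main__":
    for tag, senders in find_leaks(MESSAGES, "jane.doe@example.com", EXPECTED).items():
        print(f"tag {tag!r} is receiving mail from unexpected senders: {senders}")
```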
49 replies to GMail Tip: Use A Plus Sign To Avoid Spam
When setting up filters, search for ‘deliveredto:”firstname.lastname@example.org”‘
Thanks so much! I’ve been using the plus trick to create custom emails for years, but never did figure out what search term was needed to filter for them.
Great write up! If I didn’t already use my old yahoo to sign up for everything (since it’s already filled with spam), I would definitely take advantage of this. I’ve seen this before but I try to keep my gmail as isolated from the rest of my internet identity as possible and have yet to see one piece of spam in the 10+ years I’ve had it.
Dan Q mentioned this article on danq.me.
It’s also useful for avoiding accidentally misaddressed mail. For several months, I was getting lots of email intended for an American lady whose email is identical to mine apart from an initial in the middle. Unfortunately, the initial was the same as the last letter of our mutual first name and a lot of people just missed it out as a result, because they didn’t ‘see’ it.
I suggested she give out her email address with a dot on either side of the initial, and it seems to have worked like a charm. The initial stands out clearly and people are obviously remembering to use it now, as I haven’t seen an email for her in several weeks.
It’s slightly scary how much you can learn about someone just by getting random mail intended for them. Luckily, this lady seems a very nice person.
This is so useful, also for another reason: I’ve managed to set up a gmail account where I’m able to send emails from versions of it with a +, which has allowed me to have a shared gmail account for the board of a local board game club where we can use it to note who is the sender/intended receiver and also have emails sorted accordingly, which for us is important as it allows for transparent yet organized working.
oh, and capitalization is also something gmail doesn’t make a distinction between even though many websites do treat them as separate email addresses, also useful if you need multiple accounts on the same website.
As for how to on sending email from + addresses:
Go to “settings” -> “Accounts and Import”
at the “Send mail as” click “Add another email address”
a pop-up should appear where you can enter the display name you wish to connect to that version of your email and in the email field you write the altered + email address; keep the “treat as an alias” checkbox checked.
How did you convince it to send using the +? I want to use this trick when I send out my seasonal mailers so I can filter the responses to that specific variation of my address.
Interesting. cPanel hosting where you manage your own mailboxes etc, allows you to enable ‘Plus addressing’, a feature I’ve used for a while now. This allows you to have emails directed to folders based on the plus addressing. – see https://blog.cpanel.com/plus-addressing-in-cpanel/ for more.
This is awesome. Saw it as well in my cPanel settings, but didn’t give it much thought. Now after reading all these and doing a revisit, I think all the information on this post & comments section are getting to be quite resourceful. Thanks to you all.
Two or more consecutive dots in an email address are definitely invalid! So, d..a..email@example.com will NOT work.
Harold: you’re right that many, perhaps most email clients seem to reject multiple consecutive dots in a row, but I can’t find anything in the standards that would require this to be the case: interesting! Thanks for sharing.
I feel like I’ve been using GMail for far too long to just be discovering this tip about using the “+” symbol in addresses today. danq.me/2017/09/26/gma…
Holy crap. How did I not know about this?
Account-specific email is easy, valuable, and under-used. It also helps companies that have been hacked.
I once discovered 300,000 email addresses had been compromised thanks to 8 accounts that did this.
We learned to use bait accounts as a result.
I did know about the dots. I’ve been receiving emails addressed to someone with the same name, but people using gmail instead of hotmail or some other provider. And they also don’t know about the fact that putting any number of dots in doesn’t change a thing.
But I only recently learned about the + sign, when my wife found that out by accident, using +1 after the first part of her email address. So I tried that with my own email and used +2, +A and a few more options. When all that worked, I wanted to find out if this was a general feature, which was how I arrived at this site.
Thanks, Dan, for sharing!
HUGE gmail tip! I never knew how powerful the + could be! I knew about this, but this application of it is next level! danq.me/2017/09/26/gma…
Great article, still relevant. But here is a situation – let’s say I created myName+Amazon@Gmail.com to signup to Amazon. Now they send me an email to which I want to reply using the same email (with the + sign) I signed up with. Now I hit a brick wall. Can’t do it or I don’t know how to. Can you help?
Yes, you can do this Tommo! In your GMail settings, hit “Accounts”, then “Add another email address”. Put your special “plus” address into the list as an alias. You’ll be sent a test email to that address (which will come straight back into your Inbox): click the special link in that email. You can now send “from” your other address by using a drop-down next to the From: address when composing email. You can also optionally configure GMail to automatically prefer to reply from the address on which you receive an email, if you do this a lot.
You can use this technique to send mail “from” almost any address at which you’re able to receive mail, which is especially useful if you have multiple email accounts forwarding to the same place.
That was a great article Dan thank you
do any sites remove the stuff after ‘+’ in a gmail address to stop this trick from working? danq.me/2017/09/26/gma…
am paranoid about this so i use a catch-all forwarding address instead and generate a new email (ex: firstname.lastname@example.org) for each service. namecheap.com/support/knowle…
Actually I learned this recently!
All are equal to *email@example.com*
I just saw a thread on that and wanted to give credit to this site explaining the plus sign in gmail #infosec danq.me/2017/09/26/gma…
Thanks for the guide! I have a concern, if I am a spammer or marketer, and I see an email with plus sign (e.g. firstname.lastname@example.org), I might also email another copy to email@example.com knowing that the primary email should be whatever before the plus sign.
You’re right that spammers _could_ copy in the addresses pre-plus sign. This could, of course, be a different person (plus signs are valid in email addresses!), but spammers rarely care. Indeed, some spammers are probably doing this!
But everything you do that adds effort to what a spammer has to do is valuable. Spammers are generally pretty lazy: sending email is cheap but the number of people who respond to your mail is low, so it’s usually in a spammer’s interest to send a message to a million people and then move on. If they have to spend an extra 5 minutes sorting out a filter for plus signs only to copy in a _few_ extra people… none of which will probably take the bait anyway… then it’s a waste of their time and they needn’t bother.
If that’s insufficient reassurance, you can go further! So long as you ONLY give out your email address with a plus sign in it, you can reject any mail that DOESN’T have a plus sign in it. So a spammer not only needs to notice the plus sign – they need to replace the bit afterwards with a different bit, ideally one that you’ve already used elsewhere.
Or – my favourite technique – you can get your own domain name and set up a “catch-all” email address: i.e. “everything to anything @danq.me comes to me, EXCEPT these addresses”. Then you can give a completely different email address to everybody you deal with (no plus signs needed) and get all the same advantages. But it does involve buying a domain name (which isn’t a bad idea regardless).
Choose the right approach for you! Good luck!
You can avoid this by never using the base email address, and having a filter that deletes anything sent to it.
You can further secure by not using meaningful tags and instead use firstname.lastname@example.org and having a filter that moves things tagged with randomstring specifically to . Only you and the people you shared ‘randomstring’ with will then be able to get through your filters, neither deleting the + nor altering it will cause emails to land in your inbox.
This is awesome! I am having a problem though. I’ve tried to update my email with Kohl’s and DSW; neither will accept my email address with the +. email@example.com
Yeah, some companies (wrongly) treat email addresses with plus signs in as invalid.
You could try to persuade the company to fix their systems, e.g. by complaining that you couldn’t enter your email address “amy+sam@” or something. But they probably won’t fix it. And then the best you can do is shop elsewhere and tell them why… or cave in and do things “their way”.
I don’t use the plus-sign technique any more. Instead: I use my domain and set up different email addresses for every organisation I deal with, but have them all configured to land in the same Inbox. But that’s harder to set up, unfortunately. You can do it with GMail, just about, though: set up e.g. firstname.lastname@example.org (hyphen, not plus sign) as a new email address and configure it to forward all mail to email@example.com (so you never need to log in to it). A bit clumsy, but it works.
Up to you if it’s worth it!
Just learned of this trick, I think this is brilliant!
If your Gmail address is “firstname.lastname@example.org” you can use “email@example.com” and it will still go to firstname.lastname@example.org.
Great way to see who is selling your email
I wanted to drop you a note and say people like me are still finding your fabulous post and finding value in it. I really appreciate your taking the time to write all of this. Truly helpful as I transition to a more private email provider than Gmail.
This would be useful only if you could disable incoming email to your primary address (without any +). Otherwise, spammers can just remove the + and you are stuck. I have done just that with my own home grown email system.
Dan this is a great article! I do have a question, and I apologize for being a bit thick I’m not following what you’ve said. In your 11 September 2020 comment, you said:
“ Or – my favourite technique – you can get your own domain name and set up a “catch-all” email address: i.e. “everything to anything @danq.me comes to me, EXCEPT these addresses”. Then you can give a completely different email address to everybody you deal with (no plus signs needed) and get all the same advantages. ”
Could you please elaborate on this? I don’t fully follow it. You have a domain like mydomain.com. Then what do you do? Thanks!
You need to configure your mailserver to send all mail (possibly EXCEPT some) to a particular Inbox. You can’t do this with Gmail (alone), but if you don’t feel comfortable configuring Postfix or whatever then check with your domain registrar who might be able to help if they offer catch-all forwarding. Or consider a better email service (ProtonMail can handle catch-all for domains, for example.)
If you are concerned that spammers will just strip the + part from the address just make an alias and trash that address. Only the mail for that alias containing the + part will get through. I am using modoboa for this so gmail is not the only one with this feature…
My concern isn’t that spammers will strip the +… bit, but that the companies I give my email address to legitimately won’t treat it with care and respect (e.g. they’ll add me to mailing lists without my consent, sell my details, or their database will get compromised). That’s why I give a different email address to every company I deal with. Setting up a throwaway address for all of them would take time, so I have a catchall set up and have a program that checks the inbound addresses against an allowlist and a blocklist to decide whether to pass them on to my inbox. The set-up took some time but it pays off over the many years I’ve used it since: I just wish I’d had it for my entire 27 years of email history!
I found this and it was enlightening.
A plus “+” sign. I used the equals sign to show the two email addresses are “equal” as far as gmail is concerned. It is all explained here…
Never knew this before… pretty handy gmail spam tracking tip… danq.me/2017/09/26/gma…
This article talks about using a + to detect which companies are selling your information
Okay, I followed everything and yet when I tried to use the email on a site…it keeps giving me “Invalid email”.
Some sites (incorrectly) detect plus signs as invalid in email addresses. A superior technique, which requires more set-up, is to own your own domain name and give aliases to each corporate sender. For example, I use a technique where I concatenate the company name with a secret key and hash it, then concatenate THAT between the company name and the @ sign in my email address, to give a first part that looks like e.g. amazon-a1b2c3d4e5f6@ (but with the actual hash) in front of danq.me. Then I can use filters to let through only email aliases whose hashes match those generated by my secret key.
But you can’t do that with plain old GMail, I’m afraid. I’d already moved-on by the time I wrote this article, in 2017, but wanted to share the “plus sign” approach for those people it would help, on those sites it would help on. Good luck!
Thanks Dan for this article and responding to so many comments. Like quite a few people in the comments section I am confused about the system that you use. Is there any chance that you could provide a detailed explanation of your approach to email as I read every answer you wrote above but I still don’t understand how you set up your email system. I understand it involves having new email addresses for each entity that you give out an email address to but wouldn’t this be burdensome having to do this each time – presumably it’s not which is why you prefer your system, which is why it would be so helpful if you could provide a detailed explanation of your approach.
Thanks so much for your articles!
I’ve not blogged about it because, frankly, the code I’ve hacked together is embarrassing, hacky, and probably insecure, so I don’t want it published on the open Internet until I get a chance to improve it. And if you’ve seen some of the code I HAVE published on my blog, you’ll know that it must be especially bad for me to talk so ill of it! But here’s the skinny:
1. Set up a domain for “catch all” email. If your domain was example.com, that means that email@example.com gets delivered to one mailbox. I’m using my domain registrar for this, but you could happily run Postfix and dump everything to an mbox or something.
2. Set up a script to filter your mail based on recipient address, and spam everything that fails the test. This is the clever bit. I require that the bit before the @ sign either matches (a) a specific address in an allowlist, for legacy reasons, or (b) an address that matches a very specific format, detailed below. It also must NOT match (c) a blocklist of addresses I don’t want to receive mail to any more. I do (c) in code but I should move it to my MTA.
3. Write a userscript/browser plugin and/or other tool to help you generate addresses that match the format in (b), above, so you can come up with them on-the-fly.
4. Make free output available to your mail client via SMTP/IMAP or whatever, so you can carry on using your usual tools (I love ProtonMail, maybe you like Gmail or whatever).
So, the magic format! I have a secret key (strictly speaking, it’s a salt). My protected email addresses are always of the form [string][hash]@example.com, such that [string] is any string (but I tend to use the name of the company I’m giving the address to or some variant of it, eg including the current date if I might sign up multiple), and [hash] is the first 8 characters of the result of concatenating [string] with my secret key (salt) and then running it through a hashing function (for this purpose, basically any will do: it doesn’t need to be collision-resistant: I’m using SHA1). Tada!
So when I sign up somewhere, I type eg “amazon” into a box, click a button in my browser, and it becomes eg “firstname.lastname@example.org”, where “a1b2c3d4” is the irreversible result of running SHA1(“amazon” + my secret key). That email address works, but if you change even a single character you get marked as a spammer. And to any machine it looks like a perfectly reasonable if unusual email address.
Some day I’ll publish some code. But for now that’s enough for an enterprising nerd to have a go!
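One way to implement the address format and the recipient checks (a), (b) and (c) described in the comment above, as an added example; it is not Dan’s code, which the comment says is unpublished. The secret, domain, allowlist and blocklist values are constructed, the function names are hypothetical, and the blocklist is checked first on the assumption that a blocked alias should lose even when its hash is valid.

```python
import hashlib
import hmac

TAG_LEN = 8                     # hex characters kept from the digest
SECRET = "constructed-secret"   # constructed value; keep the real one private
DOMAIN = "example.com"          # constructed catch-all domain


def make_tag(label, secret):
    """First TAG_LEN hex characters of SHA1(label + secret)."""
    digest = hashlib.sha1((label + secret).encode("utf-8")).hexdigest()
    return digest[:TAG_LEN]


def make_alias(label, secret=SECRET, domain=DOMAIN):
    """Build [string][hash]@domain for a new sign-up."""
    label = label.lower()
    return f"{label}{make_tag(label, secret)}@{domain}"


def classify(recipient, secret=SECRET, domain=DOMAIN,
             allowlist=frozenset(), blocklist=frozenset()):
    """Return 'accept' or 'spam' for one recipient address."""
    local, at, rcpt_domain = recipient.strip().lower().rpartition("@")
    if not at or rcpt_domain != domain.lower():
        return "spam"
    if local in blocklist:       # (c) addresses that have been retired
        return "spam"
    if local in allowlist:       # (a) legacy addresses without a hash
        return "accept"
    if len(local) <= TAG_LEN:    # no room for both a string and a hash
        return "spam"
    # (b) there is no separator, so the last TAG_LEN characters are the hash
    label, tag = local[:-TAG_LEN], local[-TAG_LEN:]
    expected = make_tag(label, secret)
    # Constant-time comparison; 8 hex characters is a 32-bit tag, so a blind
    # guess at a new alias succeeds about once in 4 billion attempts.
    ok = hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))
    return "accept" if ok else "spam"


if __name__ == "__main__":
    alias = make_alias("amazon")
    local = alias.split("@")[0]
    forged = local[:-1] + ("0" if local[-1] != "0" else "1") + "@" + DOMAIN
    for rcpt in (alias, forged, "amazon@" + DOMAIN, "dan@" + DOMAIN):
        print(rcpt, "->", classify(rcpt, allowlist={"dan"}))
    print(alias, "(blocklisted) ->", classify(alias, blocklist={local}))
```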
Still super relevant in 2022 for the sites that allow it. Sadly, I just had a web programming class where the professor tried to tell me that + signs really are invalid.
I actually wanted to drop another usage I found and didn’t see in the comments, just in case someone else comes by. For websites where you might need multiple accounts (semi rare, but not unheard of) the + sign or full stop in an email address will not get recognized by the website as a duplicate email, so you can create accounts as needed without having to use up or create new email accounts.
I only recently learned that if you have a Gmail account, you can add +email@example.com, so whenever I have to sign up to anything I do firstname.lastname@example.org so you can see who’s sold your details. Learnt from this article danq.me/2017/09/26/gma…
Some (very few) newsletters/automated messages I *do* want delivered. So I use a plus sign in my email address and then filter accordingly.
Funny you mention… LinkedIn actually has been hacked before. Luckily I give a unique email address to every site I sign up to, so I could just block all the spam I started getting, but I’m sure most people don’t do that.