Tagged Email Addresses Copyright (C) 2022, James Seymour (jseymour@LinxNet.com) "Tagged," or "plussed," email addresses are email addresses to which the username part has a tag appended, separated by a "+" (plus) sign. They are a security feature that allows users to give each Internet contact a unique email address for them. E.g.: A user named "somebody" whose email address is "somebody@example.com" might give PayPal an email address of "somebody+paypal@example.com," eBay an address of "somebody+ebay@example.com," Amazon "somebody+amazon@example.com," and so-on. Here's how tagged email addresses improve security (and why you should use them): 1. They make it more difficult for bad actors to break into accounts. A bad guy has to guess not only the password, but the email address as well. (The tag doesn't have to obviously relate to the site. E.g.: User "somebody" could give Amazon an email address of "somebody+4m4z0n@example.com" or "somebody+foobarbaz@example.com".) I almost never get "Somebody tried to log into your account" warning emails since I started using tagged email addresses for all site registrations. 2. They make so-called "phishing" attacks less successful. If a user has given the Foo Company a tagged email address of "somebody+foo@example.com" and receives an email claiming to be from Foo Company but was sent to their un-tagged email address, or a differently-tagged email address, they can be pretty sure it didn't come from Foo Company. I regularly get such things. Some startingly realistic. All I have to do is take one look at the email address to which it was sent to get a clue as to whether or not it's valid. 3. They can alert one to the fact a database has been breached. If the user starts getting unusual email, such as spam, scams, etc., to a tagged address it means either the site to which the tagged address was given has been breached or they sold the users contact information. I have twice informed vendors their databases had been breached, which they had not known, because I started receiving spam or scam emails to tagged addresses I'd given them. How Tagged Email Addresses Work When a mail server receives an email for a tagged email address it strips-out everything from the "+" up to the "@" and tries to deliver the email to the remainder. Thus, email sent to "somebody+foo@example.com" will be delivered to "somebody@example.com". Not all email servers support tagged email addresses. Googles and Apples do. Last I knew, Microsofts did not. Most Internet hosting services' email servers do. You can test this by sending yourself email to a randomly-created tagged email address, or, better yet, having somebody using a different email service do so. The Pitfalls Of Tagged Email Addresses Some site software incorrectly treats the "+" sign as an invalid email address character. It is not. (You can try reaching out to ask them to fix their software. I've actually had some occasional success doing that. Feel free to reference them to this page.) Some sites will accept a tagged email address for registration, then do random wonky things like fail to allow it when logging in, refuse to recognize it during the execution of certain operations (such as updating your user or customer information), or, worst of all: Accept it and later refuse to recognize it, locking you out of your account entirely. (I had that happen with A Certain Bookseller who has since gone out of business. And deservedly so, IMO.) Thus, for email services that provide for it, separate email aliases are sometimes preferable to tagged email addresses. About The Author Jim is a retired Systems, Network, and TelCom Administrator with over twenty-five years in the field--mostly for a $50M/year international corporation that had several facilities in North America, as well as branches in the U.K. and China. He was responsible for specifying, installing, configuring, and maintaining everything from desktops and laptops to Enterprise-grade servers and LAN, WAN, and WLAN network infrastructure, and for managing telecommunications contracts. Document Created: 2022-09-05, Last Updated: 2022-09-05