How To E-Mail Me (And Why It Has To Be This Way)

Preface

I realize this article is quite lengthy, and not everyone will want to read it all. If you have a short attention span, or you simply don't feel like reading the entire article just to send me a single message via e-mail, you can skip ahead (please finish this paragraph first, though) and read at least the first two sentences in the section called For The Nonce. If you don't read both the first and second sentence, don't blame me if your e-mail doesn't get through. The e-mail addresses you'll find there are not guaranteed to work indefinitely even if modified as instructed, so don't bother saving them for future use. They're only intended to be used by people with whom I haven't corresponded recently, or at all (by e-mail). If you want an address you can save for future use, you'll need to read the rest of this article. Sorry, but it has to be that way. Blame the spammers.

Introduction

Spammers have ruined e-mail for all of us (I personally think they should all go to prison for the rest of their lives[1]). Most people have had to resort to filtering their mail, or having it filtered for them, in order to make their e-mail usable.

Unfortunately, this has issues:

I used to filter my e-mail, but I no longer do. Instead, I've adopted a system of whitelists and tags (AKA "plus addressing"), and I no longer have a spam problem.

I have two whitelists:

All mail coming from an address on my e-mail address whitelist or from an IP address on my IP address whitelist[2] will be delivered regardless of content. Everything else will bounce[3], unless the address it's sent to—my address—includes a tag which I've authorized and added to a list of authorized tags. If it does, then again, it will be delivered regardless of content. The bottom line is, if you're not on my whitelist, you need to use a tag—one that I've authorized—or your mail will bounce.

There are very few IP addresses in my IP address whitelist, but if you happen to have an account at either sdf.org, sdf-eu.org, or nyx.net, and you send your mail through one of these services, then your mail will be whitelisted due to the IP address of the mail server. I also temporarily whitelist any e-mail address I've sent mail to recently (more specifically, any address found in my sent mail folder is automatically whitelisted unless and until I purge the folder of all mail containing that address).

What Are Tags?

Most e-mail addresses consist of two parts: a username and a domain. These are joined together with an "@". A tagged address has a third part—the tag—that comes between the username and the "@", and is joined to the username with a "+" (which is why this is sometimes referred to as "plus addressing"). In other words, instead of username@domain, a tagged address takes the form username+tag@domain.

The way most people use tags, the tag is optional, and mail will be delivered even if the tag is removed. The way my e-mail is set up, however, the tag is mandatory for any sender who sends me mail from an address that's not in my e-mail address whitelist through a mail server that's not in my IP address whitelist. Only those who have been whitelisted may send me e-mail (successfully) without a tag.

I have two kinds of tags: dated tags and undated tags. Undated tags may be used as-is, and everyone I provide an undated tag to gets a different tag, so if I get spammed using a certain tag, I know who to blame, and I can easily stop the spam by removing that tag from my list of authorized tags. Of course, this also blocks all mail from the person or organization I originally provided the tag to.

Dated tags, on the other hand, must have the current six digit date appended in YYMMDD format in order to be delivered to my inbox. These are for posting in public places (like this web page), since if they're harvested by spammers, they won't work for very long without modification, and they may be revoked or changed at any time.

For The Nonce

Having said all that, if you want to send me e-mail, but you're not on my whitelist and I haven't given you your own personal tag, for now you can send it to either unicorn+xyz240423@sdf.org or cmartin+xyz240423@nyx.net. Both of these addresses include dated tags, as described in the previous section, so you need to make sure that the numeric part of the address matches the current date in YYMMDD format (two digit year, two digit month, and two digit day, in that order), or your mail will bounce[3]. The timezone doesn't matter, as the algorithm that does the date comparison allows for timezone differences (the timezone used in the above addresses is UTC), as well as potential mail delays, as long as they're relatively short. This means that there's actually a four day window of allowable dates that will get through: the current date UTC, one day forward and one day backward to cover timezone differences, and a second day backward to cover potential mail delays.

The above addresses should simply work, since they're dynamically generated. If they happen to be more than one day off, you can either try refreshing the page in your browser, or just edit the address manually to reflect the current date before sending your e-mail. Although this might be inconvenient if you had to do it every time you want to send me e-mail, once I reply to your e-mail your address will automatically be added to my whitelist (temporarily), and then my regular, untagged address (i.e., one of the above addresses with everything from the + through the end of the date removed) will work. Tags will also work if you're whitelisted, even if they don't appear in my list of authorized tags. They just aren't necessary. I do try to keep my whitelists synced between accounts, but since the temporary whitelist is based on your e-mail address being found in my sent mail folder, it will only apply to the address I've replied from.
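The delivery rules described so far (sender and server whitelists, undated tags, and dated tags with their four-day window) can be sketched as one decision function. This is an added example, not the author's actual mail configuration: the whitelist entries, the undated tags, the function names and the sample IP range are all constructed, and only the dated tag `xyz` comes from the addresses above.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample policy (not the author's real lists or tags, apart from
# the dated tag "xyz" that the page itself publishes).
SENDER_WHITELIST = [re.compile(r"alice(\+[^@]*)?@example\.org", re.I)]  # with or without a tag
IP_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]   # sending mail servers
UNDATED_TAGS = {"bank-7q", "lists+announce"}            # one per correspondent
DATED_TAGS = {"xyz"}                                    # need a YYMMDD suffix

def allowed_stamps(today_utc):
    """Today (UTC), one day ahead, and two days back: the four-day window."""
    return {(today_utc + timedelta(days=d)).strftime("%y%m%d") for d in (1, 0, -1, -2)}

def recipient_tag(rcpt):
    """Return the tag (text after the first '+' in the local part), or None."""
    local = rcpt.rpartition("@")[0]
    _, plus, tag = local.partition("+")
    return tag.lower() if plus else None

def decide(sender, rcpt, server_ip, today_utc=None):
    """Return 'deliver' or 'bounce' for one message envelope."""
    today_utc = today_utc or datetime.now(timezone.utc).date()
    # Whitelisted senders and servers get through with or without a tag.
    if any(p.fullmatch(sender) for p in SENDER_WHITELIST):
        return "deliver"
    ip = ipaddress.ip_address(server_ip)
    if any(ip in net for net in IP_WHITELIST):
        return "deliver"
    tag = recipient_tag(rcpt)
    if not tag:
        return "bounce"                    # untagged and not whitelisted
    if tag in UNDATED_TAGS:
        return "deliver"
    # Dated tag: authorized name followed by a six-digit date inside the window.
    name, stamp = tag[:-6], tag[-6:]
    if name in DATED_TAGS and stamp in allowed_stamps(today_utc):
        return "deliver"
    return "bounce"
```

Revoking a leaked tag is a one-line change: remove it from `UNDATED_TAGS` or `DATED_TAGS` and every address that carries it starts bouncing.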

Getting Whitelisted or Requesting a Tag

Anyone who asks nicely may be added to my permanent whitelist, and then the tag will no longer be necessary even if I purge your mail from my sent mail folder, but only if you e-mail me from the address I've listed in my whitelist (my whitelist uses something called "regular expressions", which means it can include pattern-matching so, for example, if you use tags, as I do, I can whitelist your address both with and without tags without even knowing what tags you might use).

If you change addresses often, you may want to request a personal, undated tag to use in place of one of the dated ones above, since a tagged address can be used from any e-mail address you happen to be using at the time. I'll even allow you to choose your own tag if you like. If you choose to create your own tag, you can include not only letters and numbers, but also any of the following characters: ._?+-/*^={}|`'#$&~ (yes, surprisingly, all of these are valid characters in an e-mail address, but you should be sure your e-mail provider allows you to use them, since it's possible some e-mail providers may use improper methods of "testing" the validity of an e-mail address before allowing you to send e-mail to it, as some other types of web sites have been known to do—I don't know if any do this or not, only that I've experienced it when trying to create an account some places where an e-mail address is required). The only limitation is that the period, or "dot" (".") cannot appear twice in a row, or at the end of the tag. Also, letters in tags, like letters in any other part of an e-mail address (most addresses, anyway), aren't case sensitive, although there's technically nothing stopping me from making them so if I want.

Please note that if I have provided you with a tagged address, you are responsible for that address. Do not share it with anyone. Do not enter it into a web site in order to have that site send me something. If I get spammed using that tag, I will hold you responsible, and you will no longer be able to use it, since I will disable it (i.e., remove it from my authorized tags list).

Conclusion

Since switching to this system, my spam problem has been almost completely eliminated. I don't even have a spam folder[4], and I get almost no spam—maybe one or two a year, if that[5]. The most likely source of spam now comes through mailing lists I'm subscribed to, since spam there will use the same tag as all other mail from the list, but most mailing lists do a pretty good job of filtering out the spam.

In addition to eliminating spam, it also makes phishing attacks difficult, since it will be obvious to me whether a given message is really from who it says it's from. After all, my bank's e-mail address (to use an example) would not be in my whitelist. Instead, they would be using a tag I provided them. If I get mail purporting to be from my bank, but it doesn't have the proper tag, I'll know there's something "phishy" about the mail. The only way a phishing e-mail would have the proper tag is if they got my e-mail address from my bank. If they got it anywhere else, it would have a different tag. If they got it without a tag, or if they removed the tag to try to hide where they got it, thinking my use of tags was the same as most other people's use of tags, their mail will bounce, and I'll never see it. The same goes for Amazon, or eBay, or PayPal, or any other company I deal with[6].

All in all, it's been a good system, and it makes managing my e-mail a lot simpler. My only problem now is incompetent idiots who refuse to accept an e-mail address with a "+" in it as a valid address, and they try to enforce that with faulty JavaScript on their web pages. They could at least educate themselves about how things work before implementing such a braindead idea that just exposes their ignorance and incompetence. The only proper way to check the validity of an e-mail address is to attempt to send mail to it and see if it gets through. If you request a confirmation and get it, the address must be valid, right? Morons.


  1. If you think that's too harsh, then how about incarcerating them for one hour for each item of unsolicited e-mail sent out? Then consider that the typical spammer sends out millions of spams during each mailing. That should put things in perspective. (For those who can't or don't want to be bothered with working out the math, a million hours is just slightly less than 114 years and two months—and that's just for one mailing of one million spams.)
  2. I'm referring here to the IP address of the mail server that handles your outgoing mail, not the IP address of the computer in your home or office or wherever it is that you read and write your e-mail.
  3. Since spammers like to falsify their e-mail addresses, sometimes even using the legitimate address of some innocent party who will then receive all of the bounces, I first try to verify (at least to some extent) whether the address they've provided is not only legitimate, but actually belongs to them before bouncing the mail (the actual method is beyond the scope of this article, and although it may not be perfect, it's good enough to prevent bouncing mail to innocent parties or clogging outgoing e-mail queues). The result is that most spam doesn't actually bounce, but is instead silently dropped, while anyone who uses their real address to send me e-mail will still get a bounce if they haven't been whitelisted and aren't using an authorized tag. I do this because I feel bouncing mail is preferable to just silently dropping it, since bounces are useful. I certainly want to know if mail I've sent was rejected for some reason, and I think others would as well. The idea that mail should never be bounced due to "backscatter" is just plain stupid. Just bounce intelligently, and backscatter shouldn't be a problem.
  4. Actually, I do, but nothing ever goes into it unless I'm experimenting with improvements to my configuration, in which case I temporarily drop things there instead of bouncing them, just in case I made a mistake, so I don't bounce something important. Once I know it's working correctly, however, I disable the spam folder and start bouncing things again.
  5. Actually, I think my most recent change has stopped even those. I believe my system is now likely to be at least 99.99% effective at stopping ALL spam and ALL phishing e-mail. That would mean less than one spam or phishing e-mail in 10,000 might get through. Of course, that's just a guess. Nothing has gotten through since that change, and it's been months, as of the writing of this footnote.
  6. Actually, PayPal is dealt with a little differently. The tag they've been given is "paypal", but only mail from mail servers known to be used by PayPal can send me mail using that tag, since it's the same tag used to send money to my PayPal account. That means anyone can send me money using the paypal tag (with either the @sdf.org or the @nyx.net address), but only PayPal can send me e-mail using it. Anyone else who tries will see their mail bounce right back.