Yes, you are correct.
If you’re using your aliasing-service to “blend in the crowd”, just like how TOR works, you may not want to use a custom domain.
For me, the purpose of AnonAddy is first, and foremost, to help me combat spam. Any privacy improving aspects I see as purely bonuses.
I will use the shared domains from time to time though, if I consider the risks to be too high. This goes from posting an email in a public forum, to signing up for a particularly suspicious newsletter for one-time benefits.
As always, you should take your own threat model in mind.
Yes, that is a core aspect of how these “aliasing services” work.
You are able to simply hit the “reply” button, in which ever email provider the emails are routed to, and whatever you write will be delivered exactly like that to the person who sent you an email. From their perspective everything will look exactly as if they were talking to a regular email address.
This is a feature of both AnonAddy and SimpleLogin.
Regarding catch-all, that is basically also how I configured my usage of AnonAddy. Usually you would go and create a new alias, before you want to receive incoming mails on that address. All emails to aliases that are not already created will be dropped. But they also offer a, to me at least, superior version, where aliases are automatically created once the first email arrives on it.
This way you basically have a catch-all address, but with the benefits of being able to respond as all “identities”, as well as toggle off individual ones if you start receiving spam. If you read below, avoiding spam is my ultimate goal with all of this. Your use-case may be different.
I have written a small add-on for Firefox, which will automatically generate a random
forename.surname@domain.com
for me, and create that alias in AnonAddy with the current URL as a note. But yesterday I was checking in to a hotel, and the reception asked for an email, so I just typedhotel-name@domain.com
, which will clearly indicate to me that it was created for that hotel only. The downside to this is that it’s easier to spot that it is indeed an alias address, but I’m also well aware of how spammers just buy active email-addresses in bulk, without caring about where the leaks come from, so I’m not too scared that it will stick out too much. You shouldn’t do stuff likefacebook@domain.com
orgithub@domain.com
though. That’s gonna stick out like a sore thumb.