The Plus-Address Trick (And Why It No Longer Works)

Plus addressing was one of the cleverest tricks in early email privacy. The convention, supported by Gmail and most modern providers, is that “you+anything@yourdomain.com” routes to “you@yourdomain.com.” Users could give different services unique tagged versions of their address and track which service leaked or sold it.

In 2010, this was a useful technique. In 2026, it is mostly broken against the senders it was supposed to deter, and partially useful against the senders that always behaved well anyway. This post is the honest read.

How Plus Addressing Was Supposed to Work

The original use case:

• You sign up for Service X with the address you+servicex@gmail.com.
• The mail arrives in your normal inbox at you@gmail.com.
• You can filter on the +servicex tag to organize mail from this specific service.
• If the address ever shows up in mail from a different sender, you know Service X leaked or sold it.
• You can disable that alias by setting up a filter that auto-trashes mail to that tag, effectively neutralizing the leak.

The mechanism was clean. The privacy benefit was real. The barrier to entry was zero (just type the tag in the address). For privacy-aware users in the early days of bulk-email harvesting, plus addressing was a meaningful tool.

What Changed

Spammers learned about plus addressing. The response was straightforward: when harvesting addresses for spam lists, strip the plus tag before storing the address. The base address (you@gmail.com) is what the spammer keeps. The tagged version is normalized away.

This evolved into common practice across the spam-tool ecosystem. Modern email-sending platforms used by spam operators have address-normalization steps that handle plus addressing as one of several normalization rules.

The result: when a spammer sends mail to your address, they send to you@gmail.com, not to the tagged version you originally gave to a leaky service. The leak is real, but the tag is gone. You receive the spam, but you cannot determine which service leaked the address by looking at the To: field.

The trick still works against legitimate senders that respect the tag. Those are not the senders you want to track. Legitimate senders usually do not leak addresses to spammers in the first place; the senders you wanted plus addressing to catch are the ones that learned to defeat it.

What Plus Addressing Still Does

Plus addressing has not become useless. It has just become useful for a smaller set of cases:

Organizing mail from legitimate senders. A filter on “to:you+servicex@gmail.com” still routes mail from Service X to a specific folder if Service X uses the tagged address you gave them. Useful for inbox organization.

Detecting legitimate-sender leaks. A legitimate service that shares or sells your address to another legitimate marketer typically does not strip the tag. If you suddenly get mail at you+servicex@gmail.com from a different sender, you know Service X shared it.

Quick disposable signups. For one-off services where you might want to disable the address later, a plus-tagged version lets you set up a filter that auto-trashes mail to that tag if you decide to break the relationship. Better than no separation but weaker than a true alias.

Some forms of fraud detection. If you give a tagged address to a service and later receive a phishing email at the tagged address, the phishing was likely targeted using that service’s leaked data. This is forensically useful even if not preventive.

What Replaced It

Dedicated alias services emerged to fill the gap left by plus addressing’s reduced utility:

SimpleLogin (now part of Proton). Generates random aliases like apf9j2k4@simplelogin.io, forwards to your real address. Aliases can be disabled instantly. Cannot be normalized back to the underlying base address by an attacker.

AnonAddy / addy.io. Open-source alternative. Similar functionality.

Apple Hide My Email. Generates random @icloud.com aliases for users on Apple’s ecosystem. Tightly integrated with iOS and Safari.

DuckDuckGo Email Protection. Generates @duck.com aliases that strip tracking pixels and forward to your real address.

Firefox Relay. Mozilla’s offering, similar to the others.

Custom-domain catch-all addressing. If you own a domain, you can configure unlimited aliases without depending on a third party. Most modern email hosts support catch-all addressing or wildcard aliases on custom domains.

The common property: these services provide genuinely unique addresses that cannot be normalized to a base. Spammers who harvest the alias get the alias, not the underlying address. Disabling the alias contains the leak completely.

We covered alias strategies in detail at email address hygiene: should you use aliases.

Why the Address-Layer Game Has Limits

Even with modern alias services, the address-layer approach has structural limits.

Aliases compartmentalize but do not filter. A spammer who has your alias still reaches your inbox. The alias contains the leak (you can disable it) but does not stop the mail before it arrives.

Maintenance overhead. Maintaining hundreds of aliases for hundreds of services has operational cost. Most users do not actually maintain the discipline.

Recovery friction. When an alias gets compromised, you have to update the service that uses it (sometimes that is your bank, your government, your employer’s HR system). Switching is friction.

The address-layer approach is the right tool for compartmentalization and post-incident attribution. It is the wrong tool for the volume problem.

What Solves the Volume Problem

The volume of unsolicited mail reaching the inbox is the structural problem that plus addressing was originally trying to solve at the address layer. The address layer cannot solve it.

The structural answer is to invert the question. Instead of trying to obfuscate or compartmentalize the address, change the cost of reaching the inbox at all.

Rythm does this by asking unknown senders for a small cover charge (default about four cents). Senders on your auto-built guest list (people you have corresponded with) walk in for free. Unknown senders pay or wait in a separate folder for your review. The cover charge collapses the economics of mass outreach regardless of which address the sender is using.

The mechanism does not depend on the recipient managing aliases or hiding the address. The recipient’s address is freely visible. The filter operates on what the sender is willing to do (pay the cover charge) rather than on what the recipient is willing to obfuscate.

We covered the broader frame in what is an email paywall and why am I getting so much spam.

A Practical Workflow

For users who want a reasonable approach in 2026:

Step one: do not rely on plus addressing for spam tracking. It does not catch the senders you wanted to catch. Move on.

Step two: use plus addressing for inbox organization where it is convenient. Filtering on tags for legitimate-sender mail is still useful.

Step three: use a dedicated alias service for new signups. SimpleLogin, Apple Hide My Email, DuckDuckGo Email Protection, or custom-domain catch-all. The compartmentalization is real value.

Step four: rely on structural filters for volume. A cover charge gate handles the volume of unsolicited mail in a way that no address-layer technique can. The two layers compose well.

A Specific Honest Note

Plus addressing was a good idea that defeated itself. The clever became common, the common became known, the known became defeated. The trick that 2010 power users relied on is mostly broken in 2026.

The senders who respect plus addressing tags are the senders you did not need to track. The senders you wanted to track strip the tags. The asymmetry makes the trick less useful than it was.

What replaced plus addressing in the modern stack is dedicated alias services for compartmentalization and structural inbox-layer filters for volume. Rythm fills the second role. We are not in the address-layer business; we are in the filter-cost-structure business.

For the related guides, see email address hygiene: should you use aliases, why am I getting so much spam, and the newsletter bloat problem. For the broader frame, see what is an email paywall. Rythm is $1.65 per month, cancel anytime.