Skip to content
Tech News
← Back to articles

My burner email blocklist blocked me

read original more articles

My burner email blocklist blocked me

A few days ago I tried to sign up for a public open-data service (the ECMWF, if you care) using a Proton Mail alias, and the form rejected my address as “potential spam”. My frustration was mixed with a bit of guilt: in 2018 I published Burnex, an Elixir package that compared emails against a large list of known burner domains, temporary inboxes like yopmail.fr that exist to receive a confirmation link and disappear. The library itself was relying on the fairly popular wesbos/burner-email-providers list.

At the time, I was working on a collaborative fact-checking platform where account authenticity mattered, and we needed some confidence that users were not fake or batch-generated. A domain blocklist felt like a cheap heuristic for a broader trust problem.

I may be late to the party, but let me put it clearly: I no longer recommend systematically blocking burner domains at signup.

TLDR;

If you are deciding signup policy today, do not automatically reject users for using privacy email services. Distinguish between public shared inboxes and personal aliases, and only block the former. The person behind an alias is more likely protecting themselves than trying to scam you, and the spammers have already moved on. If you maintain or consume a blocklist, consider splitting the categories and encourage good practices in your documentation.

Burners and aliases are not the same thing

A distinction that we often forget when it comes to email blocklists: a classic burner email is a public, short-lived inbox anyone can access, useful for clicking a verification link once and walking away. An email alias is the opposite: a permanent forwarding address tied to your account, that you control, can disable, and can trace back to a specific signup when your password appears in a breach.

Nowadays, tools like Firefox Relay and Apple Hide My Email are mainstream products, not edge-case hacker tools. Mozilla markets Relay as a way to keep your identity private when signing up for new accounts, and Apple sells Hide My Email as a way to share an address without sharing your real one (though they may be overselling that promise).

Blocklists that treat alias providers like throwaway inboxes end up blocking people who are trying to protect themselves. That matters beyond signup friction: aliases limit cross-site tracking, reduce spam after breaches, and let you know exactly which service leaked your address when junk mail starts arriving at a forwarding address you gave only to them. We should want more people using aliases, not fewer.

... continue reading