Email hacked...what to do?

Setting up aliases takes time. You’re right that it’s easy to figure out my real email address, but what they can’t figure out is the plus-address kluge I used on my other accounts.

Sure my Adobe email account was david+dishs@weintraub.name, but what plus-addressing email address did I use for my bank account or my Apple ID?

Thanks for that. I was bewildered when I received email addressed to firstlast when I use first.last as the gmail account name.

I try to remember to use plus addressing, but I often forget. Also, some entities will not accept it—and I’ve found at least one that will accept it but then not use it. I kept asking where my confirmation email was, and I kept getting told that it would be resent, but I never received it. (I did receive a manual confirmation from a rep to the plus address, which made me think that the automated system simply discarded the message.)

How do you remember to use the correct return address when you send email to a service where you signed up using a plus address? With gmail, it appears that I would need to create an SMTP server entry for each plus address. Do you think using a Reply-to address on individual messages would work?

I did a test, sending myself a plus address email to my icloud address, and it went through. My concern is that Apple might decide to stop honoring such. Thoughts?

1 Like

This was about using a password manager like 1Password. Most Internet accounts use your email address as your account name. Having unique passwords for everything is only 1/2 the problem. All of your Internet accounts still use your email address. Using plus addressing allows me to use unique email accounts for all of my Internet accounts too.

However, I’d say this is a lower priority than using two-factor authentication with an app. I use 1Password which does this just like Google Authenticator. However, 1Password automatically fills in that 2FA for me.

Thanks for the tip. Never knew that worked on iCloud mail.

I don’t use a password manager — I store passwords coded indirectly into another language in a text file — the three keys I need for all variants are in my head.

Mind you, I’m not recommending this — but it works for me.

One thing I do recommend though is something like ProtonMail’s encrypted email.

I’m slowly moving across from Gmail used in Apple Mail to ProtonMail — €5 per month but worth it for the added security.

Proton, run by people from CERN, can be ‘bridged’ into Apple Mail or Outlook; though it does need its own app under iOS or iPadOS.

So far, it’s excellent. Can’t speak too highly of ProtonMail, though of course everyone’s needs are different, YMMV…

Sub-addressing is an IETF standard (RFC 5233 (2008), which superseded RFC 3598 (2003)). At this point in time, over 17 years later, I would expect most mail servers to support the feature.
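As an added illustration of the sub-addressing discussed in this thread (not code from any poster): a small parser that splits an address into its RFC 5233 user and detail parts, folds it to the mailbox that really receives the mail (including Gmail's dot-insensitivity mentioned earlier), and shows what a leaked plus address does and does not reveal. The breach-dump lines and the list of dot-insensitive providers are constructed for the example.

```python
"""Sub-addressing (RFC 5233): split an address into base mailbox and per-service
tag, so an address found in a breach dump tells you which signup leaked."""
from dataclasses import dataclass
from typing import Optional

# Providers that ignore dots in the local part (Gmail does); constructed list.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

@dataclass(frozen=True)
class SubAddress:
    user: str              # RFC 5233 ":user", e.g. "david"
    detail: Optional[str]  # RFC 5233 ":detail", e.g. "dishs"; None when untagged
    domain: str

def parse(address: str, separator: str = "+") -> SubAddress:
    """Split local@domain, then local at the FIRST separator ('a+b+c' -> 'b+c')."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    user, has_sep, detail = local.partition(separator)
    return SubAddress(user, detail if has_sep else None, domain.lower())

def canonical(address: str) -> str:
    """The mailbox that really receives the mail: tag removed, case folded, dots
    dropped for dot-insensitive providers. This is all a leaked plus address
    reveals; the tags used at other services stay unknown."""
    sa = parse(address)
    user = sa.user.lower()
    if sa.domain in DOT_INSENSITIVE:
        user = user.replace(".", "")
    return f"{user}@{sa.domain}"

def leaked_tags(addresses, mine: str) -> list[str]:
    """Tags in a dump that belong to my mailbox; each names a leaky signup."""
    base = canonical(mine)
    tags = []
    for a in addresses:
        try:
            sa = parse(a)
        except ValueError:
            continue  # junk lines in dumps are normal
        if canonical(a) == base and sa.detail:
            tags.append(sa.detail)
    return tags

# Constructed sample dump (not real breach data).
SAMPLE_DUMP = ["david+dishs@weintraub.name",    # the Adobe tag from the thread
               "David+travel@Weintraub.name",   # same mailbox, another service
               "someone.else+dishs@example.org", "not-an-address"]
```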

If you answered my question, I didn’t understand, sorry. My question was not about login credentials; it was about sending email to an entity for which you have a plus address on file. For example, you sign up for a service at xyz and create an account name+xyz. Then you need to send email to xyz. Does the email you send to xyz use the plus address? If so, how do you implement that? Does 1Password handle that? Sorry if I wasn’t clear.

I’m delighted to contribute something after getting so many questions answered. But what are the chances of Apple breaking this?

That’s impossible for anyone who does business on the web. You need to set up an account, e.g., you select a user ID and password and you get a message that they will email you a link to confirm your email. If you don’t click the link to confirm, you can’t establish the account. There are lots of examples. My collaborator wants to share something with me, so she emails a link. I click and the collaboration is accomplished.

I need to click on emailed links multiple times each day, and I have never clicked a malicious link.

The bottom line: Learn how to look at an email and determine if the sender is legitimate. Know that a legitimate email will never ask for a password.

1 Like

And know how to examine a link to determine where it goes before you click on it. Most of the time (and nearly all the time for mail from legitimate sources), it is pretty easy.

With most mail clients (including web-mail interfaces), you should be able to hover your mouse pointer over the link and see its destination appear in a tool-tip popup or a status bar. If your mail client doesn’t do this, see if it’s an optional feature you can turn on or switch to another mail client.

Although this self-identification is not perfect, most spam/malware has pretty obvious telltales. Like links where the destination URL goes to a domain belonging to a free-mail service or something other than the alleged source of the mail. (e.g. legitimate mail from Apple always comes from apple.com and will have links to pages hosted by apple.com).

There are, of course, exceptions (e.g. links to files on CDN servers), but when you see these, you can be extra paranoid and do additional research before deciding whether or not you should click.

1 Like
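The hover-and-look check described in the last post, written out as code (an added example, not from any poster): it compares the link's host with the sender's domain and flags the common disguises that make a destination look like it belongs to the alleged source. The From header and links are constructed samples; the two-label "registrable domain" shortcut is a stated simplification.

```python
"""Check whether a link in a message really points at the sender's domain:
the hover-and-look check from the thread, done in code."""
import ipaddress
from urllib.parse import urlsplit

def sender_domain(from_header: str) -> str:
    """'Apple <no_reply@email.apple.com>' -> 'email.apple.com'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()

def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Assumption: no public
    suffix list here, so 'shop.example.co.uk' would wrongly give 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_matches_sender(url: str, from_header: str) -> tuple[bool, str]:
    """Return (ok, reason). ok only when the link host sits under the sender's
    registrable domain and carries no obvious disguise. A False result is a
    reason to look closer (CDN links are a legitimate exception), not proof
    of malice."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://apple.com@evil.example/ : browsers ignore the text before '@'
        return False, f"userinfo before host; the real host is {host!r}"
    try:
        ipaddress.ip_address(host)
        return False, f"bare IP address as host: {host!r}"
    except ValueError:
        pass  # not an IP literal, carry on
    sender = registrable(sender_domain(from_header))
    if registrable(host) != sender:
        return False, f"link host {host!r} is not under {sender!r}"
    return True, f"{host!r} is under {sender!r}"

# Constructed sample (example.* and 192.0.2.0/24 are reserved for documentation).
SAMPLE_FROM = "Apple <no_reply@email.apple.com>"
SAMPLE_LINKS = [
    "https://appleid.apple.com/account",          # ok: under apple.com
    "https://www.apple.com.evil.example/login",   # apple.com is only a prefix
    "https://apple.com@evil.example/",            # userinfo disguise
    "http://192.0.2.1/verify",                    # bare IP
]
```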