A month ago I switched to “Google Apps For Work” from a bloated and old MediaTemple instance, and I’ve not looked back since. I now have a single email account in Google Apps costing £33 a year. With this I can handle all of my emails to the padolsey.net domain.

My only gripe: Google imposes an email alias limit of 30. I’m a person who tends to use a new alias for every new subscription, store, account or occasion, so 30 aliases simply doesn’t cut it. More than 30 seems silly to many people; they opt to just use their primary alias and a + separated suffix, like '[email protected]'. This works fine, and depending on the client you can also use other separators, but there are three major hindrances as far as I see it:

  1. Many apps don’t allow emails containing + before @, usually because they've blindly adopted the first (incorrect) email validation regex they came across.
  2. Many people don’t understand emails that go too much adrift from [a-zA-Z0-9_-] in the alias portion. I’ve often had people literally writing down my email as jamesplusfoo@... instead of james+foo@..., which is understandable, but means I have to always say “james, << the actual PLUS character >>, foo, at, …”.
  3. Apps that understand the + suffix trick will also understand that it can, with many email clients, be eliminated or replaced. This means nasty spammers could automate the generation of additional + aliases to avoid you blacklisting any single address.

Number 3 isn’t much of a concern, really, but I reckon of all address aliasing tricks, the + suffix technique is one of the most transparent and therefore one of the most open to abuse by spammers.

Gmail in Google Apps does provide a “catch-all” option, so {anything}@yourdomain.com would get received. The problem with this is that it leaves you totally exposed to random-alias-spewing spammers. They can scatter-gun your email very successfully. I’ve experienced this at least once before, when I wasn’t on Google, but even without precedent I’d be worried enough. Google makes it quite clear that they’ll readily close accounts that go over their receiving limits.

For aliases, it’s probably better to have a well constructed whitelist than a blacklist that requires constant maintenance. In this spirit, I was pleasantly surprised to find that Gmail does provide a way to modify “default routes” if you’re the domain admin. So, really, the 30 alias limit never applied to me, I just didn’t know it. The routing configuration also supports regular expressions, which is fantastic!

(Go to Apps > Google Apps > Settings for Gmail > Advanced settings > Default routing)

screenshot of advanced settings in Google Apps \/ Gmail

This means, in addition to my regular aliases (up to 30 of them), I can configure it such that specifically formatted recipient addresses flow into my inbox quite naturally, while addresses that don’t fall within my stringent format will get rejected.

What format? It doesn’t matter. As long as its obscure enough to avoid automated scatter-gunning, I’m happy. If it’s also obscure enough to avoid real-human malice then I’d be over the moon.

Unfortunately, Google only allows a limited subset of the regular expressions we’re used to (they use a regex implementation called RE2). No backtracking or backreferencing of any kind is allowed. This makes it near-impossible to construct overly clever formats… And this is a shame, because my dream in life is an email alias format so mathematically confusing that even sober-me cannot solve it unless I'm sufficiently invested in the provision of an email address. This would, for example, prevent me from politely giving out my address, willy nilly, to store clerks, websites, and random people on the street.

Alas, given this limited subset of regex I’ve had to construct a much more lenient format. This is the kind of thing I'm talking about:

  • -.+\d\d@: Must include at least one dash and end in two digits.
    E.g. [email protected].
  • ^[a-zA-Z].*\d@: Must start in a letter and end in a digit.
    E.g. [email protected].
  • ^(store|account|legal|banking)-.+@: Must start in one of the listed prefixes.
    E.g. [email protected].

After deciding on the format you can choose to 'modify message' and simply set the envelope-recipient to your primary email address.

If you wanted to be super paranoid you could set-up additional MX records for a wildcard subdomain, and then just have a fixed alias of your name with infinite subdomains:

You could also construct yourself a little bookmarklet or addon that spits out hashes or numbers of a specific type that can be checked in your regular expression. And for when you get the rare joy of sharing an email address in real life you could take inspiration from 2FA and have a card of a dozen ready-to-go addresses. I think this may be a step too far though…

Thanks for reading! Please share your thoughts with me on Twitter. Have a great day!