Disposable email: when a throwaway inbox fits (and when it doesn't)

Your email address is one of the most durable things about you online. You will change phones, jobs, and passwords long before you change the address you have been typing into signup forms for a decade. That permanence is convenient, and it is exactly why handing it to every site that demands it is worth a second thought.

A disposable inbox is a throwaway address that catches incoming mail for a short window and then disappears. It is the right tool for a narrow set of jobs and the wrong tool for several others. Below is where the line actually falls.

Email is an identifier, not just a mailbox

Sites treat your address as a primary key. The same string ties your accounts together across services, which means a data broker or a leaked database can use it to link a profile on one site to a profile on another. It also tends to outlive the account it was created for. When a service is breached, the address is usually in the dump — that is what Have I Been Pwned indexes: billions of leaked records, searchable by the address that connects them. Once your real address is in one breach corpus, it stays there.

There is also the quieter problem of tracking. HTML email routinely contains a spy pixel — a 1x1 invisible image that loads from the sender's server when you open the message. Loading it reports back that you opened the mail, when, your IP-derived location, and your mail client; the tracking URL usually contains a tag unique to your address, often a hash of it. The same pixel-based plumbing has been pushed well past email. The EFF documented Meta exploiting localhost on Android to re-link supposedly anonymous web traffic to logged-in accounts, bypassing VPNs and incognito mode. The address you give out is the hook a lot of this hangs on.

When a throwaway inbox is the right call

Use one when the email address is a toll you have to pay, not something you will ever need again:

• One-off signups for a service you are evaluating and may never return to.
• "Enter your email to download" gates — the whitepaper, the sample dataset, the trial file.
• Catching a single one-time passcode to finish a flow, then walking away.
• Test accounts and throwaway environments where a real address would just be noise.
• Anything you expect to generate marketing mail you do not want correlated to your main address.

This is data minimisation in practice. The GDPR's Article 5(1)(c) says personal data should be "adequate, relevant and limited to what is necessary." That is a rule for the people collecting your data, but the logic runs both ways: if a service does not need a durable address to do the one thing you want, do not give it one.

When it is the wrong call

A disposable inbox is, by design, gone soon. That makes it actively dangerous for anything you might need to recover or rely on:

• Any account you care about keeping. If the address is the recovery path and the inbox has expired, you are locked out — permanently, for some services.
• Anything security-sensitive over time: banking, password managers, your primary identity providers, anything holding money or access.
• Receipts, licenses, or records you may need to produce later.
• Two-factor or login-link delivery for an account you intend to keep using. The codes are useless once the inbox is gone.

Rule of thumb: if losing the inbox tomorrow would cost you anything, do not use a disposable one today.

There are deliverability caveats too. Plenty of sites maintain blocklists of known disposable-email domains and will reject the signup outright. And an ephemeral inbox is best-effort by nature — held briefly, rate-limited, not guaranteed to be reachable when a slow sender finally gets around to delivering. If a message has to arrive, do not bet on a throwaway address.

Disposable vs alias vs plus-addressing

These three get conflated, and they solve different problems.

• Plus-addressing (sub-addressing): [email protected] routes straight to [email protected]. The convention shows up in RFC 5233 (Sieve's subaddress extension uses it as the worked example) and is handy for filtering and spotting who leaked your address — but stripping the +tag back to your real mailbox is trivial, so it offers no real anonymity.
• Aliases: distinct addresses that forward to your real inbox. Durable and recoverable, good for separating senders, but still chained to your main mailbox if the forwarding map leaks.
• Disposable inboxes: a genuinely separate, short-lived mailbox with no link back to you. Maximum separation, zero durability. That tradeoff is the whole point.

Wikipedia's entry on disposable email addresses is a fair overview; it pegs typical temporary-inbox lifespans at roughly 10 to 60 minutes, which is the right mental model for what you are getting.

How ours works

Our disposable inbox gives you an address, catches incoming mail via Cloudflare Email Routing handed to a single small worker, and shows it in the page. There is no separate mail server and nothing written to disk — messages are held in memory and the address auto-expires. If we spot a one-time code in a message, we surface it for one-click copy, which is the common case anyway. You can also drive it from a script:

curl https://exl.ink/api/inbox/new            # → address + secret

A throwaway inbox is the right place to receive a one-time code, but the wrong place to leave one sitting. If you then need to pass that credential to a teammate, send it through our one-time secret — encrypted in your browser, readable exactly once, gone after. Catch the code somewhere disposable, hand it off somewhere that self-destructs, keep nothing.

Further reading

• Disposable email address — Wikipedia
• Web beacon / spy pixels — Wikipedia
• RFC 5233 — Sieve subaddress extension (plus-addressing)
• GDPR Article 5 — data minimisation
• Have I Been Pwned — check breach exposure
• EFF: Meta's localhost tracking that re-links "anonymous" traffic