Email looks like a private channel — you write a message, the recipient reads it, nobody else is involved. In practice, email is one of the leakiest protocols still in regular use, and the address you hand to a website encodes more about you than you probably realise. This guide walks through what your email reveals, who sees it, how the most-cited tracking techniques actually work, and what you can do to give away less.
We're going to keep this grounded. Most "email privacy" guides veer into PGP and threat modelling against state actors. Ninety-nine percent of people are not being targeted by a state actor; they are being processed by an advertising stack. We'll focus on that.
What your address itself says about you
The local part of an email address — the bit before the @ — frequently leaks identity even before any mail is exchanged. A few common patterns:
- Your name. [email protected] tells a recipient your full name without you ever filling in a "name" field on their form. List brokers buy and sell these mappings.
- Your birth year. [email protected] is a generation of internet user — created around 1995–2000, often by someone who couldn't get [email protected]. Marketers segment on this signal.
- Your employer. [email protected] tells everyone you give it to where you work, with no further effort on their part. Anyone scraping the page that address appears on knows.
- Your hobby, your favourite band, your dog's name. [email protected], radioheadfan99@, rufus.is.a.boy@. Each of these is a free attribute, attached to every signup.
None of these are inherently bad. They're trade-offs you might have made deliberately when you picked the address fifteen years ago. The point is that the trade-off has been made, and it's worth knowing before you hand the address to a site that doesn't need to know any of those things to deliver you a discount code.
The Received: chain — your IP, every relay, every timestamp
When you send an email — not when you receive one — your mail server adds a header to the message recording where it came from. This is the Received: header, and there is usually a chain of them, one per relay between you and the recipient. The first one often includes the IP address of the machine that originally submitted the message.
For most people sending from Gmail web or the Apple Mail app, the visible IP is the mail provider's outbound relay, not your home connection. For people sending from a desktop client configured against their ISP's SMTP server, or from an old WordPress install, or from a script using a transactional sender misconfigured to expose the originating IP, the first Received: header can leak your home IP directly. Every recipient sees it. Every spam filter logs it. Anyone with archived inbox access — your employer's IT department, a future data breach — has it.
The takeaway: sending email leaks more than receiving does. A disposable inbox like tenmin.app is receive-only by design, so this particular leak doesn't apply to mail flowing through us — but it absolutely does to any mail you send from your real address afterward.
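To see what your own sent mail exposes, send yourself a message and read its Received: chain oldest-first. The sketch below is an added example, not part of the original guide; the sample message, the host names and the provider_nets argument are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not real traffic); IPs are from documentation ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from smtp.isp.example (smtp.isp.example [192.0.2.25])
\tby mx.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
Received: from desktop-pc (cpe-home.isp.example [203.0.113.44])
\tby smtp.isp.example with ESMTPSA; Tue, 02 Jan 2024 10:00:01 +0000
From: sender@isp.example

body
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_chain(raw):
    """Return relay hops oldest-first (each relay prepends its header)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        trace, sep, stamp = flat.rpartition(";")
        if not sep:                             # header without a timestamp
            trace, stamp = flat, ""
        m, ip = HOP_RE.search(trace), IP_RE.search(trace)
        try:
            addr = str(ipaddress.ip_address(ip.group(1))) if ip else None
        except ValueError:                      # bracketed text that is not an IP
            addr = None
        hops.append({"from": m.group("helo") if m else None, "ip": addr,
                     "by": m.group("by") if m else None, "time": stamp.strip()})
    return hops

def leaked_origin(raw, provider_nets):
    """IP on the oldest hop if it lies outside the provider's relay networks."""
    hops = received_chain(raw)
    if not hops or hops[0]["ip"] is None:
        return None
    addr = ipaddress.ip_address(hops[0]["ip"])
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    return None if any(addr in n for n in nets) else str(addr)

if __name__ == "__main__":
    print(received_chain(SAMPLE)[0], leaked_origin(SAMPLE, ["192.0.2.0/24"]))
```

If leaked_origin returns an address that belongs to your home or office connection, every recipient of that message has it too.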
Tracking pixels: the everyday leak
Marketing email almost universally embeds a tracking pixel — a one-pixel transparent image hosted on the sender's server, with a URL that encodes your identity (or a hash of it). When your mail client renders the message, it requests that image. The sender's server logs the request, along with your IP, your user-agent, and the timestamp. They now know that you opened the email, when, and from where.
Each "open" event is small. Aggregated over months across hundreds of senders, the picture is detailed. You can build a daily activity model — when this person is at work, when they take breaks, when they travel, when they're sick — entirely from open data. Email-marketing platforms ship these dashboards as standard features.
Mitigations, in rough order of effectiveness:
- Read mail in a client that proxies images. Apple Mail's "Mail Privacy Protection" feature (default on, modern iOS) routes image requests through Apple's servers and fetches them in advance, hiding both your IP and the timing of the actual open. Gmail's web client does something similar via Google's image proxy. ProtonMail and Fastmail both offer per-message and global image-blocking. Outlook desktop on Windows is the worst common case — it loads images eagerly from your IP, by default.
- Block remote images entirely. Every modern client has a "load remote images" toggle; default it off, click to load only when you specifically need to. tenmin.app renders received mail with remote images allowed (because stripping them would break too many legitimate emails), so if you want maximum paranoia for a single message, switch to the plain-text view by collapsing and re-expanding it.
- Use a disposable address for any signup whose mail you don't expect to read carefully. If the only mail going to the address is a coupon code you'll glance at once, the sender never gets a useful behavioural profile because there isn't enough interaction to profile.
Link tracking — every URL is a referral
Even with images blocked, the links inside marketing email are typically wrapped through a click-tracking domain (links.somesender.com/abc123 redirects to the real URL). The wrapper logs every click, along with the same IP / user-agent / timestamp data the image pixel would have captured. Some senders also append unique query parameters to the underlying URL, so even if you copy the link out, the destination still knows which recipient clicked it.
The robust defence here is the same as for the rest of the surveillance stack: don't click the link if you can avoid it. If the email is "your verification code is 482910," you don't need to click anything. If it's "click here to read your weekly digest," that's what the sender wants — declining to click is the strongest possible signal that you don't actually want the digest.
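The pixel and link-tracking sections above can both be checked on a saved message before you render it. This is an added example, not code from the original guide: it lists remote images, flags the obvious beacons, and shows each link with known tracking parameters removed. The sample HTML, its domains and the TRACKING_PARAMS list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of common campaign/recipient parameters; extend for your senders.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign",
                   "utm_content", "utm_term", "mc_eid"}

# Constructed sample body of a marketing email.
SAMPLE_HTML = """
<p>Your weekly digest</p>
<img src="https://cdn.sender.example/banner.png" width="600" height="120">
<img src="https://t.sender.example/o/abc123.gif" width="1" height="1" alt="">
<a href="https://links.sender.example/abc123">Read more</a>
<a href="https://shop.example/sale?item=42&amp;utm_source=news&amp;mc_eid=abc123">Sale</a>
"""

def strip_tracking(url):
    """Drop known tracking parameters; a redirect wrapper passes through unchanged."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images, self.beacons, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src" if tag == "img" else "href", "")
        if tag not in ("img", "a") or not url.lower().startswith(("http://", "https://")):
            return
        if tag == "a":
            self.links.append((url, strip_tracking(url)))
            return
        self.remote_images.append(url)   # any remote fetch is logged by the sender
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:               # heuristic: catches obvious beacons only
            self.beacons.append(url)

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    parser.close()
    return parser
```

The wrapped link comes back unchanged because its destination is only revealed by requesting it, which is the click the wrapper exists to log; and a full-size banner image reports an open just as well as a 1x1 one, so the beacon list is a lower bound.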
List trading and the data-broker pipeline
When you hand a marketing-focused site your real address, three things happen:
- It enters their CRM and they email you at whatever frequency their playbook calls for — weekly, daily, eight times a day in pre-Christmas season.
- It gets matched against advertising stacks. Most large advertisers can hash your email and find you on Facebook, Google, TikTok, and ten other ad platforms — even if you've never set foot on the advertiser's site beyond submitting that one form. This is the "audience match" feature; it's how a podcast you listened to once starts following you around the web.
- It may enter the list-broker ecosystem. The legitimate version: the sender belongs to a coregistration network and your address is shared with "partners" whose terms you agreed to in line eleven of the signup. The less-legitimate version: a data breach, a deliberate sale to a third party, or a "growth hack" that exfiltrates the list to a spammer's database.
A disposable address breaks the first link and weakens the other two. The site never adds a long-lived address to its CRM (because the address dies before they queue up the next send), the hash they pass to ad platforms is worthless because no one else has it, and the broker ecosystem can't sell what they don't have.
What disposable email solves and what it doesn't
A disposable inbox is a good answer to one specific question: how do I receive exactly one piece of mail without entering anyone's funnel? It's the right tool when the value of the signup is delivered in the first email and you have no expected interaction beyond that.
It does not address the leaks specific to sending — your home IP in the Received: chain, the metadata your real provider has about you, the way your ISP can see what mail providers you connect to. It does not give you anonymity against law enforcement, against your employer, or against a determined investigator. For those threat models, you need different tools — Tor, an anonymity-focused mail provider like Tutanota or ProtonMail behind Tor, and a different threat model conversation.
For the everyday "I want to get the PDF without joining the funnel" case — which is what most people actually want when they reach for "email privacy" — a disposable inbox solves it cleanly. The home page generates one for you on every visit.
A short hygiene checklist
Things you can change today that meaningfully reduce how much your email leaks:
- Switch your mail client's default for remote images to "off" or "proxy through provider."
- If your mail provider supports plus-addressing, use it for every signup. The tag tells you which sender leaked your address when (not if) it happens.
- For any signup where you don't expect ongoing contact, use a disposable address.
- For any signup where you do expect ongoing contact but want the ability to turn it off, use an aliasing service.
- Audit your existing inbox once a quarter. Unsubscribe ruthlessly from anything you haven't opened in three months. Senders treat lack-of-opens as a signal to email more, not less; the only stable state is "subscribed and reading" or "unsubscribed."
- Run your address through Have I Been Pwned once in a while. If it's in a recent breach, assume the bottom-feeders have it and consider whether the address is worth keeping for your important accounts.
Further reading
- Disposable email vs. email aliasing covers when to reach for which tool in concrete terms.
- How to sign up for newsletters without drowning in marketing follow-ups applies the principles in this guide to the single highest-volume privacy decision most people make.