DuckDuckGo Email Protection: First impressions

When DuckDuckGo announced DuckDuckGo Email Protection on the 20th of July, 2021, I was thrilled about it. As a pi-hole user, the idea of blocking trackers (ads as well) for all emails excites me. The idea is simple: you give away your DuckDuckGo address instead of your actual email address, DuckDuckGo receives it, removes trackers and forwards the email to you.

Note about replying to emails

Replying to the email reveals your primary address to the sender. DuckDuckGo is not an alias service like SimpleLogin or Anonaddy.

They promise to delete the email once they forward it, but we can never confirm as the service does not seem to be open source. Given DuckDuckGo’s track record though, I trust them with my emails.

An image illustrating how the DuckDuckGo Email Protection service works. It shows two mailboxes, one being the DuckDuckGo alias, and the other being the actual inbox where the email is forwarded to, with trackers removed
DuckDuckGo Email Protection

At WWDC 2021, Apple announced a client-wide email blocking functionality, but that’s limited to the default Apple Mail client. I wanted something that works irrespective of what email client I use. pi-hole works in a way, because it blocks all DNS requests for these trackers, but I haven’t done a detailed analysis of what kind of email trackers it actually blocks. Perhaps there a blocklist specifically tailored to email trackers.

HEY.com is another alternative and perhaps the trend-setter. I gave up after an year, because I wanted to use my email account on any IMAP client, vs being limited to proprietary web clients. The HEY.com web client is nicely done; just wasn’t what I wanted. The address remains mine forever though. I have configured [email protected] to forward to my DuckDuckGo address, which in turn sends to my primary email address, with all trackers removed.

Signup and setup

I signed up for DuckDuckGo’s on the day of announcement. Because they were rolling out invites in batches, I didn’t get my invitation until today.

The service is straightforward. Once you receive the invitation, you choose your username and set an email address to forward to. The destination must be one that you reply from, not another email forwarding service.

You can distribute this personal address, or generate unique aliases per site, newsletter or app.

When you receive your emails, DuckDuckGo will prepend the number of trackers removed, with a privacy report link attached to it, or a notice that there weren’t any trackers.

Image showing an email with DuckDuckGo's notice about the number of email trackers removed, and it has a link to a privacy report
Image showing an email with DuckDuckGo’s notice about the number of email trackers removed, and it has a link to a privacy report
Image showing an email with DuckDuckGo's notice about the email not containing any trackers
Image showing an email with DuckDuckGo’s notice about the email not containing any trackers

The arrow next to the notice points me to a privacy report web page, where details of the domain removed is listed. It also allows me to turn off the throwaway DuckDuckGo alias if needed.

Image showing DuckDuckGo Email Protection service's privacy report page for an email that I received. It shows details of the tracker removed and an option to turn off the throwaway DuckDuckGo alias
Image showing DuckDuckGo Email Protection service’s privacy report page for an email that I received. It shows details of the tracker removed and an option to turn off the throwaway DuckDuckGo alias

There’s a dashboard where one can look at the number of addresses generated (but not the actual addresses or an option to turn them off), address being forwarded to, and some links to submit feedback or download browser add-ons. I was hoping to see an option to change the address being forwarded to, but that doesn’t seem to be available. Guess one has to go through support to do that.

My setup: SimpleLogin + DuckDuckGo Email Protection + HEY.com

I am a very happy SimpleLogin user today. While it doesn’t block trackers, I have found a way to use the two together.

I will continue generating SimpleLogin aliases for all websites, but configure my DuckDuckGo address as the receiver, which in turn forwards to my primary address.

Because DuckDuckGo sets the original sender in the Reply-To header, my response to the email reaches the original sender, not DuckDuckGo.

To: [email protected]
Subject: Test email sent to [email protected]
Date: Mon, 09 Aug 2021 17:13:30 +0000
Duck-Original-Sender: DuckDuckGo <[email protected]>
From: "DuckDuckGo (via duck.com)" <[email protected]>
Reply-To: [email protected]

This part is tricky because the address in the Reply-To header in my setup is a SimpleLogin reverse-alias, rather than the actual sender.

Since reverse-alias can accept emails only for the mailbox that it is delivered to (in this case, the DuckDuckGo address), I had to add my regular email address to be an authorized sender too.

Image showing a setting on the SimpleLogin website's mailbox settings page, to add an authorized sender address
Image showing a setting on the SimpleLogin website’s mailbox settings page, to add an authorized sender address

With this in place, my incoming email setup looks like this:

Incoming

Sender to SimpleLogin alias to Duck address to regular inbox.

And here’s how my outgoing email setup looks like:

Outgoing

Regular inbox to SimpleLogin “reverse alias” to sender (sender sees the SimpleLogin alias, not my regular address or the “reverse alias”)

I also configured my HEY.com address to forward to my Duck address, rather than my regular inbox.

Leave a reply