• DuckDuckGo Email Protection: First impressions

    When DuckDuckGo announced DuckDuckGo Email Protection on the 20th of July, 2021, I was thrilled about it. As a pi-hole user, the idea of blocking trackers (ads as well) for all emails excites me. The idea is simple: you give away your DuckDuckGo address instead of your actual email address, DuckDuckGo receives it, removes trackers and forwards the email to you.

    Note about replying to emails

    Replying to the email reveals your primary address to the sender. DuckDuckGo is not an alias service like SimpleLogin or Anonaddy.

    They promise to delete the email once they forward it, but we can never confirm as the service does not seem to be open source. Given DuckDuckGo’s track record though, I trust them with my emails.

    An image illustrating how the DuckDuckGo Email Protection service works. It shows two mailboxes, one being the DuckDuckGo alias, and the other being the actual inbox where the email is forwarded to, with trackers removed
    DuckDuckGo Email Protection

    At WWDC 2021, Apple announced a client-wide email blocking functionality, but that’s limited to the default Apple Mail client. I wanted something that works irrespective of what email client I use. pi-hole works in a way, because it blocks all DNS requests for these trackers, but I haven’t done a detailed analysis of what kind of email trackers it actually blocks. Perhaps there a blocklist specifically tailored to email trackers.

    HEY.com is another alternative and perhaps the trend-setter. I gave up after an year, because I wanted to use my email account on any IMAP client, vs being limited to proprietary web clients. The HEY.com web client is nicely done; just wasn’t what I wanted. The address remains mine forever though. I have configured [email protected] to forward to my DuckDuckGo address, which in turn sends to my primary email address, with all trackers removed.

    Signup and setup

    I signed up for DuckDuckGo’s on the day of announcement. Because they were rolling out invites in batches, I didn’t get my invitation until today.

    The service is straightforward. Once you receive the invitation, you choose your username and set an email address to forward to. The destination must be one that you reply from, not another email forwarding service.

    You can distribute this personal address, or generate unique aliases per site, newsletter or app.

    When you receive your emails, DuckDuckGo will prepend the number of trackers removed, with a privacy report link attached to it, or a notice that there weren’t any trackers.

    Image showing an email with DuckDuckGo's notice about the number of email trackers removed, and it has a link to a privacy report
    Image showing an email with DuckDuckGo’s notice about the number of email trackers removed, and it has a link to a privacy report
    Image showing an email with DuckDuckGo's notice about the email not containing any trackers
    Image showing an email with DuckDuckGo’s notice about the email not containing any trackers

    The arrow next to the notice points me to a privacy report web page, where details of the domain removed is listed. It also allows me to turn off the throwaway DuckDuckGo alias if needed.

    Image showing DuckDuckGo Email Protection service's privacy report page for an email that I received. It shows details of the tracker removed and an option to turn off the throwaway DuckDuckGo alias
    Image showing DuckDuckGo Email Protection service’s privacy report page for an email that I received. It shows details of the tracker removed and an option to turn off the throwaway DuckDuckGo alias

    There’s a dashboard where one can look at the number of addresses generated (but not the actual addresses or an option to turn them off), address being forwarded to, and some links to submit feedback or download browser add-ons. I was hoping to see an option to change the address being forwarded to, but that doesn’t seem to be available. Guess one has to go through support to do that.

    My setup: SimpleLogin + DuckDuckGo Email Protection + HEY.com

    I am a very happy SimpleLogin user today. While it doesn’t block trackers, I have found a way to use the two together.

    I will continue generating SimpleLogin aliases for all websites, but configure my DuckDuckGo address as the receiver, which in turn forwards to my primary address.

    Because DuckDuckGo sets the original sender in the Reply-To header, my response to the email reaches the original sender, not DuckDuckGo.

    To: [email protected]
    Subject: Test email sent to [email protected]
    Date: Mon, 09 Aug 2021 17:13:30 +0000
    Duck-Original-Sender: DuckDuckGo <[email protected]>
    From: "DuckDuckGo (via duck.com)" <[email protected]>
    Reply-To: [email protected]

    This part is tricky because the address in the Reply-To header in my setup is a SimpleLogin reverse-alias, rather than the actual sender.

    Since reverse-alias can accept emails only for the mailbox that it is delivered to (in this case, the DuckDuckGo address), I had to add my regular email address to be an authorized sender too.

    Image showing a setting on the SimpleLogin website's mailbox settings page, to add an authorized sender address
    Image showing a setting on the SimpleLogin website’s mailbox settings page, to add an authorized sender address

    With this in place, my incoming email setup looks like this:


    Sender to SimpleLogin alias to Duck address to regular inbox.

    And here’s how my outgoing email setup looks like:


    Regular inbox to SimpleLogin “reverse alias” to sender (sender sees the SimpleLogin alias, not my regular address or the “reverse alias”)

    I also configured my HEY.com address to forward to my Duck address, rather than my regular inbox.

  • Hydroxide as a headless bridge for ProtonMail on Tailscale

    I had fun setting up Hydroxide on the Tailscale network so that I can access my ProtonMail inbox from any IMAP client. If you are not familiar with ProtonMail, it’s an encrypted email provider. Given the nature of this product, they do not offer IMAP access as other standard email providers do. Rather, they require a paid account and a connector by the name ProtonMail Bridge for desktop IMAP clients to work.

    That works great for most users, but what about IMAP clients on mobile devices? Access on the mobile devices is limited to the official ProtonMail app. As a ProtonMail customer of over 3 years, I haven’t seen any significant improvements in the mobile front. They did promise an update to the ProtonMail Android app, seemingly with support for threaded conversations, but that was a long time ago.

    My favorite IMAP clients on Android are Nine Mail and K-9 Mail at the moment. I have been using K-9 Mail only since a week, and my experience so far has indicated that the two are not any different. Nine Mail has a free trial, but the latter is free forever and is donation-supported.

    Tailscale to the rescue

    Since I previously set up pi-hole on the Tailscale network, I started exploring the idea of using ProtonMail on the Tailscale network.

    While ProtonMail Bridge is open source, it’s limited to Windows, Mac and Linux at the moment. That’s a GUI version. ProtonMail Bridge is not available in a headless format, but it appears to be planned.

    I wanted the headless version to run on my Raspberry Pi so that it’s accessible from any Tailscale-authenticated node.

    In exploring for third-party Bridges, I found Hydroxide which seems open source and popular among users. It also seems to support any ProtonMail account, while the official ProtonMail Bridge is only for paid users.

    Setting up the bridge

    Setting up Hydroxide is rather simple, but I ran into some challenges along the way.

    For starters, it appears Proton recently modified their authentication API endpoint that prevented generating the Bridge password on Hydroxide. Some users found workarounds, but updating to the old endpoint didn’t quite work for me.

    I found another workaround that involves using a SessionID from a web-authenticated ProtonMail session, and that worked for me.

    Secondly, I had to get Hydroxide listening on the Tailscale network instead of, which would be a local address. There are flags that allow configuring a different network interface, but entering my Raspberry Pi Tailscale node address didn’t quite work. So, I ended up updating the default network interface within the Hydroxide code. The lines below had to be replaced with my Raspberry Pi node address.

    An image that describes replacing the local host and ports with Tailscale node address.
    Replacing the local host and ports with Tailscale node address

    With this done, all that I had to do was enter my Raspberry Pi Tailscale node address as the IMAP and SMTP server on my mobile IMAP clients. The official ProtonMail Bridge documentation recommends adding a SSL exception for desktop clients. I couldn’t quite figure out how to configure a similar exception on the mobile clients. Also because both devices (my mobile device and Raspberry Pi running Hydroxide) are within the same Tailscale network, I chose to authenticate without SSL. That means my Bridge password being visible somewhere along the communication between the device and Raspberry Pi, but that’s alright as it’s a private network.

    Preventing Hydroxide bridge access for others on my Tailnet

    Since my friends and family use my Tailscale network (I share my pi-hole ad blocker with them) as well, I configured access control rules (Tailscale ACLs) on the Tailscale web admin.

    An image from my Tailscale admin that shows access control rules for my Hydroxide ports.
    An image from my Tailscale admin that shows access control rules for my Hydroxide ports

    This setup is safe in my understanding, as Hydroxide runs on a hardware that I control. And, it is available only within my Tailscale network. To authentication on this Tailscale network, one requires my approval. I use a GitHub organization as a multi-user tailnet. Even if someone manages to get in, ACLs must prevent them from accessing the Hydroxide IMAP and SMTP ports.

    I am not a network engineer but enjoy hacking on things by self. Don’t treat this guide as a bulletproof workflow if you value secure, encrypted communication.

    Whoogle on Tailscale

    Access ad-free, tracker-free Google search results.

    libreddit on Tailscale

    Self-host a private, ad and tracker-free reddit frontend UI with libreddit.

    Pi-hole on Tailscale

    Install pi-hole on Tailscale, to get ad-blocker functionality on all devices

  • I joked that I wouldn’t sleep without a win

    Good thing we clutched that last game, after multiple back-to-back loses. I can sleep now.

    A screenshot of the VALORANT gameplay. It shows the shooter clutch a win by killing the opponent.
  • macOS Monterey, iOS 15: My Apple betas experience

    macOS Montrey and iOS 15 are the latest versions of macOS and iOS. They were announced at WWDC 2021. The public beta was released a couple of days ago, and I downloaded it as soon as they were available. I wanted to download them when the developer beta was announced, but I don’t have an Apple developer account. And, admittedly, I was worried about how developer beta may fare. Glad I decided to wait for the public Apple betas.

    I am quite happy with the experience so far. I installed both betas on my personal devices and on my work Mac as well. They seem rock solid, and I don’t see a hit on battery life either, which I hear is often the case on Apple beta rollouts.

    I blogged about my favorite iCloud+ features previously, which I will be focussing on in this article.

    Mail Privacy Protection

    I have enabled it on my Mail app for now, but haven’t found if there are stats/analytics of how many trackers are blocked. As I am a pi-hole user, that must cover DNS-level blocks throughout my home but I am curious on seeing how this new feature complements pi-hole.

    A screenshot from iOS 15 that shows the new Mail Privacy Protection feature. It blocks trackers on your mailboxes.

    Private Relay on both Apple betas

    Private Relay is Apple’s double-hop VPN-like service that prevents networks from monitoring your traffic, and prevents trackers and websites from identifying your IP addresses. It’s available on both Apple betas as of today.

    My original understanding was that this is basically Apple-backed VPN service, but that doesn’t seem to be the case.

    Is it basically a VPN service?

    From a technical reading (I don’t have the link to it at the moment) of this service, it appears this is a double-hop tunneling system. Think of Tor, where there are 3 hops involved — entry node, middle node and exit node.

    In Apple’s Private Relay case though, the first hop gets you an anonymous, shared IP address, while the second hop decrypts the website address. In this fashion, none of the parties in these tunnels are able to fully map the original address of the requester and the website address.

    DNS leaks with Private Relay on these Apple betas?

    Private Relay has assigned me a Cloudflare and Fastly address so far. I hear there are other providers that Apple has partnered with, but my experience so far has been limited to the two of them.

    I have also noticed that my pi-hole on the Tailscale network doesn’t work when Private Relay is active. That’s alright in my opinion, because the very purpose of tunneled connections is to prevent leaks to other networks. Think of using a VPN, which assigns its own DNS resolvers, vs using the one assigned by your DHCP on the router. That’s precisely what’s happening here.

    A screenshot from iOS 15 that shows the Private Relay functionality's settings.

    Private Relay is limited to Safari. That works great for me. When I need to browse websites from my regular, ISP-based IP address, I can use a different browser like Firefox.

    My pi-hole setup continues to work normally on other browsers, and other apps throughout the device.

    A couple of other things that I noticed:

    • Private Relay on iOS 15 allows me to choose servers from the same geolocation, or from other areas of my country. That’s just a feature of iOS 15 though. I don’t see it on macOS Monterey.
    • Private Relay was enabled by default on my WiFi network. That wasn’t the case for a friend though.
    • As expected on a beta software, Private Relay disconnected a few times as I was browsing.

    All in all, I am happy about this functionality, which is one of the many first steps that Apple is taking in privacy.

    Hide My Email

    Hide My Email is basically an email alias service that generates new addresses on demand. These aliases forward incoming email to your primary address, thus avoiding exposure of your actual email address from spam. I am a huge fan of this concept. I use SimpleLogin already for which I am a paying customer.

    It is limited to 100 aliases per account (read so on a beta thread on reddit.) That can be limiting for power users. On SimpleLogin, I have over 1000 aliases, spread across website and apps signups, newsletters, shopping and everything in betwee.

    A screenshot showing the new Hide My Email functionality on Apple's iOS 15.

    If you start using Hide My Email, consider saving them on a password manager like 1Password or Bitwarden. Otherwise, it’s very easy to lose track of your alias usage across sites.

    iCloud Mail with a custom domain

    This is probably my most favorite feature announced at WWDC 2021. It’s not available on the beta just yet. Fingers crossed for its availability in the next release!

    Safari re-design on both Apple betas

    I hate it. Multiple things about this design are distracting:

    • The box-like layout of the tabs resize as I change tabs.
    • The background of the tabs change colors depending on the website’s background color. While it seemed interesting initially, I have noticed that it comes with illegible reading, especially on my non-retina MacBook Air.
    • The position of the search/address bar changes every time I navigate between tabs.

    I am not a fan.

    Other things I noticed

    • I was late to learning that Shortcuts is available as well! As someone that automates a lot of things with Keyboard Maestro, I am curious to see how Shortcuts can work with it, or how it can complement the former’s features.
    • Universal Control is not available on this beta either. It allows one to use the same input devices (mouse and keyboard) across multiple macOS or iOS devices. I can imagine myself using my MacBook Air’s (2015 model) keyboard for MacBook Pro (2019 model). The latter doesn’t have a butterfly keyboard, which is a good thing, but I still prefer my MacBook Air’s keyboard. There is a mechanical typing sensation which makes the typing experience rich.
    • Tailscale works okay on both betas!

    If you want to enroll your devices for Apple betas, the signup program is available here.

  • Mac fn key: Remap to emoji picker

    Great tip from Sindre. Apparently Mac OS settings allow one to map the fn key to the emoji picker. I use the emoji picker many times a day. This remap must be a fantastic time saver. Control + Command + Space is the default shortcut for those curious.

    A stock image showing an illustration of a conversation bubble. In this post, you can learn about a Mac OS setting to replace Mac fn key as an emoji picker.

    I like Slack-style emoji picker though, where I can type : followed by the emoji name. That displays a horizontal list to choose from, vs Mac fn key popup display. It’s considerably faster, but not all apps support that. I know only of Slack, Flock, Telegram and Signal as apps that support it.

  • Snowball fight is back on VALORANT!

    Snowball fight is back on VALORANT! The mode is different from the regular modes, in that the primary gear is replaced with a snowball shooter. It does not offer agents the abilities though, and is based on the same maps as regular ones. My first game of the day was based at Icebox, where I clutched the MVP title with 15 kills.

    An image of the post-game screen of the VALORANT snowball fight game. The screen shows two players, each clutching the MVP title for the respective teams.

    Along with this update, a new agent by the name KAY/O is announced. Apparently they can block the enemy agents’ skills! I cannot wait to unlock them.

  • Day One: My new private blogging app

    I am a Day One user now!

    The team joined Automattic this month. The acquisition is perfect. Automattic is a pioneer in the web publishing and blogging space, while Day One champions the private journaling experience. I am excited to see what the future holds for Day One, and how Automattic integrates its products with it. Publishing from the app to a WordPress site, the other way around and Gutenberg on the app are few examples of great things that can happen.

    An image of the Day One app on a white iPhone
    Day One on iPhone

    Today on the company-wide townhall, the Day One team met the rest of Automattic. We had a quick overview of the Day One apps. They also offered a premium subscription for everyone working at Automattic. That’s very cool!

    I have not been into private journaling most of my life. I have written pieces on and off though. The first time I started private blogging, it was during my college days. I remember maintaining a notebook. That was my first time away from home/neighborhood and writing was a great way to cope with the change. I remember moving to a Dropbox later, where I stored them as text files, encrypted with Cryptomator.

    Day One, on the other hand, is a fully encrypted, cross-platform app. Android is an exception though. It does not support end-to-end encryption. I published a copy of this blog post as an entry as well. The Mac app seems polished with a great deal of features. I will not be using the Android app just yet. Hopefully an end-to-end encrypted version is available in the near future.

    Download the app

    If you are looking forward to trying the app, they do offer a 7 day free trial of the premium subscription. The premium version offers unlimited media storage, sync, and backup, amidst a whole bunch of other features. Get it on Google Play Store or the App Store.

  • First look at Among Us 15 players update

    The popular, cross-platform, LAN and internet-based social deduction game Among Us is dropping a big update today! They are finally supporting lobbies with upto 15 players. This is a big news to me, as my team at work has 11 members. I know teams that are larger as well, and someone always had to sit out, or had to create two different games.

    Along with the update to player count, there are a few other changes that I have noticed on the team stream that Innersloth is hosting at the moment.

    Changes that stand out immediately:

    • New voting screen.
    • Voting animation gets a new look as well (video below)
    • Dead bodies look different. Is it the backpack which the beans carry that gives the rectangle appearance?

    I got a chance to record the new voting animation as well. I think it’s a welcome change as it significantly improves the time taken to show all the votes, especially important in a lobby that’s sized 15.

    Besides these, the team announced support for mobile controllers and a certain new “honk” system on Airship. I am not curious about the mobile controller as I am a desktop player, but I am keen on seeing what the honk system is about. The update drops by 3PM EST, which is 12.30am IST. I am hoping to download the release tomorrow morning the first thing. 🎉

    Among Us is available for Windows, Android and iOS.

  • Opt out WiFi from Google and Microsoft location tracking

    I was reading a Hacker News piece about Amazon opting out of Google’s FLoC and I learned something even more interesting. Google and Microsoft have been using information of WiFi networks, including residential properties, for location tracking purposes. It’s mind blowing that companies are able to make decisions as such. These requests must be opt-in, vs being an opt-out which is the case today.

    A stock image showing a lock on a fence

    Apparently this has been a thing for over a decade, and the earliest article that I could find on this is this blog post from Google where they outline a way to opt-out one’s access points and routers from this location tracking service. It’s fairly straightforward — one has to append _nomap to their router SSID.

    As for Microsoft’s equivalent of opting-out, one may add _optout to any part of the router’s SSID.

    To chain both opt-outs, _optout_nomap must do the trick. I did so on both bands on router – 2.4 Ghz and 5 Ghz.

    This is generally done by accessing the web-based software for your WiFi router and somewhere on the settings menu, you will see an option to change its name.

    Related: Setting up pihole on the Tailscale network to block ads and telemetry on the go.

  • VALORANT: I like this post-kill effect

    An image showing the post-kill animation VALORANT, a 5v5 character-based tactical shooter.
    This makes a great background for a desktop, right?
    An image showing the post-game victory notice on the popular tactical shooter, 5v5 character-based game, VALORANT.
    Clutched to secure the game

    On my latest VALORANT game, we had the lead at 4-3, and it was our final plant. 5 Viper agents vs 5 Yoru agents. My team sped to site A while I took the other direction. Besides one agent B, everyone else were A. Tackled the one at B and ran fast to the other site, via their base. We were 3-1 agents by that time.

    The other 2 die. I backtrack a bit, reach mid ground, walk to site A, clutched with a final headshot. A nice blue background appeared as well, which apparently is a skill from Yoru. I am yet to try Yoru.

    On that note, Replication is back on VALORANT! If you are yet to try, the game is available on Riot’s website.

Hey there! I am a Happiness Engineer at Automattic, working on WordPress.com support. If you enjoy discussing online privacy, encryption, and fediverse like I do, you can reach me by commenting on my posts, or by email.