addy.io

addy.io (formerly AnonAddy) is the *email-aliasing service for people who refuse to hand out their real inbox* — an open-source, self-hostable forwarder that gives every signup, newsletter, and shady checkout its own disposable address, all funnelling to a mailbox the other party never sees.

Background. The project launched as AnonAddy around 2016 and rebranded to addy.io under the same maintainer (Will Browning), who still develops it in the open. It is a PHP/Laravel application you can run yourself on a cheap VPS, or use via the maintainer's hosted tiers — the same codebase either way. Longevity plus single-maintainer continuity is part of why it earns an A in /email: it has survived the years that killed most "burner email" startups, and the rebrand didn't fracture the open-source lineage.

What you trust. The trust model rests on three pillars. First, it's *open source* — the forwarding logic, the alias handling, the encryption code are all auditable, and you can run the exact same software yourself if you don't want to trust the hosted instance. Second, *self-hostability* is real, not theatre: a $4 VPS and your own domain give you a fully independent deployment with no dependence on the operator. Third, *PGP support* — addy.io can encrypt forwarded mail to your public key before it leaves the server, so even the forwarder can't read the contents of messages in transit to your real inbox. That combination (open code + self-host escape hatch + E2E option) is the strongest trust posture an aliasing service can offer.

Operational specs. You create aliases on demand — either explicit ones or shared/standard format addresses generated on the fly — and mail to any of them forwards to your real address with the sender's identity intact but your inbox hidden. Crucially it supports *replying and sending from aliases*, so the disposable address works as a two-way shield, not just an inbound filter. Custom domains are supported (point your own domain's MX at it). The hosted service runs free and paid tiers; paid annual plans accept crypto, and the free tier carries bandwidth/alias limits that the paid tiers lift. Self-hosters get unlimited everything bounded only by their server.

Philosophy. Email is the master key to your digital life — it's the reset-password endpoint for every other account — and yet it's the identifier people scatter most freely. addy.io's premise is that you should be able to give a *different* address to every counterparty, so a breach or a data-broker sale at one of them can't be correlated back to you or used to spam your real inbox. The open-source-and-self-hostable stance is the philosophical core: a privacy tool you can't inspect or escape is just a different party to trust, and addy.io deliberately refuses to be that.

Grade rationale. A in /email. The grade reflects open-source auditability, genuine self-hosting, PGP encryption of forwarded mail, two-way alias send/reply, custom-domain support, crypto payment on paid plans, and a multi-year maintained track record. It sits at the top of the category alongside SimpleLogin; the choice between them is mostly ecosystem preference and whether you want Proton's bundle or a leaner single-maintainer tool you can self-host on a VPS.

Useful when. Reach for addy.io whenever you're about to type your real email into a form you don't fully trust — a newsletter, a one-time checkout, a forum, a service with a sketchy privacy policy. Give each its own alias; if one starts spamming or shows up in a breach, you deactivate that single alias without touching anything else. Power users put it in front of *every* signup so their real mailbox address is effectively never disclosed. Self-host it if you want zero operator dependence.

Caveats. Forwarding is not anonymity from a determined, lawful adversary: the hosted operator (or your own server) necessarily sees envelope metadata, and unless you enable PGP it can see message contents in transit. The free tier's bandwidth limit can clip large or high-volume mail — heavy users should pay or self-host. Self-hosting email well (SPF/DKIM/DMARC, deliverability, staying off blocklists) is genuinely hard, so the "run it yourself" escape hatch carries real operational cost. And as with any forwarder, replying from an alias still routes through the service, so it's a privacy tool against profiling and spam, not a shield against a subpoena to the operator. None of these dent the A — they're the normal trade-offs of email — but they're worth understanding before you treat an alias as true anonymity.