When a site rejects email "sub-addressing" – USA TODAY
Q. I tried to sign up at a site using the plus-sign trick to create a custom e-mail address, but the sign-in page rejected me. What’s going on there?
A. The reader who raised this issue was trying to use a tip I shared here last July — creating a bonus e-mail address by adding a plus sign and the characters of your choice to the username part of your e-mail address.
Google’s Gmail and such competitors as Microsoft’s Outlook.com allow this “sub-addressing” option. It’s a handy way to generate a new e-mail address–to register a second account at a site, to ease filtering messages from that company, or to track which firms sold your address to third parties–without changing any settings in your mail account or having to look anywhere for new messages but your usual inbox.
This practice may also reduce the amount of spam you get, although at least some spammers know to strip out the plus sign and everything after it. And it’s not against the rules of the Internet, such as they exist: There’s an entire specification documenting the finer points of sub-addressing.
But sub-addressing won’t work if a site rejects a “plus-ed” e-mail address as invalid.
(Yes, Experian is the company that recently lost the records of 15 million T-Mobile customers to a hacker. The irony of that firm hindering customers from cloaking their e-mail addresses is duly noted.)
“TransUnion does not accept special characters in e-mail addresses,” a spokesman said. “Our system requires an e-mail format that is compatible with all e-mail services.”
But the core Internet specification for e-mail doesn’t ban plus signs in usernames or other special characters. This problem is only about TransUnion’s mail system; if it can’t handle usernames that aren’t just letters and numbers, the company might want to shop around for something more tolerant.
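The gap between a letters-and-numbers-only check and what the mail specification permits, as an added example (not code from any site named here). The function names and sample addresses are constructed, and the looser check covers only the unquoted "dot-atom" form of RFC 5322 with a deliberately simple domain test.

```javascript
// Added example: two sign-up validators for an e-mail address.
// Function names and sample addresses are constructed for illustration.

// Over-strict: letters and digits only, so "+", "." and "-" are all rejected.
const STRICT_LOCAL = /^[A-Za-z0-9]+$/;

// RFC 5322 "dot-atom": runs of atext characters separated by single dots.
// atext includes "+", so plus-ed addresses are valid.
const ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+";
const DOT_ATOM_LOCAL = new RegExp(`^${ATEXT}(?:\\.${ATEXT})*$`);

// Simplified domain check (assumption): two or more letter/digit/hyphen labels.
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?";
const DOMAIN = new RegExp(`^${LABEL}(?:\\.${LABEL})+$`);

// Split at the last "@"; null if either side would be empty.
function splitAddress(address) {
  const at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) return null;
  return { local: address.slice(0, at), domain: address.slice(at + 1) };
}

function isValidStrict(address) {
  const parts = splitAddress(address);
  return !!parts && STRICT_LOCAL.test(parts.local) && DOMAIN.test(parts.domain);
}

function isValidDotAtom(address) {
  const parts = splitAddress(address);
  // RFC 5321 limits the local part to 64 octets (ASCII here, so length works).
  return !!parts && parts.local.length <= 64 &&
    DOT_ATOM_LOCAL.test(parts.local) && DOMAIN.test(parts.domain);
}

// Constructed sample input: plain, plus-ed, dotted plus-ed, and malformed.
const samples = ["reader@example.com", "reader+shopping@example.com",
  "first.last+bank@example.com", "reader..x@example.com", "+@", "no-at-sign"];

for (const s of samples) {
  console.log(s.padEnd(30), "strict:", isValidStrict(s),
    "dot-atom:", isValidDotAtom(s));
}
```

The strict check turns away both plus-ed samples even though they are well-formed, while the dot-atom check accepts them and still rejects the malformed ones.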
Experian had a more helpful response.
“We are aware of the issue and addressing it,” ProtectMyID PR manager Sandra Bernardo e-mailed Thursday. “These types of email addresses should be accepted by early next week.”
It’s unclear how many other sites have this hangup, although it’s not hard to find discussions in which people complain about it without naming the offending Web properties.
Facebook used to be among them but changed its practice “several years ago,” spokeswoman Melanie Ensign said Thursday. Plus-ed addresses are now fine to use when setting up an account there.
If, however, you try to use one e-mail address to open a second account (for your business, for your cat, for whatever), Facebook won’t be fooled. Instead, it will pop up a notice saying “Sorry, it looks like [your e-mail] belongs to an existing account.”
Tip: Two-step verification no longer requires cooking up batches of per-app passwords
One of the traditional hassles of setting up two-step verification — an effective but under-used security measure in which you verify any unusual log-ins with a one-time code sent to your phone — has been having to generate extra passwords for desktop apps like e-mail clients.
These long, randomized app passwords work well enough, but they also add multiple clicks to the process of setting up an account. And if they ever get compromised, two-step verification won’t stop an impostor from logging in as you. (Google presents app passwords as if they’re only good for one use, but I’ve been able to save them in multiple apps.)
Google now strongly encourages app developers to build in direct support for two-step verification, using a standard called OAuth2 that lets an application ask for a one-time code and then send it back to the service involved.
Apple’s Mail programs for iOS and OS X began supporting this option in the spring, and Microsoft’s Mail app for Windows 10 also lets you type in the verification code generated by Google’s Authenticator app or a third-party equivalent.
If your mail app allows this option — it should say so in its help file or release notes — I suggest you exercise it. It’s less work upfront and it’s more secure afterwards.