Gmail aliases deep-dive — plus addressing, dot tricks, and why services don't fall for them anymore
Two of the most-googled email-privacy tricks for Gmail are plus addressing (you+anything@gmail.com) and the dot trick (y.our@gmail.com, yo.ur@gmail.com, etc., all routing to the same inbox). They work — but in 2026, they increasingly don't fool the services you're trying to sign up to.
Plus addressing: how it works
Gmail (and many other providers — Apple, FastMail, ProtonMail with config) supports subaddressing, an RFC-5233 feature. The local part of the email is split on +; everything before the plus is the "real" address; everything after is a tag. Mail to jane+amazon@gmail.com is delivered to jane@gmail.com with a header preserving the original recipient.
Why people use it:
- Track which service leaked their email (filter by tag)
- Per-service subaddresses (give Amazon
jane+amazon, give NetFlixjane+netflix) - Set up auto-archive Gmail filters for each tag (e.g., all newsletters → archive, everything else → inbox)
The dot trick
Gmail ignores dots in the local part. jane@gmail.com and j.a.n.e@gmail.com route to the same inbox. The Google docs explicitly say so. So technically you have ~2^n different addresses for an n-character local part, all delivering to one inbox.
Why people use it: same as plus addressing, but the address doesn't contain a giveaway plus sign.
Why services started catching on
Anti-fraud platforms now normalise email addresses before storing them. The normalisation:
- Lowercase the whole address
- For Gmail/Googlemail addresses: strip dots, strip the plus suffix, normalise the domain to
gmail.com - For Apple iCloud: strip dots, strip plus suffix
- For Outlook / Hotmail: just strip plus suffix (dots matter on Outlook)
After normalisation, j.a.n.e+netflix@gmail.com and jane+amazon@gmail.com both become jane@gmail.com — the same canonical identity. Duplicate-account checks now catch you on the second signup.
Where it still works
- Newsletter signups. Newsletter senders rarely do canonical-address normalisation. Plus addressing for tracking still works fine here.
- Personal organisation. Use them for filters and tagging within your own Gmail; they're still useful internally.
- Smaller / older services. Plenty of services haven't implemented normalisation. Try and see.
- Forms with weak validators. Some forms reject
+entirely (which is technically against RFC 5233). Workaround: dot trick.
Where it fails
- Anywhere with serious anti-abuse: Stripe, PayPal, Coinbase, most banks
- Free-tier signups on services that limit one-per-user
- Anywhere using NeverBounce / Kickbox / ZeroBounce — they all do canonicalisation
What to use instead
For the use cases plus addressing was supposed to solve:
| Use case | Better tool |
|---|---|
| Multiple-signup-bypass | Disposable email (PocketInbox) or aliasing services (SimpleLogin, Apple Hide My Email) |
| Long-term aliasing | SimpleLogin, Addy.io, Apple Hide My Email — proper alias services that route to your real inbox via independent alias domains |
| Email-tracking who-leaked-what | Per-vendor aliases on a service-specific domain, or subaddresses on a domain that doesn't normalise |
| Quick burner for one-time signup | Disposable email, throwaway in 10 minutes |
The honest summary
Plus addressing and the dot trick are still useful as organisation tools inside your own Gmail. They're much less useful in 2026 as fraud-prevention bypass tools because the anti-fraud industry caught up. For real email privacy, use a proper alias service or temp mail.
Related: Disposable vs alias email · Temp mail vs VPN vs aliases.
Continue reading
- The best temp mail services in 2026 — a developer-friendly comparison
- Temp email for developers — automating signup flows, OTPs, and email-based testing
- Temp mail vs VPN vs email aliases — what each one actually does for your privacy
- How to receive email without a phone number — every legal way that actually works