Top 10 things never to use a disposable inbox for

We are very fond of disposable email. We're also realists: every privacy-helpful tool can be misused. The list below is the top ten ways we see people accidentally hurt themselves with disposable inboxes. Read it as a friendly warning. The pattern in every entry is "you wanted convenience now and traded away access later."

1. Banking and brokerage accounts

The recovery email on your brokerage account is the single most sensitive piece of metadata in your life. It gates resets for everything: trading authorisations, beneficiary changes, transfer requests. If you can convince a bank that an attacker is you because they control your email, you can also convince yourself you'd be fine if your email "just went away for a bit." It would not be fine. Your bank's email goes to an inbox you fully control, ideally with two-factor authentication via app or hardware key.

2. Government, healthcare, and tax communications

Tax authorities, social-security portals, immigration services, and patient portals all email things that are time-sensitive and legally important. Many also expire login links after a few hours. Use a real address, ideally one not shared with marketing signups.

3. Two-factor authentication

Email-based 2FA is already the weakest factor — it's vulnerable to email account compromise. Layering it onto a public, ephemeral inbox makes the chain even weaker. Use an authenticator app (Aegis, Raivo, 1Password's TOTP) for all 2FA you control. Reserve email-based 2FA for the systems that demand it, and only with addresses on your primary account.

4. Anything you'd be sad to lose

If the answer to "what happens if this account dies" is "I'd be upset," don't use disposable email. The list of things people accidentally lose this way: GitHub repos, Steam game libraries, Twitch follower lists, cloud-saved Notion docs, Google Drive links, gym memberships. Years later they hit "Forgot password" and the reset goes to abc@grr.la, which is, of course, gone.

5. Domain registrars and hosting providers

Especially insidious. Lose your email and you can't manage your DNS. The site goes down on the next renewal. Auto-renew protects you for one cycle; after that, the domain auctions to a squatter. We've watched this happen to a small business; the lawyer's bill to recover the domain ran into five figures. Use an email account at a different provider than your registrar (so a single account compromise doesn't take both).

6. Cryptocurrency exchanges and wallets

Withdraw confirmations, suspicious-activity alerts, fee-policy changes, mandatory KYC documents — exchanges send all of it via email. If your address dies, you might literally not know your account is locked. Crypto exchanges also rotate pretty aggressively (gone in 12 months: FTX, Voyager, BlockFi, Genesis); you may need to access "the account at the dead exchange" years later to participate in a bankruptcy claim. Disposable email makes that almost impossible.

7. Job applications and recruiting platforms

Most ATSes (applicant tracking systems) reject applications with addresses on common temp-mail domains. Even if the application gets through, the recruiter can't follow up. Worse, if you get an offer, the offer letter goes to an inbox that may already be gone. Use a real address — preferably a "professional" one separate from your personal mail — and an alias if you want to track which boards leaked your address.

8. Subscriptions you actually want to read

Substack writers, mailing lists, course providers, YouTube channel emails. If you want the content, use a real address (or an alias, which is even better — see our comparison). When the inbox expires, you'll spend more time hunting for the unsubscribe-and-resubscribe loop than you saved.

9. Relationships with humans you might want to message later

Dating apps. Local meetups. Old college friends who only have your email. Disposable email kills the social tail of an interaction that has emotional value. The tradeoff isn't worth it.

10. Anything illegal

We say this in our disclaimer too: disposable email is anti-spam infrastructure, not anti-law-enforcement infrastructure. Most providers log IPs and timestamps. Most respond to lawful requests. Disposable inboxes do not anonymise you. If you're trying to escape consequences for serious wrongdoing, you're using the wrong tool, and we hope you stop.

Borderline cases worth a word

App Store / Google Play purchases

Don't. Refunds, family-sharing transfers, and account-recovery flows all rely on email.

Streaming services

Don't, especially with shared-account culture. Account recovery and "device unauthorised" emails are frequent.

One-off file shares ("send me the link")

Disposable is fine here, especially for short-lived links. Just remember to download before the inbox expires.

Test accounts you'll abandon next week

Disposable is great. This is the canonical good use case.

The recovery story

If you're reading this and realise you've already done one of the above, here's the salvage flow:

1. If the disposable inbox still exists, log into the account and change the email on file to a real address you fully control. Do this now; the inbox could expire any minute.
2. If the disposable inbox is already gone, contact the service's support team with whatever proof of identity you can produce: the original signup IP if you remember it, a credit-card transaction ID, screenshots, anything. Brace for friction.
3. Going forward, audit your "important accounts" list and standardise on a real email for each.

The pattern, summarised

The single rule that keeps you out of trouble: use disposable email only when the verification email is the entire transaction. If you'll never log in again, never receive another email about it, never need to reset anything — disposable. Otherwise, use a real address (or an alias, which is the better default for the in-between cases).

We'll keep building the cleanest, fastest disposable-email aggregator we can — for the cases where it really is the right tool. Generate one now if your case fits.