email-verification-protocol

Support of email aliases

Open kdenhartog opened this issue 3 months ago • 5 comments

It's becoming more common for people to utilize email aliases and forwarding addresses for privacy and management these days. Has there been any thought into how that would fit within this protocol or would you be open to some improvements that add this?

For example, I use mail forwarding (e.g. [email protected]) to track who I'm giving my email to and it's helped me detect phishing attempts a few times now. Similarly, SimpleLogin is used behind the scenes for email aliases in ProtonPass and likely would be useful here too.

kdenhartog avatar Sep 06 '25 08:09 kdenhartog

Thanks for the feedback!

I don't think there is anything in the protocol that prevents myemaildomain.com from adding a DNS record that points to an issuer that the user has cookies with to issue the SD-JWT.

Is there something I am missing that would prevent that?

dickhardt avatar Sep 06 '25 15:09 dickhardt

Adding explicit support for this in Section 2.2 is the only thing I think might require a change. For example, a browser that supports an email alias service could automatically generate one for them. However, if the browser doesn't support that or isn't aware the user is using an email alias service, it might not suggest an alias for them.

In that case, extensions may be able to polyfill to capture the request and override the browser UX to solve for this (kind of like Proton Pass does for passkeys). I think in the case where the user is manually entering an alias (like in the [email protected] case), it's not clear how that case should be handled.

kdenhartog avatar Sep 08 '25 07:09 kdenhartog

Got it. How 1 & 2 work will likely evolve based on UX and privacy as well as use cases such as you are describing.

dickhardt avatar Sep 08 '25 07:09 dickhardt

Is this related to people who own [email protected] and use stuff like [email protected] to register at servicename.com?

It might be similar in terms of verification by the issuer, but different in terms of UI?

stefan2904 avatar Nov 09 '25 19:11 stefan2904

I'm not seeing how email aliases support is possible in this proposal, though maybe I'm missing something.

Examples are helpful. Say I'm using Apple Hide My Email, which lets me create email aliases like [email protected] for shoes.com, and [email protected] points to my actual email address, which is a Gmail email ([email protected]). I'm logged into [email protected] on gmail.com in my Chromium browser. How could Gmail (my email provider) know that Apple should serve as the issuer for my emails?

ShivanKaul avatar Nov 15 '25 19:11 ShivanKaul