Question How Many Email Addresses Should I Really Use for Optimal Privacy and Security?

Please provide comments and solutions that are helpful to the author of this topic.
I follow a similar email strategy to @Marko :) Here on MT, I have a dedicated email address that I registered on the forum, and I don’t use that email anywhere else. In Outlook, I have several email addresses/aliases, but only one that I created myself—and only I know what it is—which I use exclusively to log in to my Outlook account. Emails from banks and other important matters are split across services like Protonmail, Tutanota, Mailfence, Outlook, Gmail, Yahoo Mail,AOL and GMX. For newsletters, I use Proton aliases/SimpleLogin, @duck.com, Firefox Relay, and Addy. And for disposable stuff, I use temporary email addresses like those from AdGuard Temp Mail. ;)
 
  1. How many email addresses do you personally use, and what’s the purpose of each?
  2. Do you recommend aliases vs. separate accounts, and why?
  3. What’s the minimum setup that still provides strong privacy and security without becoming unmanageable?
  4. Any tips on managing recovery emails and avoiding lockout risks?
  1. One hidden email account that I actually use. Another is a forwarding account that serves as the "actual email" I give — in the past to everything, nowadays only to very specific things including financial accounts and email alias accounts. The third is a rarely used recovery account that has no further email or phone recovery options.
  2. I like aliases because all the emails end up in a single account. I filter on the aliases, etc.
  3. I don't find aliases burdensome, because my password managers keep track of them. I think the rarely used recovery account is important for security.
  4. For any circular dependencies, I put the credentials (username, password, 2FA recovery codes) on a piece (or multiple pieces) of paper. Backups are critical. Security keys (Passkey, FIDO2 2FA) can be used for recovery in some situations too.
 
In my opinion, the key is balancing security with usability. Managing dozens of accounts isn’t sustainable, but relying on just one creates a dangerous single point of failure.
The sweet spot is 2 to 4 main addresses to compartmentalize risk—separating banking and government from everyday stuff—and using aliases or temp emails for the rest.
It’s not about hoarding inboxes; it’s about managing the blast radius with common sense. A few well-managed accounts give you strong security without turning email into a second job. ⚖️📧🛡️
 
IMG_2533.jpeg
IMG_2532.jpeg

I think you should create 5 aliases, for different uses
  • Primary/personal communication.
  • Sensitive accounts (banking, government, healthcare).
  • Online shopping and social media.
  • Throwaway/temporary sign-ups.
  • Professional/work use.
You can try iCloud’s Hide My Email, this function allows you to create unlimited email aliases. And you only need to manage one iCloud account. However, this function is paid.

In my opinion, the most important thing is to enable TOTP or use Passkeys. For the sensitive and important accounts you mentioned, the top priority is to prevent them from being hacked, so these measures are very effective. I even use only one Outlook email address to register for all my accounts, but I enable TOTP and Passkeys on every single one of them, and I have never had any security issues.

You can use these to protect your accounts:
Bitwarden or ProtonPass — Free, and syncs across all devices
Gmail or Outlook — Enable Advanced Protection Program (Google) or Passwordless (Outlook, Microsoft Account)
For personal use, these are enough, and free

And I think you can try Outlook, Microsoft Account support aliases, and you can even control which aliases are allowed to sign in. For example, you can create a random, scrambled alias that only you know, and never use it to register for any other services. That way, this alias won't exist in any external databases. As for your main Outlook email address, simply disable it as a sign-in alias. Even if hackers obtain that email address, they won't be able to log into your account.

This is the principle of least exposure.
 
And I think you can try Outlook, Microsoft Account support aliases, and you can even control which aliases are allowed to sign in.
I think this is one "good" feature that my Microsoft account has, but Google doesn't (at least globally). It really keeps hackers away because they have no handle on how to log into my account; that is, as long as my computer isn't compromised by malware.

What I always wonder about is, because Microsoft doesn't have the same "work-for-7-day-after-change" recovery options like Google does, if a hacker is able to get both my session cookies and my password, they theoretically can completely change any security options I have in my account. They can also change the login alias as well, at which point I might not even be able to begin to recover my account because I don't have any handle on it either. A security feature can lock out the legitimate owner if not sufficiently knowledgeable or prepared. I wonder if this would be the case here as well. 😕🤪

ps: I think generally, if it gets to the point of malware compromising my system, the only hope for my Microsoft account is that if the security/recovery options are enough to confound most people, it would also confound some hackers. So as long as I have many options to log into my account, they might neglect to wipe out some of those options (like passkeys and Windows Hello passkeys, for example).