Back to Blog

How to Find Out Who Sold Your Email Address: The Ultimate Guide

The most reliable way to find out who sold your email address is to give each company a unique email alias. When spam arrives, the alias that received it identifies the signup source, leak, or data broker path. From there, suspend that alias, report the sender, and use a new private address for future accounts.

April 1, 2026

Updated

Email PrivacySpam PreventionData BrokersEmail AliasesCybersecurity

The most reliable way to find out who sold your email address is to give each company a unique email alias. When spam arrives, the address it was sent to identifies the leak — the signup source, breach, or data broker path. Suspend that alias, and the spam stops with it.

Updated 2026-07-02.

The quick version

  1. Create a unique email alias for each company, app, newsletter, or marketplace.
  2. Label each alias with the exact source before you use it.
  3. Watch which alias starts receiving unrelated spam or unexpected marketing.
  4. Suspend the leaking alias — and if you still need the account, switch it to a fresh address.

That's the whole technique. The rest of this guide covers the three ways to do it — Gmail plus addressing, a custom domain, and dedicated email aliases — including where each one breaks down, and what to do once you've caught the company that sold you out. Already drowning in spam and not sure where it came from? Start with the sudden-spam diagnostic — five questions that narrow down the likely source.

Why Do Companies Sell Your Data?

To understand how to fight back, you first need to understand why your data is being shared in the first place. The internet operates largely on a "free" model. We use search engines, social media platforms, and mobile apps without paying a dime. However, as the old tech adage goes: If you are not paying for the product, you are the product.

Companies monetize your existence through the hidden economy of data brokers and third-party marketing. When a business collects a massive list of active, verified email addresses, that list becomes an incredibly lucrative asset. Marketing agencies, advertising networks, and even malicious actors are willing to pay top dollar for direct lines of communication to consumers.

You might be wondering, "Isn't selling my data illegal?" In most cases, unfortunately, it is entirely legal because you technically agreed to it. Terms of Service and Privacy Policy agreements are notoriously long, filled with dense legal jargon that the average user never reads. Buried within these documents are often clauses stating that the company may share your information with "trusted partners," "affiliates," or "third-party marketing services." By checking the "I agree" box, you are legally authorizing them to profit off your inbox.

It is also crucial to distinguish between a company selling your data and a company suffering a data breach. Sometimes a business has every intention of keeping your data private, but their security fails and user lists end up on dark web forums. Whether your address was sold legally through a ToS loophole or stolen in a breach, the result is the same: an avalanche of spam. The tracking methods below work for both scenarios.

Method 1: The Gmail Plus Addressing Trick

The oldest and most accessible way to track your data is a technique known as "plus addressing" or subaddressing. If your provider supports it (Gmail, Outlook, and iCloud all do), you can insert a plus sign (+) followed by any tag right before the "@" symbol. The provider ignores everything from the plus sign onward and delivers the message to your primary inbox.

Step-by-step:

  1. Identify your base address: say your normal email is john.doe@gmail.com.
  2. Append a unique tag: when you sign up for a shoe store called "SneakerWorld," enter john.doe+sneakerworld@gmail.com.
  3. Complete the registration: SneakerWorld accepts it as a valid address, and their welcome email arrives in your normal inbox.
  4. Monitor your incoming mail: months later, a spam email promoting an online casino arrives — and the "To:" field says john.doe+sneakerworld@gmail.com.

You have caught them red-handed: SneakerWorld either sold their mailing list or suffered a breach. You can also set up filters so any mail to a burned plus address goes straight to the trash.

The catch: spammers know this trick. Automated spam tooling routinely strips the "+tag" from an address, leaving your bare, real inbox on their list — your tracking evidence is gone and the spam lands anyway. Your real address was visible inside the tagged one the whole time.

Plus Addressing vs a True Email Alias

 Gmail plus addressingEmail alias
Shows your real addressYes — it's right there before the "+"No — the alias is a separate, random address
Can spammers strip the tag?Yes, trivially — scripts remove "+tag" automaticallyNo — there is nothing to strip
Shut off a leaked addressFilters only; your real inbox still receives the mailSuspend or delete the alias in one click — delivery stops
Survives a data breachNo — the breach exposes your real inboxYes — only the isolated alias is exposed
Cost / setupFree, built into Gmail, Outlook, iCloudFree tiers at dedicated alias services; no DNS or extension needed

Method 2: A Custom Domain with Catch-All Routing

A more robust do-it-yourself option is a custom domain with a catch-all rule: buy a generic domain (around $10 a year), enable catch-all forwarding, and give every service its own address — netflix@myinboxroute.com, localgym@myinboxroute.com, and so on. Spam to localgym@ tells you exactly who leaked it, and there is no "+" for spammers to strip.

The trade-offs: the annual domain cost, the DNS and MX-record setup, and one structural weakness — if a spammer notices your domain, they can bombard random prefixes at it, forcing you to turn the catch-all off entirely. It is a solid method for people who enjoy running their own infrastructure, and unnecessary for everyone else.

Method 3: Email Alias Tracking (the method built for this)

Dedicated alias services — Emcognito, SimpleLogin, addy.io, and Firefox Relay all work this way — generate a unique, random forwarding address for every account you create. An address like x8v9q2@emcognito.com forwards to your real inbox, but nothing about it reveals who you are, and there is no tag to strip.

This gets you the custom domain's security without owning a domain, and plus addressing's convenience without its weakness. The label you attach to each alias is the tracking layer: when an alias you created only for one store starts receiving casino spam, the verdict is instant.

The real power is control. If x8v9q2@emcognito.com ends up on a spam list, you don't just know who leaked it — you suspend that one alias with a single click. The spam stops immediately; every other alias and your primary inbox are unaffected. If you're new to the concept, start with what an anonymous email is.

What to Do When You Confirm a Company Sold Your Email

1. Do not click "Unsubscribe" on the spam email. If the email is from a malicious spammer, clicking unsubscribe (or loading its images) confirms your address is active and monitored, which makes it more valuable. Only use unsubscribe links in mail from legitimate, legally compliant businesses.

2. Cut off the source. If you used an alias, suspend it — the spam ceases instantly. If you used a plus address, filter it to the trash (knowing the stripped version may still arrive).

3. Delete the compromised account. If they cannot be trusted with your email address, they cannot be trusted with your passwords, payment details, or personal habits.

4. Submit a data deletion request. Under the EU's GDPR ("Right to be Forgotten") or California's CCPA, you can formally demand a company delete your data and stop selling it. Companies face real fines for ignoring these requests.

When It Wasn't Sold — It Was Stolen

Sometimes the trail leads not to a sale but to a breach. Check your address against Have I Been Pwned (haveibeenpwned.com), which cross-references thousands of known breaches and shows which companies were hacked, when, and what data was taken. The companion tool haveibeensold.app focuses specifically on mailing-list sales. If you find yourself in a breach, work through our data-breach checklist.

Breaches are also why unique addresses matter beyond spam: when hackers steal an email/password pair from one site, they immediately try it on banking apps, PayPal, and Amazon — credential stuffing. If every service has its own alias and its own password, a breach at one site exposes an isolated alias that works nowhere else.

Trace and Stop the Next Leak Automatically

Tracking down who leaked your information is satisfying; keeping them away from your real inbox permanently is the goal. Emcognito is an email forwarding alias service built for exactly this workflow: unlimited aliases on every plan (the free tier includes 100 forwarded emails a month), a label on each alias recording who you gave it to, reply-from-alias on every plan, and one-click suspend when an address starts attracting junk.

If a company sells your data or gets breached, you don't abandon your primary email address or spend hours updating accounts. You open your dashboard, see exactly which alias — and therefore which company — leaked, and shut it off.

Frequently Asked Questions

Can spammers remove the "+" tag from a Gmail address?

Yes, trivially. The tagged address contains your real address in plain sight (john.doe+tag@gmail.com), and spam tooling routinely strips everything from the "+" to the "@" before mailing the list. That defeats the tracking and lands the spam in your primary inbox. A true alias has no tag to strip and never exposes the underlying address.

Is it illegal for companies to sell my email address?

Usually not, because you agreed to it — most privacy policies include third-party sharing clauses. But in regions with strong privacy law, such as the EU (GDPR) or California (CCPA), you have the right to demand deletion and opt out of data sales, and you can report violators to regulators. Selling data stolen in a breach is a different matter entirely.

How do I stop the spam once I know who sold it?

Suspend or delete the alias that received it (or filter the plus address), never click unsubscribe in malicious spam, delete your account with the offending company, and — where GDPR or CCPA applies — send a formal deletion request. Then use a fresh alias for anything you still need.

What is the difference between a disposable email and an email alias?

A disposable email (like 10-minute mail) is a temporary public inbox that self-destructs — if you ever need a password reset later, you're locked out. An email alias is permanent but controllable: it forwards to your real inbox indefinitely, and you can pause or delete it the moment it starts receiving spam. Full comparison: disposable email vs email alias.

How do data brokers get my email address in the first place?

They aggregate it from many sources: scraping public web pages, buying user lists from free apps and services, purchasing transaction data, and harvesting public records. Those breadcrumbs are assembled into a profile of you and sold to advertisers — which is why starving them of your real address is more effective than cleaning up afterward.

Stop wondering who is selling your data. Create a free Emcognito account to generate a unique alias for every service, see exactly who leaks your info, and cut off spam with a single click.

Sources and further reading

Ready to protect your email?

100 forwarded emails a month at no cost, no credit card, passwordless sign-in.

Create anonymous email now →