The four mailbox system: one email for everything is a trap

Here's the whole thing in one line: one email address for everything means one password reset stands between a stranger and your entire life. Bank, super, shopping, newsletters, tax, conversations, all hanging off one inbox with one password and one recovery path. The fix isn't a better password. The fix is structural: four mailboxes with four different jobs, arranged so the address that leaks in a shopping breach is never the address that can reset your bank. It costs nothing, the first move takes an afternoon, and it removes a single point of failure most people never chose to carry. Here's the system, why it works, what it costs in convenience, and how to move across without chaos.

One inbox is one point of failure

Count what hangs off your main email address. Banking. Super. Government services. Every shop, subscription, app and mailing list you've ever touched. Now notice the part that matters: that same address is also the recovery path for all of it. Whoever controls the inbox can press "forgot password" on everything downstream and catch the reset links as they arrive. They never need your bank password. They need your email, once.

And that address is not a secret. You hand it to every checkout page and wifi portal, so it sits in breach dumps next to whatever password you used there. One address doing every job means the most exposed thing you own is also the most powerful. That's a design flaw, and no password fixes a design flaw.

The system: four mailboxes, four jobs

Four addresses, ideally spread across two providers. Each one does a single job and never does the others.

  • MONEY. Banks, super, government, investments, anything that moves dollars. This address is never given to a shop, an app or a newsletter, so it never ends up floating in a breach dump. Nobody emails it except institutions. It gets the strongest two-factor authentication you can manage, and a hardware key if you use one anywhere.
  • IDENTITY. The recovery address. It exists to be the "backup email" for the other mailboxes and your most critical accounts, nothing else. Told to almost no one. Checked rarely. Secured hardest of all. If MONEY is the vault, IDENTITY is the key cabinet.
  • LIFE. The everyday address, the one humans actually write to: family, friends, the school, the plumber. It can afford to be semi-public because it can't reset anything that matters.
  • JUNK. Shopping, newsletters, sign-ups, competitions, loyalty cards. This is the address that gets breached, and when it does, it doesn't matter: nothing valuable recovers through it.

That's the whole system. Nothing to buy; free providers do the job. What matters is the separation, the same way you don't keep the house deed in the letterbox.

Why it works: the blast radius shrinks

Every breach has a blast radius. Today the radius of any one leak is your entire life, because everything shares the one address. Under this system, JUNK leaks, and it will, and the attacker holds an address that resets nothing and banks nothing. The address that leaks is never the address that resets your bank.

The second payoff: phishing filters itself. A "your account is locked" email from your bank arriving at the JUNK address is instantly fake, because your bank has never been given that address. No squinting at sender names, no hovering over links. Wrong mailbox, delete. The hardest question in phishing, "is this real?", becomes an easy one: "could this even be real, here?"

The recovery chain rule

One rule holds the whole thing together: the recovery graph must not be circular. If MONEY recovers to IDENTITY and IDENTITY recovers back to MONEY, an attacker who takes either one takes both, and you've built one mailbox with two names on it. IDENTITY should anchor to something that isn't email at all: printed backup codes in a drawer, a hardware key, a phone number you actually control. Map who recovers whom before you trust the setup; almost nobody has looked at their own recovery chain. That blind spot is the recovery gap: a strong lock on the front door while the back door, the reset path, swings open.
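Once you have written down who recovers whom, the recovery chain rule can be checked mechanically. The sketch below is an added example, not part of the original article. The account names and both recovery maps are constructed sample data, and it assumes that controlling any one recovery path is enough to reset an account.

```python
# Audit a recovery map: who falls if one mailbox is taken, and is there a loop?
# Each key is an account; the list holds everything that can reset it.
# Names that never appear as keys (backup_codes, hardware_key) are non-email anchors.

BROKEN = {  # constructed sample: MONEY and IDENTITY recover to each other
    "MONEY": ["IDENTITY"],
    "IDENTITY": ["MONEY"],
    "LIFE": ["IDENTITY"],
    "JUNK": ["IDENTITY"],
    "bank": ["MONEY"],
    "shop": ["JUNK"],
}
FIXED = dict(BROKEN, IDENTITY=["backup_codes", "hardware_key"])

def blast_radius(recovery, start):
    """Everything an attacker can reset after taking over `start`."""
    taken = {start}
    changed = True
    while changed:  # repeat until no further account falls
        changed = False
        for account, paths in recovery.items():
            if account not in taken and any(p in taken for p in paths):
                taken.add(account)
                changed = True
    return taken - {start}

def circular_pairs(recovery):
    """Pairs of accounts where taking either one yields the other."""
    pairs = set()
    for a in recovery:
        for b in blast_radius(recovery, a):
            if b in recovery and a in blast_radius(recovery, b):
                pairs.add(frozenset((a, b)))
    return pairs

if __name__ == "__main__":
    for name, graph in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name)
        for box in ("MONEY", "IDENTITY", "LIFE", "JUNK"):
            print(f"  lose {box:8} -> {sorted(blast_radius(graph, box))}")
        loops = [sorted(p) for p in circular_pairs(graph)]
        print(f"  circular recovery: {loops or 'none'}")
```

In both maps, losing JUNK costs only the shop account. The difference shows at MONEY: in the circular map its takeover reaches IDENTITY and everything behind it, while in the fixed map it stops at the bank.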

How to migrate without chaos

Don't try to rebuild your whole digital life in a weekend. You'll burn out around account forty and abandon it half-done. Start with MONEY only. Create the new address, lock it down with the strongest two-factor authentication available, then spend one afternoon moving the critical logins across: bank, super, government, investments. For most people that's ten or fifteen accounts. Treat it like any changeover: write the list first, move them in one sitting, and verify each login and each recovery setting before you tick it off.

Then create IDENTITY and point the recovery of your mailboxes at it. LIFE can simply be the address you already have, since it's the one people write to anyway. JUNK is a fresh free address you hand out from today, migrating old shop accounts lazily, at the next login. The changeover doesn't have to be total to work: the day MONEY is separated, the worst outcome is already off the table. If your current address may already be compromised, deal with that first; see our guide to recovering a hacked email account.

The honest costs

More mailboxes means more checking, and we won't pretend otherwise. Here's how to keep it liveable. Forward LIFE and JUNK into one view if you like; they're low-stakes and convenience wins there. Never forward MONEY or IDENTITY anywhere, because forwarding rebuilds the exact single point of failure you just dismantled. In practice MONEY gets a handful of emails a month; check it weekly or when you're expecting something. IDENTITY is nearly silent, and that silence is a feature: mail arriving there unexpectedly is itself an alarm worth hearing.

Aliases and plus-addressing: the lightweight version

Most providers let you write yourname+shop@ or mint aliases, and they're worth using: give every shop its own tag and you'll know who leaked your address when the spam starts. But be honest about what an alias is: the same mailbox with a different name on the door. One password, one recovery path, one blast radius. Plus-addressing is also stripped trivially: delete the tag and the real address remains. Run aliases on top of JUNK for sorting and leak-tracing, but don't mistake them for compartmentalisation. Separation is the security; aliases are the bookkeeping.

Separate email addresses: common questions

Should I use a separate email address for banking?
Yes. A banking-only address that has never been given to a shop or a newsletter doesn't appear in breach dumps, so stolen credential lists don't have it and phishing rarely reaches it. Give it the strongest two-factor authentication your bank supports. Of the four mailboxes, the money address is the one to build first: it takes the worst outcome off the table on day one.
How many email addresses should I have for security?
Four covers it: one for money, one as a recovery address, one for everyday life and one for junk. Fewer than that and jobs start sharing an inbox, which rebuilds the single point of failure. More than four is usually maintenance without benefit. The number matters less than the rule behind it: the address strangers have must never be the address that can reset the accounts that matter.
What is the risk of using one email address for everything?
One password reset. Whoever controls your inbox can request a reset on your bank, your super and everything else, then catch the links as they arrive. They never need your bank password. And because that address is on every shop and mailing list you have ever used, it is the most exposed thing you own as well as the most powerful.
Which email address should I use for account recovery?
A dedicated one that does nothing else. It exists to be the backup address for your other mailboxes and your most critical accounts: told to almost nobody, checked rarely, secured hardest of all. Its own recovery must not point back at the mailboxes it protects, or an attacker who gets one gets both. Anchor it to something that isn't email, such as printed backup codes or a hardware key.
Are email aliases or plus-addressing as good as separate mailboxes?
No. An alias is the same mailbox with a different name on the door: one password, one recovery path, one blast radius. Plus-addressing is stripped trivially: delete the tag and the real address remains. Aliases are genuinely useful for sorting mail and spotting who leaked your address, so run them on top of the junk mailbox by all means, but they compartmentalise nothing on their own.
Does a bank email arriving at the wrong address mean it is fake?
Yes. If your bank has only ever been given your money address, a bank email landing in your junk or everyday mailbox cannot be real, and you can delete it without reading it. That is one of the quiet payoffs of the system: phishing stops being a judgement call about links and sender names and becomes a simple question of which mailbox the message arrived in.

Your email is the master key to everything else you own; the four mailbox system stops you carrying it on one ring. Want a second layer under the resets themselves? That's the job we built for: tell us what you're protecting and we'll help close the reset path too. No jargon, no scare tactics.