All names are fictional and obfuscated to not reveal identities or entities. The event is real.

So how do I even begin?

Meet Willy. Willy knows what email wildcards are.

john.doe@email.com
john.doe+provider@email.com
john.doe+whatever@email.com

When sending an email to any of the above addresses, johndoe@gmail.com receives all of them. In theory, according to the email specifications you can place a dot anywhere in the address and it is the same email address. You can also add a + and write whatever you want after it and still receive it. It can be used as a way to filter out spam, mailing lists signup. A lot of use cases.

When I signup for a service I usually add +provider before the @ so I can know if I they sell my email address. I signed up for a service which facilitates paying taxes. I use the email john.doe+provider_name@email.com, where provider_name is the service.

Years go by, I want to reset my password. I try to recover my password but don’t get the email to reset it.. I notice, the form resets to john.doeprovider_name@email.com. After many attempts it hits me. They don’t support wildcards.

So what do I do? I create a new email. john.doeprovider_name@email.com, reset the password and it arrives. I manage to reset my password and change my email to john.doe@email.com.

Lesson? Use an email validator. And don’t fuck with peoples taxes, its ridiculous to have to create an email address which matches what they wrongly stored in their database so one can actually use the service.

It could have been way worse though. At least I could change my email to remove the wildcard..