Using a catch-all domain is a mistake
A few years ago, I set up a free Google Workspace account on my domain and configured a catch-all email. Anything in the username field of the domain routed to my user account, for example, firstname.lastname@example.org ended up at email@example.com.
I wanted to see who shared my email and give myself a way to block those bad actors. If Uber started selling my email, I could just trash everything to firstname.lastname@example.org. A lot of people do this with the "+" character, appending something to the end of the username part of their email (e.g. email@example.com), but this is easily identified and removed.
I started using it everywhere for every business I dealt with: hilton@, marriot@, hyatt@, delta@, comcast@, citi@, banana@, jcrew@, etc.
It was all a huge mistake.
What happened is a decade of awkward interactions.
[At a Hilton check-in]
Hotel Clerk: I see you're a Hilton Honors member with us under.... firstname.lastname@example.org?
Me: Yes, that's correct
Clerk: Do you...do you work for Hilton?
Clerk: Oh you must be a huge fan then!
At one time, I may have tried to explain it but it's never less embarrassing.
[At J.Crew, trying to do a return]
Employee: Can I have an email to look up your order details?
Me: Yeah, it's jcrew...at
Me: Yeah, jcrew at notcheckmark.com
Employee: hold on, jcrew at no checkmarks dot com?
Me: Can you look me up by phone number or name?
For other companies, like Gap, my email on file is banana@ because I signed up in person at Banana Republic and used a shortened version to make things smoother. Gap and Banana Republic are the same company and share rewards and customer information systems. Do I remember that when I visit Gap? Largely no. If I do remember they're the same company, do I remember that I'm using banana@ and not bananarepublic@ or br@? Definitely not.
I also have a bunch that I've misspelled. My GrubHub account is gruhub@. I use a password manager for passwords but I also need to use it to remember the associated emails.
[Trying to log into a website I know I have an account for]
Website: Please enter the email address you used to register
/me tries a dozen variations and hits rate limit before discovering the correct one
Every so often I need to email a company from one of these emails which requires me to configure my email client to match what they expect. If I don't, I risk the email getting routed wrong or having to prove it's actually mine.
Has it been worthwhile? No, not really. The only benefit is that I'm able to tell when companies are breached before wider disclosures because I start getting spam emails sent to thatcompany@.
The truth is no one really sells your email – at least no legitimate companies. The one outlier is political campaigns: they'll share your email till the end of time. No matter what I do I can't get bernie@ purged from any lists. Every level of government has that email and they share it as widely as they can. I'm pretty sure I only gave him $20 a decade ago.
It's been a decade of trouble and totally not worth it. Especially since all these companies ask for and verify your cell phone number – which is way more static than any email address. It's basically your digital SSN.