Nobody signs up for spam. It arrives because an address you handed over in a moment of mild need — a PDF download, a one-time discount, a forum you posted in once — got sold, leaked, or simply reused. Your inbox is the sum of every form you have ever filled in, and by the time it hurts, the damage is spread across a hundred sites you no longer remember.

You can fix this, but not by deleting harder. Here is what actually reduces the volume, roughly in order of how much it pays off.

Stop feeding the problem first

Cleaning your current inbox while still handing your real address to every form is bailing out a boat with a hole in it. So start at the source: stop giving your primary address to things that do not deserve it.

The rule that works is simple. If a site needs an address only to let you in the door — a whitepaper, a trial, a coupon, a one-off download, a forum registration — it does not need your address. Use a disposable inbox: you get a working address in one click, receive the confirmation mail, click the link, and walk away. The address self-destructs and any list it ends up on is a dead end.

Keep your real address for things with consequences: your bank, your employer, your government, your domain registrar, anything holding money or identity. If losing access would hurt, it gets the real address. Everything else gets a throwaway. Our guide to temporary email covers how it works under the hood.

Never unsubscribe from actual spam

This is the counter-intuitive one, and getting it backwards costs people dearly.

Legitimate newsletters — a shop you bought from, a service you use — have real unsubscribe links. Use them. That is the fastest way to cut the bulk of the noise, and it is legally required to work.

Actual spam — the pharmacy ads, the crypto pitches, the "your parcel is waiting" — is different. Clicking unsubscribe there confirms a human read it. That makes your address more valuable, not less, and it gets resold as a verified address. Do not click. Do not reply. Mark as spam and delete. The only signal you want to send a spammer is silence.

The same logic applies to loading images in a suspicious message: a remote image can be a tracking pixel that reports back that you opened it. Most mail clients block remote images by default — leave that setting alone.

Report as spam, do not just delete

Deleting removes one message. Reporting teaches the filter what you consider junk and helps it catch the next thousand — for you and for everyone else on the same provider. It costs the same click. Use the report button.

The reverse matters too: if real mail lands in spam, mark it "not spam" and add the sender to your contacts, or the filter keeps learning the wrong lesson.

Find out who leaked you

If your provider supports plus-addressing, you can hand out [email protected] and it lands in your normal inbox. When spam arrives addressed to you+shopname@, you know exactly who sold or lost your address. It is a useful audit trail — with one honest caveat: the trick is well known, and the sleazier list brokers simply strip the +shopname part before selling. It tells you who leaked; it does not stop the leak.

A disposable address does stop it, because there is nothing left to deliver to. That is the real difference between tracing the problem and ending it.

Keep your address off the open web

Spammers run crawlers that do nothing but harvest addresses from public pages. If your address sits in plain text on your site, a forum profile, a GitHub commit or a PDF, it is already on a list.

Publish a contact form or a link instead of a raw address. If you need something people can click from a bio or a poster, a link-in-bio page or a short link to a contact form does the job without exposing a harvestable string.

Check what has already leaked

Search your address on a breach-notification service. If it turns up in old breaches, that explains the baseline noise — and it means any account that reused the password from that breach needs a new one, urgently. Spam is the visible symptom; credential stuffing is the expensive one.

Consider a clean start for the important stuff

If your main address has been public for a decade, no amount of filtering fully rescues it. The pragmatic move is not to abandon it but to demote it: create a fresh address, give it only to the accounts that matter, keep the old one alive for legacy mail and let it rot. Pair that with disposable addresses for everything transactional and the flow drops to a trickle within months.

What to do this week

  • Unsubscribe from legitimate newsletters you never read. Report the rest as spam without clicking anything.
  • Use a disposable address for the next signup that just wants an email to let you in.
  • Take your real address off any public page you control.
  • Check your address against known breaches and rotate any reused passwords.

None of this is a filter you install once. It is a habit: decide, every time a form asks, whether this site has earned your real address. Most have not.