This is why I own my own domain and have a catch-all email address. When I give a company my email address, I use (companyname)@domain.com.
They all forward to gmail; where it is very easy to filter out (companyname)@domain.com once shenanigans like this happen. It's also easy to track down and shame companies for doing this, too.
Even for Gmail users, the + notation will handle this well. foobar@gmail.com and foobar+SearsSoldMyEmail@gmail.com will both direct to the same location, and relatively few resellers have the sense to strip the extra data.
The problem with the + notation is twofold: First, not all places accept the + character; second, you've now revealed your actual e-mail address (since foobar@gmail.com is just as valid as foobar+dontspamme@gmail.com).
I use a subdomain with catch-all, like me.example.com. Everybody is fine with subdomains and then I can use companyname@me.example.com. Using that format doesn't expose my actual e-mail address and makes it easy to filter (if match companyname, immediately bin and never tell me).
Additionally you cannot send an email from foobar+dontspamme@gmail.com. If you aggressively use the + character for legitimate signups but need customer support they may not be able to find your account as easily (e.g. "we couldn't find an account associated with e-mail foobar@gmail.com").
For me, the actual email problem isn't huge - my first line of defense is giving out a burner email unless I want the primary site to be able to contact me. So I don't expect to get truly hammered with spam, and just want a way to know what happened if someone does sell the address.
The invalidation issue is a bigger one, and a subdomain is certainly a better solution for it. Disposable emails and the + notation are nice for people who either don't want to leave gmail, or are bound to it via college or company email system. They aren't the best cure, though.
I do this but note that '+' will invalidate your email on some sites and can't be used to begin with. Yay for poor email validation! Gmail ignores `.` in email addresses so you could also try `y.o.u.r.e.m.a.i.l@gmail.com` which will validate in more places - but then you can't pinpoint where exactly unless you start keeping track in a complex spreadsheet. But you will know that somewhere you signed up for sold your email address.
> unless you start keeping track in a complex spreadsheet
The spreadsheet doesn't have to be that complex. Just treat the spaces between letters as bits. Dot is 1, no dot is 0. Suddenly, an e-mail temporal@example.com has 128 different variants, and your spreadsheet may just be a numbered list of companies :).
If you run your own mail server you can set it to be any character you like. I have mine set to a dash, which tends to be accepted everywhere and less likely to be discovered as an alias (although certainly not impossible)
That does not work because anybody who has your email address knows to remove anything after '+'. The only case it can work is if you were to only use addresses where there was a + sign, and throw all other emails to the trash.
I have thought of a similar technique but this time using a period that would float between all the letters I have in my username. Any emails sent to an address without the period gets autodeleted.
Yahoo offers a similar service and is the only reason I use them still (though of course all yahoo emails then get forwarded to gmail).
Yahoo's implementation gives you a secondary email address of the form [fakeemail]-*@yahoo.com where you get to add in anything after the dash and only email addresses you create are valid and will be sent to you. You can also delete these email addresses at any time. Also you're able to respond to emails from using these temp accounts so you don't have to worry about revealing yourself.
I don't think you even need to bother with this. Do you use categories? I do, and stuff like this always ends up in the "Promotions" folder, which I look at approximately never because it's all spam.
They all forward to gmail; where it is very easy to filter out (companyname)@domain.com once shenanigans like this happen. It's also easy to track down and shame companies for doing this, too.