As a victim of harassment, I may not want my email address disclosed every time I use Special:Emailuser. Github has a setting "Keep my email address private" that sets all publicly facing email addresses (e.g. in commit metadata) to, say, MER-C(at)users.noreply.github.com. A preference should be added to MediaWiki that, when enabled, sets all emails sent via Special:Emailuser to have a sender of, say, MER-C(at)no-reply.wikimedia.org. All emails sent to this address would be discarded silently.
Just set up a mailinator address or something. I can see how someone might want to send emails without exposing their real email address, but not receiving replies does not make any sense.
You do, but that doesn't mean other people should have to, especially if the topic of discussion is private.
Set up a what? (Rhetorical, I looked it up.) What the hell are you thinking? Their email boxes are publicly accessible. Also, I really want to trust a fifth party with my Wikimedia communications. And you can get replies through EmailUser—it shouldn't be hard to add a header to EmailUser messages saying "please reply with EmailUser, the sender has opted to hide their email address".
This seems a very broken way to use email, but I understand that many people don't care about having tidy mailboxes where threading works and so on. I'm not sure how increasing the messiness of emails (e.g. making the real sender harder to recognise or even absent from standard email headers) can help with harassment, but ok.
So the real summary of this task is "Allow to send private messages to a user via a special page while only allowing replies from the same special page"?
Whenever I had to do such a service it's getting done by a really simple mailforwarder. Every user have a hashed mailbox, say, email@example.com (and even the hash could be generated from the account name and not from the email, if one's worrying about deniability), do not even have to be created as it may be generated on the fly. Outbound email uses this sender, and all replies get processed and forwarded to the user's real email address. In theory I can do this for you if you have a spare CT/VM with access to user email addresses (or a copy of it) and have a net connection.
[Replies have to be made on the web form, though; I don't advise to create a full-fledged anonymiser framework, but it's still fairly easy to implement.]
Possible technical problems are a few, the resource requirements are low, the possible traffic is low (especially with strict limits on the content), possible spamming can be limited by rate limits and some ordinary spam scoring. Maybe requires a way to activate/deactivate it for more feeling of control.
So I see this rather a policy question than a technical one.
I think this should work the same for all users, not be something you have to opt into.
The simplest solution is to implement this task for everyone, and make it easy (e.g. a reply link) to reply by EmailUser, as @BethNaught suggested.
It might be useful to allow direct replies while hiding the email addresses; that's doable, but a little more complicated.
The problem with a forwarder is that when people start eg. sending emails with viruses attached (or simply spam) to @private.wikipedia.org addresses, they will go out from WMF IPs, which are then categorised as a source of virus/spam.
I understand the requirement of not wanting to disclose the email address, but what I see many people doing here is to create an email address specific to wiki matters (eg. hotmail or gmail, it doesn't need to be a temporary one¹). This not only works for Special:EmailUser, but also allows safely interacting with other members of the community in mailing lists without revealing the other email address.
IMHO this should be declined.
¹ Note that mailinator could actually be harmful, since unless you use the generated alias, the receiver could steal your account by doing a password reset immediately before the email is changed back.
The Community discussion from https://meta.wikimedia.org/wiki/2016_Community_Wishlist_Survey/Categories/Miscellaneous#Provide_a_dummy_email_address also raises some interesting points:
hmm... I'm afraid this would encourage harassment, instead: currently you can sometimes find someone who insults you, threatens you or otherwise disturb you, even if the interface tells them that their email address will be visible and their address has been confirmed. If you tell them they would be hidden, I'd bet they would feel more comfortable in acting badly. Also, at a legal level, this would bring the Foundation to be responsible of this correspondence, and any time a user should need to act against harassers, or police legitimately requires quick help, WMF would be bureaucratically called each time to reveal the hidden address, resulting in a useless heavy complication: someone should study each case, evaluate it, decide, and take a further responsibility when not revealing the address. Wikis are public by definition, when you need to exchange private messages you are not on wiki any more: in this case you can well bear giving your email address, maybe a dedicated secondary one (as above proposed). Afaik, email addresses are not disclosed in our wikis (and should never be, anyway). --g (talk) 01:03, 11 November 2016 (UTC)
This would just allow harassers to spam you emails that you could not easily block as it would all just be email from wikimedia. This could only work if we also had the "Allow users to restrict who can send them email" blacklist option as well. KylieTastic (talk) 14:24, 13 November 2016 (UTC)
When the voting phase starts, I would support this if there is also a sure way on the Wikimedia side of things (as opposed to the email client side) to block certain users from sending you emails. As others have noted above, this could provide spammers with extra security as well, because their email addresses would be anonymous, too. As a suggestion, I know that, when an email is sent using Special:EmailUser, the fact that an email was sent (nothing else) is recorded in a log somewhere. We could somehow use that log to monitor emails incoming to one of these anonymous email addresses. What the log records (that an email was sent) would not change. — Gestrid (talk) 19:26, 14 November 2016 (UTC)
Agree with KylieTastic that this has the potential to embolden harassers and it should probably only be implemented if we also have some sort of blacklisting feature. Ryan Kaldari (WMF) (talk) 01:28, 22 November 2016 (UTC)