Fastmail and Gmail support a local suffix of the form [email protected]. That's a plus character between the local name and local suffix. If you use a password manager, you can replace a predictable suffix like "amazon" with a random hex value.
Unfortunately, many sites borked their e-mail address validation and do not accept the plus character. (Amazon permits it.) Also, you'll occasionally find a customer service ticketing system that expects replies to come "From" your account's e-mail address. (Many mail clients can alter that header, but it's a pain.)
Panix.com supports this, plus an alternate that works almost everywhere. You can use "[email protected]", and it ends up in your inbox, filterable by the "To:" address. I create a new email address for every company I sign up with.
Gmail also supports [email protected] (add random dots to the local-part). (Almost?) every system considers '.' a valid character. However, you need to keep track of which tagged address goes to what service, much like the case of a tag with random hex digits.
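An added example, not part of any post in this thread: one way to avoid keeping a table of random tags is to derive each hex suffix from a secret key with HMAC, then recompute it to find which service a received "To:" address was issued to. The secret, mailbox and service names are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for illustration, not from the thread).
SECRET = b"constructed-demo-secret-kept-in-a-password-manager"
MAILBOX = ("alice", "example.com")
SERVICES = ["amazon", "panix", "fastmail"]
TAG_HEX_LEN = 10  # 40 bits of HMAC output: not guessable from the service name


def tag_for(service, secret=SECRET):
    """Derive the hex suffix for a service from the secret key."""
    norm = service.strip().lower().encode("utf-8")
    return hmac.new(secret, norm, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def address_for(service, mailbox=MAILBOX, secret=SECRET):
    """Build the plus-tagged address to hand to one service."""
    local, domain = mailbox
    return f"{local}+{tag_for(service, secret)}@{domain}"


def service_for(address, services=SERVICES, mailbox=MAILBOX, secret=SECRET):
    """Map a received To: address back to the service it was issued to.

    Returns None for the bare address, an unknown or guessed tag,
    or an address for a different mailbox.
    """
    local_part, at, domain = address.strip().rpartition("@")
    if not at or domain.lower() != mailbox[1].lower():
        return None
    local, plus, tag = local_part.partition("+")
    if not plus or local.lower() != mailbox[0].lower():
        return None
    candidate = tag.lower().encode("utf-8")
    for service in services:
        if hmac.compare_digest(candidate, tag_for(service, secret).encode()):
            return service
    return None


if __name__ == "__main__":
    for name in SERVICES:
        print(name, "->", address_for(name))
    print(service_for(address_for("panix")))      # the issuing service
    print(service_for("alice+amazon@example.com"))  # predictable tag: None
```

Mail arriving at a tagged address from an unrelated sender points at the service that leaked or sold it, and a mail filter can treat the bare address and unknown tags as suspect.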
I fear that customer support might still accept emails without the suffix from the "customer". These are people, not robots, so if the address is close or in the vicinity of being correct, they might accept it. Same goes for the dot characters allowed in gmail addresses.
I strongly second this concern. I generate random strings as answers to my recovery questions. When I recently got asked one of the questions the support rep let out a sigh when asking (presumably because he saw the "crazy" answer) and then said "yeah yeah, alright" when I was about half way through the answer. That any company even suggests these insane security questions that anyone can trivially research is completely beyond me.
An idea I just had which is buried in a deep thread lower down...
Not that I trust the "security questions", but if Amazon lets you use freeform questions as well as answers, it might help to make your first security question "Have you noticed this account has two factor authentication turned on?" with an answer like "Yes, so Amazon Customer Service will take additional care when being asked to reveal account information, right?"
Even if you can't do freeform questions, perhaps the answer to "What's your mother's maiden name?" could be something like "Have you noticed this account has two factor authentication turned on? Please take extra care before disclosing account details to anyone, Thanks."
I would recommend strongly against that. You'd be far better off picking something plausible, so if someone does impersonate you it's obvious.
Remember it's a human verifying this. The attacker just needs to answer: "oh, yeah I just spammed the keyboard with some gibberish" and he's in.
The other thing I noticed by the attacker going after me, sometimes he'd call/contact the service multiple times in a row. All he needs to do is find out from 1 support rep that the reset password is randomly generated. Then tell another support rep that it's "some gibberish" and he's in.
For those sort of "mother's maiden name" type questions, I generally use a fake but plausible name. Probably not as secure as a random string (especially as the name is reused across a few services), but makes it near impossible to research, and avoids a random string not being accepted/treated as an error/truncated like your example etc.
I'll try to avoid ranting here, but anything is a legal email address per the RFC (even an @ sign in a username, or an email address without any @ sign).
RFC 821 is the original and 2821 summarizes it plus the few that came after to add and clarify.
The only true "RFC email validity check" is to send an email to whatever address they provide.