Yeah, I'm too lazy so far to set up email properly with my own domain, so this sort of works in the meantime. The goal is to give every person/org a completely different address of the form theirname000000@mydomain.tld (zeros being random digits) all forwarding to the same inbox. Once that's done, it'll be clear who can't/won't do data protection.