A tactic I have used for a long while is to give out site-specific email addresses. This allows me to determine of the site has been  compromised or my email has been resold because I have not given that email to anyone else. For example, I use South Jersey Gas, and the email address I used when I signed up was sjg@mydomain.com. I now get a lot of spam to that email address – my guess is their email list has been compromised a long while ago. When I notice this, I can easily disable that one address to reduce the spam.

With Outlook 365, this can be (somewhat) easily done through Powershell scripts. Each time I want to add a new email address (prior to signing up on another site) I run the following script with the domain name (minus the extension).