An Ode to Apple’s Hide My Email (empty.coffee)
575 points by mlapida on April 10, 2022 | 287 comments


I have a unique email address for every single service that I sign up for, similar to this, though selfhosted. I've been doing this for years and it works wonderfully. If someone misuses my email address, or gets annoying, I can simply turn off the address. Bam!

It's the easiest Postfix config in the universe, essentially just:

  virtual_alias_domains = domain1.com domain2.com
  virtual_alias_maps = hash:/etc/postfix/virtual

And then /etc/postfix/virtual looks like this:

  phil.equifax@domain1.com firstname.lastname@gmail.com
  phil.experian@domain1.com firstname.lastname@gmail.com
  ... (hundreds of these)

I also made a super simple web UI for myself to edit this file quickly.

Gmail seems to be fine with this, emails do not usually end up in spam. Every full moon maybe, but usually it's alright.

It's not as shiny as Apple's thing, but it's 100% selfhosted and I own the domain.


I do a simplified version of this. I just use a catchall account with Fastmail and then pick email addresses in the domain randomly. If someone abuses the address, I block it. I specifically do not use addresses that make it obvious what my strategy is. I end up just using a name and number that would look right at home on gmail.

I'm also not trying to stop tracking, so much as I'm trying to have my own semi-permanent equivalent to mailinator that nobody will recognize as such, that I can use to cut back on the amount of spam I get.


I've been happily using fastmail for years and I think I'm going to be forced to stop. My outbound emails are constantly getting caught in spam and it recently cost me a job offer.


If you're having this issue I would reach out to Fastmail support. A real human will dig through the smtp logs and find out what the issue is. Based on my experience... Fastmail is very on top of spam, blacklists and other deliverability issues.


Oh hey, I'm not alone!

In my case, it cost me two offers. One from Google and one from GitHub. Come to think of it, yeah I will begin migrating everything away from FastMail and stop using it completely.


One event that pissed me off with them: Instead of forwarding an email to SPAM, they simply throw it away instead. Turns out the email was not SPAM (2FA) and I had to go through weeks of support to find out what happened (thank god that you get a human for support but still).

Also I think they are still based in Australia? Would be happy to hear about alternatives.


I really really want to like Fastmail too, but it’s also cost me a job interview when the RSVP didn’t go through.


Are your domains set up correctly? That sounds suspiciously like something isn't set up correctly and their clients thought it was spam.


I use an @fastmail domain. The issue was how they handle RSVPs when your default calendar is an external one. RSVPing from within Fastmail attempted to Accept as my old Gmail address, who wasn't invited to the interview. On the interviewers end it looked like I didn't respond.


In some contexts, fastmail is viewed as a "throwaway" email provider. I ran into this when I was trying to provision a couple of VMs at a hosting provider. My fastmail email address was rejected. After contacting their support, they said they did not accept "throwaway" email addresses. I had to use a gmail account. The irony did not seem apparent to them.


My only scare with not using gmail and outlook calendars. However I moved to Zoho for mails and nextcloud self hosted for calendars. For mail delivery I make sure to verify again n again my SPF DKIM is valid or not but it’s a scare still :(

Isn’t it so bad that it’s overly hard to move away :(


With your own domain? Make sure you’ve got the SPF, DKIM set up correctly, and register your domain with gmail’s postmaster tools. I moved my domain recently, and had completely forgotten about all that stuff I’d set up years ago. Started losing mails, redid the setup


Any references about spf, dkim, Gmail postmaster ?


I wonder if you can provide more context. I've only had issues when I tried to use external domains, e.g. gmail, as my reply-to when sending in fastmail.


I've been thinking of a new way to use my email...

- Only use one email address: hi@example.com

- Always add a filter: hi+hn@example.com

- Send all emails without a filter to SPAM

Since it's not a common strategy, it is much more likely that spammers remove the +hn before sending an email than add one.


I have tried this approach. Unfortunately, some services will not accept plus sign in the username no matter what RFC says. On top of that, some services seem to not like seeing the service name in the username. I.e. foo.tld will refuse sending email to mailbox+foo@mydomain.tld.


Shopify also flags orders (even if they are fully paid) when the customer's email contains the shop's name. I'm sure their logic is that it helps cut down on fraud.

I prefer the system of using a basic abbreviation in the email address to avoid these types of filters but still make the email easily traceable later. Say your name is joe smith and you're buying from Sports Online. Something like Joe_spo_smith@yourdomain.com works well for later confirming whom you gave the address to.

I like this approach because one doesn't have to track all of the catch-all emails made on the fly, since finding out who you originally gave that email to is just a matter of searching your past email and noticing that "spo" looks more like those old Sports Online emails and not the new spam from discounted wholesale fancy rugs.

Apart from seeing who a company has on-sold your information to (or more rarely had a staff member steal their database), it's also an easy way to see who has been hacked.

One other reason not to use something like SportsOnline@yourdomain.com is that some websites exist merely as credential honeypots and those types are usually aware of this approach and will then typically exploit the catch-all for spamming. The shady All on MP3 service was known for doing this. (I'm pretty sure that site existed solely to exploit the fact that most people used the same password for everything.)


> I.e. foo.tld will refuse sending email to mailbox+foo@mydomain.tld.

While I never had that issue, I had Foo’s legal service contact me about using their trademarked name in my email (a short explanation cleared it up)


It is better to use this scheme with an underscore or hyphen as they won't be rejected by incompetents like plus is.

name_nospam@blah


I actually use tag@example.org.


Some mail providers support receiving mail on arbitrary hostnames, so you can set up a wildcard MX record and then use mailbox@foo.example.com instead. This avoids email validation issues with plus addresses, spammers don’t try removing any parts of the hostname, and I think in the many years I have been using it I’ve only run into a problem with including the service name once or possibly twice.


AFAIK the only provider that supports that is Fastmail and it kinda defeats the purpose of using your own domain because if you are forced to migrate you are toast.


Which mail providers support this? I'd like to set up something like this. Thanks!


StartMail supports a form of this called as "aliases" with the StartMail domain.

https://www.startmail.com/

(Disclosure: I work at StartMail.)


I do this with ProtonMail. I have it set on a subdomain, though: my regular email is email@example.com, while my account email is hackernews@email.example.com. This avoids the spam sent to asdf@everydomain.


Fastmail, can't recall if assuming you want to achieve something like name+tag@domain it would be name@tag.domain or tag@name.domain (IIRC the latter)


You can do this with Fastmail by going to Settings => Domains => Edit => Routing.


Thanks a lot! I'll give it a try.


Some MTAs (Postfix at least) allow other characters. I use an underscore, which seems universally accepted. For the second problem, there's usually some alternative mangling that would still be unique-enough, or just flee because they seem too aggressive on the data harvesting.


would not recommend

not only can you not sign up to many services, customer support can often get confused when you need to email reply to them and you cannot email from your aliased email. they see you as a separate user not in their system, or the wrong person replied to the support ticket, etc.


On Fastmail, at least, this isn't a big issue. For a catchall account, if I reply to an email[0] it automatically addresses the reply as from the alias. It is editable in place, too, in case I want to give it some other name.

[0] In their webmail client, of course


But why would you not be able to reply with the aliased email? I do this regularly. Of course your mail client needs to support this, but using Mutt this is absolutely no problem (just change the FROM header) and I have heard from other users who use Thunderbird that they can also create new identities (just not as easy on the fly). In fact I wrote a small script for Mutt that would automatically set the correct sender if I reply to an email that contained a wildcard. Works pretty well.


Can you not reply from a user+foo@example.com alias? I use the catchall approach (so just foo@example.com when signing up for foo), but if I need to email customer support I'll just send the email from foo@example.com. I've never tried that with a + in the account though to see if my client supports it.


Gmail also ignores the dot. If you choose a 17-character mailbox name, you can use any one of 2^16 different patterns of placing dots between them.

Capitalisation could also be used for such a purpose, but may be more likely to accidentally get stripped.


Dots are useful to create new accounts on the same site, but you can’t use it to just tell websites apart (because there’s no label)


I used to do it this way too, but got overwhelmed by dictionary attacks.


Fastmail seems to be based in Australia unfortunately, so it is not secure


There is nothing secure about email. It's less secure than Telnet.

You can email anyone on the internet as anyone and it will be delivered with NO validation. Clients may/may not validate any DKIM signature and they may/may not validate that it actually came from the domain. It's literally the easiest thing on earth to spoof.

Email is sent over cleartext, it is not encrypted. Anyone can read email if they can inspect packets.


>Email is sent over cleartext, it is not encrypted. Anyone can read email if they can inspect packets.

That's obviously false if you bothered to do a bit of searching: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#...

>You can email anyone on the internet as anyone and it will be delivered with NO validation. Clients may/may not validate any DKIM signature and they may/may not validate that it actually came from the domain. It's literally the easiest thing on earth to spoof.

That might be true for some systems, but for most services out there, having missing/invalid anti-spoofing measures will result in your mail ending up in spam or not delivered at all.


> but for most services out there, having missing/invalid anti-spoofing measures will result in your mail ending up in spam or not delivered at all.

You would think so.. but it's remarkable how easy it still is to forge email.

My mum was recently the target of such a campaign. She's in the executive team at an international NGO. An attacker found her email address and a bunch of her contacts via the NGO's webpage. Then they forged emails from her email address, with a gmail address set up in the reply-to field. The emails all said it was an emergency, and asked for her colleagues to transfer money.

As far as we can tell, most of the emails were delivered and lots of people were fooled - at least for a while.

Her email address has DKIM and SPF set up, but (like most email providers) it has a lax DMARC policy. It turns out that's all it takes to be vulnerable to this sort of attack.
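To illustrate why a lax DMARC policy matters in the case described above, here is an added example (not code from the thread) of how a receiver combines SPF, DKIM and the published policy. The domain `ngo.example`, the sample records and messages, and the two-label organizational-domain shortcut are all constructed assumptions.

```python
# Added illustration: a simplified receiver-side DMARC decision (after RFC 7489).
# pct= and sp= are ignored here to keep the example focused on p= and alignment.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC1 policy."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            continue  # skip malformed tags
        tags.setdefault(key.strip().lower(), value.strip())
    # v=DMARC1 must be the first tag, and p= is required for a policy record.
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # implementation consults the Public Suffix List (for co.uk and the like).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(record, from_domain, spf=("none", None), dkim=("none", None)):
    """spf and dkim are (result, authenticated_domain) pairs computed by the receiver.

    Returns (dmarc_pass, action) with action in deliver / quarantine / reject.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return (False, "deliver")  # no policy published, nothing to enforce
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    # DMARC failed: the domain owner's p= tag decides what is requested.
    return (False, {"none": "deliver"}.get(tags["p"].lower(), tags["p"].lower()))


# Constructed sample records for the hypothetical domain ngo.example.
LAX = "v=DMARC1; p=none; rua=mailto:dmarc@ngo.example"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# Constructed message shaped like the one described: From: is ngo.example, but
# the only passing check is SPF for the unrelated envelope domain that sent it.
FORGED = dict(from_domain="ngo.example", spf=("pass", "bulk-relay.example"), dkim=("none", None))
GENUINE = dict(from_domain="ngo.example", spf=("pass", "bounce.ngo.example"), dkim=("pass", "ngo.example"))

if __name__ == "__main__":
    for name, record in (("p=none", LAX), ("p=reject", STRICT)):
        print(name, "forged ->", evaluate(record, **FORGED), "genuine ->", evaluate(record, **GENUINE))
```

Both policies detect the failure; only `p=quarantine` or `p=reject` asks the receiver to act on it.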


The NGO could also force people to sign their emails. Refuse it from the SMTP if it’s not.


Are you being serious right now? You understand that that'll never happen in our current technology landscape, right?

Outside of a few niche hardcore technologists, nobody knows what PGP is or how to use it. It would be hard enough getting my mum set up to PGP sign her own emails in Outlook, on the desktop and from her phone. (Is that even possible?). Let alone require anyone emailing her PGP sign their email too? That's never going to happen for so many reasons, both technical and social.

I'm a software engineer and I tried setting up PGP years ago in thunderbird and it only worked for a few weeks, then it somehow broke. And then later I lost my PGP key. Oh, and then I started using webmail and PGP didn't work there at all.

And then later still I realised my public PGP key (signed by my web of trust) leaked details on the identity of my social network; which bothers me a lot more than any problems I've personally ever had with a forged identity.

PGP is dead. Let it go.


This is just incorrect. Amazon for instance does this.


> That's obviously false if you bothered to do a bit of searching

Technically correct, best kind of correct.

Sure, it is not plaintext, but anyone with the access to the wire could MITM the connections. Maaaaybe something changed in the last ten years, but I have never seen someone not accepting a connection with a self-issued certificate and any warnings (to the end user) if the receiver uses self-issued cert. Which makes the whole point quite moot.


>but anyone with the access to the wire could MITM the connections. Maaaaybe something changed in the last ten years

The section on MTA-STS describes how that attack is mitigated.


> mitigated

For this attack to be mitigated everyone should implement it. Gmail and Live.com have MTA-STS records, Fastmail doesn't, one regional provider with millions of accounts doesn't have it either.

And finally your MTA should support it and be configured to deny the delivery if MTA-STS validation fails (and adversary, who is happily MITMing your traffic, shouldn't fiddle with DNS and HTTPS and of course blocking HTTP/S from the MX would be considered cheating!).

All in all, SMTP traffic is encrypted, but it is not secured.
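As an added example (not code from the thread), this is the check a sending MTA has to make for MTA-STS to have the effect discussed above: parse the recipient domain's policy, match the MX host against it, and refuse delivery only in `enforce` mode. The policy text and host names under `example.net` are constructed, and `decide` is a hypothetical helper name.

```python
# Added illustration of sender-side MTA-STS handling (policy format per RFC 8461).

MAX_AGE_LIMIT = 31557600  # upper bound for max_age, about one year

# Constructed policy as it would be served from
# https://mta-sts.example.net/.well-known/mta-sts.txt
SAMPLE_POLICY = "\r\n".join([
    "version: STSv1",
    "mode: enforce",
    "mx: mx1.example.net",
    "mx: *.mail.example.net",
    "max_age: 604800",
    "",
])


def parse_policy(text):
    """Parse an MTA-STS policy body; raise ValueError if it is not usable."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    policy["max_age"] = int(max_age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches(pattern, host):
    """True if the MX host is covered by one mx: entry of the policy."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # The wildcard stands for exactly one left-most label.
        first, sep, rest = host.partition(".")
        return bool(first) and sep == "." and rest == pattern[2:]
    return host == pattern


def decide(policy, mx_host, tls_valid):
    """Return 'deliver', 'deliver-and-report' or 'refuse' for one delivery attempt.

    policy is a parsed policy, or None when the recipient domain publishes none
    (and nothing is cached); tls_valid says whether STARTTLS succeeded with a
    certificate that validates for mx_host.
    """
    if policy is None or policy["mode"] == "none":
        return "deliver"  # plain opportunistic TLS, no protection against MITM
    ok = tls_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
    if ok:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host, tls in (("mx1.example.net", True), ("mx.elsewhere.example", True), ("mx1.example.net", False)):
        print(host, tls, "->", decide(pol, host, tls))
```

The last branch of `decide` is the point made in the comment: a domain without a policy, or a sender that does not evaluate one, falls back to unauthenticated opportunistic TLS.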


Email is not secure full stop. Don't do any kind of sensitive conversation over it regardless of where it is hosted.


Email using most large providers is transmitted using TLS


TLS is unaffected by any government laws. What I assume OP is referencing is a law that makes end to end encryption problematic in Australia but Fastmail has never offered end to end encryption. Neither do most email providers so it doesn't matter.


If you get a PGP browser extension they all do. It’s pretty inconvenient to use though, sending encrypted attachments and giving the password offline is probably the only thing most people are up to.


The location of the fastmail office has zero impacts on this. If the complaint was that the PGP extension was developed in Australia then that would be a valid complaint. But email hosts themselves are not private against government requests.


I’m not the one complaining and I’m not sure what their complaint means either.


Nice! I do something similar, but using an automatic aliasing scheme so that I don't have to manually configure an email address for each service and other users can use this without me knowing their aliases. In my setup, aliases can contain wildcards, represented as percent signs. If an alias phil.%@domain1.com is set up, all your examples will be sent to the respective aliased address. I use Postfix Admin with a MySQL database. Hence the Postfix setup looks like this:

    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
                         mysql:/etc/postfix/mysql_virtual_alias_maps_wildcard.cf,
                         hash:/etc/postfix/virtual

The first file is just regular aliases, and is basically a simpler version of the second file (no SQL selections/filters) and could also be merged into a single query with the second file:

    user = mail
    password = <password>
    hosts = 127.0.0.1
    dbname = maildb_postfix
    query = SELECT a1.goto FROM alias a1
            LEFT JOIN alias a2 on (a2.address = '%s')
            WHERE '%s' LIKE a1.address
            AND a1.active = '1' AND a2.address IS NULL

This works, because the percent sign in the alias is picked up by the LIKE keyword. A setup like this allows me to configure many aliases through Postfix Admin's web admin page, including optional wildcard aliases (depending on which users want that). It has been working very well for me over the past 15+ years. Also, I haven't looked at that SQL query since then and would likely write it in a nicer way today.

Note: with the above code SQL injection could be possible through an alias name, but given that in this setup I am the only one managing the mail accounts, I was willing to take this risk. :-) Postfix Admin might do some cleaning/validation, but I haven't checked on it.
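The following is an added example, not the commenter's code: it replays the wildcard lookup above against an in-memory SQLite table standing in for the Postfix Admin MySQL `alias` table, with the recipient passed as a bound parameter. The sample rows and the `build_db`/`lookup` helpers are constructed; the second query is a variant that keeps `%` as the only wildcard, since `_` in a stored alias is also a LIKE wildcard.

```python
import sqlite3

# Constructed sample rows standing in for Postfix Admin's `alias` table.
SAMPLE_ALIASES = [
    # (address or pattern, goto, active)
    ("phil.%@domain1.com", "firstname.lastname@gmail.com", 1),
    ("phil.equifax@domain1.com", "blackhole@domain1.com", 1),  # exact alias
    ("bob_shop@domain1.com", "bob@example.net", 1),            # contains '_'
    ("old.%@domain1.com", "firstname.lastname@gmail.com", 0),  # disabled
]

# Same shape as the query in the comment, with a bound parameter replacing '%s'.
WILDCARD_QUERY = """
SELECT a1.goto FROM alias a1
LEFT JOIN alias a2 ON (a2.address = :rcpt)
WHERE :rcpt LIKE a1.address
  AND a1.active = 1 AND a2.address IS NULL
"""

# Variant: escape '_' (and the escape character itself) in the stored pattern so
# that only '%' acts as a wildcard. SQLite takes backslashes in string literals
# literally; on MySQL with default settings each one would need doubling.
STRICT_QUERY = r"""
SELECT a1.goto FROM alias a1
LEFT JOIN alias a2 ON (a2.address = :rcpt)
WHERE :rcpt LIKE REPLACE(REPLACE(a1.address, '\', '\\'), '_', '\_') ESCAPE '\'
  AND a1.active = 1 AND a2.address IS NULL
"""


def build_db(rows=SAMPLE_ALIASES):
    """Create the in-memory stand-in table and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT, active INTEGER)")
    db.executemany("INSERT INTO alias VALUES (?, ?, ?)", rows)
    return db


def lookup(db, rcpt, query=WILDCARD_QUERY):
    """Return the forwarding targets the wildcard map yields for one recipient."""
    return [row[0] for row in db.execute(query, {"rcpt": rcpt})]


if __name__ == "__main__":
    db = build_db()
    for rcpt in (
        "phil.experian@domain1.com",  # caught by phil.%
        "phil.equifax@domain1.com",   # exact alias exists, wildcard map stays silent
        "old.thing@domain1.com",      # wildcard is inactive
        "bobxshop@domain1.com",       # matched only because '_' is a wildcard
    ):
        print(rcpt, lookup(db, rcpt), lookup(db, rcpt, STRICT_QUERY))
```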


Why not just use phil+craigslist@gmail.com or phil+kmart@gmail.com? same effect and lands in the same phil@gmail.com address


Because it's not as effective if the goal is to catch spam. Spammers are already wise to the meaning of + and will strip it automatically when selling data in bulk. Plus, some services block creating accounts with the + or with their name in the address.


Block any email to the address missing the +


Then you end up with spammers simply putting gibberish after the plus sign.


How do you mean? This is exactly what I can do with my setup. If you are referring to the use of Gmail: I prefer to run my own infrastructure as long as this is possible.


> It's not as shiny as Apple's thing, but it's 100% selfhosted and I own the domain.

Apple's system is "shiny" because it provides near total anonymity, whereas your setup has all the deliverability issues of a self-hosted domain and rather uniquely identifies you...at the domain level?

I'm not sure why you are maintaining a hundreds-of-lines virtual table and a web UI, instead of just using a regex or two to capture phil.*@domain2.com or something along those lines (maybe you want to do one including a year or something to cut down on spam), or blacklisting as needed by having postfix reject during the SMTP session so the email is marked as invalid and is removed from the spammer's database.

Or, I dunno, just use VERP? I don't think I've yet run across anyone smart enough to drop VERP from email addresses.


Apple's system will only work until they decide to shut you out or shut down this service for whatever reason. Anonymity is not really a concern for most uses, privacy, longevity and reliability of reception is though.

I still want to use random unique addresses even for important and trusted services, not just for throwaway uses. So third party domain is not an option.

I use self-hosted unique addresses mostly for registering to services, so forwarding those messages in both directions through Apple's service would expose all those services to a silent takeover via password reset by Apple's employees in control of this service. So this service is exactly as useful as those random throwaway email inboxes available on the web. More polished maybe.


I imagine Apple would come down on them pretty hard in the App Store if they did that so for most applications it's enough of a deterrent that most places would not do it. I also think that because Apple can mostly control which addresses and how many of them there are it can control the spam issues enough to avoid that problem. If not... then yea that's gonna happen in a few years. Would be short sighted for Apple to not do it though.


I'm maintaining hundreds of lines because I started with one. And I was too lazy to change it. Your approach is probably better ;-)


I'm doing the exact same thing. Built a small web app that lets me manage all my email aliases for the domain. Unfortunately there are a couple of websites that do only allow a select list of whitelisted domains meaning I cannot use my own, but for the other 99% it works wonders. I wish I had had this idea ten years ago, it would have saved me so many headaches.


Who whitelists email domains? Do they explain why?


I think Aliexpress does it, at least I wasn’t able to use my domain and had to use my old gmail account.

All I got was "not a valid email" or something like that.


The most recent incident I remember was with a debrid service. I opened a ticket with their support and was told that the point of the policy was to combat abuse of their service. Not entirely sure why a paid service that accepts cryptocurrencies would care about email addresses.


I think yandex does. Or at least they didn't allow one person send emails to me. "invalid address".


Is your app available?


Not as of right now, but I could put it on GitHub. It's essentially just a front end for the Gandi.net email management API. Manually editing the alias list gets cumbersome really quickly.


Also interested. Please put it on GH.


I use 33mail.com (33m.co) which does the same thing (it has a link on the email to disable the address). You can use a subdomain or custom domain. It has a generous free tier, and ridiculously cheap paid tier. (Paid is required if you want to be able to reply to inbound emails though.)


The problem with self hosted email is that your domain becomes a unique (or near-unique with a few domains) tracking reference.


Only if the entity on the other end understands this though, right? Which they probably don’t.

Otherwise everyone @example.com is the same person.


It's worth a lot of money for the ad-tech (consumer tracking) industry to understand.

If a domain only occurs once in a user database, it's likely to be a personal domain. A data broker that sees the same domain in a few different datasets (once in each) can be quite confident that the domain is an individual's.


They cannot know if it’s a small domain like a business, or a personal catchall. It works fine.


I used to do this too, but it's a considerable amount of effort, and doesn't really prevent much: many domain hoarders/resellers know the trick, so they'll try to match other data they get from you, and sometimes build a fuller "profile" on you than they would if you only had gmail/other generic domain (eg if they have your name, which often leaks along email, they'll try your first name, first name + last name, initial + last name, first name + last initial, etc).


I'm doing it the other way around, which is slightly less work because you don't have to create new email addresses explicitly: Catch-all by default, with a recipient blocklist as part of smtpd_relay_restrictions that I update whenever some service gets breached.


For those who do not wish to interact with their webserver config (or can't) there is AnonAddy, which can be self-hosted (https://github.com/anonaddy/anonaddy) or paid for (https://anonaddy.com/). It's really convenient, with the added benefit (for the paid version) of having a domain, that is used by many people, which makes it easier to hide behind an email address.


I've just started doing this and it's so nice. "Gee who signed me up for a newsletter... why, it's that hotel chain I stayed at 3 months ago! Naughty, naughty." Makes the management much nicer, and I can maintain my fun username for silly projects and a slightly more professional one for business inquiries and such. Highly recommended! Domains are cheap and Fastmail makes the process absolutely painless.


If you use gmail you can attach + to your mail address. https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo... This ignores the rest, you can program, cancel, block your emails based on that pattern. Works well enough.


I wrote a simple script[0] which generates a new address for each site I register. Then a simple script to look up what the generated address was later. It is written for OpenBSD, but should be easy to adapt.

[0]: https://hakon.gylterud.net/newmail/


I've set up a catch-all SMTP server for my domain and now I make up unique addresses on the fly. It simply forwards everything to gmail. Was too lazy to set up sending.

Thanks to this setup, I've already encountered one instance of a company either leaking or selling their customer information.


I did this too for many years. I recently reversed the filter logic from whitelist to blacklist since spam filters nowadays seem efficient enough that passing through `name*@domain.tld` by default and only blocking those few addresses that leak and start sending spam is less work.


I do the same thing, but instead of rolling my own UI, I use ViMbAdmin [1] (listening on my VPN). It's a great tool for managing aliases.

[1]: https://www.vimbadmin.net/


I did this with my own domain. Then sold the domain, and it was an absolute nightmare to go change my email registration everywhere because asking the buyer to forward a bajillion emails to me was overbearing. Never again!


And, if the email service is also self-hosted, it prevents Apple from collecting more data about your interests and purchases through your email, which it uses to profile you (to determine how to extract more money from you).


Is Phil a pseudonym first name as well? That’s a smart new technique if so.


Hehe, it seems I'm not that smart. It's my actual name :-D


Same. Although gmail is not fine with this. If I want to talk to a gmailian, they must send me an email first. Sometimes my reply gets spammed too.

Bonus: a ghetto alias generator:

dd if=/dev/urandom bs=1 count=10 | base64


I tried to do this but my dentist’s receptionist got confused and cancelled an appointment because “I used their email address”.

Square also makes this incredibly difficult because if you enter a merchant specific email they permanently tie it to your card. So now any time I ask for an email receipt I get an email to my hairstylist’s “unique” email.


> I tried to do this but my dentist’s receptionist got confused and cancelled an appointment because “I used their email address”.

Never had it go that far but I definitely had some odd reactions e.g. a support agent thinking I was a colleague.

On the other hand, if you have a relatively common name it avoids people giving your email address then behaving aggressively when you tell them to stop. I’ve had a few friends hit this issue.


> On the other hand, if you have a relatively common name it avoids people giving your email address then behaving aggressively when you tell them to stop. I’ve had a few friends hit this issue.

I’m sorry, I can’t parse this. Can you try again?

I used <dentistbusinessname>@<mydomain>. My name was never involved in the address.


> I used <dentistbusinessname>@<mydomain>. My name was never involved in the address.

That's the point, if you don't use your name in your address, you can't be <genericname>@<genericdomain>, which third parties will provide as their email,

Because I use the same scheme you do I've never had that issue, but several friends with common names have hit the issue having registered to more "normal" hosts, often as somewhat early adopters and thus having gotten their pick.


I have a very uncommon name (though not unique) and I've had people mistakenly signing up for services with my firstname.lastname@gmail.com (which I don't usually sign up to services with).

The annoying thing is the number of services these days that don't seem to require you to verify your email. Examples of the above included eBay and Spotify. On both occasions I had to contact support to ask them to delete the account.


> That's the point, if you don't use your name in your address, you can't be <genericname>@<genericdomain>, which third parties will provide as their email,

I’m still not following. Who is this third party and what does it have to do with a confused receptionist?


Aside from being self-hosted how does this differ from +suffix Gmail addresses?


Also, not as granular, but instead of the + suffix, add a dot in a weird place. So

n.ame@gmail.com or nam.e@gmail.com . Many SMTP servers respect periods as differentiating emails, so services can't delete them. It doesn't help you stop spam, but you can add a gmail filter that n.ame@gmail.com is put in a separate label. And it's very fast to type, easy for non tech-y people


It’s trivial to figure out main gmail address?


It’s almost as trivial with this format too, at least to guess what address is used for other services, though it has a strong advantage over using ‘+’ in GMail in that nothing will try this automatically. It’s hard to believe anyone would intentionally try to guess a different service’s email to spam to it, but even so in my setup I prefer to eliminate this possibility completely by adding a random number to the service name: experian12322@example.com, and so on, with no catchall for invalid addresses.

So far the most spam I’ve gotten has been to the address I used for Amazon (probably leaked by a third‐party seller there).


> It’s almost as trivial with this format too

I mean you can pick any format you want before the "@", but yeah my format is trivial. Nobody has tried to do it automatically yet though, as far as I can tell.


I remember Starzplay didn’t accept the + in my email when I tried it (technically I signed up but couldn’t login anymore )


Plus addressing is not unique to gmail nor was it invented by google.

For example, to enable plus addressing in postfix is only a matter of defining:

recipient_delimiter = +


Honestly, probably not a whole lot.

Though I had originally made this because with the "+" approach, you can easily get the original address by simply removing everything after the "+", while with mine you cannot. On top of that, sometimes "+" does not work in services that do "strict email validation".


Some services do not accept email with a "+" in it.


Some services even accept it to create an account, but not to log in.

One never let me change my email or password when I used the +.


Postfix allows defining any character as a VERP separator.

OP also could have just used a regex in the virtual file.


I just wish it was this easy to do with physical mail as well...


I signed up for Comcast Xfinity using a brand new “hide my email” address and three months later I started receiving phishing emails at that address. (I’ve gotten over half a dozen so far). Made me realize that either Comcast was hacked (without disclosing it) or they’re selling people’s emails.


I’ve experienced the same with comcast and have contacted their support. They claim there was no data breach or they aren’t selling emails, but that obviously isn’t the case.


Well, it could also be the case that everything is working as designed, and that they gave your address to someone else who did have a data breach or is themselves sending the phishing emails.


Surely some attorneys would be interested in a class-action.


According to https://www.xfinity.com/Corporate/Customers/Policies/Subscri... you have to give up your rights to a class action and a jury trial to get Comcast service.

Additionally, they spend a ton of money lobbying and otherwise unfairly impeding competition, so in many places in the US, they are the only option, so it's give up your civil rights to lawsuits, or stay offline (or pay a wireless carrier who does the same anticompetitive scumbag shit a heinous price per gigabyte).

The state of both wireless and wireline broadband in the US is totally broken, and it's not getting fixed because it's broken by design, as part of the general attitude by large corporate interests and cooperative legislatures and regulatory bodies to treat the US population as a sort of natural resource like a flock of sheep to be fleeced rather than as legitimate customers to be serviced (or a legitimate market to be participated in on merits).

They do this by ensuring that there is no meaningful competition, and ensuring that if you do "willingly" engage in service with them, you have no meaningful legal recourse if they abuse you.

"We're the phone company. We don't have to care."

You have no real power against them because the people who control the system have decided that you should not have any real power against them.


I’m no lawyer, but I wonder if this is more of a “go away” clause and if it would survive a real courtroom. Your lawyer would undoubtedly say “don’t waste your time and money”, but I question how many of our rights we can really, actually give up in a contract.


> but I question how many of our rights we can really, actually give up in a contract.

Theoretically, probably none. Otherwise, you'd be able to hire a hitman on yourself, have slaves, or restrict a person's free speech because they're an employee.


Arbitration costs companies far more than lawsuits do. There was a guy that used to make tons of money off Arbitration clauses. Basically, the company is on the hook for hotel stays, transportation, food, etc. for the arbiter as well as anyone else that may not be local to the venue in question.

The reason companies went with this approach was to stop class action lawsuits from happening, which is where the real damage happens. One enterprising law firm started doing pooled Arbitrations (filing for hundreds or thousands at a time), which costs the company more than a class action would. Some companies have removed such clauses because of this.


Knowing how they're hijacking my bandwidth for their Xfinity hotspot service, the dark patterns to enable it, and the hiddenness of disabling it - it doesn't seem implausible.


"If you use our service, you can not sue us." Would that even hold up in court...?


I do that the old fashioned way with a catchall mail address and forward them. If they start smelling weird, I filter the address and change the mail address with the service provider.


I wouldn’t rule out both.


Isn't it entirely possible that they are guessing your email address?


Probably both!


The most popular open-source alternatives are SimpleLogin[1] and AnonAddy[2]. The former one was just acquired by ProtonMail[3].

[1] https://github.com/simple-login/app/

[2] https://github.com/anonaddy/anonaddy

[3] https://protonmail.com/blog/proton-and-simplelogin-join-forc...


Mozilla also has Firefox Relay: https://relay.firefox.com/

(Disclosure: I'm on the Relay team.)


If Relay gets popular, won’t some services simply start to block the Relay subdomain for registration to make it ineffective? Just like 10minutesemail etc. are blocked in many places.


You can flag them to the Relay team and AFAIK they'll reach out to the domain that blacklisted them with the hope to make them change their mind.

A service that doesn't accept an email proxy during registration is not going to respect my privacy, so IMO not worth using.


For an example of that, see here: https://github.com/wesbos/burner-email-providers/pull/339

But yes, definitely a concern that is constantly on our radar.


Sites already have started blocking the mozmail.com domain name. I'm considering moving over to Fastmail given that their domain is already established for email purposes. I would imagine the same is true for iCloud emails.


I don't know how much I can trust Mozilla with my privacy. I know it's not Mozilla's fault, but 90% of my millions of DNS requests that leave my house go to Mozilla tracking services. It's kind of scary how much information Mozilla has on people, just based on what leaves my house (and no one uses Firefox). I have no idea if Mozilla does any aggregation on that data, but it's a bit worrying IMHO.


Any thoughts on improving the situation on self-hosting? I've written about the situation for Firefox Accounts (FXA, a dependency of Relay if you don't want to use third-party hosted services) here before[0][1] and Relay looks kind of similar.

When comparing Relay with the other two, I get the impression that SimpleLogin/AnonAddy actually interact with the community and understand that self-hosting is something people want to do and provide approachable documentation and support for that, whereas Firefox Relay seems built only with a single global prod deployment in mind and is more like "well theoretically you could but you're on your own and who would do that anyway?". Even if it's public and under an open license, the intended audience is Mozilla internal, e.g. [2]

Like, if a user signs up for Relay today and in 2 years Mozilla sunsets it, the way things look today I think it wouldn't be viable even for most seasoned self-hosters to migrate to their own deployment.

I do appreciate the work you guys are doing and I think the engineers seem to have good intentions, so don't want to be overly critical. But mentioning it as open source alongside SimpleLogin and AnonAddy comes with some major caveats IMO, and I'd wish that some more priority is put on keeping docs complete and up to date and making the stack realistically approachable for outsiders.

[0]: https://news.ycombinator.com/item?id=30727935

[1]: https://news.ycombinator.com/item?id=30315816

[2]: https://github.com/mozilla/fx-private-relay#optional-enable-...


I can only speak for myself, but my honest answer would be that indeed, self-hosting probably won't be easy to do any time soon. We're trying to get a less technical audience to benefit from privacy protections too, and I don't think there's a good approach to get them to self-host as well, so focusing our limited time on other things is probably more effective. But who knows, actual use and user research do influence our roadmap, so nothing's set in stone.

But you're absolutely right, the caveat is indeed that the reason you care about open source does matter. If you want to self-host, you're probably better off with another product. If you want to be able to see what code is running, or even be in control of the running code yourself (even if it's running on someone else's servers), then Relay might be interesting too.


>be able to see what code is running

Is there any way to verify what code is actually running on your servers?


No 100% certain way, I think, but you can see that there are deployment scripts in place and are actively being touched. Combine that with what the cost of doing that while instead using an alternative method would be, and the way Mozilla is organised, and you can be pretty confident that it is, IMHO. But here, too, it still holds that that does not give the same level of assurances as self-hosting.


I use mozmail and on the fly emails are great but so easy to exploit and spam.

For example, my custom domain is foo.mozmail.com. I enter my on the fly email address bar@foo.mozmail.com on an attacker's website. Voila. Now they know my custom domain name "foo" and can use it to send email to all possible on the fly addresses, e.g. 1@foo.mozmail.com, 2@foo.mozmail.com, so on and so forth.

Now my custom domain name as a whole is compromised but I cannot change it anymore and have lost all benefits of Firefox Relay.


You don't have to use the custom @domain.mozmail.com address with Firefox Relay—you can use @mozmail.com with one of the auto-generated random aliases.

Your complaint is similar to using RFC 822 "me+site.com@domain.com" style emails and then worrying that sites are going to learn that your real email is "me@domain.com" by stripping off the part after the plus sign. Call me optimistic or naive, but I don't think that sites are doing that...

https://people.cs.rutgers.edu/~watrous/plus-signs-in-email-a...


Yes, it is recommended to use a completely random email by default, and only use your custom domain as a fallback when you can't use the random one (e.g. when you have to give up your email somewhere in-person). We're looking into ways to make that clearer, because people's intuition tells them to use their custom subdomains by default.


That's right. Thanks for the correction. I have been doing exactly that. Using custom domain email everywhere I needed. Will use generated emails from now.


I love Relay! Thank you!


That's always great to hear!


Huh, hadn't heard about Proton buying Simple Login. I'm not sure how to feel about that. I really like SimpleLogin, but Proton always felt kind of "icky" for lack of a better word. Guess we'll see.


I'm a big fan of SpamGourmet, but I've noticed a few websites have started to blacklist it


Another advantage not mentioned is that '@icloud.com' is a generic domain that has been (and still is) used for a lot of real e-mail addresses for years. That means that most registration forms cannot just simply block '@icloud.com' because that would lock out a lot of real '@icloud.com' addresses.

Hide My Email is very good and I'm using it a lot.


Hang on, though: doesn't this essentially hand Apple a big list of which domains you communicate with and how frequently? There's also nothing stopping them reading the emails on the way through. I know a lot of people trust Apple more than Google, but you're essentially signing up for a vendor-locked product that you're hoping Apple will continue to support, with no guarantee they won't collect - even at an aggregate level - your communication preferences.

They're even slightly pre-filtered for Apple's convenience, as the times you're likely to use Hide My Email are for shopping and social media - nice, ripe marketing targets.


If you use Gmail, there's also nothing stopping them reading the emails on the way through. If you use Outlook, there's also nothing stopping them reading the emails on the way through. If you use Yahoo, there's also nothing stopping them reading the emails on the way through.

If you use virtually any email provider this is true.


Oh, absolutely that's true; even with privacy-focused, hosted systems like Proton or FastMail there's always that tiny shadow of doubt that they're doing what they're saying they do.


Before, one entity could read your mails, and after, two entities can read your mails.


There is no lock in - you can login to "whatever app" and update your email to a new one anytime you like. It's just an email address in the end.

Also, unless you're encrypting your emails, can't everyone read your emails "on the way through" anyway?


With Google, even if you’re encrypting. Gmail, even in the shiny incarnation, only supports server-hosted private keys. A private key that you must give to your service provider is about as useful as a chocolate teapot, imho.


If you are already on an @icloud.com address and/or using Apple Mail, what’s the difference?


The only thing really holding me back from wanting to use iCloud mailing services is the current implementation of MFA on Apple services.

It would be fine if you were allowed to use normal MFA options, but no, that is not possible. Instead, you MUST confirm your logins via already signed in Apple-devices only. There is no other way. Cannot use phone number (for good reason, but that is beside the point), cannot have a secret key based TOTP.


Actually, Apple allows SMS and recovery keys as a fallback and there is an account recovery option if none of these work.

https://support.apple.com/en-us/HT204915

Google on the other hand… I’ve seen two people lose their Gmail accounts even though they knew the password because Google required verification from a mobile device that no longer existed. :|


I think Google also has recovery keys. I have a slip of paper with ten long strings on them that Google told me could be used to regain access to my account.


Google seems to have changed their MFA strategy recently where normal TOTP apps are a backup measure while the already signed in device is the primary. It wouldn't shock me if they don't prompt you to set up the app or recovery keys anymore.


I don’t think that they do [prompt you] anymore. I recently had to set up Gmail with Google Authenticator and there was no mention of recovery keys. Not sure if I could go in after the fact and generate any.


https://support.google.com/accounts/answer/1187538

It looks like they still have recovery codes. I think it’s a good idea to have a set stored in a safe place.


Said accounts did not have two-factor enabled.


Google supports MFA apps. I use Microsoft's and I've been able to recover after switching to a brand-new phone without moving data over because Microsoft syncs with cloud services. (iCloud on iPhone)


SMS is available as a fallback 2FA method for Apple ID.


I only wish they'd support standard TOTP as well, like everyone else.


I wish they'd let users decide what they want to use as additional factors. I would like to ban phone calls, emails, SMS, and TOTP entirely from all my accounts, especially those that hold credentials for other services, and use only WebAuthn.

I'd love to use Apple's keychain for credentials for convenience but it can quickly become the weakest link, when it should be the strongest.


What’s wrong with TOTP? Isn’t it exactly as secure as WebAuthN?


TOTP is not as secure as WebAuthn, because if you enter the TOTP code into a phishing site, the phisher can now successfully authenticate as you. WebAuthn was specifically designed to be immune to this case: if you were to use your WebAuthn key in a phishing website, the phisher would not then be able to authenticate as you on the real site.
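Why a TOTP code survives being typed into the wrong page while a WebAuthn assertion does not, as an added illustration that is not part of the original comment. The model is simplified: HMAC stands in for the authenticator's asymmetric signature, the host names are constructed, and `Authenticator`, `browser_get_assertion` and `relying_party_verify` are hypothetical names.

```python
import base64, hashlib, hmac, json, os, struct
from urllib.parse import urlsplit

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are the shared secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, unix_time):
    # The server sees digits only; nothing in them says which page collected them.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class Authenticator:
    """Model of a security key holding one key per relying-party ID (rpId)."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # stand-in for the public key the site stores

    def sign(self, rp_id, client_data_json):
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId
        # authenticatorData = SHA-256(rpId) || flags (user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def browser_get_assertion(authenticator, page_origin, challenge):
    """The browser, not the page, records the origin and derives the rpId from it."""
    rp_id = urlsplit(page_origin).hostname
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    signed = authenticator.sign(rp_id, client_data_json)
    if signed is None:
        return None
    return {"clientDataJSON": client_data_json,
            "authenticatorData": signed[0], "signature": signed[1]}

def relying_party_verify(assertion, expected_origin, rp_id, challenge, credential_key):
    """Checks a relying party makes on an assertion; returns 'ok' or the failure."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if client.get("origin") != expected_origin:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"

REAL_ORIGIN = "https://login.example.test"               # constructed
LOOKALIKE_ORIGIN = "https://login.example-test.invalid"  # constructed
RP_ID = "login.example.test"

def demo():
    # TOTP: a code read off the user's app verifies wherever it was typed first.
    secret, now = b"12345678901234567890", 59
    code = totp(secret, now)
    totp_ok = server_accepts_totp(secret, code, now)

    # WebAuthn: the real site issues a challenge and holds the credential key.
    key = Authenticator()
    credential = key.register(RP_ID)
    challenge = os.urandom(32)
    genuine = browser_get_assertion(key, REAL_ORIGIN, challenge)
    genuine_result = relying_party_verify(genuine, REAL_ORIGIN, RP_ID, challenge, credential)

    # Same challenge shown on the look-alike page: no credential exists for that host.
    no_credential = browser_get_assertion(key, LOOKALIKE_ORIGIN, challenge) is None

    # Even with a credential registered there, the assertion names the wrong origin.
    key.register(urlsplit(LOOKALIKE_ORIGIN).hostname)
    relayed = browser_get_assertion(key, LOOKALIKE_ORIGIN, challenge)
    relayed_result = relying_party_verify(relayed, REAL_ORIGIN, RP_ID, challenge, credential)
    return {"totp_code_accepted_after_relay": totp_ok, "genuine": genuine_result,
            "lookalike_has_no_credential": no_credential, "relayed": relayed_result}

if __name__ == "__main__":
    print(demo())
```
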


You have to have the generator somewhere to get the code. If it's in software, you must have access to that software, and it must be secure. With WebAuthN, it can be a hardware token and usually multiple of them stored in various locations that only you can access (safe deposit box, physical safe, etc).


Unfortunately, only one phone number is allowed per Apple ID. And I do not have multiple phone numbers to expend for an SMS only 2fa option here.


You can have multiple accounts on one "trusted phone number". Trusted phone number is where Apple sends the SMS 2FA code. I have several Apple IDs on 1 phone number.

This is different than "Reachable at" phone number which must be unique and is used for iMessage and Facetime, and if it's blank other people can only reach you via iCloud account email.

(It makes sense if you think about it, parents setting up iCloud accounts for their children's iPads who might not have their own phone).


This is not correct. Go to https://appleid.apple.com/account/manage and you will see that you can add multiple trusted phone numbers under Account Security.


As long as you add a trusted phone number you can do MFA over SMS. Not ideal but it is an option.


Huge fan of this, started using it for practically every signup. I've already had the opportunity to shitcan an alias because it obviously got dumped to some advertisement list.

Now I just need to work on untangling 15 years of other services from my main account.


A useful feature the article doesn't mention:

In macOS Mail and iOS Mail, when you reply to an email or send a new one, you can choose the "From" address: The options are the usual accounts you have set up, plus, now, a "Hide my Email" proxy generated on-the-fly. I've found it very handy on several occasions.


Great, I didn’t realize this was an option. It feels less useful for replies but new emails I could definitely see myself using this.


Cases where I've used it for replies:

* accidental semi-spam (people sending emails to someone at one of the domains I own, mistakenly) where I wish to notify them that they got the wrong email, but don't want to divulge my main email (and name).

* support emails from services that I signed up with using "Hide my email". When replying, the "From" defaults to my main email, but again, I can switch to "Hide my email".


Thanks for sharing! I totally missed this.


I don't use Safari but I still use this feature a lot even though I have to do a few extra steps because it does not integrate with anything other than Safari, it's that useful for me.

Some sites have never worked properly with the email+tag@gmail.com thing and some have even become wise to it and won't accept addresses like that (car dealers are the worst).

I hope someday Apple allows 3rd party integration with this feature.


I don't get the email+tag. Spammers can just drop the plus tag and get your real email address?


They could, but they don't. Spammers cast a wide net and usually aren't concerned about the crumbs that fall through. Not to mention the people that do the plus or dot tricks are going to be extremely low value spam targets.


Yup, but assuming these spammers want to keep their lists of leaked emails fresh, it’s kind of silly that they’re so unconcerned about it: they’re very much helping to expose their suppliers. I feel that they must realize that can’t be good, but maybe I overestimate them.


If it makes it into a leak database, you know who to blame.


Agreed. You can get to it through Settings > Apple ID > iCloud > Hide My Email, but it’s a pain to navigate.

I tend to use it when signing up for something IRL that wants an email address. I wish there was a way to use Shortcuts to generate a new email in one tap.

I’ve been keeping an eye out for a settings URI that will take you there directly https://github.com/FifiTheBulldog/ios-settings-urls/issues/1...


One workaround is that gmail ignores dots in the local part too: so you can use unusual punctuation for marketing: e.mail@gmail.com


I've been using yopmail for years to avoid spam, but the problem is that a lot of services have blocked yopmail and other disposable email addresses.

The nice thing with "hide my email" and Fastmail's "masked addresses" is that the two services use a popular domain, so sites can't easily block it.


Yep, I used to use Mailinator, sometimes others, but they eventually end up blocked in Marketing-hungry websites.

Even myname+random@gmail.com and similar can get blocked from registration on some websites now.

The difference here is the power of iCloud. Services can't afford to block it.

This is similar to Domain Fronting [1]. Maybe we should call this email fronting?

[1] https://en.wikipedia.org/wiki/Domain_fronting


The "+" symbol is easy to detect.

The other benefit for Apple is that if a generated email address for Home Depot has non Home Depot content, it's easy to block, since it's clear it got sold to an email marketing company.

And then Apple can threaten the corporations to not sell their mailing lists or risk being cut off from sending to iCloud, or worse, having a header in the email from Apple saying that "Home Depot doesn't respect your privacy and sells your email address to 3rd party marketing companies. Here's a telephone number where you can complain."


This raised a bigger question for me- How did the system get to a point where only big players can set up a service like this?


Email marketing ruined communication for everyone.

I once ran my own email server for several years off a domain from no-ip.org running from a local server in my home. Most places accepted email from it just fine, occasionally though some places had their mail server reject my IP because it was in a DNS black hole.

Then you had the spoofers pretend to be att.com/verizon.com so they had to implement SPF and DKIM.

Then you had to uphold your reputation and the security of your servers otherwise your address would get put on one of the DNS black hole blocks.

Worse was if your IP address was already used to send spam -- you somehow had to get the black hole lists to remove your IP.

At some point about 15 years ago, I gave up and moved to gmail, and I never really looked back on it again.


It's not really big players per se, but "domains with a lot of users that I can't block". Which of course means "big players" for regular people.

I agree with sibling that the problem is with Email marketing, but for different reasons.

Companies are so addicted to spamming users and selling user data that it becomes unacceptable that users might not want to give away their email.

Another problem is emails being required for signing up to accounts.

Honestly IMHO we gotta get rid of email for signups. I don't know what to replace it with. Hardware keys, maybe?


I still get sites from time to time that reject custom domains and want an address on yahoo.com, gmail.com etc, which is infuriating.

The worst thing is that so many sites have stupid email validation rules. Even cameo.com, which is a mid-size ecommerce site, doesn't accept a lot of TLDs created in the last 8 years, including mine.


Love the service but nervous on the lock-in. Any guides for how to migrate off Apple after using lots of emails?

I’ve been happy with the Fastmail+1Password integration as that “feels” less painful to migrate off the in the future.


This is the million dollar question that Apple hasn't answered. What happens to these forwarding addresses if you cancel iCloud+?

The result is bad either way. It's either A or B. (A) Canceling iCloud+ doesn't remove existing Hide My Email addresses - which makes it possible to abuse by creating tons of extra addresses before canceling. Or: (B) Canceling iCloud+ deletes all of your Hide My Email addresses, locking you out of dozens of services (e.g. anything that sends an email as a MFA).

I suspect that it is actually (A). Someone just needs to test this and report out.


Currently I forward all my iCloud mail to my protonmail. Not sure if the aliases will stick around after cancelling a subscription however.


I see SimpleLogin mentioned in the replies several times, but I haven't seen anyone mention that you can use your own domain name with them to prevent vendor lock-in.

You can also export your setup through their API so you can very easily migrate to a self-hosted instance if ever necessary:

  wget --header "Authentication: YOUR_API_KEY" https://app.simplelogin.io/api/export/aliases -O simplelogin-export-$(date +%s).csv

And given the author talks about Have I Been Pwned, I feel I should mention that SimpleLogin has built-in HIBP integration (contributed by me in https://github.com/simple-login/app/pull/472)


The great thing about Apple doing stuff like that is the sheer scale they reach.

Sure, there were many services like that before, and many of us have used them. But making it an integral part of iOS can drive mass adoption. You have to credit Apple for that.


There is also a trust component. I do trust Apple to not abuse this product or shut it down in the future much more than I do some no name privacy company.


I use this feature extensively.

My only wish is that it were easier to send an outgoing email via a Hide My Email address (rather than only being able to reply once the other party has sent the first message).


In iOS and macOS mail.app, you can select the from name in the compose sheet and the option to autogenerate a random email address using “Hide My Email”.

Not totally intuitive but pretty decent.


Ah, that is helpful. Thank you.


If Apple would provide an easy and straightforward method of sending emails from those garbled and, to the layperson, "anonymous" addresses all kinds of dumb shit would happen. I guess they don't want that kind of publicity, even if they can obviously trace every offender.


Gmail used to have send-as feature that verified only with your ability to click on the link that you get from google on that inbox.

Technically you can do the same with SES on AWS as well, they verify just a single email address this way (domain is with DNS records), and they have SMTP gateways to connect to a mail client.


Fastmail handles this perfectly.

Discussion here:

https://news.ycombinator.com/item?id=30964570


Yup, this makes it unusable for me. Try AnonAddy bro, it's much better. You even get an iOS app to manage your aliases on the go.


I made something similar that I've been using for several months now: https://shroud.email/

The concept is fundamentally the same as Hide My Email or DuckDuckGo's service, but it's libre software and has (IMO) a better UI to manage addresses. It also stops tracking pixels, which Hide My Email doesn't do unless you also use Mail.app. It's hosted in the EU and runs entirely on renewable energy.


Seems great, but the same question I have with most email add-on services, how do I know you aren't reading my email? Seems a risk to introduce additional 3rd parties into the email system.


I agree that this is a challenge! If you want to use the hosted version, it's impossible to avoid the need for that trust. I'm working on making self-hosting easier for this reason.

Some other services (like Firefox Relay) will use AWS' Simple Email Service for everything. I opted to go for [MailPace](https://mailpace.com/), an independent, privacy-focused provider instead, which is an improvement but still not ideal. I believe that SimpleLogin lets you self-host your email, which is best from a privacy perspective, but I'm slightly concerned about the UX of having to think about email deliverability. Still experimenting with that!


That's a good answer, appreciated.


My pal Nick and I built something called Cloaked Email for our startup Gliph back in August of 2012. [1]

Apart from our early integration to send and receive Bitcoin on Coinbase, Cloaked Email was the most successful part of our privacy focused startup, not only in its ability to attract press coverage but in generating revenue as well.

We believe our work contributed to forcing Craigslist to introduce their email relay service. Craigslist went so far as to block email from cloaked email users. [2]

Doing this well and to take on the responsibility of maintaining ~forever is a huge thing.

It is great Apple has recognized the importance of this matter and brought it into their platform in such a straightforward way.

One of the most engaging actions we had was people re-rolling for a different random email address. People just loved seeing what they might land on next.

[1] https://blog.gli.ph/2012/08/14/delivering-privacy-gliph-cloa...

[2] https://blog.gli.ph/2013/07/22/cloaked-email-and-craigslist-...


Where is the ode to the likes of AnonAddy that have been about for a long time now AND provide much better service?


Services that only provide disposable addresses get blocked. iCloud is too big to block.


I haven't come across a service that would reject me, although I use my own domain with AnonAddy.


Bringing first-class support for it on Safari/iOS is interesting, and I'm surprised they did it. Even my mom is using it because, when it pops up, why not.

Until this, it was just a handful of privacy-conscious folks using services like AnonAddy.


Don’t forget SimpleLogin which is open source and just got bought by ProtonMail last week.


hear, hear!

AnonAddy is a godsend to me, for having an additional feature to set which aliases are allowed to forward (albeit limited just enough for essential services I can use) and also recently you can reply to a message from your alias email.


I must be the only person who doesn't receive spam. I mean I do, but it goes into the spam folder. I've never really understood why I should use something like this. I have my email address on my website anyway, so it's not like it's private information.


Low-quality spam veeery rarely makes it to my inbox, but “opt-out newsletters after signup” are basically how every business operates nowadays. And that’s spam as far as I’m concerned.


I have been using my current domain for 3 years now and I don't receive any spam in my spam box either. Email spam seems like it was a solved problem years ago. Now it's all just newsletters which go right through the spam filter.


For those using this feature for a long enough time, have you seen misfiring or emails that disappear, that you couldn't retrieve?

When using keychain as a password manager, once in a while when creating a password for a new site, it would generate it and complete the account registration, without properly saving the generated password.

I'd hunt for the site item through keychain's list and not find it, and go through the "Reset My Password" for the site, except if time passed I might not even remember which email I used to register.

It was annoying enough for passwords, but not critical. For emails there are probably situations where the account is just lost and the only option is to create a fresh new one. How good is their implementation for this?


This situation was fixed in the latest update


There are lots of ways to do this. Postfix is nice but a little heavy. The simplest and most functional way I've found is https://github.com/0xERR0R/mailcatcher since all it does is forward the emails. You can even use a throwaway Gmail SMTP so it doesn't get sent to spam.

Easy to set up on a rpi/cheap VPS, as long as you have a hostname. And while you're there, look for a short domain name so it's fast to type (on credit card kiosks). You can get cheap short non-standard TLDs like .li. I got a 3 character domain for $5 a year, as short as bit.ly, but just for me.


I guess it's harder (although not impossible) to send email from this throwaway address, but that has never come up for me, for external accounts.


Twitter is one site that I know requires you to reply to their automated email from the exact same address if you want to appeal a suspended or locked account.


It's a built-in feature of Fastmail which is how I do it


> It’s important to note that you shouldn’t use Hide My Email for everything. For example, you probably don’t want to use a random address for critical services such as online banking. If you trust the bank with your money, you can probably trust them with your email. I’d also think through those sites that may use your email to help others find you, such as social media accounts. If you’d like your contacts to find you automatically, you’ll need to use an email they know of.

Social media is high on the list of use cases for such addresses to help preserve one's privacy.


It’d be nice if there was a service like this for physical addresses and even phone numbers. Every account you sign up for could be with a made up name, email, phone, address, and single use credit card number.


Apple provides data on iCloud subscribers to the police without search warrants or probable cause over 20k times every year(!) (under FAA 702, aka PRISM), because the US federal government illegally demands it and Apple has no ability to really stop them without their staff going to jail (thanks to the government's secret interpretations of what FAA 702 really means). Much of the data in iCloud is not end-to-end encrypted (including the keys protecting all of your iMessages, as well as all your photos, and your device backups) so this is a huge amount of data on/about you they can be compelled to turn over at any time without probable cause.

This means that you shouldn't use iCloud (even if you have nothing to hide). The fact that there is no probable cause required means that the state can demand this data as part of a fishing expedition to abuse/harass even the totally innocent.

This means that features like this, which lock you in to using iCloud in the long term, should be assiduously avoided.

Get your own domain name and get your own email hosting (not from Apple) and use that. You can setup a catchall to have unlimited unique email addresses. You can use multiple domains if you like. Step by step instructions on how to do this are on my website.


Yesterday I was shopping with my wife and was thrilled with how I could use Hide My Email in an irl sales situation - mattress shopping!


Been using individual email addresses for each website I signed up for by using Fastmail.com’s email aliases. - Previously I had a second email address just for sign ups, but whenever a platform was hacked and user data was leaked, my email address was burned.

So yes, this feature is super useful, and kudos to Apple for introducing this to their customer base.


This feature is indeed amazing, but my biggest complaint is that it's not easier to access. Roughly speaking, the worse the website, the less I trust it with my email, the less likely their HTML is well formed and will trigger iOS to prompt me to use Hide My Email.

Way too frequently I have to dig this feature out of the settings menu, copy the address to the site, copy the site back to Hide My Email as a label, and then usually do the same hoop-jumping with my password manager.

I would welcome this feature to be more front-and-center on the keyboard somehow.


Hide My Email is an awesome product, no doubt, but why the mention of Have I Been Pwned? Security through obscurity is not worth two cents. Use a password manager and generate your passwords.


My thought process was if you search your primary email, you'll quickly see all the breaches with that email. Using a different email per service reduces the surface area (lateral movement). Security through obscurity has nominal value, but the reduction in ability to correlate has a much higher value.


Hide my email is great but I've also really been enjoying the new duck email service that does the same thing just because it's quicker to use on windows, where you have to open icloud, create a new email and paste it in.

In fact the duck email service is nearly perfect, except for the fact that the extension forces you to use duck as a search engine and so you literally have to modify the chrome extension and store it locally if you just want the email service.


How do I report Hide My Email abuse? Someone used it to send a nasty email to my company. I couldn’t figure out how to report it. My guess is there is no way to do it and there won’t be until after some reporters make it the Apple scandal of the week when there’s no other news.


Are you sure that was the actual sender? Email allows you to write whatever you want in the From field.


If your email host is half decent it will automatically move these emails to spam and plaster huge fraud warnings all over an email which does this.
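Added illustration, not part of any comment in this thread: the two replies above turn on whether the visible From domain was actually authenticated, which a receiving host records in the `Authentication-Results` header. The sketch below checks that an SPF or DKIM pass stamped by your own server aligns with the From domain; the authserv-id `mx.example.net`, the sample messages and the two-label domain rule are assumptions, and this is not a full DMARC evaluation.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own receiving MTA stamps (RFC 8601).
TRUSTED_AUTHSERV = "mx.example.net"

def org_domain(domain):
    # Naive organizational domain (last two labels); production code
    # should consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_is_authenticated(raw_message):
    """True if a trusted SPF or DKIM pass aligns with the visible From domain."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_dom:
        return False
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split off the authserv-id before the first ';'.
        authserv, _, results = " ".join(header.split()).partition(";")
        stamp = authserv.split()
        if not stamp or stamp[0].lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by our MTA, so the sender could have written it
        for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            pattern = rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=([^\s;]+)"
            for match in re.finditer(pattern, results):
                ident = match.group(1).rpartition("@")[2]
                if org_domain(ident) == org_domain(from_dom):
                    return True
    return False

def sample(auth_results, from_addr):
    # Constructed message, for illustration only.
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_addr}\nTo: support@example.net\n"
            "Subject: complaint\n\nbody\n")

LEGIT = sample("mx.example.net;\n spf=pass smtp.mailfrom=icloud.com;\n"
               " dkim=pass header.d=icloud.com", "alias_1@icloud.com")
SPOOFED = sample("mx.example.net; spf=pass smtp.mailfrom=bulk.example.org;"
                 " dkim=pass header.d=bulk.example.org", "alias_1@icloud.com")
UNTRUSTED = sample("other.example; dkim=pass header.d=icloud.com",
                   "alias_1@icloud.com")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("untrusted", UNTRUSTED)):
        print(name, from_is_authenticated(raw))
```

A message that fails this check is not proof of forgery on its own, but it is the signal to read the full headers before forwarding a complaint to the relay provider's abuse address.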


Have you tried emailing abuse@icloud.com?


I will try forwarding it there. Thanks.


I'm not sure how one would do that? You cannot create Hide My Email addresses purely to send mail. Your company would have to first send mail to that address, and then the person behind it may reply.



Oh, had no idea!


As an android user I've never seen this before -- this seems way better than email+tag@gmail.com


There is SimpleLogin[0] and Mozilla Private Relay[1] as more generic options. I've never tried them as I struggle to figure out how trustworthy they are. At the end of the day, emails are essentially proxied by these products.

[0] https://simplelogin.io

[1] https://relay.firefox.com/


Another one that's come up in the past is https://sneakemail.com/


SimpleLogin have been around for much longer than Apple’s service and I believe they have been bought by ProtonMail now as well.


Abine Blur (https://www.abine.com/) was one of the first to do that however some of the domains started to get blocked. Hide My Email using iCloud negates that risk.


I built a similar service. The benefits include: 1. custom domain, 2. unique email addresses, 3. don't have to be an Apple user.

https://mailphantom.io


I have been tinkering to use chrome auto filling form to sign up for random services with the email address of the current director of the CIA Bill Burns. Haven’t tried it though.


Is this different than me just programmatically adding new email addresses on my domains, which just forward to my primary? Is it just more convenient?

I ask for learning, not for skepticism.


It has the benefit of being at a general domain, icloud.com, instead of one that is (in theory) traceable to you for someone who cares enough to do so.


One thing that wasn’t included in this article but is amazing is being able to deactivate an email address. It results in a total dead end for whomever it was given to.


Check point 5 on the post.


Now that Google is insisting on kicking me out of legacy Gsuite, I may give icloud a try. It's a pity it's such a PITA to set something workable on Android.


Made a very similar thing, since before apple did it actually:-) mine's called https://ent.re


Nice domain name!


It’s been totally amazing for me! All Apple need to do is create a dev experience like Firefox Developer Edition browser and I will jump very quickly!


Why not just use phil+craigslist@gmail.com or phil+kmart@gmail.com to achieve the same effect? ends up in the same phil@gmail.com inbox


how exactly is this hiding your email?


Because the spammers got smart, they automatically remove the plus sign before sending emails.


A bit of a plug, but I have written a small piece with some suggestions for services that could be used to hide and not share your main account as well as some pros and cons to them here - https://psyonik.tech/posts/keep-your-email-private/

TL;DR - Cloudflare email works great if you have your domain on Cloudflare, Firefox Relay is cheap and will work with emails up to 150KB and a number of email providers give you the ability to create aliases (Runbox allows up to 100 aliases).


Firefox Relay now works with emails up to 10MB: https://blog.mozilla.org/en/mozilla/latest-firefox-relay-inc...

(Disclosure: Relay engineer.)


I might switch back to it as I had some delivery issues with Cloudflare on some messages, but the issue was the email size, as emails with attachments wouldn't come through. +1 for the change!


I use duckduckgo email protection.


> you probably don’t want to use a random address for critical services such as online banking.

Why not?


Because it’s a potential pain.

I just used Hide my email for a non-critical but real-life situation. I had to learn my new email address and I’ll have to remember it forever. I’ll probably change it back to my regular address at some point.


This is nice and all, until your apple account get locked (for no good reason)


Or you want to send email (not a reply).

People are better off not using Apple’s HideMyEmail. There are better ways that allow this on your domain - no lock-in!

Or no lock-in with a device or browser (because without that it’s a bigger pain).


You can send! It's not restricted to replies. See here: https://support.apple.com/guide/iphone/use-hide-my-email-iph...


You can say that about any email service that isn't self-hosted.


That's true, of course. But this is adding another layer of dependency to already fragile reliability.

Edit: also with custom domain you can switch email providers.


I use my custom domain with iCloud. I use the anonymous email feature only for crap signups. Problem solved.


Good for you (seriously), that's very reasonable, but far from author's recommendation.


Using your own domain doesn’t have this problem as you can just move to another service


Unfortunately, I found that Hide My Email complicates unsubscribing. I tried unsubscribing from Jumba Juice many times unsuccessfully, only to realize that the email that I entered was my actual email, and I should enter the email that was shared to Jumba Juice instead.


If an unsubscribe link makes me re-enter my email I just report as spam. Not worth the energy


That’s true, you have to be aware of the email address you used in every service instead of blindly entering your email address.

But you can also deactivate the email address and be done with it.


This is serendipitous. I just now signed up for the 5 day overcoming overthinking challenge by Jon Acuff and when I signed up Apple checked with me if I wanted to hide my email and this is trending on HN!


Firefox had this earlier actually


re: "It’s inventible" "inevitable", perhaps?


[flagged]


https://support.apple.com/en-us/HT210425

> Apple doesn't read or process any of the content in the email messages that pass through Hide My Email, except to perform standard spam filtering that's required to maintain our status as a trusted email provider. All email messages are deleted from our relay servers after they're delivered to you, usually within seconds.

Unless you can present evidence, your post is mostly a conspiracy theory.


>your post is mostly a conspiracy theory.

Do you frequently bet that people are doing the right thing with no oversight? How often does that prove to be true?


I would take the bet in this case without hesitation. Apple is too big and has too many potential internal whistle blowers to run a clandestine email monitoring operation.


>Apple is too big and has too many potential internal whistle blowers to run a clandestine email monitoring operation.

This calls for an interrobang. APPLE?‽!

This is an absurd reversal of the burden of proof - where I think you go very wrong is to imply or assume the natural state of a large organization is compliance with legal or ethical norms. There's a reason they have legal and compliance departments! There's a reason the laws and rules keep metastasizing! And the same silos that allow lack of compliance, allow potential whistleblowers to be intimidated - "you don't understand the context" they can say.

Every time you take one of those online courses at the beginning of a job, they tell you to report anything unethical or illegal to a hotline or ombudsman or something, and then they tell you that you will be protected...unless you make false or malicious allegations, of course. You have to be pretty obtuse or literal not to understand the threat. They are telling you how it will go down - I mean, what sort of asshole would make a federal case out of the CEO parking in handicapped spaces?

Or, maybe I should've just gone with sarcasm and some hyperlinks:

Apple is too big and has too many potential internal whistle blowers to run a clandestine wage fixing operation, and huge conspiracy theories are nonsense, which is why this never happened:

https://www.theregister.com/2015/09/03/apple_wagefixing_clos...

Also, Apple is too big and has too many potential internal whistle blowers to run a clandestine insider trading operation, and conspiracy theories are nonsense, which is why the person responsible for insider trading compliance definitely did not insider trade Apple stock:

https://www.sec.gov/news/press-release/2019-10

Next up: Ukraine is a conspiracy theory!


Excellent rebuttal and good links.

But they are both for one-offs - single events or single rogue employees. One offs always happen. Systematic, Enron-style ingrained fraud is quite another.

The idea that Apple is systematically reading people's emails - with all the multitude of supporting rogue employees, right down to SREs to keep things running that would need to be in on the act - is absurd, truly a ticket on the conspiracy theory train.


>One offs always happen. Systematic, Enron-style ingrained fraud is quite another.

The fines for wage fixing totaled over $400 million, and although I realize that was collective and not only Apple, how can you possibly say it's not systematic Enron-style ingrained fraud? It wasn't $400 million stolen from one employee! There were all those other companies involved too!

As I see it, it's arguably not Enron-style only because the company didn't collapse as a consequence.

But that makes it more like compromised emails, not less! The more remote serious punishment is for something, the more likely the thing is.

Is it plausible that the worst possible breach of privacy would lead to Apple going under? I think not.

I also think you're arbitrarily excluding the possibility of anything between an all-encompassing plan and a "rogue employee". Pretty much everything that happens falls in between! Many things that are hardly planned at all happen anyway!

A thing that was in the news recently, that did not relate to Apple, was that thousands of PwC (Canada) employees were sharing answers to internal training.

The auditors were cheating on the exams that were supposed to test auditing ethics and skills! Clearly everybody was not aware this was going on, but also clearly it was not an isolated rogue employee!

Management apparently said "whoops, we'll add controls to prevent this" and got assessed a not-very-huge fine.

Which seems to evade the question and problem of how they hired so many people with no ethics to watch over the proverbial henhouses of other companies!

If you've worked for any large organization, you've seen how they declare they adhere to the dogma of finding the root cause of a failure and preventing it going forward. And yet, how often do you see people fix the exact thing that failed a test and blatantly ignore the wider implications?

It seems kind of frightening that the PCAOB (I think) doesn't really seem to see an issue with a slap on the wrist and a promise to do better being the penalty.


You're angry about this but not iCloud Mail, their full hosted email product, that has existed under various names for over 20 years?


If you are worried about third parties having access to your communications, you shouldn’t be using (unencrypted) email.


They can do that anyway? Hide my email just generates random aliases to your iCloud mailbox which Apple always had access to.


If you hide your gmail address, they can now see the email to gmail that they couldn’t before.

But yes, they already have tons of access to email that they could (but don’t) do nefarious things with.


No need for the tin foil hat nonsense.


Any evidence of this you’d like to share?


The poster said "be able to", not "does". Inserting themselves in the SMTP relay chain clearly gives them a new technical capability here.


    Thanks for using our crappy (app or web site) and Preserve Your Privacy With Apple.

    Please enter your mobile number for account verification. Your number must be capable of receiving SMS messages.

    We need your mobile number in order to verify that we can track you, personally identify you via data brokers, and send you SMS spam and robocalls.

    To help us verify this, please log in using your password and the single-use code we will send you via SMS.



