Envelopes and Apple

I’m a big fan of one-time-use emails (as you can probably tell by previous posts on this blog). However, one thing that iCloud’s Hide My Email is still unbeatable at compared to my own domain is full anonymity. When I sign up for a junk site to get free WiFi, or order at a restaurant, I don’t even want to expose my domain to them, because that domain is, well, registered to my real identity.

Hide My Email, on the other hand, is fully anonymous: emails come from “@icloud.com”, with no name in the headers, nothing. Just a fully anonymous blank email. Great! Services can’t even filter for it (unlike Mozilla’s or DuckDuckGo’s solutions), because filtering would mean blocking everything coming from icloud.com.

Here’s one thing I’ve wanted to get working for a while: instead of having <site or person> -> one-time-use email (iCloud) -> me, I want it the other way around: a one-time-use email that lets me anonymously send to a specific recipient whenever I send something to that email. Turns out you can actually do that with Apple’s Hide My Email! Let’s take a look at how.

How Hide My Email actually works

Hide My Email is acting as a relay in between the user account and the sender. You don’t actually send emails from that randomly generated @icloud.com address. In fact, you can’t. You can’t authenticate with that email on the iCloud SMTP server because that email is not yours.

Here’s what I mean. Let’s compose a new email and use Hide My Email:

New email with Hide My Email

When I click “Send”, the email arrives successfully with the hidden iCloud email as sender, as expected:

How the receiver sees the email

… but when we inspect the actually sent email, it looks like this:

How the email actually got sent

Do you see it? The email never got sent from “heave_balks_0g@icloud.com”. Instead, Mail inserted a relay address as the actual receiver of the email. That’s the long test_at_davemail_io_5rvm…@icloud.com you see there. Mail does this so transparently that you’ll likely never even notice what is happening.

Relaying back and forth

So now that we know this relay address, what happens when we send an email directly to it? Let’s try!

Manually composing a new email to the relay

Sending, and hey look at this! Doing it manually gives us the same result! (duh)

How the email got received

This means that test_at_davemail_io_5rvrmv74x77007_62a85f4e@icloud.com is the relay address that iCloud mapped to test@davemail.io. Everything I send to it will always arrive at test@davemail.io, kind of like a mini portal that shovels content over to a specific recipient.

The other end will always see heave_balks_0g@icloud.com, the other part of the relay, as sender. The final relay looks like this:

  • heave_balks_0g@icloud.com: Relay to my email
  • test_at_davemail_io_5rvrmv74x77007_62a85f4e@icloud.com: Relay to the recipient

Hide My Email is unique per recipient, but not fully random

Another question you might have while following this is: Wait a moment, aren’t Hide My Email addresses random? Well, kind of.

Each time you generate a hide-my-email-email (nice word), it will be random, but only per recipient: when I hide my email from plans@tripit.com, it will always be the same @icloud.com email, no matter how often I generate it. You can’t use iCloud to spam people; they’ll see everything coming from the same person.

Cool, but what can we actually do with this information??

Obviously this post was leading up to something, otherwise I would have not put so much time into writing it.

Now that we know that relay addresses don’t change, we can use this knowledge to automate sending completely anonymous emails to specific recipients without exposing our main domain, name or any other information.

Even better: using the relay even shields us from any mistakes, like accidentally leaking personal information in headers. It has happened a dozen times that I used the “forward email” functionality in email clients to forward an email to a service, just to realize that the email service sent that email with my global account email instead of the one-time-use email. (How would the service even know what email I want to use for forwarding?)

Let’s take a service like TripIt, which gives me an email that I can send flight itineraries to: plans@tripit.com. I can link an email to it like “tripit.com@mydomain.com”, then whenever I send an email from this email to plans@tripit.com, it will add that itinerary to my account. This works great, but means I can’t really set up any quick actions, shortcuts or automations to quickly forward to it, because of the issue I described above. Now we can fix that by directly using the relay address :)

  1. Send an email to plans@tripit.com using Hide My Email
  2. Copy the generated @icloud.com address and add it to TripIt
  3. Copy the generated relay address (the long one, aka test_at_davemail_io_5rvrmv74x77007_62a85f4e@icloud.com) and create a new contact with it for quick access
  4. Profit.

Now we can hit “forward” (or use a Siri Shortcut) to forward any PDF attachment we want to add to TripIt to our relay address, and iCloud will do the rest.
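For a scripted version of that forward, here is an added example (not part of the original post) that refuses to build the message unless the destination is the relay for the intended recipient, which guards against the wrong-address mistake described above. The relay layout is inferred from the single address shown in this post and is an assumption, not a documented Apple format; the sender address and PDF bytes are constructed.

```python
import re
from email.message import EmailMessage

# Layout inferred from the single relay address shown in this post (an
# assumption, not a documented Apple format): the recipient with "@" -> "_at_"
# and "." -> "_", then two opaque tokens, at icloud.com.
RELAY_TAIL = re.compile(r"_[a-z0-9]+_[0-9a-f]+")


def encode_recipient(recipient: str) -> str:
    """Rewrite a recipient address the way it appears inside the relay."""
    local, sep, domain = recipient.strip().lower().partition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {recipient!r}")
    return f"{local}_at_{domain}".replace(".", "_")


def relay_matches(relay: str, recipient: str) -> bool:
    """True if `relay` looks like the iCloud relay for `recipient`."""
    local, _, domain = relay.strip().lower().partition("@")
    prefix = encode_recipient(recipient)
    return (domain == "icloud.com" and local.startswith(prefix)
            and RELAY_TAIL.fullmatch(local[len(prefix):]) is not None)


def build_forward(sender, relay, recipient, pdf, filename):
    """Build the forward, refusing any destination that is not the relay."""
    if not relay_matches(relay, recipient):
        raise ValueError(f"{relay!r} is not the relay for {recipient!r}")
    msg = EmailMessage()
    msg["From"] = sender          # bare address, no display name
    msg["To"] = relay             # never the service address itself
    msg["Subject"] = filename
    msg.set_content("Itinerary attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename=filename)
    return msg


# The relay and recipient are the ones from the post; the rest is constructed.
RELAY = "test_at_davemail_io_5rvrmv74x77007_62a85f4e@icloud.com"
if __name__ == "__main__":
    m = build_forward("me@example.com", RELAY, "test@davemail.io",
                      b"%PDF-1.4 constructed sample", "itinerary.pdf")
    print(m["To"], [p.get_filename() for p in m.iter_attachments()])
```

The returned message can be handed to `smtplib.SMTP.send_message` on a connection authenticated as the iCloud account that owns the relay.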

All of this effort just so we don’t expose our main email, huh 😉

Keep on shaving that yak

The Yak