Apple is about to make Hide My Email useless

Posted by SXX 14 hours ago

Counter482Comment295OpenOriginal

Comments

Comment by giancarlostoro 13 hours ago

If your website will block me out because I used a privacy friendly email, I want nothing to do with your website.

Comment by muse900 12 hours ago

Yes but not always applicable unfortunately… e.g. the other day I was in Italy, I needed to park on the publicly available parking which was paid to the municipality.

No other parking available anywhere near in 30 mins walking distance. (paid or free)

I had to download a 3rd party app that asked me to register. This app isn’t by the Italian government, it’s affiliated though.

So in that situation, I want nothing to do with your website or app, because I wouldn’t able to park.

Comment by ivanjermakov 12 hours ago

Have exactly the same situation with parking in Italy. Having a private company operating all paid parking on an island is not very healthy.

Comment by echelon 11 hours ago

Having a handful of companies that can contact you has created a land of monopoly hyperscalers.

It's so hard to build anything big and durable because they've created these steep gradients.

Comment by KennyBlanken 5 hours ago

"They" didn't create them. They laid out the bait - free APIs to do all sorts of stuff, and lazy-ass programmers took the bait hook line and sinker without thinking through the consequences of everyone moving their sites into "the cloud." Or didn't care.

Lot of people need to look in the mirror on this one - from programmers to execs.

Comment by gedy 9 hours ago

It's too bad there's no one willing to be a parking lot attendant on an Italian island.

Comment by valleyer 1 hour ago

You might not have used one, but there have long been parking meters / payment kiosks that take charge cards and even cash. Neither an app nor a human attendant is required. It bugs me that these are slowly being replaced by smartphone app systems.

Comment by pjc50 35 minutes ago

Parking is expensive enough without having to pay a human.

Comment by rapidaneurism 4 hours ago

I think there is plenty of people, but they have these obscene demands about getting paid a living wage.

Comment by drnick1 12 hours ago

Can you not pay with cash or card anywhere? What if you don't have a "smart" phone? I would categorically refuse to park anywhere that requires running a proprietary app on my device. Fortunately, in the States at least, I have not encountered such a place yet.

Comment by obmelvin 6 hours ago

Physical machines can be confusing too :)

When I was in Italy last summer, I couldn't figure out how to pay with my card at the machine in a small town, where you'd park to walk into an ancient city on a hill*. I asked two Italian woman for help and even with being able to read the Italian + having paid with coins themselves, they struggled to help me understand the combination of steps required to pay with card.

Comment by cassianoleal 12 hours ago

In the UK, I believe parking companies need to have a way to pay without the app but it's usually so bloody inconvenient that it's about the same as requiring it.

Comment by Slash65 11 hours ago

In my city in Northern California our downtown uses an app for parking now. I don’t use it so it’s still an option, but you have to goto a kiosk, enter your license plate number, and pay with card. It’s made the downtown more of a ghost town (admittedly it was already dying) and the boomers with cash just don’t go. The younger 20somethings all complain “boomers are too stupid to use an app” and have no concern for privacy apparently. Welcome to the future I guess.

Comment by mikeington 1 hour ago

I have more parking apps on my phone than any other type of app. I begrudgingly download them for some semblance of convenience, but get annoyed that I'm logging in each time as it may be months since I used it, and towns changing apps means I likely have some high percentage of void apps that I keep around just in case. Living in New England doesn't help with lots of small towns, but even Cambridge has multiple apps depending on if you are parking on the street vs in a garage.

Comment by autoexec 10 hours ago

> The younger 20somethings all complain “boomers are too stupid to use an app” and have no concern for privacy apparently.

They were literally trained not to value their privacy. The first generation of ipad kids now have driver's licenses.

Comment by mingus88 8 hours ago

I hear some take pride in being “digital native” and only knowing a world where smartphones are a ubiquitous part of your life.

I’m quite content having grown up without being always online. The childhood I had where what I did between school time and when my parents expected me home for dinner were mine alone. Every event was not recorded by 50+ cameras with bad seats and posted online for nobody to watch.

A truly excellent time to be alive that I doubt we will see again

Comment by qalmakka 10 hours ago

You need to find a working parking metre which may or may not work, accept cards or give back change. Also most if not all of parking apps allow you to pay by the exact minute and extended your stay dynamically from the go, while with a paper ticket you need to go back to the car and get another one before it expires

Comment by userbinator 5 hours ago

I do wonder if the "illegal not to accept cash" laws in some states have been applied to this situation.

Note that sometimes the risk is low, and changing your plate is cheaper if you do get a fine...

Comment by anakaine 6 hours ago

Australia: some companies are app only

Comment by calvinmorrison 12 hours ago

Essentially too bad. Look at the parkmobile disaster.

Comment by HeatrayEnjoyer 8 hours ago

The what?

Comment by calvinmorrison 6 hours ago

basically you have to use parkmobile in many places unless you carry literally rolls full of quarters due to the depreciation of the USD, some places dont even have machines anymore. ParkMobile is a moneygrabbing operation that municipalities use to run their parking stuff - yay saas. They got hacked and leaked everyones phone numbers, license plates, history, and more.

The settlement in court was - you got I believe a $1.00 coupon to use parkmobile again - but you could only use .50 towards each transaction

Comment by ElFitz 4 hours ago

That, especially the conclusion, is hilariously bad.

Comment by rTX5CMRXIfFG 6 hours ago

tutanota.com protonmail.com

create a burner for when ‘not always applicable unfortunately’

Comment by anakaine 6 hours ago

Ive bumped into these been banned too. Apples temp addresses worked well where these didnt.

Comment by pbgcp2026 2 hours ago

Proton does require phone number now. It's not anaonymous email provider anymore.

Comment by rTX5CMRXIfFG 2 hours ago

didn't know that, but the point of the burner is to trap junk email in an account you don't care to read

Comment by ABS 12 hours ago

you can pay at the parking meters directly, no need for a 3rd party app

Comment by qalmakka 10 hours ago

Yes, but

- the apps almost always allow you to remotely increase your stay - the apps almost always allow you to pay by the exact minute instead of by the quarter/half an hour

Comment by vinni2 13 hours ago

Unfortunately sometimes we are at some specific provider’s mercy for whatever reason like lack of appropriate alternatives.

Comment by MoonWalk 12 hours ago

COUGHredditCOUGH

Comment by al_borland 12 hours ago

I think Reddit falls under this category.

> If your website will block me out because I used a privacy friendly email, I want nothing to do with your website.

Comment by gnoll_of_gozag 55 minutes ago

strange. i've used disposable emails for reddit accounts several times and everything worked

Comment by MoonWalk 10 hours ago

Yep, toxic garbage staffed largely by same. Unfortunately, it has amassed quite a bit of potentially useful information.

Comment by al_borland 10 hours ago

You don’t need an account to access the information. It’s also all been sucked up my the LLMs, for better or worse.

Comment by roboror 7 hours ago

It's full circle now and a large portion of posts and comments are now LLM generated responses, whether by a bot or copy/pasted by a human.

Comment by al_borland 4 hours ago

All the more reason to stop visiting.

Comment by kodt 6 hours ago

I know I have created accounts on Reddit with disposable email services before.

Comment by HeatrayEnjoyer 8 hours ago

Reddit doesn't even require an email address to make an account. You can just leave the email field blank.

Comment by Ferret7446 6 hours ago

But it does require a valid phone number which is worse.

(I might be misremembering but they definitely require a valid something now, as I found out a while back creating a new batch of accounts to rotate)

Comment by SV_BubbleTime 12 hours ago

IDK I’ve appreciated Reddit killing off good features like old version, putting a time-lock banner on mobile while logged out, trying to block VPNs when logged out, etc.

I want that company devalued and bought by Verizon or AOL to die a Yahoo death.

What is insane to me is how few people realize their stock has a higher P/E than nVidia… and it isn’t because of some bullshit minor AI data deals. It’s a youth-forward narrative machine, and everyone knows it.

Comment by pjerem 12 hours ago

FWIW, old.reddit.com is still there and working

Comment by giantrobot 11 hours ago

Shh, don't remind them.

Comment by lenerdenator 11 hours ago

> I want that company devalued and bought by Verizon or AOL to die a Yahoo death.

If the future's your oyster for what happens to Reddit, why stop there? If it's bought by somebody, that implies that Spez gets an amount of money that is greater than $0.00. Ideally, we avoid such a grim and unjust outcome. We want it to be made effectively worthless so he goes broke.

Comment by SXX 12 hours ago

RedReader still works. For now.

Comment by 12 hours ago

Comment by coldtea 10 hours ago

It's precisely when I want "nothing to do with your website" that I want to use a private friendly email if I'm nonetheless forced to interact with it...

Comment by abirch 11 hours ago

I frequently buy a domain that I think is funny and use that to forward all my emails to my main email account. It's trivial to do from Cloudflare. Then after that 1 year is up, my domain goes away and so does all of the spam.

Comment by pseudalopex 9 hours ago

And the not spam?

Comment by Bender 12 hours ago

I ran into this with an NVMO mobile provider. They did not like my personal email domains (assorted .net and .org) so I nagged their customer support until they manually added it. Their marketing team happily emails my personal domains once added. Some day this will probably cause a problem but my goal is to eventually get rid of my cell phone either way.

Comment by reaperducer 12 hours ago

I ran into this with an NVMO mobile provider.

As of about six months ago, AT&T's web site would not accept email addresses without a three-character TLD. I had to get a customer service person on the phone to manually change my address.

Comment by toast0 11 hours ago

Even .us ??? Pretty sure I used my usual domain (enslaves.us) with them for wireless and california landline and u-verse.

Comment by Bender 11 hours ago

Just a guess but .us does not permit whois privacy and perhaps that may be a factor but I am entirely guessing as all my domains have whois privacy enabled and they would not say why their system rejected my domains.

Comment by badc0ffee 11 hours ago

Do you mean it was failing with a >3 character TLD?

Comment by abirch 11 hours ago

could be < 3

   .io
   .co
   .ai

Comment by joeyhage 12 hours ago

Completely agree - have you encountered this before? The Gmail plus sign alias trick has been widely known for a long time and, to my knowledge, still works well today. It would be easy enough for websites to either block + in gmail addresses or instead grab the true email.

Comment by cloudfudge 11 hours ago

Some sites that block "+" in email addresses are actually just doing it out of incompetence. My credit union, for example, will actually accept an address with a "+" in it, but nothing will work because some broken bit of web 1.0 plumbing along the way converted it to a space (it shows up that way on my profile page). I wouldn't be surprised to see "&nbsp" on my printed bank statements.

Comment by janc_ 7 hours ago

Oh yes, so many websites are incompetent like that.

And of course after registering with foo+bar@example.com they will happily send invoices to bar@example.com

Comment by autoexec 10 hours ago

Spammers know to just cut out the +whatever. It's a simple regex to keep those from even getting into a database.

Comment by janc_ 7 hours ago

The + has no special meaning in the standards, and thus removing it will just result in invalid addresses in many cases…

Comment by AlexandrB 7 hours ago

Doesn't matter. Most email services[1] use it the way Gmail does and spam is a numbers game. Losing a few valid addresses is worth correlating all those other addresses for most spammers.

Standards only matter to nerds like us.

[1] https://proton.me/blog/what-is-email-alias#5

Comment by Ferret7446 6 hours ago

Except plus address users are also less likely to be receptive to spam, so it's probably better to just not bother

Comment by SXX 12 hours ago

Gmail also have "googlemail.com" alias and you can split your username with dots since they dont count like "user@gmail.com" and "u.s.e.r@gmail.com" are the same thing,

Nothing of it solves privacy though.

Comment by ciupicri 10 hours ago

Guess what? There are some dumb website or applications complaining that the email address is invalid.

Comment by yalogin 10 hours ago

ChatGPT doesn’t allow private relay and hasn’t allowed it since launch may be. So it’s not always possible to not use them, of course now there is no need to use ChatGPT and I have just stopped and moved on from it

Comment by fg137 11 hours ago

Didn't really have a choice with openrouter. I ended up using "Hide My Email" which gave me an icloud.com, which will likely no longer work according to this article.

Comment by paulddraper 2 hours ago

That's probably WHY you're using a privacy friendly email.

So...

Comment by Rebelgecko 10 hours ago

It's pretty common. Shopify blocks my email aliases. So does ikea

Comment by HelloUsername 12 hours ago

If your website needs an email address at all.. otherwise just use null@null.null, if it accepts and doesn't require a authentication code

Comment by octoberfranklin 11 hours ago

I guess you don't use github. It won't let you sign up with @airmail.cc.

Comment by x0x0 12 hours ago

I used to run a hybrid mobile app + webapp company.

Private emails regularly lead to awful customer service interactions because people cannot tell us the email they used to register. Fastmail at least is off the beaten path enough that people probably can understand. Apple, especially using sign in with Apple, is horrid. And not just people unable to tell us the email; they then create multiple accounts; try to sign in on web and use their actual email and then have 2 accounts and flip shit that their stuff is gone; etc. Oh, and regularly blame us for their confusion.

Comment by trollbridge 11 hours ago

It’s up to the app architect to make a way to make this work, and to stop using emails as anything other than a UUID type of token

Comment by JoblessWonder 11 hours ago

So I guess the solution is just to begin to allow accounts to always register multiple emails? Although I guess the issue of multiple accounts is still going to exist if the users don't know the initial (private) email that they signed up with though unless there is a different unique ID that everyone will be able to remember.

I'm curious (and not trolling by asking) what a solution might be since email has been used as a unique account identifier for so long it is hard for my brain to think of another option at the moment.

Comment by int_19h 5 hours ago

If you do require an email as an ID then yes, you absolutely should allow multiple emails per address if only so that the person can recover if they lose one of their mailboxes (similarly if you support hardware keys you should allow more than one).

Comment by weakened_malloc 10 hours ago

Just a regular old username + password, kind of like HN allows?

Comment by JoblessWonder 10 hours ago

I feel like email overtook usernames because it was more likely to be unique/memorable. I hate when websites ask me to remember a username (even though I'm using a password manager so I should really just calm down.)

Comment by bigstrat2003 7 hours ago

Usernames are no less likely to be unique and memorable than an email. You presumably chose something memorable for your email, so just enter that without the @foo.com bit. There, memorable and probably unique.

Comment by 11 hours ago

Comment by hamdingers 11 hours ago

[flagged]

Comment by danudey 11 hours ago

> If you insist on giving me a fake email, your business is probably a liability I don't want anyway

It's not a fake e-mail, it's a legitimate e-mail that you can send e-mail to and the user will receive, which has to be created by a paying iCloud user and not an anonymous rando off the internet.

I'd be interested to know what downsides, if any, you see for a website to accept a private e-mail address like this. Do you have a legitimate complaint about these sorts of e-mails? Again, given that private relay isn't an 'anonymous e-mail service' (it's still tied to your iCloud account so spam, etc. shouldn't be any more of an issue) but merely an 'anonymous to the person you're giving the e-mail to' service.

If your actual complaint is 'if you insist on giving me an e-mail that you can revoke unilaterally making me unable to contact you against your wishes, and which cannot be associated with other user data from other sources to build a profile of you, then you're not worth having as a customer' then that's a separate complaint - and one that means I want nothing to do with your website.

Comment by hamdingers 11 hours ago

I'm curious what you think the difference is between "a paying iCloud user" and "an anonymous rando off the internet." How many Apple gift cards do you reckon get sent to fraudsters every day? Decades worth of iCloud+ surely.

I'm running a business where I need to know who you are, because my platform can be used defraud other people. If you're trying to hide who you are from our very first interaction, that's a massive red flag.

If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

If these terms are not acceptable to you, then great! Don't use the website, there's no need to be salty because that's what you said you wanted. Isn't it?

I don't mind either, because the number of legitimate users who are bothered by this restriction is infinitesimal compared to the number of fraudsters who would take advantage if it wasn't in place. It can be difficult to comprehend the scale of platform fraud unless you've worked in this area, many days fraudulent signups outnumber legitimate ones.

Comment by FireBeyond 9 hours ago

> If you're trying to hide who you are from our very first interaction, that's a massive red flag.

You conflate email with identity, just like the media companies conflated IP addresses.

It's not hiding who you are, it's hiding my real email address behind a mask that you can't choose to sell off to marketers, or spam yourself, or otherwise profit off, regardless of the nature of our relationship - I've got plenty of spam emails from companies that I closed accounts with, thus severing our relationship.

> If you can trivially create hundreds of these emails, and fill in the rest of the required info with bought/stolen/generated PII, now I have a vector for mass fraud. Requiring you to use a recognized non-anonymized provider doesn't stop you, but it sure does slow you down. (It's not this simple of course, but all security works in layers)

It's not that simple, but I guarantee it doesn't remotely slow anyone down, not at the scales we're talking. Maybe if you're talking one entity and tens or hundreds of thousands of accounts, but it's laughably naive to believe that such a person who is set up to conduct "mass fraud" can't create 100 Gmail/Outlook/iCloud email addresses a day, if not an hour, with near zero effort (it's not like they're committing "mass fraud" by hand, after all).

Comment by hamdingers 8 hours ago

> I guarantee it doesn't remotely slow anyone down

I have watched the rate go down and stay down on real live dashboards.

> Maybe if you're talking one entity and tens or hundreds of thousands of accounts

We are.

I'm not so rude as to call you "laughably naive" but I am speaking from experience and you appear to be considering a hypothetical.

Comment by iamnothere 10 hours ago

It sounds like you are trying to shoehorn email into some kind of “real person verification” role, when you ought to be doing actual KYC through some provider like ID.me. (If honest to god no-shit fraud is on the table.)

Comment by hamdingers 10 hours ago

If I can filter/throttle fraudsters at the create account step for free, I save on the fees my KYC/IDV providers charge each time they attempt to defeat it.

Comment by iamnothere 10 hours ago

At the cost of blocking legitimate users who don’t want to be spammed, don’t want to be correlated after a data breach, etc.

I have been willing to do KYC for services (usually financial) without giving out my main email. Services that put up too many barriers to this don’t get my business. I concede that there aren’t that many users like me, compared to the general public, but I’m a legitimate user.

Comment by tom_ 8 hours ago

There must be at least two of us!

Comment by hamdingers 10 hours ago

[flagged]

Comment by anonymous908213 9 hours ago

Nowhere other than on HN have I seen so many people who are actively proud of their anti-consumer (and frankly anti-human) behaviour. It's a rather revealing look into the veil behind big tech. A lot of people have this misconception that it's evil $bigcorp forcing employees to do what earns a paycheck, but no, there's no shortage of normal people like yourself bragging about anything they can do to identify and track consumers more easily while comparing them to fraudsters for not wanting to be tracked. I suppose that's the narrative you have to concoct to help yourself sleep at night.

I'm curious, though:

> choosing to participate anonymously

Why are your name, e-mail address, and phone number not on your profile? Are you using HN with the intent to commit fraud?

Comment by AgentMasterRace 53 minutes ago

Because this isn't Facebook, or your mom's of. It's a forum where your reputation doesn't matter. I'm not trying to sell you something or have you trust me.

Comment by hollerith 9 hours ago

[flagged]

Comment by anonymous908213 8 hours ago

They aren't giving useful information, they are posting an opinion insinuating that people who use """""fake""""" (ie. non-personally-identifying) e-mail addresses are fraudsters.

> If you insist on giving me a fake email, your business is probably a liability I don't want anyway.

They did not provide any meaningful insight into the field, they are simply insisting that e-mail addresses should be a tool for personal identification because it saves them money over doing real KYC. In other words, they believe KYC should be slanted further in favor of corporations and against customers, such that KYC is publicly available for free, because they value not doing the work of verification over humans having any privacy whatsoever.

As they are entitled to post their opinion on humans having no privacy rights, I am entitled to post mine and point out the hypocrisy of them choosing to participate in this forum privately while advocating for and boasting about denying service to other people who attempt to protect their privacy.

Comment by AlexandrB 6 hours ago

> If you're trying to hide who you are from our very first interaction, that's a massive red flag.

If you're trying to collect personal information that's none of your business from the very first interaction, that's a massive red flag. Like how many data leaks and customer data exposures is it going to take to understand that the data I'm giving you is a liability for me? How much spam am I expected to put up with because you give my data to a "data broker" for one reason or another? Why should I trust anything you say regarding how you will handle my data after all the embarrassing fuck-ups over the years? What is your liability if you mishandle my data, is it approximately $0? Do you have an arbitration clause in your TOS so I can't even sue you when you screw up?

There's zero responsibility from the tech industry for their continued failures in this regard and then you have the temerity to lecture me about my "red flag"? Seriously?

Comment by cloudfudge 3 hours ago

You not bending over and opening your wallet is, frankly, a red flag. /s

Comment by Marsymars 10 hours ago

As others have alluded to, I'm not doing this to be anonymous, I'm doing this because companies can't be trusted not to leak my email address. Every real business that knows my real identity (banks, payroll, government, retailers, etc.) gets its own alias.

When an organization invariably leaks my email and I start receiving spam to it, I generate a new one, update my email on record, deactivate the old one, and the spam stops.

Comment by rpdillon 7 hours ago

> fake email

Its a real address that I can use to monitor your behavior, since businesses send so much damn spam.

Been using them for 25 years, not gonna stop any time soon.

Comment by cloudfudge 11 hours ago

There's nothing "fake" about the email. It's just an alias made specifically for each recipient.

Comment by AgentMasterRace 51 minutes ago

I personally use Mozillas masked emails to defraud referrals and such all the time. If you can't understand this point you're well... Not even worth talking to, it'd be like talking to an anti masker which you probably are.

Comment by AlexandrB 6 hours ago

Seems like we have a meeting of the minds here. You don't want me as a customer and I don't want you as a vendor (or payment processor). Enjoy your spamming :)

Comment by jawiggins 13 hours ago

> If you use iCloud+ and Hide My Email, there is still time to generate more aliases on @icloud.com as the change has not yet landed and the rate limit for creating aliases is at least 30 per hour.

Part of the reason to use Hide My Email was that it made keeping myself private hassle-free. Making a system to pre-generate values and then catalog them for later use is quite the hassle.

Comment by c7b 12 hours ago

If you don't mind trusting another company with forwarding your emails, it's definitely less hassle to set up an equivalent service for yourself.

Comment by treesknees 9 hours ago

You can sort of do this today with iCloud. Add a custom domain and enable the catch-all forwarding, and you can receive anything@domain.tld and it’s forwarded to you.

What you’d lose is the reply-to forwarding feature.

Comment by LordDragonfang 11 hours ago

If you mean "set up an equivalent service" under your own domain, that's both less private and more likely to be blocked; there are a lot of services which, unfortunately, only allow sign-ups from big, well-known domains.

Comment by wartijn_ 11 hours ago

Are there really? I don't think I've ever encountered such a service in all the years I've been using an email address under my own domain. And blocking every email address that's not from a big provider means blocking basically everyone who tries to sign up with their company email, which might not be great for business.

Comment by vitally3643 10 hours ago

I've been running my own mailserver on a firstnamelastname.com domain for nearly 15 years.

As far as I can tell, nobody blocks it. Google sometimes rejects emails where the from address doesn't match the real sending address, which is fair.

I guess the first couple of years were rocky, I hadn't figured out DKIM and SPF and all the other blood rituals yet. Back then I got blocked by Steam and banks. But ever since I set up the correct security it's been fine. Been my primary email for a long long time. All my online accounts are tied to it.

Incidentally, I also have free and unlimited aliases. But I don't usually bother because I have a rule to route all messages to unknown addresses into a special folder. I can give out any random address at my domain and it will always make it back to me. So much more convenient than logging into the website to generate an alias.

Comment by bb88 9 hours ago

I did that too years ago, but the management of it was kind of annoying. DKIM was just getting introduced when I stopped using it. SPF had controversy. I understand both of those are awesome now.

The biggest issue was if your ip address got listed in a RBL (Realtime Blackhole List), and then nobody would talk to you. Some were easy to get off, others were permanent blocks, and I found those to be constantly interfering with the delivery of mail. At least the rejection would usually tell you which RBL blocked you.

Comment by janc_ 7 hours ago

Most RBLs are scams. No competent mail admin uses them to block mail ever.

Comment by dadadad100 10 hours ago

Camel camel camel wouldn’t send notifications to my hidden email. Works fine for my regular vanity domain.

Comment by xigoi 11 hours ago

I recently tried signing up for DeepSeek using my custom-domain e-mail address and the website said the domain is “not supported”.

Comment by kay_o 10 hours ago

in asia it is frequent that email domain is a dropdown not a type in

Comment by gerdesj 10 hours ago

Asia is huge. Please be more explicit (if you can).

Comment by kay_o 1 hour ago

China, Japan ish are where I have seen it the most.

Weibo, Sina you get "Failed registration (mail not supported)" if you enter non-major provider. In china nearly everyone is using qq, 163, 126, sina. Probably >99%

Comment by ranger_danger 5 hours ago

I have seen sites in both Japan and China limit signups to not only mobile-only provider-specific email domains, but also IP block everything but domestic mobile traffic as well.

Most of those services (mixi was one in particular I remember doing this) stopped this practice close to 20 years ago though, but some still remain.

I think it was partly due to the "Galapagos phone" era of pre-smartphones, where each carrier used slightly different mobile web standards (think WAP and custom emoji).

Here is a current help page for Mitsubishi UFJ bank that lists approved domains for both desktop and mobile use: https://faq.cr.mufg.jp/mufgcard/detail?id=4402

Here is a user complaining (with screenshot) that the mail magazine for tabelog only supports mobile provider email domains: https://king.mineo.jp/reports/13368

Another recent one is the login page for gravity.place has a dropdown for country codes (for mobile login) with only 6 options.

Comment by lukeify 11 hours ago

Within the last month both Mapbox and Etsy blocked my attempts to signup using a Proton Mail alias. How many services do you sign up for in recent years, on average? The practice is becoming incredibly common and more than likely you're just grandfathered in.

Comment by jbxntuehineoh 11 hours ago

are you sure they're not just blacklisting protonmail vs. whitelisting known providers? ime a lot of sites block "temporary" or "anonymous" email providers

Comment by ranger_danger 5 hours ago

Etsy blocks my entire ISP (I know because my IP rotates almost daily) so I cannot even view their site at all, it just gives me a "you are blocked" page.

Comment by BiteCode_dev 11 hours ago

Yes, espacially exotic tld. I have a ".email" domain name, and I get 2 to 3 instances a year of either rejected forms, or sneakier, just confirmation email that never come until I use a .com address.

Comment by threeio 11 hours ago

I have a 3 character .com as my primary email... it gets rejected more often than I'd like... including at my bank :) I've got a longer more normal domain that I alias, but it annoys me none the less.

Comment by gerdesj 9 hours ago

Have you got this lot sorted out:

  MX->A->PTR->A->MX
  SPF
  DKIM
  DMARC
  mta-sts - DNS and webpage
Also your IPs must be squeaky bum clean, ideally for several years. DNSSEC might help too. In the UK getting as far as DKIM is usually enough (plus clean IPs, even FTTC connections will work if static).

Comment by ranger_danger 5 hours ago

https://sys.4chan.org/signin has a short list of approved email domains:

> Allowed domains are: gmail.com, hotmail.com, yahoo.com, proton.me, protonmail.com, outlook.com, live.com, icloud.com, yandex.com, tutanota.com, tutamail.com, tuta.io

Comment by thfuran 11 hours ago

>there are a lot of services which, unfortunately, only allow sign-ups from big, well-known domains.

I have never encountered one.

Comment by kodt 6 hours ago

Popular gaming forums NeoGaf and Resetera only allow signups from paid email accounts. All free and temporary email providers are banned to discourage trolls / forum raids / alt accounts.

Comment by ocdtrekkie 9 hours ago

Ars Technica is one you can test I believe. I think I had to register with Gmail and put in a support ticket to ask them to change it to my real email. I use Fastmail, not a selfhosted setup or anything, some services absolutely have a domain allowlist for email signup.

Comment by Hnrobert42 11 hours ago

Nah. I have hosted my domain for 17 years on google and then fastmail. The hosting is harder than private relay, although not too hard.

But I have only had maybe 3 services ever reject my domain, and those were because the domain contains a number.

Comment by snark42 11 hours ago

I've had some reject my e-mail address because it contains their company name. REI was one (ie it wouldn't allow rei@domain.com but would accept reicoop@domain.com)

Comment by drdexebtjl 5 hours ago

I had my account marked as suspicious and closed in a financial institution for this a few years ago. They were concerned I was a bad actor attempting to impersonate an employee. It was very annoying, because no one from customer support could talk to me directly, it had to flow through legal. Very stupid.

I have since stopped doing this out of fear that it will actually cause me more headaches with people/systems that don't understand how email works.

Comment by js2 11 hours ago

I was just able to create an account using `rei@<mydomain>` on rei.com w/o any issues. Now, figuring out how to delete the account is another matter entirely...

Comment by snark42 10 hours ago

Cool, they probably changed it, this was years ago. I've had similar issues with other companies, REI is just the only one I can I really recall right now.

Comment by 10 hours ago

Comment by lxgr 10 hours ago

I haven't had an outright rejection, but definitely a few odd moments with call center agents. "theircompanyname@myname.com" is definitely not the default expectation :)

Comment by janc_ 6 hours ago

Should have registered as rei-are-incompetent-idiots@ instead…

Comment by lukeify 11 hours ago

Within the space of 2 weeks I had both Etsy and Mapbox block signups with Proton Mail aliases. The practice is rapidly becoming more common.

Comment by bigstrat2003 9 hours ago

Blocking signups from proton.me is not the same thing as only allowing signups from the big mail providers.

Comment by lukeify 7 hours ago

Great, so all I need to do is to authoritatively check each plausible combination of domains that _might_ work and rule each of them out before I can make my claim, according to you?

What a load of pedantry.

Comment by weird-eye-issue 5 hours ago

Are you sure you don’t have this backwards? Some B2B websites only accept sign-ups from domains not associated with Gmail, Yahoo, and similar providers.

Comment by jbverschoor 9 hours ago

Less private, but the most common case is actually anti-harassment.

Plenty of providers, but perhaps Apple needs to be forced to open up hide-my-email-providers for others.

Only the EU is capable of doing such thing

Comment by bigstrat2003 9 hours ago

I have had my own domain for mail for 10 years. I have yet to ever see a service which didn't let me sign up with it. I'm willing to believe that such services exist, but I dispute the claim that there are a lot of them.

Comment by stavros 10 hours ago

I've had my own domain for email for twenty years or so now, and I've encountered maybe one signup form that didn't accept it. What you're saying is definitely not true, and I would highly recommend using your own domain for email (preferably with Fastmail, it's fantastic).

Comment by theshackleford 11 hours ago

I mean none of this is accurate, but sure.

Comment by SXX 12 hours ago

Yep, but I still generated some for myself just in case and fellow hackers can do the same if they want to.

iCloud+ was the best $1 / month custom domain email and email alias service with 100GB of E2EE cloud drive.

Obviously it will be sad to see it enshittified for seemingly no reason.

Comment by sneak 3 hours ago

It's E2EE (only if you turn it on, which you can't do in the UK) but it saves (non-encrypted) the hashes of the plaintext of the files to Apple (presumably for dedup).

This allows Apple to see which sets of users share unique Winnie the Pooh memes. They know who had them first, who they sent them to, and when.

The E2EE is useless with such unencrypted metadata leaks.

https://www.youtube.com/watch?v=tL8_caB35Pg

Comment by SXX 2 hours ago

> only if you turn it on, which you can't do in the UK

Fortunately changing Apple account country is as easy as buying US gift card on Amazon and unlike Google they dont mess with account location.

As about encryption I totally agree its pretty meh, but again it's not why I paid my $1.

Comment by sneak 2 hours ago

It’s not based on Apple account country, and even if it were, it’s not nearly that simple to switch it.

Comment by reaperducer 12 hours ago

[flagged]

Comment by dang 10 hours ago

Personal attacks aren't acceptable and you've been doing this repeatedly again recently (e.g. https://news.ycombinator.com/item?id=48522089)

We've had to ask you many times to stop breaking the site guidelines. If you keep doing it, we'll end up having to ban you. I don't want to ban you, so please fix this. It shouldn't be hard to make your substantive points without being an asshole.

https://news.ycombinator.com/newsguidelines.html

Comment by SXX 12 hours ago

You could've at least checked my profile...

Problem is that using of own domain is creating huge privacy and cybersecurity risk since you can track all the person profiles across all the databases ever leaked.

Its nice as vanity item, but it's better not to use same domain across banks, online forums and porn sites. ;-)

Comment by chucksmash 11 hours ago

1. Create a domain like myquickanonemailaccount.com.

2. Use the domain exclusively for hosting your own mail, but create a fake account creation page that just temporarily doesn't work.

3. As an added bonus, should you one day get a subpoena for information about one of your site user's online activities, you've got like a 24 hour head start on fleeing the country.

Comment by applfanboysbgon 9 hours ago

Yeah, real hackers use a uniquely identifying domain that lets everyone in the world trivially trace all of said hacker's online activity to the same person.

Comment by choilive 11 hours ago

There are no true scotsman

Comment by trueno 1 hour ago

is it possible to automate this

Comment by JKCalhoun 9 hours ago

Yeah, I have several dozen already—I suppose I can reuse those forever… I guess it's kind of cool having one-per-site though so you can tell who the "rat" is when one of your hide-my's gets spammed.

Comment by treesknees 9 hours ago

I have over 300 so far. In addition to knowing where spam is coming from, and being able to block it, it also helps prevent correlation across accounts and websites as data leaks occur.

Comment by sciencesama 10 hours ago

we need s script to make date aliases for the next 10 years so one has a email for each day

Comment by danpalmer 7 hours ago

Hide My Email is fundamentally broken in two major ways:

1. Services those emails are used with cannot unilaterally send email to them. They must pre-register how they will send email to them, which breaks services with third-party relationships such as online retail with payment processors or shipping companies.

Users don't like not receiving shipping notifications, and users don't like not seeing invoices or at worst missing bills and going into debt because the payment processor can't contact them.

2. Users signing up for services struggle to re-use accounts. If the account is identified by email, as most are, figuring out the private email used when you signed up on your iPhone, when you later try to sign in on the web, basically impossible for your average user. Users end up with mulitple accounts, likely one on their real email anyway, and it's a support nightmare for both the user and the service provider.

Does this increase user privacy? Yes. Does it increase user control? Sure I guess. But it does so at the cost of basic UX and service expectations, and likely makes the overall experience and control worse for users in many cases.

So why is this change being made? My take is that it's so that it's easier for services to exclude Hide My Email sign-ups. That way the bad UX is gone, and the service provider looks like the bad guy rather than Apple.

Comment by vanchor3 5 hours ago

> Services those emails are used with cannot unilaterally send email to them. They must pre-register how they will send email to them, which breaks services with third-party relationships such as online retail with payment processors or shipping companies.

You're talking about "Sign in with Apple" email addresses here, not Hide My Email. Anyone can send to Hide My Email addresses.

Comment by pjc50 32 minutes ago

I appreciate this ends up as your problem when it shouldn't be, but it feels so self-inflicted; someone using a privacy email has declared they don't want to receive email, so they shouldn't be surprised when .. they don't receive a shipping notification email.

Comment by wpm 4 hours ago

If you have iCloud Keychain enabled you don't have to "remember" a sign-in at all. Flip a toggle, say "Yes" when Safari offers to remember the new password you generated for the fake email you generated in a drop down menu, and you're a FaceID/TouchID away from auth. My 80 year old uncle can manage this.

I have been a happy Hide My Email user for years. This is simply not a problem, and even for normies it's no more a problem than "can't remember password at all".

Comment by allthetime 3 hours ago

It’s a problem if you use non-Apple devices as well as Apple devices.

Comment by cavoirom 2 hours ago

For now I think Hide My Email is for power users! It's on the user side to manage their identities. My current workflow:

- Label Hide My Email with the service name I registered with it. Add number or nickname if I have multiple accounts on that service. - Add an email rules to move the email addressed to that Hide My Email addressuu to a separate inbox. - Use the same label in password manager, also save the email to the password manage entry.

Comment by 6 hours ago

Comment by jonotime 11 hours ago

Pro tip for doing something like this without apple. Buy or get a cheap domain name. Create a subdomain on it and have it catch and forward all messages to you when sent to that sub. For example:

nytimes@mailsub.example.com -> jono@gmail

anything-else@mailsub.example.com -> jono@gmail

You dont even need to materialize aliases at all.

Comment by shoo_pl 11 hours ago

The problem is if someone figures it out and starts sending you spam to {random}@domain.tld. That's when you will need to sit down and start creating actual aliases for all those used email addresses and stop the catch-all forwarding:)

Also, another downside is that you will loose privacy by using your own domain.

And the lack of privacy makes targeted scam/phishing more likely, and targeted scam is the one we are most susceptible to.

All in all, I am not saying this is bad idea, in fact I am doing it myself, just pointing out this is not so black and white.

Using iCloud solves those problems, but puts you at risk of getting your account banned and loosing access to those emails, so there is that.

Probably best way to deal with it is to get dedicated email domain with a bunch of your friends, and hook it up with something like SimpleLogin. But that's gets complicated quickly ;)

Comment by jonotime 11 hours ago

I have run this for years with very little problems. And I can honestly say that have not found anyone writing to addresses I did not give them at their domain. Simple as this is, it is way to niche for companies to figure it out and exploit it. And if that really was a problem I'd just create a new subdomain.

If you are worried about privacy, get a domain just for this. Use domain privacy and dont host other things there.

Yes, some sites whitelist domains or dont allow subdomains. For those I'll use another account - or a firefox alias or something. But 9 out of 10 work fine.

I am not a fan of alias services since materializing names takes discipline. How many do you make? Maybe there is a limit of 50. When do you share them across services? My guess is many people just create 2 or 3 aliases they use for everything - which defeats the purpose. Sure, it masks your personal address, but once one gets compromised, you find it basically served as your personal address anyway.

I also dont really keep track of most of the names I use. Since most are one time things that I would never use again, like to sign a waiver or something. But I mostly stick to '{domain}@' for the names. So my nytimes account would just be nytimes@, which is predictable when I need to recover it. I used to use addy.io for this, but it was not as good since it had account limits and I had to manually manage every alias. Much easier for me to just create a mail filter to sinkhole an old name. Of course I have never really needed to do this anyway.

Comment by pseudalopex 9 hours ago

> I have run this for years with very little problems. And I can honestly say that have not found anyone writing to addresses I did not give them at their domain. Simple as this is, it is way to niche for companies to figure it out and exploit it.

Someone I knew did this. Spammers used lists of common names.

Comment by cube00 11 hours ago

I've found using a subdomain helps with that, spammers will try everything@domain.tld but won't bother trying to brute force subdomains.

However be warned some surprisingly large websites don't support subdomains, for example eBay will silently send user@sub.domain.tld to user@domain.tld and you'll only figure it out by looking at your server logs for rejected mail.

In those cases I have to specifically alias that username@domain.tld to the subdomain.

With this new Apple privacy subdomain maybe eBay will finally fix this.

Comment by janc_ 6 hours ago

Why would anyone entrust money to a company like eBay if they are this incompetent at something as simple as e-mail?

Comment by int_19h 5 hours ago

Because the world runs on incompetence, so it's ultimately unavoidable (best case, you don't know that something important that you're relying on is run incompetently).

Comment by drnick1 9 hours ago

> Also, another downside is that you will loose privacy by using your own domain.

Not really no. You can absolutely create a domain using bogus WHOIS information. No one will bat an eyelid.

Comment by drdexebtjl 5 hours ago

WHOIS isn't a factor here. If an attacker knows or deduces that you're the only individual receiving mail at *@yourdomain.example [1], they can track you across different databases by just looking for your domain name.

The privacy preserving aspect of hide-my-email services is the fact that they have thousands of users using the same domain name.

[1]: This is trivial if you have a service's email database leak. You just find all domains that have exactly one user. If the service targets individuals (who would sign up with personal emails, not work emails) and is reasonably popular, you'll get a pretty good list of single-user domains.

Comment by driverdan 9 hours ago

> The problem is if someone figures it out and starts sending you spam to {random}@domain.tld.

It's a non-issue. I've been using a catch all domain for at least a decade. I get a small amount of spam to random made up emails but not enough to care about plus it all gets caught and filtered.

Comment by themafia 8 hours ago

The mechanism I use is ordered. All specific aliases are tried first and then it falls through to the catch-all forwarding rule.

So, it's a piece of cake to add "{random}@example.com" to the block list. Usually it's something like "msg-bestbuy@example.com".

Comment by switz 11 hours ago

I do this. The awkward thing is when I am in person or on the phone and have to explain that my customer email address is [their_business_name]@my_weird_domain.tld

But the people usually just nod along.

The other downside is that it's forward-in only, wish I could proxy responses without setting up a whole new inbox (and outbox).

Comment by cube00 11 hours ago

> The only awkward thing is when I am in person or on the phone and have to explain that my customer email address

I had one small business aggressively threaten me that they fully owned their business name and I wasn't allowed to use it in my email address.

My solution was to keep my wonderful aliases and dump them. If a business is concerned but nice about it I'll offer an alternative such as plumber@

> The other downside is that it's forward-in only, wish I could proxy responses without setting up a whole new inbox (and outbox).

If you have your own domain most mail providers don't care what username@ you use on your sent mail so you shouldn't need any additional mailboxes (especially if they already offer inbound catch all)

I also use the ReplayAsOriginalRecipientUp [1] extension in Thunderbird which takes the recipient address and puts it as the sender for ongoing communication.

[1]: https://addons.thunderbird.net/en-US/thunderbird/addon/reply...

Comment by Marsymars 10 hours ago

> I had one small business aggressively threaten me that they fully owned their business name and I wasn't allowed to use it in my email address.

I haven't had that, but before I switched to Hide My Email I've had many businesses ask if I was an employee of the business - many people don't intuit the difference between john@bank.com and bank@john.com.

Comment by kstrauser 11 hours ago

"Sorry for the misunderstanding. My new email is yourcompanysucksinmyopinion@example.com."

Comment by HackerNewt-doms 1 hour ago

[dead]

Comment by jonotime 10 hours ago

Just happened to me today! I was at the Verizon store and my address was verizon@... Sometimes it leads to confusion, but sometimes it leads to getting extra special treatment actually! They think I'm someone important.

Comment by chuckadams 11 hours ago

They act as if I discovered fire when I give them a plussed address.

Comment by snark42 11 hours ago

You can proxy responses with a ton of e-mail clients, even Gmail supports it once you verify you can get a message sent to that address.

Comment by shoo_pl 11 hours ago

Not really, this only works for other emails hosted by Gmail (including Workspaces) or if you supply SMPT that will send those emails. If you use simple email forwarding from your DNS provider, you don't have SMPT server to give to gmail:/

Comment by phi0 11 hours ago

Google will happily send from smtp.gmail.com, after verifying that you own that email. You won’t get DKIM, but Google’s reputation is enough to make the mail land in people’s inboxes.

Comment by SXX 11 hours ago

Its not the worst.

I was once on the phone with german insurance provider and they dictateted me email to send documents to: kundenbetreuung@passportcard.de

I dont speak German so it was both tough and funny EuroTrip-like moment.

Yes its really email they use.

Comment by airstrike 11 hours ago

sometimes I'm lazy and I just have it as spam@firstlast.com or noreply@firstlast.com and they get quite puzzled

Comment by Henchman21 11 hours ago

So I guess I'll take a moment and plug my email provider, Fastmail. Their integration with 1Password to enable creation of Masked Email at account creation time is really fantastic! I have several hundred of these at this point, it's made my digital life appreciably better.

But to the point of forward-in-only -- I use the fastmail web client and iOS client. Both of these respond using the Masked Email address if you choose to respond to an email. In fact I can choose any of my masked email addressed as I am composing mail to initial communication from that address.

In short, "it just works". I really can't say enough good things about Fastmail!

Comment by quinncom 11 hours ago

Gmail will block messages that fail SPF/DMARC alignment unless the forwarding mail server supports SRS.

Comment by jedberg 11 hours ago

I’ve been doing this for years. It works fine and it’s fun to see who is selling your email.

But keep good records!!

It gets really awkward when you’re trying to recover an account and can’t remember what custom email you used.

Comment by jonotime 10 hours ago

Yeah, I think I only record maybe 10% of them that actually have logins associated. For the others I just search through my email.

Comment by pimlottc 11 hours ago

SPF/DMARC/DKIM make this all a bit more complicated now. There are plenty of MTAs out there that will refuse to send you mail if it's not all correct.

Comment by drnick1 9 hours ago

This is absolutely not difficult to get right. Run OpenDKIM and OpenDMARC on your server along with your email stack (I use Postfix and Dovecot). Use a tool such as mail-tester.com to verify compliance.

Comment by fg137 11 hours ago

Doesn't work when some service providers only allow email addresses that are on a whitelist of domains. And I have run into more than a few.

Comment by LoganDark 11 hours ago

Services like DeepSeek have an email domain whitelist rather than blacklist. So creating your own domain just guarantees a lockout

Comment by drnick1 9 hours ago

That's nonsense. I have a DeepSeek account, of the form ai+deepseek@mydomain.com.

Comment by LoganDark 8 hours ago

DeepSeek didn't always have a whitelist. At some point they went crazy due to spam, started requiring Chinese phone numbers only, and then loosened it to an email domain whitelist. (IIRC)

If you try to sign up with a domain they don't support, they tell you something like "please use a popular email provider like gmail"

Comment by quotz 11 hours ago

I do something similar, use an open source service called addy.io, bought a domain but you can also use their domains too, and each website has a separate login i create through bitwarden with the addy integration.

Comment by joeyhage 11 hours ago

addy.io and proton pass are both great, affordable options. (Proton pass has a built in hide-my-email feature that supports custom domains)

Comment by quotz 11 hours ago

addy.io is also self-hostable

Comment by HackerNewt-doms 1 hour ago

[dead]

Comment by gxs 10 hours ago

iCloud itself does this for you if you bring your own domain fyi

Comment by mortenjorck 13 hours ago

> Long story short: now both Sign in with Apple and Hide My Email aliases are going to be issued on the @private.icloud.com subdomain. This makes it much easier to ban all aliases without affecting non-relay mailboxes on iCloud mail.

Could someone clarify why having Sign in with Apple and Hide My Email on the same domain would make a blanket ban easier rather than harder? What am I missing?

Comment by w10-1 13 hours ago

Before, the emails were "me@icloud.com", the default for all apple users. There was no way to distinguish normal emails from generated private emails.

Now, they will be "blah@private.icloud.com", so it will be easy to ban the generated/private email that reduces the ability to associate logins across services.

Unclear why Apple would shoot themselves in this way; I hope it's not Ternus complying with anti-privacy.

Comment by utilize1808 12 hours ago

maybe to avoid getting their legitimate email servers banned by other servers since they host (i.e. being exploited) a growing number of spam accounts.

Comment by int_19h 5 hours ago

For most online businesses, blocking Apple email servers sounds like a good way to kill off the portion of your customer base that has the most money to spend.

Comment by SXX 12 hours ago

You cant send mail from Hide My Email aliases. They are only work one way.

Comment by nielsbot 11 hours ago

You can send from Hide My Email addresses:

https://support.apple.com/guide/icloud/use-hide-my-email-in-...

I think I've also seen this in Mail.app but that's not shown on this page.

Comment by SXX 11 hours ago

Wow my bad I wasnt aware its possible. I remember someone in HN comments complaining about it being one way only back in 2024.

UPD: apperently this supposedly only work if someone message you first. So you still cant spam from aliases.

Comment by snowe2010 11 hours ago

But it’s not? Like if they block that subdomain, they will completely block Sign in with Apple.

Comment by pseudalopex 8 hours ago

Many web sites and apps do not use Sign in with Apple. And they could block the domain for account creation with email without blocking the domain for account creation with Sign in with Apple. This would not make sense unless Apple changed what personal information Sign in with Apple provided probably. But they could.

Comment by pokstad 11 hours ago

You can use Hide My Email independently from Sign in with Apple.

Comment by snowe2010 11 hours ago

I know that, but in doing so you prevent yourself from ever using Sign in with Apple

Comment by Grombobulous 7 hours ago

I think you as the user can use the aliases without Sign in with Apple though, right?

But otherwise, you're right, any website that wants to accept Sign in with Apple will almost certainly be agreeing to Apple's TOS for Sign in with Apple I presume will stop you from blocking this service.

Comment by valicord 3 hours ago

Why would they care about this?

Comment by mortenjorck 10 hours ago

I see – somehow the Apple UI for this gave me the mistaken impression that privaterelay.appleid.com was the domain used by the alias, but I see now that it was always just icloud.com.

Comment by reaperducer 12 hours ago

Now, they will be "blah@private.icloud.com"

I've been in the ecosystem long enough to have .iCloud.com, .me, .mobileme.com, iTunes.com, and probably one or two more addresses all assigned by various Apple services over the years before they started unifying the systems.

They all work, and independently of one another.

I wonder if all the domains will be migrated, and how namespace collisions will be handled.

Comment by SXX 11 hours ago

Apple stated legacy aliases will work as is:

> Existing addresses on the legacy domains will continue to work and forward mail to users without interruption.

Comment by 11 hours ago

Comment by gobip 12 hours ago

Apple was generating (something)@icloud.com whenever you used that service. Now, it will use (something)@private.icloud.com instead. So you can ban this subdomain instantly, knowing people will be "hiding" with this service by default.

It's like blocking anondaddy, simplelogin etc but not protonmail.

Comment by BoorishBears 13 hours ago

I guess their thought process is, both alias and non-alias accounts use @icloud.com

You were always able to reserve a normal icloud email address just like you would a GMail account, so banning all icloud email addresses would be banning non-alias Apple customers

That being said, I'm not convinced anyone who wanted to ban aliases couldn't have already. The alias emails look weird enough I'm guessing you could ban them with few false positives.

Comment by SXX 12 hours ago

> The alias emails look weird enough I'm guessing you could ban them with few false positives.

While this is true not all of them been weird. Some can be just word + number + word without dots or underscores.

Also blanket banning whole domains is just much easier and already done for temporary emails. No false positives.

Comment by BoorishBears 7 hours ago

The point of the article is previously banning Apple's temp domain would create many false positives (all the normal Apple registered emails that chose @icloud.com during setup)

Comment by outlore 8 hours ago

I highly recommend either SimpleLogin or Fastmail aliases. The latter are superior because they can be used to reply directly to any received email without needing to set up reverse aliases.

When you own your own domain, the switching cost between providers is small. You can make a dedicated domain just for aliases

Both SimpleLogin and Fastmail have excellent integration with password managers as well

Comment by frollogaston 11 hours ago

"Useless" is a leap. The kind of site that would block private relay emails is the kind that was already getting my burner anyway. The private relay is for sites I want to hear from, but also want a failsafe in case they're hacked later.

Comment by deepfriedbits 10 hours ago

Exactly. No reasonable business will ban emails from this subdomain.

Comment by throwuxiytayq 10 hours ago

Thankfully, we live in an unprecedented time of reasonable businesses lead by reasonable people. Close one. Nice save.

Comment by frollogaston 10 hours ago

The unreasonable ones get my burner, so whatever

Comment by k1next 12 hours ago

For me personally, Hide My Email is binding me to the Apple ecosystem more than iMessage (but I'm European).

Comment by Barbing 11 hours ago

It’s unsettling, you’re either an iCloud customer for life or hundreds of logins could break.

Comment by weberer 11 hours ago

Nothing breaks when you switch. You just can't create more private icloud addresses. I recently switched back to Android and can still use my old icloud logins.

Comment by Barbing 7 hours ago

Thanks, undocumented? Meanwhile reddit’s answer:

> In what universe if you stop paying for a service you can still access the resources of that service? Basic common knowledge.

But on MacRumors:

  “Update: So I let my iCloud+ account expire.

  When this happens you lose access to managing ALL your Hide My Email emails. Yet you can't even see what the Hide My Email addresses are any longer.

  But, people can still send emails to those emails. However, you apparently cannot reply to the emails with the Hide My Email address.

  This is troubling...”
https://forums.macrumors.com/threads/what-happens-to-hide-my...

Comment by SXX 11 hours ago

But what happen if you stop paying $1 / month?

Comment by KomoD 10 hours ago

If you cancel iCloud+, all the aliases remain active. As parent said, you just can't create more of them.

Comment by k1next 3 hours ago

And you'll still be able to receive email send to these aliases? Even on a free-tier iCloud account?

Comment by Marsymars 10 hours ago

Does it? I use Hide My Email largely without integration to the Apple ecosystem - I generate new emails on icloud.com and copy/paste them to login forms before saving to 1Password.

Comment by KomoD 10 hours ago

Same, Hide My Email is pretty much the only Apple service I use and the aliases are only for accounts I don't really care about.

I use this wonderful extension to make it easy to generate aliases https://chromewebstore.google.com/detail/icloud-hide-my-emai...

Comment by Grombobulous 7 hours ago

This is one reason I never used it, but another reason is that I never felt that the privacy benefits were worth the hassle of randomized emails.

If I need to make an account with someone I don't trust enough to hand my email over to, usually the right answer is to just not create an account with them.

I have also tried things like having email aliases but what ends up happening is now I have more email accounts aliases to maintain/think about. It's annoying.

I don't personally find the prospect of "receiving spam email" or "having my email account leaked in a hack" to be particularly threatening. Spam just goes to the spam box, it's usually not my problem.

And besides, my real email can get exposed by my own legitimate companies that really should have my real email getting hacked. See also: EquiFax.

Comment by Cider9986 12 hours ago

Determined sites could already easily do this. Just detect the patterns used. I agree it's a useless change though.

heave_balks_0g@icloud.com

It shouldn't matter for the sign in with apple because sites are already expressly supporting that.

Email aliasing is hard because you want privacy from a herd of users, but then you're locked into that ecosystem versus a domain you control has no herd, but the upside is no lock-in.

Comment by SXX 12 hours ago

Not all aliases it generated look like this, some look like these:

  viods01crew@icloud.com
  methyl.brick1h@icloud.com
In any case fact that some services banned alies is not the reason to make them completely useless instead of making them better.

Apple is one of few companies that ia able to push for this with market share.

Comment by tehwebguy 12 hours ago

> Determined sites could already easily do this

They already DO do it, I don't know how they're currently determining it

Comment by keane 12 hours ago

I think the NYT might be one detecting them which is funny because their editorial staff have promoted the use of aliases.

Comment by teekert 11 hours ago

I use Proton aliases everywhere...Well not everywhere, there are indeed quite some places that don't accept a passmail.net address... So I can imagine this becoming a useless feature, at least on some sites.

Btw I only use these aliases for sites where I don't mind loosing the login, otherwise it would the mother of all lock-ins... Would have been nice if I could opt for aliases on my own (secondary?) domain... At least then I could still move them (using wildcards or some exported list).

Comment by sxg 11 hours ago

You can create custom aliases on your own domain. I do this for every log in and am migrating old emails to my custom domain aliases.

Comment by trollbridge 11 hours ago

In the flip side, someone who blocks private.iCloud.com will block the ability to do SSO with Apple, thereby cutting themselves off from Apple’s ecosystem.

Comment by mdasen 11 hours ago

Not really. You could allow private.icloud.com only if they're using Apple's SSO. If someone tries to create an account not using Apple's SSO, then you don't allow private.icloud.com email addresses.

Comment by rogual 5 hours ago

I have a cron script which configures a today-only email address in Postfix.

Mail sent to t20260617@foon.uk will reach me, but only for today.

So, any time I'm giving away my email address against my will, which is most of the time, they get to spam me for exactly one day.

Comment by dostick 1 hour ago

How is that different from “privaterelay.apple” that has been used?

Comment by frollogaston 12 hours ago

Maybe they've started seeing sites ban @icloud.com addresses

Comment by jamesreadsnews 11 hours ago

I guess the new subdomain address implies a paid iCloud user, not a free mail freeloader, and that could be a positive thing.

Comment by msdz 11 hours ago

Which has more market pull: Some web site or Apple?

Comment by frollogaston 10 hours ago

iCloud email isn't very popular. I always have to spell it out verbally if someone asks, and sometimes they end up emailing @gmail.com anyway.

Comment by Barbing 11 hours ago

Almost surprised it lasted this long but quite disappointing

Comment by abujazar 11 hours ago

Almost all of my iCloud relayed addresses are already @privaterelay.appleid.com, and they've been working perfectly. So I don't expect this to change any time soon.

Comment by catgirlinspace 10 hours ago

That domain is only used for Sign in with Apple.

Comment by WesSouza 2 hours ago

It is limited to around 600 addresses, it’s already useless.

Comment by SXX 2 hours ago

Well, 600 is probably more websites than most people ever use in a decade.

Comment by nerdjon 13 hours ago

I would bet that doing so would be a pretty quick way to have your app pulled.

They already require that you use Sign in with Apple, I would think that it working fully is also a requirement?

Comment by nozzlegear 13 hours ago

You can use Hide My Email on any website though, whereas Sign In with Apple is limited to just those websites and apps that support it. Sign In with Apple isn't nearly as popular on the web, so it's a lot easier to just ban "@private.icloud.com" from your web service there.

Comment by layer8 13 hours ago

Hide My Email isn’t particularly related to apps. You can use it on any web form that asks for your email address, or as the sender of any email message you send using Apple Mail.

Comment by pseudalopex 9 hours ago

> They already require that you use Sign in with Apple, I would think that it working fully is also a requirement?

They require apps offer a service which meets their privacy requirements if they use any 3rd party or social login service.[1] And apps could block private.icloud.com for email and not Sign in with Apple.

[1] https://9to5mac.com/2024/01/27/sign-in-with-apple-rules-app-...

Comment by 12 hours ago

Comment by 12 hours ago

Comment by 13 hours ago

Comment by elcombato 12 hours ago

The rate limit seems to be 20/hour and not 30/hour as mentioned in the article.

Comment by SXX 12 hours ago

Just wait 20 minutes. I generated like 40 in under an hour. No idea what limits are though and how they refresh.

Comment by ahepp 11 hours ago

I got stopped after 5

Comment by nate 9 hours ago

I guess I'll go back to mailinator. That thing has 100s of aliases by the way for some that don't use that yet. Great service. Not guaranteed private really so don't depend on it for that. (Though if you use a strong has for a hash@mailinator.com address, is it pretty secure for "email purposes"?)

Comment by huey77 7 hours ago

This is a big downer for me, I have started using Hide My Email religiously.

Comment by KiDD 12 hours ago

I guess I don't understand the concern... what does it matter if a different domain is used for Sign in with Apple and Hide My Email?

Comment by 9dev 12 hours ago

Because many sites check the domain part of your email address against a blocklist, which contains entries like trashmail.com to prevent users from signing up with ad-hoc throwaway accounts. They don't want that, because they'd like to get a proper lead they can either track, sell, or reach out to.

Now Hide My Email allowed you to do just that: Create an account with an email that wasn't tied to your identity, and that you could just decommission if you didn't need it anymore. Sites had no way to detect these either, because all of the randomly generated addresses Apple provided you with just ended in @icloud.com, which is also used by tons of regular accounts - so if you blocked this domain, you'd invariably preclude millions of people from your service.

But by separating the domains, sites can simply add private.icloud.com to their trash mail blocklist, preventing the use of Hide My Email, while regular @iCloud.com addresses will continue to work. It makes the entire service useless at once.

Comment by snowe2010 11 hours ago

But that will completely break Sign in with Apple, which no service is ever going to do. I really don’t get the problem here.

Comment by 9dev 11 hours ago

A tiny, tiny fraction of sites and apps offer Sign in with Apple. Every single service with user accounts under the sun allows signing up with a Hide My Email address.

That random online shop you order something from once? The IT forum that only shows external links for signed-in users? The whacky new AI tool you want to try out? The startup "sign up for updates" newsletter box? None of these offer Sign in with Apple. For all of them Hide My Email avoids having to disclose your real email address. This is broken now.

Comment by LoganDark 11 hours ago

Most services would never support Sign in with Apple anyway. Honestly most services don't even support social sign-in at all

Comment by chatmasta 12 hours ago

Right now it’s the same @icloud.com domain as normal personal emails. Now all auto-generated emails will use a separate domain name, so sites can block emails with that domain, without worrying about blocking people’s main personal email.

Comment by twobitshifter 12 hours ago

Websites block certain throwaway email domains from signups. The concern is that this will happen with private.icloud.com

A good example of a throwaway email that is now useless because of these blocks is mailinator.com. Originally, you could just make up a random email on the spot like gregsrightfoot@mailinator.com, visit mailinator.com, and get the needed signup verification email. These services autodeleted messages and required no signup so they were a black hole for spam. However websites eventually got wise that their spam wasn’t being seen and started blocking the domain. Mailinator came up with alternative domains and there was a brief back and forth before the throwaway email domains all ended up being blocked.

Comment by 11 hours ago

Comment by 12 hours ago

Comment by stormed 10 hours ago

I wonder if the existing hidden emails I already have in iCloud will be changed over too. If that's not the case, I'm just going to use one of the 50 throwaway addresses I already have.

Comment by pseudalopex 9 hours ago

The announcement the article linked said Existing addresses on the legacy domains will continue to work and forward mail to users without interruption.

Comment by stormed 8 hours ago

Guess I missed that part, my mistake

Comment by 11 hours ago

Comment by ziml77 9 hours ago

Fastmail still generates theirs with @fastmail.com. And 1Password has an integration with them to quickly generate an address when creating a new account somewhere.

Comment by getcrunk 12 hours ago

Okay but banning private relay emails would also mean your site is blocking Apple sign in?

Comment by 9dev 12 hours ago

That was always opt-in from the sites, and many never bothered - me included, because I refuse to pay Apple $99 per year for the privilege to offer easier authentication to their users.

Comment by wxw 12 hours ago

I pay for Fastmail just for masked email and its integration with 1Password.

Comment by darknoon 11 hours ago

I frequently run into scenarios where it won't let me generate the email within 1password on a website, and I have to go to Fastmail and then manually do it. Is this something you have bene able to work around?

Comment by mthoms 11 hours ago

Same problem here.

I sure wish 1Password + Fastmail would let you generate them within the 1Password app without requiring a browser sign-up page in the middle.

Comment by 12 hours ago

Comment by smth-smth-ai 11 hours ago

simplelogin from Proton works great, can recommend; for Uber I generate uber.random-word@simplelogin.com, for Slack slack.random-word etc to easily see who leaked my email

Comment by sharts 6 hours ago

Just use fastmail

Comment by vslira 12 hours ago

Where do I sign to show my opposition to this change? Hide My Email has been essential to keep my digital life protected from abusive mail lists and frankly one of the features that make me associate icloud with a premium service

Comment by kylehotchkiss 12 hours ago

Did Hide My Email addresses cause problems for deliverability for actual emails/users on iCloud?

Comment by righthand 12 hours ago

Emailfake.com

Fastmail also has wonderful random email functionality you can link up to your Bitwarden client or use the Fastmail API.

Comment by Mindwipe 11 hours ago

Urgh, that's a huge downgrade. What a shame.

Comment by risyachka 12 hours ago

Shameless plug - I created a chrome extension that allows to create unique email addresses that forward to your real inbox. It uses Cloudflare email routing, simplifies creating/labeling of new addresses and keeping track of them. Always 1 click away.

The addresses are pre-allocated and recycled when deleted so creating a new one is faster that with Apple's hide my mail.

https://github.com/webmonch/hide-my-mail-cloudflare

Comment by SXX 12 hours ago

With cloudflare you can also just setup catch-all and be done wirh it.

I personally doing catch-all already, but problem is that using your own domain for website registration basically gives everyone unique id to eaaily connect all the information that ever been leaked for your accounts and something always gets leaked.

Not a very good idea for privacy.

Comment by kevin_thibedeau 3 hours ago

Spammers aren't going to make that connection. Your custom domain will be like any other corporate entity as far as their scripts are concerned.

Comment by risyachka 12 hours ago

The biggest upside for me of having separate labelled mailboxes is I can use one, delete it later and never receive mail from it again.

Comment by SXX 12 hours ago

My email addresses been public for years and spam was never a big issue.

But yeah it mostly opposite problem I would say - spam filters eat usefull stuff sometimes. Just today I found one more job related email in spam, but its from public mailbox damn.

Privacy is kind a bigger issue and having aliases on icloud is just much more convinient than having 10 accounts.

Comment by mixdup 11 hours ago

with something like cloudflare forwarding you can black-hole an address if it becomes a problem

Comment by Terretta 11 hours ago

Pretty good way to harvest magic links and email codes!

Comment by rafram 12 hours ago

Doesn't owning the domain kind of defeat the point?

Comment by drnick1 11 hours ago

Not really, at least if you register the domain anonymously. You get unlimited emails, and I assign one to each website or registration.

Comment by doctorpangloss 12 hours ago

email isn't really a decentralized system at all. Google, Microsoft and Amazon own e-mail delivery. Perhaps Google ads customers complained that they could not correlated private @icloud addresses, and we are now witnessing the consequences. What Apple got in exchange from Google, I don't know, I'm sure it is related to their Siri deal.

Comment by rafram 12 hours ago

[citation badly needed]

Comment by SXX 12 hours ago

Come on. Most likely this is just a result of some manager pushing for "improvement": "Why we have two different privacy email alias systems? Lets make unified one, save on maintenace and I get promotion".

And might be there just no one remain as owner of feature to explain them why its bad idea.

Comment by Razengan 12 hours ago

Oh fuck. I love Hide My Email and it's been the best feature about iCloud ever since it came out.

It's actually useful compared to Gmail's useless "yourrealaddress+alais" that gives away your actual email anyway, and it helped me catch quite a few spammers/data sellers.

Hide My Email addresses already have a peculiar format that others could guess, and some do block those, and there's no reason to add a blatant "private." tag.

This is a win for privacy-intruders, not users, just like Apple's iCloud Keychain API that has allowed Facebook, TikTok etc. to secretly track users across multiple devices and device reinstalls for years.

Comment by jjice 12 hours ago

FWIW it's not a gmail thing for privacy, but rather just part of the email spec. RFC 5233 talks about it.

https://www.rfc-editor.org/info/rfc5233/

Comment by technothrasher 12 hours ago

It all dates back to the Andrew Messaging System at CMU, developed in the 1980's. Originally the format was "<username>+<keyword>+<args>@example.net" where the mail server would interpret the keyword and arguments to route the message in whatever unique way that keyword would dictate (e.g. bob+dist+~/mailinglist@example.net would read the file mailinglist in Bob's home directory and deliver the email to addresses listed in it). If the keyword was not recognized, it would just deliver normally. So bob@example.net and bob+alias@example.net were equivalent, and could be used to filter after the fact if desired.

Comment by rafram 5 hours ago

> bob+dist+~/mailinglist@example.net would read the file mailinglist in Bob's home directory and deliver the email to addresses listed in it

The days before security sure were quaint!

Comment by 9dev 12 hours ago

Did the RFC editor get a makeover recently? It looks familiar, but also kinda… polished. Neat.

Comment by autoexec 10 hours ago

When looking at a document I think it's all distracting/annoying. I still prefer plain text https://www.rfc-editor.org/rfc/rfc5233.txt

Comment by 11 hours ago

Comment by nate 9 hours ago

[flagged]

Comment by nozzlegear 9 hours ago

My dog thinks it's because we're running low on milkbones, but my cats aren't convinced.

Comment by nate 8 hours ago

ah. techcrunch must have alluded to you not having milkbones

https://techcrunch.com/2026/06/16/apple-plans-to-change-its-...

Comment by pseudalopex 7 hours ago

The TechCrunch article said Apple turned over the real account information. And the older article said this was in response to a request. Not a warrant. Hide My Email hid nothing from the Trump administration in this case.