Apple one time email addresses

At WWDC 2019 Apple announced “Sign in with Apple.” This is a service that allows iOS users to log into different applications with private, dedicated email address. When developers send mail to that address, Apple will forward it to the email address associated with the users AppleID. App developers that offer any third party log in will be required to also offer AppleID log in.


icon of a padlock with an at sign on it

Apple has set up a private email relay service for this program. Program users must register their sending email domain and addresses and publish SPF records for that domain.


In order to send email messages through the relay service to the users’ personal inboxes, you will need to register your outbound email domains. All registered domains must create Sender Policy Framework (SPF) DNS TXT records in order to transit Apple’s private mail relay. You can register up to 10 domains and communication emails. Configure Private Relay

Not only are Apple protecting their user’s email addresses, but they’re also denying access to anyone who is not preregistered. This means any stolen apple addresses are likely to be invalid after they’re stolen from the initial sender.

I do have to wonder what deliverability will be like. This is just a forwarding service so there are questions about how this will affect marketers.

  1. When registering addresses, do you need to register the 5321.from, 5322.from or both?
  2. Will the relay server rewrite the 5321.from?
  3. If the relay server rewrites the 5321.from, how will that interact with companies using only SPF authentication for DMARC?
  4. If the relay server doesn’t rewrite the 5321.from, how will that interact with companies who use only SPF authentication for DMARC?
  5. Will the relay server make any changes that break DKIM?
  6. When forwarding to domains that have DKIM based FBLs will FBL mails reveal the recipient address to the marketer?
  7. What happens to mail coming from an unregistered email address?
  8. How do users unsubscribe from emails? Will Apple include the private email address in emails?
  9. How is Apple going to maintain the reputation of their relay IP addresses?

I’ve got mail into Apple asking if they’ll answer some technical questions about this. We’ll see if they answer.

ESPs are failing recipients
Their network, their rules

Related Posts

Hitting the ground running

We’ve landed in Dublin and are back at work. Blogging will pick up as I get back into the swing of things.

Read More

Don't bother unsubscribing

In the early years of the spam problem, a common piece of advice was to never unsubscribe. At the time, this made a lot of sense. Multiple anti-spammers documented spammers harvesting addresses from unsubscribe forms. This activity tapered off around 2000 or so, although the myth persisted for much longer.

These days, there isn’t much harm in unsubscribing. I even spent a full month unsubscribing from spam at one of my dormant accounts (Yes, spam is still a problem). While the graph shows an initial increase in spam, levels dropped for the next few months. By the time I cancelled the account in 2017, spam levels were at very low. I don’t know if the decrease was due to the unsubscribing or if there were improvements in the filtering appliance the ISP used.
More recently the biggest problem is senders that don’t honor unsubscribes. There are a lot of reasons this can happen and they’re not all malicious. Still, too many companies don’t care enough to actually make sure their unsubscribe process is working. I’ve had way too many companies “lose” unsubscribe requests, sometimes years after I asked them to stop. I expect many of these cases are accidents. They switch ESPs and decide or forget or otherwise fail to transfer unsubscribes to the new ESP. But, in other cases, there doesn’t seem to be any ESP change. It appears the companies think that they can reactivate unsubscribes at some point (pro tip: there is no expiration on legally required unsubscribe requests).
All of this leads to my current recommendation: yeah, unsub if you feel like it, it’s unlikely to hurt, and it’s possible it will help. But, don’t expect them to actually work permanently. Companies just don’t care enough to make them permanent.
 
 

Read More

Collecting email addresses

One of the primary ways to collect email addresses is from website visitors, and it’s actually a pretty good way to collect addresses. One of the more popular, and effective, techniques is through a pop-up window, asking for an address. Users need to provide an address or click a “no thanks” link or close the window. I’ve noticed, though, that many companies drop something passive aggressive in their “no thanks” button. “No, thanks, I don’t want to save money.” “I don’t need workout advice.”

Read More