An Ode to Apple's Hide My Email

April 10, 2022: Check out the discussion on Hacker News

Last summer, Apple announced that as part of their iCloud+ service expansion, a new feature named Hide My Email was launching. The feature received little fanfare and was mainly swept up in the plethora of other news from WWDC. After using it for nearly a year, I think we’ve done it a bit of a disservice.

Hide My Email is a simple feature that creates randomly generated email addresses on-the-fly. Since the system-wide inclusion of the feature last fall, I’ve come to love it. Here are a few of the main reasons why:

1. Clean Forwarding - Unlike other services, such as FastMail Masked Email, Hide My Email forwards to your chosen address, regardless of who hosts it. You can use Hide My Email with Gmail, Outlook, iCloud, or any other email provider.
2. Privacy First- If you’re using one primary email across all of your online accounts, there’s a common dimension for marketers to correlate your identity. Most websites we sign up for don’t need our “real” email anyway. Reducing this dimension adds one more layer of abstraction between us and the persistent threat of data brokers.
3. System-Wide Integration - Hide My Email is integrated across iOS, iPadOS, and macOS through Safari. If you want to create a new random email, click on a field expecting an email address, and Safari will suggest you use the feature. It’s as easy as auto-filling your primary email. If you use another browser or a Windows PC, you can create a new address through iCloud.com or the iCloud control panel. It will even remember the unique email used for each subsequent visit.
4. Seamless Reply - The service creates a proxied return address, allowing you to reply to an email directly while remaining concealed behind the unique, random address. This works regardless of client or email service.
5. Tracking the Trackers - If you’re creating unique addresses for each newsletter or site you sign up for, it becomes trivial to track when one site sells (or leaks) your email to a spammer.
6. Security Through Obscurity - Similar to the practice of creating a unique password for each site you log into, creating a unique email adds yet another layer of security. Potential hackers must guess your password and must also guess your email.
7. Cut and Release - Finally, if a service leaks your email or doesn’t have a functioning unsubscribe button on their marketing blasts, you can delete the unique address and move on.

It’s inventible - the more time spent online, the higher the likelihood that your inbox fills to the brim with unwanted messages from spammers and marketers. Any step I can take to prolong the useful life of my email address is a massive win in my book. Couple this with the privacy benefits, the system-wide integration, and that the service is included in any iCloud storage plan, and I’m sold. I’ve found myself changing the email on sites I won’t trust with my email and swapping out nearly all of my newsletter subscriptions with unique addresses.

It’s important to note that you shouldn’t use Hide My Email for everything. For example, you probably don’t want to use a random address for critical services such as online banking. If you trust the bank with your money, you can probably trust them with your email. I’d also think through those sites that may use your email to help others find you, such as social media accounts. If you’d like your contacts to find you automatically, you’ll need to use an email they know of.

I’m a huge fan of the service and think the practice of a unique email per site is nearly as essential as using a unique password. When it’s this easy, you have no excuse. Finally, if you think emails don’t leak, or it’s not a security risk to use the same email everywhere, I’d suggest checking out Have I Been Pwnd.