Apple's Hide My Email Addresses Just Became Identifiable

Any developer can now reject a Hide My Email signup with a single regex check: /@private\.icloud\.com$/. That was not true before June 16, 2026. Apple announced that day—via a quiet developer notification—that all Hide My Email addresses are moving from @privaterelay.appleid.com to @private.icloud.com. The change arrives "in the coming weeks." The consequences are immediate and significant for the roughly 900 million iCloud users who rely on the feature.

Key Takeaways

• Apple announced on June 16, 2026 that Hide My Email is moving to the @private.icloud.com domain, away from @privaterelay.appleid.com.
• The old domain was indistinguishable from a standard Apple ID—the new domain is an unambiguous signal that the address is a privacy alias.
• Any service can now detect and block Hide My Email signups with a single domain suffix check, defeating the feature's original privacy guarantee.
• Earlier in 2026, Apple complied with an FBI warrant and unmasked a user behind a Hide My Email address, revealing 134 additional alias accounts.
• Services like SimpleLogin, addy.io, Firefox Relay, and Proton Pass do not use a detectable dedicated domain and remain viable alternatives.

What Is Apple's Hide My Email?

Hide My Email is an iCloud+ feature that generates random email aliases—addresses like quiet.maple.3r7@privaterelay.appleid.com—which forward messages to your real inbox. You share the alias with a website or app instead of your real address. If the company sells it or spams you, you delete the alias. Your real email stays private.

Apple launched the feature in 2021 alongside Sign in with Apple, which already used the same relay mechanism. The combined system was positioned as a serious privacy tool—not just spam protection but genuine identity shielding. The @privaterelay.appleid.com domain was a key part of that promise: it looked like any other Apple ID, so no service could tell at a glance whether you were using an alias.

What Changed on June 16, 2026?

Apple notified developers that it is consolidating two services under one domain. Hide My Email addresses (previously on @privaterelay.appleid.com and, for some older accounts, @icloud.com) and Sign in with Apple relay addresses will all migrate to @private.icloud.com. Existing aliases will keep working—Apple says forwarding continues without interruption. No new addresses will be issued on the old domains.

Apple offered no explanation for the consolidation. The developer notice focused on the operational requirement: teams should add @private.icloud.com to their email allowlists alongside the existing relay domains. The privacy implications of the change went unmentioned.

Reaction in the developer community was sharp. MacRumors reported that the new domain makes it straightforward for platforms to detect and block iCloud aliases—a consequence Apple did not address publicly.

Why Does the Domain Change Matter?

Before this change, @privaterelay.appleid.com was used exclusively by Apple relay services—but it shared enough visual and structural similarity with ordinary @appleid.com addresses that blocking it cleanly required Apple-specific knowledge. Many services simply allowed it. The new @private.icloud.com subdomain is different. It is an obvious, unambiguous label. Any developer can check for it in one line. Any marketing platform can add it to a block list in seconds. Any signup form can reject it before the account is created.

The technical implication for developers is equally direct. A simple regex like /@private\.icloud\.com$/ or a DNS suffix check is all it takes to identify every Hide My Email address submitted to a form. Services that previously tolerated aliases because they couldn't reliably detect them now have a trivial detection method.

There is also a retroactive dimension. If a service collected and stored the email domain at signup—standard practice in most user databases—it can now run a query against its existing records and flag every account that signed up with a Hide My Email address. Users who relied on the alias for pseudonymous access may find those accounts suddenly identifiable as privacy conscious users, or blocked outright.

The Bigger Picture: Two Blows in One Year

The domain change does not arrive in isolation. Earlier in 2026, Apple's Hide My Email gave the FBI a user's real identity—plus a list of 134 additional alias accounts that user had created. A threatening email sent from a Hide My Email alias led to a warrant. Apple complied, linking the alias to the user's real Apple ID and handing over the full account record.

That case established that Apple's relay service is not anonymous to law enforcement. This domain change establishes that it is no longer opaque to ordinary websites either. Together, the two events paint a consistent picture: Hide My Email was always a spam filter, not an identity shield. Apple marketed it with privacy language, but the architecture never delivered anonymity—it delivered plausible deniability, and now even that is weaker.

The contrarian read on coverage of this story is worth stating plainly: most reactions focus on whether Apple should have done this. The more important question is why so many users believed Hide My Email offered stronger protection than it did. The feature never obscured your IP address, your device fingerprint, or your behavior. It only hid your email address. And now it does that less effectively.

What Hide My Email Still Doesn't Protect Against

Even before the domain change, Hide My Email had a meaningful gap that almost no coverage mentioned: tracking pixels. When a marketing email arrives at your Hide My Email alias, the relay forwards the full message—HTML, images, and all—to your real inbox. When your email client renders that message, any tracking pixel fires from your real IP address, at the moment you open the email, on your real device. The alias was never in the picture at that point.

This is the difference between hiding your address at signup and hiding your behavior while reading. Hide My Email handles the former. It never handled the latter. Gblock blocks tracking pixels in Gmail, which means that even when the relay forwards a tracked message to your real inbox, the pixel never fires. For a complete picture of how to block email tracking in Gmail, address hiding and pixel blocking address two separate layers of the problem.

The same principle applies to click tracking in email links. Hide My Email does nothing to anonymize the links you click inside a forwarded message—those tracked redirects still log your IP and timestamp when you follow them.

Alternatives to Apple's Hide My Email

Several services provide email alias functionality without using a single detectable domain. None of the following assign aliases from a subdomain that unambiguously labels the address as a privacy alias:

• SimpleLogin — Open source, now part of Proton, based in Switzerland. Aliases use shared domains like simplelogin.com or your own custom domain. Unlimited aliases on paid plans ($4/month, or free with a Proton Unlimited subscription). Supports PGP encryption and WebAuthn.
• addy.io (formerly AnonAddy) — Open source, UK based. Free tier includes unlimited aliases on shared domains. Paid plans start at $1/month. Custom domain support. PGP encryption available on all plans.
• Firefox Relay — Mozilla's alias service, US based. Free tier includes 5 aliases; Premium ($3.99/month) adds unlimited aliases and a custom subdomain. Simpler than SimpleLogin or addy.io but more limited on custom domain options.
• Proton Pass — Proton's password manager includes built-in alias generation powered by SimpleLogin. Available in the free tier with a limit; unlimited with a paid Proton account.

None of these services operate a relay under a domain name that signals "this is a privacy alias" in the way @private.icloud.com now does. They are not immune to blocking—a determined service can block any alias pattern it recognizes—but they do not hand websites a ready made detection string out of the box.

What Should You Do Now?

Existing Hide My Email addresses will keep forwarding. Apple has confirmed backward compatibility. If you use the feature only for spam filtering—where you want the option to delete an alias if a company misuses it—the change may not affect you much in practice until services start enforcing blocks.

If you used Hide My Email with the expectation of pseudonymity—signing up for services under a name that could not be linked to your real identity—the feature no longer reliably delivers that. Consider migrating sensitive accounts to an alias from SimpleLogin or addy.io using a custom domain, which gives no domain signal at all.

For services where you have already signed up with a @privaterelay.appleid.com address, those old aliases remain on the old domain and will not suddenly read as @private.icloud.com. New aliases issued after the migration will be on the new domain. The risk window is highest for new signups made after the rollout completes.