Apple announced this week that Hide My Email and Sign in with Apple are moving to a new shared domain: @private.icloud.com. The company called it consolidation. The privacy community called it something else. The practical effect is that any service can now block every Apple email alias with a single domain entry — and that is exactly the power Apple’s design was built to deny them.
Why the Old Setup Was Clever
Hide My Email currently generates relay addresses on @icloud.com — the same domain used by Apple’s billion-plus real iCloud accounts. A service trying to block Hide My Email aliases faces an impossible choice: block @icloud.com and lose access to a huge share of its potential users, or leave it alone. Apple users got effective privacy because their aliases were hidden inside a much larger crowd.
Sign in with Apple took the other approach. Its relay addresses used @privaterelay.appleid.com — a distinct domain, easily identified, and already blocked by more than a few services. Developers who implement Sign in with Apple know this friction. It is a solvable problem, but it is a real one.
What’s Changing This Summer
Starting later this summer, Apple will issue all new Hide My Email and Sign in with Apple addresses on @private.icloud.com. Existing addresses stay active — your @icloud.com aliases will continue to work, and so will your old @privaterelay.appleid.com addresses. The backward compatibility is clean.
The problem is everything that gets created going forward. Once @private.icloud.com becomes the address users hand to websites, the feature loses the camouflage. It becomes another relay domain, identifiable by anyone who bothers to check.
The Blocking Problem
There is an entire industry built around detecting disposable or relay email addresses. Services like Kickbox, ZeroBounce, and MillionVerifier maintain databases of relay domains and flag signups that use them. Finance platforms, healthcare portals, and gaming services routinely reject these addresses to prevent fraud or enforce single-account rules.
Apple’s competitors in the alias space — Firefox Relay (@mozmail.com), DuckDuckGo Email Protection (@duck.com) — already deal with this. Those services get blocked at many sites. Apple was better because it used @icloud.com. That advantage disappears this summer.
What Developers Need to Do Now
If you have Sign in with Apple in your app or website, update your email validation logic and allow-lists immediately. Apple’s official announcement is explicit: you must accept addresses on @private.icloud.com in addition to privaterelay.appleid.com and icloud.com. If you use a third-party email validation API — Kickbox, MillionVerifier, or similar — add an explicit exception for private.icloud.com before your provider adds it to their blocklist. Your Sign in with Apple users will otherwise start failing your signup flows silently.
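One way to structure that exception, as an added example rather than code from Apple or any validation vendor: the Apple domains are matched exactly and checked before the blocklist verdict, so a provider adding private.icloud.com later cannot break signups. The function names and the `provider_blocklist` set (standing in for a third-party provider's verdict) are hypothetical, and the blocklist entries are constructed.

```python
# Added example. Names are hypothetical; blocklist contents are constructed.
APPLE_RELAY_DOMAINS = frozenset({"private.icloud.com", "privaterelay.appleid.com"})
APPLE_DOMAINS = APPLE_RELAY_DOMAINS | {"icloud.com"}


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or "." not in domain:
        return None
    return domain


def accept_signup(address, provider_blocklist):
    """Return (accepted, reason) for a signup address.

    The Apple allow-list is consulted first and uses exact matching, so a
    look-alike such as private.icloud.com.evil.example is not exempted.
    """
    domain = domain_of(address)
    if domain is None:
        return (False, "malformed")
    if domain in APPLE_DOMAINS:
        return (True, "apple-allowlist")
    # Everything else gets the provider verdict, matching the domain itself
    # and each parent domain (but never the bare TLD).
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in provider_blocklist:
            return (False, "blocklisted")
    return (True, "default")


if __name__ == "__main__":
    # Constructed blocklist simulating a provider that has started flagging
    # the new Apple domain alongside other relay domains.
    blocklist = {"private.icloud.com", "relay.example"}
    for addr in ("abc123@private.icloud.com",
                 "old@privaterelay.appleid.com",
                 "x@private.icloud.com.evil.example",
                 "y@mail.relay.example"):
        print(addr, accept_signup(addr, blocklist))
```

Keeping a test like the first case in your signup test suite catches the regression the moment a provider's list changes.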
What Users Can Do Right Now
If you rely on Hide My Email, generate additional aliases while the @icloud.com domain is still in use. The rate limit is approximately 30 per hour, with a 750-alias cap per account. Aliases you create now will preserve the privacy advantage for those specific services indefinitely.
For new signups after the transition, consider a service with custom domain support. SimpleLogin (owned by Proton) and addy.io both let you use your own domain as the alias root, making per-domain blocking far harder. The original analysis by Arseniy Shestakov that surfaced this issue is worth reading in full.
The Bigger Picture
Apple did not announce this as a privacy reduction. They framed it as infrastructure simplification, and on a technical level that is accurate — one domain is cleaner than two. But the privacy implication was not mentioned, and the community had to surface it. That gap matters. Hide My Email was one of the most thoughtfully designed consumer privacy features in recent memory, and the design choice that made it work — obscuring relay addresses inside a real email domain — is the thing being removed.
The feature is not dead. Existing aliases keep working. But the protection new aliases provide this summer is materially different from what came before. That is worth knowing before it happens.













