Shestakov argues that the entire point of Hide My Email was the ability to silently forward aliases to any inbox you actually read — Gmail, a custom domain, whatever. By restricting forwarding to iCloud Mail, Apple turns a genuine privacy primitive into a thinly-veiled funnel toward its own mail stack, leaving long-time Apple ID users who set up forwarding to non-iCloud addresses years ago effectively stranded.
The editorial frames Hide My Email as the single most successful privacy primitive Apple shipped to non-technical users, and credits that success entirely to its refusal to lock users into iCloud Mail. A Gmail user being able to hand `random@icloud.com` to a sketchy SaaS and have it land in Gmail is the whole product — strip that out and there's nothing left worth defending.
Rather than debating whether the change is bad, the top of the HN thread is busy swapping migration plans. SimpleLogin, AnonAddy/addy.io, Fastmail's masked email, and Proton's hide-my-email aliases all get name-checked within the first twenty replies as drop-in replacements that preserve the inbox-agnostic forwarding model Apple is abandoning.
Arseniy Shestakov's post — currently sitting at 470 on Hacker News — argues that Apple's pending changes to Hide My Email gut the feature's actual value proposition. The mechanic that made Hide My Email useful was never the `xyz-abc@icloud.com` alias; it was the ability to silently point that alias at whatever inbox you actually read. Strip that out and you're left with a free iCloud forwarder that only forwards to iCloud — which is to say, a regular iCloud address with extra steps.
The specific change at issue: Apple is tightening the forwarding destination so Hide My Email aliases route into your iCloud inbox by default, with the previous "forward to any verified address" option being phased down. For users who set up Apple ID years ago with a Gmail or custom-domain address as the forwarding target — which, based on the HN thread, is a sizable chunk of the comment section — the feature stops being a privacy tool and starts being a nag screen pushing them toward iCloud Mail.
The HN reaction is unusually consistent for a 470-point Apple thread. The top comments aren't arguing about whether the change is bad; they're swapping migration plans. SimpleLogin, AnonAddy/addy.io, Fastmail's masked email, and Proton's hide-my-email-style aliases all get name-checked within the first twenty replies.
The interesting part isn't that Apple is doing something user-hostile. The interesting part is that Hide My Email was, for three years, the single most successful privacy primitive Apple ever shipped to non-technical users — and it worked precisely because it didn't lock you into Apple's mail stack. A Gmail user could sign in to a sketchy SaaS with `random@icloud.com`, have it forward to Gmail, and never give the SaaS their real address. That's the entire product.
Compare the alternatives. SimpleLogin (acquired by Proton in 2022) gives you the same primitive with reply support, custom domains, and PGP — but you have to know it exists. addy.io (formerly AnonAddy) is the open-source pick, runs on your own domain if you want, and has a CLI. Fastmail's masked email is the most polished, ships with 1Password integration, and costs nothing extra if you already pay for Fastmail. None of these have Apple's distribution. Hide My Email was checked by default in every Sign in with Apple flow on every iPhone — that's roughly 1.4 billion default-on installs of a privacy alias system, and Apple is about to neuter it.
There's a credible read where this is just Apple doing what Apple does: collapse a feature into the subscription it's trying to sell. iCloud+ at $0.99/month is the obvious upsell target, and any user who currently routes Hide My Email to Gmail is, from Apple's perspective, a customer who's using the privacy brand without paying for the mail product. The counter-read — and the one Shestakov leans into — is that this breaks the implicit contract. Users adopted Hide My Email because the forwarding target was theirs to choose. Take that away and the alias is just a tracking ID Apple controls, pointing at an inbox Apple controls.
The broader pattern is worth naming. Sign in with Apple shipped in 2019 with a remarkably clean privacy story: the relying party gets a per-app email alias and nothing else, and you can revoke it anytime. Every quiet downgrade since — the slow erosion of "two-factor without a phone number," the friction around exporting Apple ID data, now the forwarding restriction — chips at the credibility of using Apple as your identity provider for anything you don't want to migrate later. If you're an engineer evaluating Sign in with Apple for a B2C product right now, the calculus shifted this week.
If you use Hide My Email personally and the forwarding target is anything other than `@icloud.com`, audit your aliases now. The high-value ones — bank, broker, primary social — should be migrated to an aliasing service you actually control before Apple's change ships, because the migration path post-change is going to involve manually updating every account that currently has your `@icloud.com` alias on file. Fastmail masked email or addy.io with a domain you own are the two options that survive a future Apple policy change, because the forwarding rules live on infrastructure you can pay for in cash and move.
If you're a developer who ships Sign in with Apple as an auth option, this is a good moment to look at your churn data on those accounts. The users most likely to be affected — Gmail-primary users who chose SiwA for the privacy alias — are also the users most likely to silently abandon an account when their alias starts behaving weirdly. Make sure your account-recovery flow doesn't assume the email on file is still receiving mail, and consider surfacing an "update email" prompt to SiwA users in the next release cycle.
For the indie/SaaS crowd that built around Hide My Email aliases as a free privacy story for end users: that pitch needs a rewrite. The honest version is now "use Sign in with Apple if you're already in the Apple ecosystem; use Fastmail masked email or addy.io if you're not." That's a fine pitch — it's just not the one Apple was selling for you.
The broader question is whether any platform-owned privacy primitive is durable. Hide My Email had three good years. Sign in with Apple has had seven. The pattern with platform-owned identity is that the privacy story is great at launch, erodes during the consolidation phase, and ends up as a funnel into the platform's paid stack. The defensible move for engineers who care about this is the boring one: own the domain, own the forwarding rules, and treat any platform-provided alias as a convenience that can be revoked by someone else's product manager on someone else's roadmap.
> If you use iCloud+ and Hide My Email, there is still time to generate more aliases on @icloud.com as the change has not yet landed and the rate limit for creating aliases is at least 30 per hour.Part of the reason to use Hide My Email was that it made keeping myself private hassle-free. Making
Hide My Email is fundamentally broken in two major ways:1. Services those emails are used with cannot unilaterally send email to them. They must pre-register how they will send email to them, which breaks services with third-party relationships such as online retail with payment processors or shippi
Pro tip for doing something like this without apple. Buy or get a cheap domain name. Create a subdomain on it and have it catch and forward all messages to you when sent to that sub. For example:nytimes@mailsub.example.com -> jono@gmailanything-else@mailsub.example.com -> jono@gmailYou dont ev
> Long story short: now both Sign in with Apple and Hide My Email aliases are going to be issued on the @private.icloud.com subdomain. This makes it much easier to ban all aliases without affecting non-relay mailboxes on iCloud mail.Could someone clarify why having Sign in with Apple and Hide My
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
If your website will block me out because I used a privacy friendly email, I want nothing to do with your website.