
read receipts
The spam in your inbox knows who snitched. You just have to ask it the right way.
Apple's Hide My Email hides your address. A unique alias does something better: it names the company that sold you out.
I once got a junk email addressed to a name no human had ever called me: chairs-direct@. I'd invented that alias the year before, used it on exactly one furniture site, and never typed it again. So when garbage started landing on it, there was no mystery, no shrug, no "how did they get my address?" The furniture company got my address because I gave it to them. And then somebody else got it from there.
That's the whole pitch for per-signup aliases, and it's the one thing nobody mentions when they tell you to just turn on Apple's Hide My Email.
Hide My Email is genuinely useful. It generates a random relay like [email protected], forwards mail to your real inbox, and lets you kill the relay later. Apple's own docs are upfront that the point is to keep your real address private and give you an off switch. Fine. But here's the gap: Apple decides what the relay looks like, and the relay is opaque. When spam shows up at wandering-otter9182, you can see that address leaked. You usually can't remember which company you handed it to eight months ago, because you didn't name it. You named nothing. Apple named it for you.
Flip that. Give every company an alias you choose, tied to a domain you control, and spam stops being noise. It becomes evidence.
This is the model SimpleLogin and addy.io are built around, and it's why people pay for them instead of using the free relay already sitting on their phone. You sign up for a newsletter as nyt@yourdomain. You buy sneakers as kicks@yourdomain. You register a warranty as warranty@yourdomain. Each one forwards to the same real inbox. Each one is a tripwire with a label on it. The day kicks@ starts getting crypto pitches and fake invoice spam, you don't guess. You know the sneaker shop either got breached or sold its list, and you can delete that one alias and watch the noise vanish while everything else keeps working.
You don't even strictly need a paid service to start. RFC 5233 defines sub-addressing — the plus trick — so [email protected] lands in your normal Gmail and tells you the same story. The catch is that a +tag is trivially easy for any data broker to strip back to [email protected] before they resell it, which defeats the forensics. A unique alias on your own domain can't be reverse-engineered into your main address. That's the upgrade worth paying for.
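The tripwire idea as an added example (not part of the original article): a small alias ledger that classifies incoming mail by the alias it was delivered to. The ledger entries, domains and sample messages are constructed, and it assumes your forwarder leaves the alias in the `Delivered-To` header.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Hypothetical ledger: each alias -> the one company domain it was handed to.
LEDGER = {
    "kicks@yourdomain.example": "sneakershop.example",
    "nyt@yourdomain.example": "nytimes.example",
    "me+chairs@mail.example": "chairs-direct.example",
}

# Constructed sample messages (headers only).
SAMPLES = [
    "From: deals@sneakershop.example\nDelivered-To: kicks@yourdomain.example\nSubject: Sale\n\n",
    "From: win@crypto-pitch.example\nDelivered-To: kicks@yourdomain.example\nSubject: 10x\n\n",
    "From: billing@invoice-spam.example\nDelivered-To: Kicks@YourDomain.example\nSubject: Invoice\n\n",
    "From: promo@broker.example\nDelivered-To: me@mail.example\nSubject: Hi\n\n",
    "From: news@mail.nytimes.example\nDelivered-To: nyt@yourdomain.example\nSubject: Briefing\n\n",
]

def sender_matches(sender_domain, expected):
    # Accept the company's own domain and any subdomain of it.
    return sender_domain == expected or sender_domain.endswith("." + expected)

def classify(raw):
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    expected = LEDGER.get(rcpt)
    if expected is None:
        # Not a known alias, e.g. a +tag was stripped back to the base address.
        return ("unattributable", rcpt, sender_domain)
    if sender_matches(sender_domain, expected):
        return ("expected", rcpt, sender_domain)
    # From is spoofable, so a mismatch is strong evidence; a match is not proof.
    return ("leak", rcpt, sender_domain)

def leak_report(raw_messages):
    hits = Counter()
    for raw in raw_messages:
        verdict, rcpt, _ = classify(raw)
        if verdict == "leak":
            hits[(rcpt, LEDGER[rcpt])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (alias, company), n in leak_report(SAMPLES).items():
        print(f"{alias}: {n} message(s) from senders other than {company}")
```

The fourth sample shows the weakness of plus-addressing described above: once the tag is gone, the message arrives at the base address and the ledger has nothing to match it against.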
The scale of the problem is why this matters. The Identity Theft Resource Center counted 3,158 publicly reported U.S. data compromises in 2024, the second-highest year on record, exposing well over a billion records. Your address is in some of those piles right now. The question is never whether a company will leak you — it's which one, and what you can do the morning you find out.
A single hidden relay gives you a panic button. An alias-per-company gives you a paper trail. One lets you stop the bleeding; the other tells you who cut you.
So by all means hide your email. Just don't hide it the same way to everyone. Hand each company a name with their fingerprints already on it, and when the spam arrives — it will — you won't have to wonder who talked.
Sources
- Apple Support — Hide My Email overview and relay behavior
- SimpleLogin — Unique-alias-per-service model
- IETF RFC 5233 — Sub-addressing (plus-addressing) spec
- Identity Theft Resource Center — 2024 Annual Data Breach Report: 3,158 compromises