Anybody using iCloud+ custom domain for email hosting during beta?


Apple is, of course, scant on details on what iCloud email does as far as spam filtering, whitelisting, and other features. They’re barely even acknowledging the mail or other features coming to iCloud+ right now. According to some websites, you can access the options via (does not permanently alter your account for beta access), but the DNS verification steps will fail (it may not be enabled quite yet, since it is a beta).

One tidbit I did find out about iCloud though: Apple DOES NOT encrypt email at rest on their servers. One can imagine that this allows for scanning of email messages via their hashing algos for kiddy porn, or any other reason for that matter….

Considering that email was not ever built with security in mind, and all the current encryption and security protocols were haphazardly bolted on later, would you consider Apple iCloud+ hosted email as an option? What about for business use? I’m considering it, but I also use a personally-hosted E2EE Slack-like chat server on a NAS for secure communications. Running your own email server is a mess. I wouldn’t use email if I didn’t have to for online accounts because you can’t trust the security mechanisms of third-parties, and hosting your own has way too many security hurdles to overcome when it comes to interconnectivity with third-parties, along with external port/exploit scanners constantly hitting your IP (and it has to be a static IP with a PTR record because every spam list on the planet will block dynamic IP ranges).


7 responses to “Anybody using iCloud+ custom domain for email hosting during beta?”

  1. Truffles

    Wait, are you saying I can use my domain mx record to point to iCloud mail without resorting to aliasing??? I'd jump on that.

  2. waethorn

    If you pay for iCloud (soon to be called iCloud+) or Apple One, yes. But it’s in beta, so it’s not working yet. Instructions are here:

    Note: there is no server-side method for importing email, such as a PST import à la Exchange Online. Best you could do is try to move stuff around on your computer and hope that iCloud allows bulk uploading of messages to the account you’re importing into (I have no idea if it does).

  3. curtisspendlove

    I’m going to enable it on the domain I use for my DevOps homelab (and my home network) as a test. If it works well, I’ll consider using it for a couple other domains I use for my “personal brand” (ugh! I hate marketing).

    I don’t think I’d consider it for actual business use. I’d lean toward Microsoft 365 or (what I currently use—Fastmail) for any kind of business use.

    It’s entirely possible to run your own mail server but you definitely have to mess with the security junk. (If I did that for an actual business that needs bulletproof email, I’d probably toss something like Mailroute in front of it to limit the security / blacklisting / etc ballaches I had to deal with.)

    • waethorn

      I’m currently using a Synology NAS with their MailPlus package. It’s nice, but here are some things you might not know about hosting your own email server:

      1) You need a static IP or else you’ll be on every SPAM list imaginable. Good luck getting one from a consumer-level ISP. Luckily here in Canada, Rogers allows you to use their business service at home and only charges $5 extra for a static IP (but their business service is set up on annual contracts).

      2) You need your ISP to create a PTR record in THEIR DNS for you. This is for the reverse DNS for SPAM filters also.

      3) Your regular SPAM filters on your servers have to be updated constantly. Don’t put an email address on a website unless you want a spider bot picking it up and putting it on a SPAM list. Good email server packages will do this already, but it’s far from complete. Some hackers will try to send to unlisted email addresses, or use faulty SMTP commands or connected webmail hacks to create SPAM.

      4) There are many scammers and port-scanners that will try to communicate with your mail server using exploits or known backdoors. If you have a port open for anything, you WILL be scanned by any number of cloud hosting providers like Dreamhost and Linode that allow their customers to use their services to hack into systems and drop malware. Blocking them will block a huge chunk of Internet traffic used for other, legitimate traffic. Sending C&D notices to the cloud hosts will go generally unnoticed, even with full log evidence of their clients’ misuse.

      5) Bad actors in countries like China, Turkey, several EU countries, and such, will also just try to hack your router with a number of known router exploits, mandating the use of a better router like a UniFi one with Threat Management. Consumer routers don’t have the same level of protection.

      This is why a regular user would get lost trying to host their own email. And this is why I wouldn’t recommend anybody to host it themselves. It’s not worth the hassle. Set up an encrypted chat server instead. You don’t need to deal with a bunch of DNS crap or extra filters and hacking attempts. Synology Chat is a good option, or you can host a Mastodon instance and federate. Matrix has better technology behind it though.

    • waethorn

      Oh and one more thing: even if you do all this, if you pay for a static IP from your ISP, there’s a good chance it’s already on a SPAM list for all the Big Tech providers. Good luck getting it removed too. Microsoft had to fix their Whitelisting website when I tried to use it, and then it finally worked….for about 9 months, and then I got put back on their naughty list again for no reason at all. This affects my ability to send to clients that use either Microsoft email service: both and Exchange Online. My emails go directly into their Junk folder, or just don’t get delivered.
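
The PTR and spam-list points in the two replies above can be checked before a self-hosted server sends its first message. The following is an added example, not part of the thread: it runs a forward-confirmed reverse DNS check (the PTR name must resolve back to the sending IP) and builds the lookup name a DNS blocklist expects. The function names, the sample records and the zone `dnsbl.example` are assumptions made for illustration.

```python
import ipaddress
import socket

def reverse_name(ip):
    """Name under in-addr.arpa/ip6.arpa where the ISP must publish the PTR."""
    return ipaddress.ip_address(ip).reverse_pointer

def dnsbl_query_name(ip, zone):
    """IPv4 blocklist lookup name: reversed octets + the list's zone (RFC 5782)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to the IP."""
    want = ipaddress.ip_address(ip)
    try:
        names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        names = []
    confirmed = []
    for name in names:
        try:
            addrs = addr_lookup(name)
        except OSError:
            continue
        if any(ipaddress.ip_address(a) == want for a in addrs):
            confirmed.append(name)
    verdict = "pass" if confirmed else ("mismatch" if names else "no-ptr")
    return {"ip": ip, "ptr": names, "confirmed": confirmed, "verdict": verdict}

# Live resolvers for real use (these need network access).
def system_ptr(ip):
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host, *aliases]

def system_addrs(name):
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

# Constructed sample records (documentation address ranges, example domains).
SAMPLE_PTR = {"203.0.113.25": ["mail.example.org."],
              "198.51.100.7": ["198-51-100-7.dyn.isp.example"]}
SAMPLE_A = {"mail.example.org": ["203.0.113.25"]}

def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror("no PTR record")
    return SAMPLE_PTR[ip]

def sample_addrs(name):
    if name not in SAMPLE_A:
        raise socket.gaierror("name does not resolve")
    return SAMPLE_A[name]

if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.10"):
        print(reverse_name(ip), fcrdns(ip, sample_ptr, sample_addrs)["verdict"])
```

Against a real server, pass `system_ptr` and `system_addrs` instead of the sample resolvers; a "mismatch" on a static IP usually means the ISP's generic PTR is still in place.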

  4. curtisspendlove

    Also, I’m pretty sure I read somewhere that you basically get five domains max.

    And it’s only accessible to those inside the family group or such. So I don’t think you could add like 100 users to a domain.

    I think you only get three aliases as well.

    So if these things are true it’s definitely geared toward having a personal / family domain (which I do have).

    (Also, my weekly request to be able to edit posts. Hopefully it’s on the TODO list.) ;)