Configure capabilities

Configure private email relay service

In order to send email messages through the relay service to the users’ personal inboxes, you'll need to register your outbound email domains. All registered domains must publish Sender Policy Framework (SPF) DNS TXT records in order for their mail to transit Apple’s private mail relay.

If you’re enrolled as an individual, you can register up to 32 email sources. If you’re enrolled as an organization, you can register up to 100 email sources. You don’t need to upload a file on your server to complete the registration process for domains and subdomains.

Register domains

  1. In Certificates, Identifiers & Profiles, click Services in the sidebar, then click Configure under Sign in with Apple for Email Communication.

  2. In the Email Sources section, click the add button (+).

  3. Enter a comma-delimited list of domains and subdomains that will be used for email communication, then click Next.

  4. Confirm your entered email sources, then click Register.

  5. The table shows whether each registered email source passed an SPF check.

Register communication emails

  1. In Certificates, Identifiers & Profiles, click Services in the sidebar, then click Configure under Sign in with Apple for Email Communication.

  2. In the Email Sources section, click the add button (+) on the top left.

  3. Enter a comma-delimited list of unique email addresses that will be used for email communication and click Next.

  4. Confirm your entered email sources and click Register.

  5. The table shows whether each registered email source domain passed an SPF check.

Manage private email relay notifications

We’ll periodically notify the Account Holder and team admins if we detect that emails sent from your account could not be delivered by Apple’s private email relay service. If you’re in development and would like to turn off these emails for your team, the Account Holder or team admins can change this setting.

  1. In Certificates, Identifiers & Profiles, click Services in the sidebar, then click Configure under Sign in with Apple for Email Communication.

  2. Click Settings on the top right of the page.

  3. Click the toggle to disable Sign in with Apple private email relay notifications.

  4. Click Save.

Required role: Account Holder or Admin.

Authenticating your domains

All outbound emails sent through the Private Email Relay service must be authenticated with the Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) protocol. This is to prevent spam and ensure that messages sent to your users only come from your registered source email addresses and email domains. We recommend authenticating outbound emails using both SPF and DKIM if possible.

  • Using SPF Authentication

    The domain in the envelope sender (also known as the MAIL FROM, bounce, or Return-Path address) must be registered in the Domains section of Certificates, Identifiers & Profiles. This domain must pass SPF validation, and the registered domain and envelope sender domain must match exactly to pass the private relay service SPF check.

  • Using DKIM Authentication

    If you use an email service provider that uses their domain in the envelope sender of your outbound emails, you must sign your emails with DKIM to meet the private relay’s email authentication requirements.

    The DKIM domain (the d= value in your DKIM signature) is matched against the domain used in your email’s From: address (also known as the header From: address) that is registered in the Domains section of Certificates, Identifiers & Profiles. To pass the private relay’s DKIM check, the DKIM signature must pass verification, the DKIM signature must include the From: header, and the DKIM domain and the domain in the From: address must match exactly.

  • Registering Valid Source Domains and/or Emails

    After the private relay authenticates inbound emails with either SPF or DKIM, it will also match the source email or domain against your registered email domains or email addresses.

    You must register and validate every source email domain or subdomain you intend to use. If you don’t own a domain configured for email, you can register individual source email addresses. For example, if you want to send emails from john@example.com and john@sales.example.com, you can either register the source email domains example.com and sales.example.com, or register the individual source email addresses john@example.com and john@sales.example.com.

    If you want to send emails from any other source (for example, john@help.example.com), you must also register help.example.com or john@help.example.com as a separate source.

    If you don’t register all the source domains or emails that you use, email sent to the private relay service will result in a bounce message.

  • Configuring Your Email Service Provider (ESP) Account

    If you send outbound emails with email service providers such as Amazon SES, Mailchimp, or SendGrid, the SPF record you publish for your email sending domain should look similar to the examples below. The “include” mechanism in the SPF record authorizes your email service provider’s mail servers to send on behalf of your domain.
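The authentication and source-matching rules from the Authenticating your domains section above, as an added Python illustration (this is not Apple’s code and not the relay’s implementation). It assumes the SPF and DKIM verdicts have already been computed by a verifier and takes them as inputs; the registered sources, the ESP domain esp-mailer.example and the sample messages are constructed for the example. The reading that SPF matches the envelope sender (address or domain) while DKIM matches the header From: address (address or domain) against the registered list is an assumption drawn from the text; the subdomain edge case (sales.example.com is not covered by registering example.com) is handled explicitly.

```python
"""Simulated private-relay check: authenticate with SPF or DKIM, then match the
source against registered domains/addresses. Added illustration, not Apple's code.
All verdicts, registered sources and messages below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    envelope_from: str              # MAIL FROM / Return-Path address
    header_from: str                # RFC 5322 From: address
    spf_pass: bool                  # SPF verdict for the envelope domain (assumed given)
    dkim_pass: bool                 # DKIM signature verified (assumed given)
    dkim_domain: str = ""           # d= tag of the DKIM signature, "" if unsigned
    dkim_signed_headers: tuple = () # h= tag of the DKIM signature


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; no subdomain inheritance is applied."""
    return addr.rsplit("@", 1)[-1].lower()


def _source_registered(addr: str, registered: set) -> bool:
    """Exact match on the full address or on its domain (assumption: either form counts)."""
    return addr.lower() in registered or _domain(addr) in registered


def relay_check(msg: Message, registered: set) -> tuple:
    """Return (accepted, reason). SPF path: envelope sender passes SPF and its
    domain/address is registered exactly. DKIM path: signature verifies, covers
    From:, d= equals the header From: domain, and that From: source is
    registered. Anything else bounces."""
    reg = {r.lower() for r in registered}
    hdr_dom = _domain(msg.header_from)

    if msg.spf_pass and _source_registered(msg.envelope_from, reg):
        return True, f"SPF pass; envelope source {_domain(msg.envelope_from)} registered"

    if msg.dkim_pass:
        if "from" not in {h.lower() for h in msg.dkim_signed_headers}:
            return False, "bounce: DKIM signature does not cover the From: header"
        if msg.dkim_domain.lower() != hdr_dom:
            return False, f"bounce: DKIM d={msg.dkim_domain} != From: domain {hdr_dom}"
        if _source_registered(msg.header_from, reg):
            return True, f"DKIM pass; From: source {hdr_dom} registered"
        return False, f"bounce: {hdr_dom} is not a registered source (subdomains are not inherited)"

    return False, "bounce: no authenticated, registered source (SPF or DKIM)"


# Constructed registered sources: two domains and one individual address.
REGISTERED = {"example.com", "sales.example.com", "jane@support.example.com"}

# Sent directly from the registered domain; SPF passes on the envelope domain.
DIRECT = Message("john@example.com", "john@example.com", spf_pass=True, dkim_pass=False)

# Sent via an ESP that uses its own envelope domain; only DKIM can vouch for example.com.
VIA_ESP = Message("bounce@esp-mailer.example", "john@example.com", spf_pass=True,
                  dkim_pass=True, dkim_domain="example.com",
                  dkim_signed_headers=("from", "to", "subject", "date"))

# Same ESP, but the signature carries the ESP's domain, so d= does not match From:.
ESP_DKIM = Message("bounce@esp-mailer.example", "john@example.com", spf_pass=True,
                   dkim_pass=True, dkim_domain="esp-mailer.example",
                   dkim_signed_headers=("from", "to", "subject"))

# SPF passes, but help.example.com was never registered as a separate source.
UNREGISTERED_SUB = Message("john@help.example.com", "john@help.example.com",
                           spf_pass=True, dkim_pass=False)

# Individual address registration is enough even though support.example.com is not.
INDIVIDUAL = Message("jane@support.example.com", "jane@support.example.com",
                     spf_pass=True, dkim_pass=False)


if __name__ == "__main__":
    for name, m in [("DIRECT", DIRECT), ("VIA_ESP", VIA_ESP), ("ESP_DKIM", ESP_DKIM),
                    ("UNREGISTERED_SUB", UNREGISTERED_SUB), ("INDIVIDUAL", INDIVIDUAL)]:
        ok, why = relay_check(m, REGISTERED)
        print(f"{name:16} {'ACCEPT' if ok else 'BOUNCE'}  {why}")
```

Running the script prints one verdict per sample message. The ESP case is the one worth studying: SPF passes for the ESP’s own envelope domain, but that domain is not a registered source, so the message is accepted only if the DKIM signature is made with d= equal to the header From: domain and covers the From: header.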