In order to send email messages through the relay service to the users’ personal inboxes, you will need to register your outbound email domains. All registered domains must create Sender Policy Framework (SPF) DNS TXT records in order to transit Apple’s private mail relay. Please ensure the source emails and domains are properly registered for your developer account, and that you have Private Email Relay notification enabled to detect misconfigurations and receive periodic emails of failed deliveries.
All outbound emails sent through the Private Email Relay service must be authenticated with the Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) protocol. This is to prevent spam and ensure that messages sent to your users only come from your registered source email addresses and email domains. We recommend authenticating outbound emails using both SPF and DKIM, if possible.
For additional information, please see Developer Account Help: Sign in with Apple - Configure Private Email Relay Service > Authenticating Your Domains.
Using SPF Authentication
The domain in the envelope sender (also known as the MAIL FROM, bounce, or Return-Path address) must be registered in the Domains section of Certificates, Identifiers & Profiles. This domain must pass SPF validation, and the registered domain and the envelope sender domain must match exactly to pass the private relay service SPF check.
Using DKIM Authentication
If you use an email service provider that places its own domain in the envelope sender of your outbound emails, you must sign your emails with DKIM to meet the private relay’s email authentication requirements.
The DKIM domain (the d= value in your DKIM signature) is matched against the domain in your email’s From: address (the header From: address), which must be registered in the Domains section of Certificates, Identifiers & Profiles. To pass the private relay’s DKIM check, the DKIM signature must verify, the signature must cover the From: header, and the DKIM domain and the domain in the From: address must match exactly.
Registering Valid Source Domains and/or Emails
After the private relay authenticates an inbound email with either SPF or DKIM, it also matches the source email address or domain against your registered email domains or email addresses.
You must register and validate every source email domain or subdomain you intend to use. If you do not own a domain configured for email, you can register individual source email addresses instead. For example, to send emails from “john@example.com” and “john@sales.example.com”, you must either register the source email domains “example.com” and “sales.example.com”, or register the individual source email addresses “john@example.com” and “john@sales.example.com”.
If you want to send email from any other source (for example, “john@help.example.com”), you must also register “help.example.com” or “john@help.example.com” as a separate source; a registered parent domain does not cover its subdomains.
If you do not register every source domain or email address you use, email sent to the private relay service from an unregistered source will result in a bounce message.
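The SPF path, the DKIM path and the source-registration match described above combine into one accept-or-bounce decision. The following Python model is an added example, not Apple’s code; the matching rules follow the text, while the class and function names, the assumption that the header From: address is the "source" being matched, and the sample registration and messages (including the placeholder ESP domain esp.example) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


@dataclass
class OutboundMessage:
    """What the relay sees for one inbound message (hypothetical model)."""
    envelope_sender: str                       # MAIL FROM / Return-Path address
    header_from: str                           # header From: address
    spf_pass: bool = False                     # SPF validation result for the envelope sender domain
    dkim_pass: bool = False                    # DKIM signature verified
    dkim_domain: Optional[str] = None          # d= tag of the DKIM signature
    dkim_signed_headers: Tuple[str, ...] = ()  # header names listed in the signature's h= tag


@dataclass
class Registration:
    """Sources registered under Certificates, Identifiers & Profiles (assumed shape)."""
    domains: Set[str] = field(default_factory=set)
    addresses: Set[str] = field(default_factory=set)


def spf_authenticated(msg: OutboundMessage, reg: Registration) -> bool:
    """SPF path: SPF must pass, and the envelope sender domain must equal a
    registered domain exactly (a subdomain is not covered by its parent)."""
    return msg.spf_pass and domain_of(msg.envelope_sender) in reg.domains


def dkim_authenticated(msg: OutboundMessage) -> bool:
    """DKIM path: the signature verifies, From: is among the signed headers,
    and the d= domain equals the header From: domain exactly."""
    if not (msg.dkim_pass and msg.dkim_domain):
        return False
    if "from" not in {h.lower() for h in msg.dkim_signed_headers}:
        return False
    return msg.dkim_domain.lower() == domain_of(msg.header_from)


def source_registered(address: str, reg: Registration) -> bool:
    """Source check: the address itself or its exact domain is registered."""
    return address.lower() in reg.addresses or domain_of(address) in reg.domains


def relay_decision(msg: OutboundMessage, reg: Registration) -> str:
    """'accept' if the message authenticates via SPF or DKIM and its From:
    address is a registered source; otherwise 'bounce'."""
    if not (spf_authenticated(msg, reg) or dkim_authenticated(msg)):
        return "bounce"
    if not source_registered(msg.header_from, reg):
        return "bounce"
    return "accept"


# Constructed sample registration and messages (not real accounts).
REG = Registration(domains={"example.com", "sales.example.com"},
                   addresses={"john@help.example.com"})

# Sent directly from the registered domain: SPF alone is enough.
DIRECT = OutboundMessage("john@example.com", "john@example.com", spf_pass=True)

# Sent through an ESP that uses its own domain in the envelope sender, so the
# SPF path cannot match a registered domain and DKIM must carry the message.
VIA_ESP = OutboundMessage("bounce@esp.example", "john@example.com", spf_pass=True,
                          dkim_pass=True, dkim_domain="example.com",
                          dkim_signed_headers=("From", "To", "Subject"))

# d= is a sibling of the From: domain; an exact match is required, so rejected.
DKIM_MISMATCH = OutboundMessage("bounce@esp.example", "john@example.com",
                                dkim_pass=True, dkim_domain="sales.example.com",
                                dkim_signed_headers=("From",))

# SPF passes at the DNS level, but mail.example.com was never registered as a
# separate source, so neither path matches and the message bounces.
UNREGISTERED = OutboundMessage("john@mail.example.com", "john@mail.example.com",
                               spf_pass=True)

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via_esp", VIA_ESP),
                    ("dkim_mismatch", DKIM_MISMATCH), ("unregistered", UNREGISTERED)]:
        print(f"{name}: {relay_decision(m, REG)}")
```

The VIA_ESP case is the one that most often surprises teams: the ESP’s SPF record is valid, but because the envelope sender domain is the ESP’s and not yours, only a DKIM signature with d= equal to your From: domain satisfies the relay.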
Configuring Your Email Service Provider (ESP) Account
If you send outbound emails with email service providers such as Amazon SES, Mailchimp, or SendGrid, the SPF record you publish for your email sending domain should look similar to the examples below. The “include” mechanism in the SPF record authorizes your email service provider’s mail servers to send on behalf of your domain.
SPF TXT Record for example.com to support using SendGrid
example.com. IN TXT "v=spf1 include:sendgrid.net ~all"
SPF TXT Record for example.com to support using Amazon SES
example.com. IN TXT "v=spf1 include:amazonses.com ~all"
SPF TXT Record for example.com to support using Mailchimp
example.com. IN TXT "v=spf1 include:servers.mcsv.net ~all"
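Before pointing the relay at a domain, it is worth checking that the published SPF record actually contains the ESP’s include and has no structural mistakes that silently weaken it. The following Python checker is an added example, not part of this documentation; the function names are assumptions, and the record strings it is run on are the three examples above plus constructed broken variants.

```python
import re
from typing import Dict, List, Optional, Tuple

# One SPF term: optional qualifier, mechanism or modifier name, optional argument.
SPF_TERM = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ip4|ip6|exists|ptr|redirect|exp)([:=/](.+))?$",
    re.IGNORECASE,
)

Term = Tuple[str, str, Optional[str]]  # (qualifier, name, argument)


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF TXT record into (qualifier, name, argument) terms.
    Raises ValueError if the string is not an SPF record or has an unknown term."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    terms: List[Term] = []
    for tok in parts[1:]:
        m = SPF_TERM.match(tok)
        if not m:
            raise ValueError(f"unrecognised SPF term: {tok}")
        qual, name, _, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))
    return {"version": "spf1", "terms": terms}


def esp_authorized(record: str, esp_domain: str) -> bool:
    """True when an include mechanism with a pass qualifier names esp_domain."""
    return any(
        name == "include" and qual == "+" and arg and arg.lower() == esp_domain.lower()
        for qual, name, arg in parse_spf(record)["terms"]
    )


def lint_spf(record: str) -> List[str]:
    """Return human-readable problems with the record; an empty list means clean."""
    terms: List[Term] = parse_spf(record)["terms"]  # type: ignore[assignment]
    issues: List[str] = []
    names = [name for _, name, _ in terms]
    all_positions = [i for i, n in enumerate(names) if n == "all"]
    if not all_positions:
        issues.append("no 'all' mechanism: the record states no default result")
    elif all_positions[0] != len(terms) - 1:
        issues.append("terms after 'all' are never evaluated")
    if any(qual == "+" and name == "all" for qual, name, _ in terms):
        issues.append("'+all' authorizes every host on the internet, which defeats SPF")
    # include, a, mx, exists, ptr and redirect each cost a DNS lookup; RFC 7208 caps them at 10.
    lookups = sum(1 for n in names if n in {"include", "a", "mx", "exists", "ptr", "redirect"})
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10")
    return issues


# The three records from the documentation above.
SENDGRID_RECORD = 'v=spf1 include:sendgrid.net ~all'
SES_RECORD = 'v=spf1 include:amazonses.com ~all'
MAILCHIMP_RECORD = 'v=spf1 include:servers.mcsv.net ~all'

# Constructed broken variants a checker should flag.
NO_ALL = 'v=spf1 include:sendgrid.net'
PLUS_ALL = 'v=spf1 include:sendgrid.net +all'
ALL_TOO_EARLY = 'v=spf1 ~all include:sendgrid.net'

if __name__ == "__main__":
    for rec in (SENDGRID_RECORD, SES_RECORD, MAILCHIMP_RECORD, NO_ALL, PLUS_ALL, ALL_TOO_EARLY):
        print(rec, "->", lint_spf(rec) or "ok")
```

In practice you would feed this the TXT string returned by your DNS resolver; the lint only covers the record’s own shape, so a missing include on the ESP side or a DKIM d= mismatch still has to be checked separately.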