If you're using Amazon SES and emails to @privaterelay.appleid.com are silently failing, the cause is almost certainly SES's account-level suppression list treating Apple relay DSN errors as hard bounces.
Fix: Emails Not Delivered to Apple Private Relay Addresses (Amazon SES)
If your app supports Sign in with Apple, some of your users will have a Hide My Email address — a relay address like abc123@privaterelay.appleid.com that forwards to their real inbox. These addresses are easy to break silently.
Here's the symptom we ran into and exactly how we fixed it.
The Symptom
Transactional emails (alerts, welcome emails) worked fine for regular email addresses but never arrived for users who signed in with Apple. We were also receiving bounce notifications like this:
Subject: Delivery Status Notification (Failure)
An error occurred while trying to deliver the mail to the following recipients:
prw8xms8tv@privaterelay.appleid.com
Confusingly, some of these emails were being delivered — Apple's relay occasionally returns a DSN error even on successful delivery. But over time, delivery stopped entirely for affected addresses.
Root Cause: SES Suppression List
Amazon SES has an account-level suppression list. When a send results in a bounce (even a soft or misleading one), SES adds that address to the suppression list and silently drops all future sends to it — no error, no log entry from your code's perspective.
Apple's private relay sometimes returns a non-standard response that SES interprets as a hard bounce. Once that happens:
Send to Apple relay → Apple returns DSN error → SES logs as hard bounce
→ Address added to suppression list → Every future send silently dropped
We found 9 Apple relay addresses on our suppression list, the oldest suppressed since September 2025 — meaning those users had missed months of emails.
The Fix
Step 1 — Remove suppressed Apple relay addresses
In the AWS Console:
- Go to Amazon SES (make sure you're in the correct region)
- Left sidebar → Configuration → Suppression list
- Search or scroll for any addresses ending in
@privaterelay.appleid.com - Select all → Bulk actions → Remove email address
Step 2 — Change account suppression to Complaints only
By default, SES suppresses addresses on both bounces and complaints. Since Apple relay false bounces will keep triggering this, change the setting to suppress on complaints only:
- Stay in SES → Configuration → Suppression list
- Find Account-level suppression (or go to General settings)
- Change from "Bounces and complaints" to "Complaints only"
- Save
This prevents Apple relay DSN quirks from silently killing future users' email delivery.
Checklist: Everything Else You Need for Apple Private Relay
If you're still having issues after clearing the suppression list, verify the following:
| Check | What to do |
|---|---|
| Apple domain registration | developer.apple.com → Certificates, Identifiers & Profiles → More → Configure (Sign in with Apple for Email Communication). Register every domain you send from. |
| SPF | Your sending domain needs include:amazonses.com in its SPF record |
| DKIM | Enable Easy DKIM in SES for your domain and add the 3 CNAME records to your DNS |
| Custom MAIL FROM | Configure a custom MAIL FROM subdomain in SES (e.g. mail.yourdomain.com) so the return-path domain matches your registered domain |
All of these must be in place. Apple's relay validates the source domain/email against your registered list after running SPF or DKIM — if either check fails, the email is rejected.
Summary
If you're using Amazon SES and emails to Apple private relay addresses are failing:
-
Check SES → Suppression list for
@privaterelay.appleid.comentries and remove them - Change account-level suppression to "Complaints only" so Apple relay false bounces don't re-suppress addresses
That's it. Step 2 is the permanent fix — without it, the suppression list will fill up again and you'll be back to the same problem.
Top comments (0)