I am a big fan of catch-all mailboxes. They enable me to use a unique email address for every service that demands my personal information. By doing so, I know exactly who is emailing me or who leaked my email address. Let’s explore how we can elevate this concept on a technical level with programmable email routing.

An offline Belgian mailbox

Catch-all Format

The format that I use for unique email addresses consists of the name of the company, a flag, and my custom domain name. For example, [email protected] tells me that ECorp emails me to my personal mailbox, which is set by -d.

In order to get this to work, I had different wonky solutions over the past few years. One of them was forwarding all emails to a Gmail account and setting up filters in order to make the emails end up in the right mailbox.

These solutions have one major drawback: you can only filter on the From and To headers of the email. The actual receiving email address is not always present in those headers, for example when you receive a blind carbon copy (BCC) or an email from a mailing list. Therefore, utilising filters and forwards is far from ideal for this goal.

Cloudflare Email Workers

Cloudflare offers a service called Email Routing. It basically enables you to create and manage email addresses and forwards for a domain name that is managed by Cloudflare.

Additionally, they started a public beta a couple of months ago with so-called Email Workers. Email Workers enable you to programmatically handle emails. A piece of JavaScript decides what should happen with an incoming email: forward somewhere or reject.

export default {
  async email(message, env, ctx) {
    // Senders that are allowed through; everything else is rejected.
    const allowList = ["[email protected]", "[email protected]"];
    if (allowList.indexOf(message.headers.get("from")) == -1) {
      message.setReject("Address not allowed");
    } else {
      await message.forward("inbox@corp");
    }
  }
}

Example from Cloudflare on how to allow only certain senders

Parsing Received by … for

Now comes the tricky part. Cloudflare offers a nice EmailEvent API that can be called from JavaScript. However, this only allows for querying the from and to headers directly. In order to fetch more information, the raw email needs to be parsed manually.

The header that tells us the actual recipient looks like this:

 Received: by mail-vk1-f194.google.com with SMTP id 71f...
 for <[email protected]>; Wed, 28 Jun 2023 04:30:15 -0700 (PDT)

Every mail server that processes the email adds such a header. message.headers.get("received") is, however, not capable of returning all of them. It only returns the last occurrence of Received, but the first one is needed. The entire source of the email must be parsed using the following regex.

function parseRecipient(source) {
  // First "for <...>;" address found in the raw source; throws if there is none.
  return source.match(/\b(?<=for <)[email protected](?=>;)\b/g)[0];
}

  • (?<=for <): This is a positive lookbehind expression that checks if the pattern is preceded by “for <”.
  • [email protected]: This pattern matches one or more characters followed by “@landgenoot.com”.
  • (?=>;): This is a positive lookahead expression that checks if the pattern is followed by “>;”.
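A variant of the recipient parsing described above, as an added example that is not the code from this post or the Gist. It goes one step further than the regex by scanning only the unfolded header section, so text in the body can never be picked up as the recipient, and it splits the address into company and flag. The domain example.com, the sample message and the returned field names are assumptions made for illustration.

```javascript
// Added example: names, DOMAIN and SAMPLE are constructed for illustration.
const DOMAIN = "example.com"; // assumption: stands in for the custom domain

// Constructed raw message: folded Received header, list address in To,
// and a look-alike "for <...>;" string in the body that must be ignored.
const SAMPLE = [
  "Received: by mx.example.net with SMTP id abc123",
  "        for <ecorp-d@example.com>; Wed, 28 Jun 2023 04:30:15 -0700 (PDT)",
  "From: ECorp News <news@ecorp.example>",
  "To: newsletter@lists.ecorp.example",
  "Subject: Monthly update",
  "",
  "Quoted text: for <other-x@example.com>; appears only in the body.",
].join("\r\n");

// Header section only (up to the first blank line), folded lines joined.
function unfoldHeaders(source) {
  const end = source.search(/\r?\n\r?\n/);
  const head = end === -1 ? source : source.slice(0, end);
  return head.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
}

// First Received header (top-down) with "for <local@domain>", split into
// company and flag at the last "-"; returns null when none is found.
function parseRecipient(source, domain = DOMAIN) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const forClause = new RegExp(`\\bfor <([^<>@\\s]+)@${escaped}>`, "i");
  for (const line of unfoldHeaders(source)) {
    if (!/^received:/i.test(line)) continue;
    const m = line.match(forClause);
    if (!m) continue;
    const local = m[1].toLowerCase();
    const dash = local.lastIndexOf("-");
    return {
      address: `${local}@${domain}`,
      company: dash === -1 ? local : local.slice(0, dash),
      flag: dash === -1 ? null : local.slice(dash + 1),
    };
  }
  return null;
}

console.log(parseRecipient(SAMPLE));
```

In an Email Worker, the raw source can be read from the message.raw stream, for example with `await new Response(message.raw).text()`, before it is passed to parseRecipient.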

Source code

I have brought it all together in a Gist, with blacklist functionality that can be hosted as a .txt file somewhere.

cloudflare-email-worker-recipient-flag-parser.js on Gist