I am a big fan of catch-all mailboxes. They enable me to use a unique email address for every service that demands my personal information. By doing so, I know exactly who is emailing me or who leaked my email address. Let’s explore how we can elevate this concept on a technical level with programmable email routing.
An offline Belgian mailbox
The format that I use for unique email addresses consist of the name of the company, a flag, and my custom domain name. E.g. [email protected] tells me that ECorp emails me to my personal mailbox, which is set by -d.
In order to get this to work, I had different wonky solutions over the past few years. One of them was forwarding all emails to a Gmail account and setting up filters in order to make the emails end up in the right mailbox.
These solutions have one major drawback: you can only filter on the from and to header of the email. The actual receiving email address is not always present in those headers: when receiving a Blind Carbon Copy (BCC) or emails from a mailing list. Therefore, utilising filters and forwards is far from ideal for this goal.
Cloudflare Email Workers
Cloudflare offers a service called Email Routing. It basically enables you to create and manage email addresses and forwards for a domain name that is managed by Cloudflare.
Example from Cloudflare on how to allow only certain senders
Parsing Received by … for
The header that tells us the actual recipient looks like this:
Received: by mail-vk1-f194.google.com with SMTP id 71f...
for <[email protected]>; Wed, 28 Jun 2023 04:30:15 -0700 (PDT)
Every mail server that processes the email adds such a header.
message.headers.get("received") is, however, not capable of returning all of them. It only returns the last occurrence of Received, but the first one is needed. The entire source of the email must be parsed using the following regex.
- (?<=for <): This is a positive lookbehind expression that checks if the pattern is preceded by “for <”.
- [email protected]: This pattern matches one or more characters followed by “@landgenoot.com”.
- (?=>;): This is a positive lookahead expression that checks if the pattern is followed by “>;”.
I have brought it all together in a Gist, with blacklist functionality that can be hosted as a .txt file somewhere.
cloudflare-email-worker-recipient-flag-parser.js on Gist