I've run decently sized SMTP servers in the course of my career. I have some idea how SMTP works. In my testing, Apple's HME SMTP servers do NOT sanitize the headers at all.
If you set up HME to forward to a non-iCloud address, you absolutely risk leaking information if you reply to an HME email. For example, in my testing, the replies disclosed the DMARC policy I have on my domain when Apple's SMTP servers themselves added that header:
X-DMARC-Info: pass=pass; dmarc-policy=reject; s=r1; d=r1; pdomain=mydomain.org
(Where "mydomain.org" is my actual personal domain from which I replied when I had HME set up to forward to js2@mydomain.org.)
So in that sense, I'm agreeing with you.
But that's not the claim that alexpc201 made. To wit: "sends a response email (from the real address) with the rejected email message"
Sure, that's possible, but I doubt it and I was also unable to trigger such behavior. An oversized message is bounced directly by the receiving SMTP server with:
message size 67539976 exceeds size limit 28311552 of
server mx01.mail.icloud.com[17.57.154.33]
I tried various approaches. They all bounce at the edge:
Reporting-MTA: dns; mailfout.phl.internal
X-Postfix-Queue-ID: 13B6AEC00E7
X-Postfix-Sender: rfc822; elided@pobox.com
Arrival-Date: Thu, 2 Jul 2026 18:28:38 -0400 (EDT)
Final-Recipient: rfc822; word-word.0x@icloud.com
Original-Recipient: rfc822;word-word.0x@icloud.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx02.mail.icloud.com
Diagnostic-Code: smtp; 550 We are unable to send your email as one or more of its attachments may be corrupted or may contain malicious content.
So the theory now has to be that it's possible to sneak something past the edge SMTP server, past the point where the system rewrites the HME address, which then bounces, and in sending the bounce fails to properly rewrite something on the way back out, thus disclosing the real address. I remain skeptical that's what's happening.
Elsewhere in this thread someone theorized that the leak doesn't involve SMTP at all, but maybe some other service Apple operates.
---
Since doing this testing, I updated my HME setting to forward to my real iCloud.com address instead of my personal domain. If I then reply on icloud.com, nothing that I can see is leaked.
So basically, the HME SMTP servers are:
1. Rewriting the From and To address in a reply.
2. Not sanitizing message headers.
3. When replying from a non-icloud.com domain, actually inserting new headers which leak information such as your domain if you have a DMARC policy set up.
Eeek! So be careful when replying to an HME email! But even though the blog post is vague, I believe the claim is that no reply from the HME address is necessary.
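Added example (not code from the post above, nor anything Apple ships): a small Python check of the kind these findings call for. Before trusting a relay that rewrites only From and To, scan every header of a reply for the real domain or mailbox you expect to be hidden. It goes a little beyond the post by also catching leaks in Received, Message-ID and DKIM-Signature, not just X-DMARC-Info, and shows a conservative sanitizer that drops any header carrying the secret. The sample message, its hostnames and IDs are constructed for the example; the header shapes mimic the X-DMARC-Info line quoted above.

```python
import email
from email.utils import make_msgid

# Constructed sample: a reply that went through a relay which rewrote From/To
# but left every other header alone and added an X-DMARC-Info header.
# Hosts, IPs and IDs are made up for this example.
SAMPLE_REPLY = b"""\
Received: from smtp.mydomain.org (smtp.mydomain.org [203.0.113.10])
 by relay.example.invalid with ESMTPS id 0123456789
From: word-word.0x@icloud.com
To: someone@example.com
Subject: Re: test
Message-ID: <20260702182838.ABCDEF@mydomain.org>
X-DMARC-Info: pass=pass; dmarc-policy=reject; s=r1; d=r1; pdomain=mydomain.org
DKIM-Signature: v=1; a=rsa-sha256; d=mydomain.org; s=r1; h=from:to:subject; bh=...; b=...

hello
"""


def _unfold(value):
    # Collapse folded continuation lines into one line for matching/printing.
    return " ".join(str(value).split())


def find_identity_leaks(raw, secrets):
    """Return [(header_name, unfolded_value)] for every header whose value
    mentions any string in `secrets` (the real domain and/or mailbox).
    Duplicate headers such as multiple Received lines are all checked."""
    msg = email.message_from_bytes(raw)  # compat32: header values stay raw strings
    needles = [s.lower() for s in secrets]
    hits = []
    for name, value in msg.items():
        flat = _unfold(value)
        if any(n in flat.lower() for n in needles):
            hits.append((name, flat))
    return hits


def sanitize(raw, secrets, neutral_domain):
    """Return a copy of the message with every leaking header removed.
    If Message-ID was one of them, mint a fresh one under `neutral_domain`
    (a hypothetical relay hostname) so the message stays well-formed."""
    msg = email.message_from_bytes(raw)
    leaking = {name for name, _ in find_identity_leaks(raw, secrets)}
    kept = [(n, v) for n, v in msg.items() if n not in leaking]
    for name in {n for n, _ in msg.items()}:
        del msg[name]  # removes all occurrences of that header name
    for name, value in kept:
        msg[name] = value
    if "Message-ID" not in msg:
        msg["Message-ID"] = make_msgid(domain=neutral_domain)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, value in find_identity_leaks(SAMPLE_REPLY, ["mydomain.org"]):
        print(f"LEAK in {name}: {value}")
    print(sanitize(SAMPLE_REPLY, ["mydomain.org"], "relay.example.invalid").decode())
```

Run it against a raw copy of a reply you sent through the relay (Gmail's "Show original", or the file in your sent folder) with your real domain and mailbox as the secrets; anything it prints is a header the relay should have stripped or rewritten but did not. The sanitizer is deliberately blunt: it drops whole headers rather than trying to rewrite them, because a partial rewrite of something like a DKIM-Signature just produces a header that is both leaky and invalid.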