Cloakmail is a local-first browser extension for generating privacy-focused email aliases using Cloudflare Email Routing and your own domain. No backend, no telemetry, no external database.

github.a82s@mail.example.com  →  your-inbox@gmail.com
amazon.k91x@mail.example.com  →  your-inbox@gmail.com

Every alias is a dedicated Cloudflare Email Routing rule. Disabling, blocking, or deleting an alias is a real Cloudflare action — mail stops immediately.

Problem

Most people use the same personal email address across every service they sign up for. That creates three compounding problems:

  • The address becomes a permanent tracking identifier across services
  • A single breach puts the address in leak datasets forever
  • Spam attribution is impossible — you can’t tell which service leaked or sold it

Temporary email services solve the spam problem but not the durability one. Addresses expire, domains get blocked, and you lose access to account recovery.

The better model is user-owned aliases: one unique address per service, forwarded to a real inbox you control, with the ability to kill individual aliases without touching the others.

How It Works

Cloakmail has no server component. Everything runs in the browser.

flowchart LR Popup["Extension Popup"] --> BG["Background Worker"] Options["Settings Page"] --> BG Content["Content Script"] --> BG BG --> Storage["chrome.storage.local"] BG --> Cloudflare["Cloudflare Email Routing API"] Cloudflare --> Inbox["Your Inbox"]

The Cloudflare API token lives only in the background service worker — content scripts never see it.

Features

  • Alias generation — derive a readable alias from the current hostname with a cryptographically random suffix
  • Dedicated Cloudflare rules — one routing rule per alias, created via the CF API on generation
  • Disable — turn the Cloudflare rule off; mail is silently dropped, rule stays for re-enable
  • Block — convert the rule action to drop; alias is permanently silenced
  • Delete — delete the Cloudflare rule entirely; mail bounces at the MTA
  • Autofill — content script detects email fields and injects a one-click alias button
  • Sync — reconcile local alias state against live Cloudflare rules
  • Encrypted token storage — API token encrypted with AES-GCM (Web Crypto API) before being written to chrome.storage.local
  • Export / import — JSON backup of all alias metadata, secrets excluded

Alias Lifecycle

flowchart TD A["Generate alias"] --> B["Create Cloudflare routing rule"] B --> C["Active — mail forwards to inbox"] C --> D["Disable"] C --> E["Block"] C --> F["Delete"] D --> G["rule.enabled = false"] E --> H["rule.action = drop"] F --> I["Rule deleted — mail bounces"]

Why Dedicated Rules, Not Catch-All

The simpler approach is a catch-all rule (*@mail.example.com → inbox). Aliases generate instantly with no API call.

The problem: deletion is not real deletion. As long as catch-all is active, any address under the subdomain still forwards — including ones you’ve “deleted” locally.

Dedicated rules fix this. Deleting a rule means the address bounces at Cloudflare’s MTA. The user has real control.

The tradeoff is that each alias creation requires one Cloudflare API call (~200–400 ms). For a privacy tool, that’s the right trade.

Token Encryption

The Cloudflare API token is sensitive. Cloakmail encrypts it before writing to extension storage using the Web Crypto API.

// Derive AES-GCM key from a per-install ID using PBKDF2
const key = await crypto.subtle.deriveKey(
  { name: "PBKDF2", salt, iterations: 310_000, hash: "SHA-256" },
  keyMaterial,
  { name: "AES-GCM", length: 256 },
  false,
  ["encrypt", "decrypt"]
)

// Encrypt — ciphertext = salt + iv + encrypted bytes
const ciphertext = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv },
  key,
  new TextEncoder().encode(apiToken)
)

What this protects against: plaintext token exposure in storage inspection, accidental token export in backups, content script access.

What it doesn’t protect against: malware with full access to the browser profile. That threat requires OS-level secret storage, which is planned for a future version.

Content Script Security Boundary

Content scripts run in the context of websites. They can read and manipulate page DOM, which makes them useful for autofill but not a safe place for secrets.

Cloakmail content scripts are intentionally kept minimal:

  • Detect email input fields
  • Inject a small alias button
  • Send a generate-alias message to the background worker
  • Fill the returned alias into the field

The background worker owns all token access, decryption, and Cloudflare calls.

Cloudflare Setup

  1. Enable Email Routing on your domain zone
  2. Add and verify a destination email address
  3. Create a scoped API token with these permissions:
    • Zone → Read
    • Zone Settings → Read
    • Email Routing Rules → Read
    • Email Routing Rules → Edit
  4. Enter token, Zone ID, alias domain, and forwarding email in the extension settings