When this article matters
You're either deciding whether the forwarding address is safe to put into a filter rule, or your address got shared more widely than intended and you want to know what the exposure actually is. This article explains how the address is structured and what the security layers are.
If you just want to set up forwarding for the first time, see set up email forwarding; this article is the deep-dive on the address itself.
What the address looks like
Every company gets its own address of the form u-<hash>@in.taxiteasy.org — for example, [email protected]. Three parts:
u-— a fixed prefix marking this as a company inbox.- The hash — exactly 16 hex characters, derived from a one-way cryptographic hash (SHA-256) of an internal identifier. It can't be guessed from your name, email, company name, or signup date, and it can't be reversed. Two companies created seconds apart have completely uncorrelated hashes.
@in.taxiteasy.org— our dedicated inbound domain. We don't send mail from it. The hash tells our pipeline which company an email belongs to, and the recipient address is domain-pinned — mail routed through a look-alike domain can't land in your account.
The hash space is 16^16 ≈ 1.8 × 10^19 possibilities. Brute-force guessing is infeasible in practice — and everything that does arrive is logged, so probing wouldn't be invisible either.
One address per company, not per user: an account with three companies has three forwarding addresses, and each routes into its own company's documents.
The security layers
Layer 1 — address secrecy
The non-guessable hash only helps if you don't publish it. Treat the address like a password:
- Don't post it on a public webpage, forum, or chat.
- Don't include it in CSV exports you send around.
- Don't share it with your accountant for "easier client invoices" — use invite your tax advisor instead, which has its own audit trail.
Layer 2 — sender authentication (SPF or DKIM)
Even if the address leaks, an attacker can't easily fake a sender. Every inbound email is verified:
- SPF checks whether the sending server is authorised for the claimed sender domain. Forwarding legitimately breaks SPF (the forwarder isn't on the original sender's allow-list), which is why we don't require SPF alone.
- DKIM is a cryptographic signature from the original sending server, and forwarding usually preserves it. We require either SPF or DKIM to pass.
A spoofed sender — someone sending From: [email protected] from a server they control — typically fails both, because they have neither Hetzner's DKIM keys nor a place on Hetzner's SPF list. The message is rejected before it enters your account, and the rejection is logged.
This is also why, if your provider offers both, redirect (Sieve) is preferable to forward — redirect preserves the original signatures.
Layer 3 — pipeline integrity
Below the email layer, the inbound pipeline itself is hardened: the delivery webhook is verified with a public-key signature (Ed25519) so nobody can inject fake "inbound email" events, and replayed webhook deliveries are deduplicated so the same email can never be processed twice.
What we keep, what we discard
| Field | Stored? | Notes |
|---|---|---|
| Sender address | Yes | Shown in the Activity log. |
| Send date | Yes | Shown in the Activity log. |
| Subject line | Yes | Shown in the Activity log. |
| Email body | No | Processed once for classification, then discarded — never stored permanently. |
| Attachments (PDF, JPG, PNG, HEIC, ≤ 20 MB each) | Yes | Run through the Documents pipeline, encrypted, stored. Byte-identical duplicates are skipped. |
| Other attachment types | No | Stripped at intake. |
Even if you forward a deeply confidential email, the body itself is not retained — only the sender, date, subject, and the extracted attachments.
Delivery is instant
Forwarding is push-based: the moment your email arrives, a webhook hands it to the pipeline. There is no polling interval on this path — the attachments typically appear in Documents while you're still looking at your sent folder.
Troubleshooting
My address got published or shared too widely. There's no self-service way to change the address today — write to [email protected]. The exposure is bounded meanwhile: senders still have to pass SPF or DKIM, and every arrival shows in Settings → Email integration → Activity log, so review what lands there.
Someone tries to send me a fake invoice. If they fail SPF and DKIM (typical for spoofing), the message is rejected before it enters your account. If they pass — meaning they sent from a legitimately-configured domain they control — the email shows in the Activity log like any other; a fake invoice from a real domain is caught by human judgment, not authentication.
Can I see who sent what? Yes — the Activity log shows every inbound email with sender, date, subject, classification, and the number of attachments extracted.
I want one address per project. Use companies — each company has its own forwarding address, so one account with three companies gives you three addresses.
Can I make the address shorter or memorable? No — that would defeat the non-guessability.
An email bounced and I don't know why. Common reasons: both SPF and DKIM failed, an attachment exceeded 20 MB, or the attachment format wasn't PDF/JPG/PNG/HEIC.
Related
- Set up email forwarding — using the address in practice
- How to disconnect an email account — the direct-OAuth alternative cleanup
- What happens when you forward a newsletter — how classification decides what to keep
- Email attachment size and format limits — what attachments survive intake