What is Apple Mail Privacy Protection and how can I identify these events in my data?

The Basics of Apple Mail Privacy Protection

With the launch of iOS 15, iPadOS 15, and MacOS 12 Apple introduced a new feature to their built-in email client Apple Mail App called Mail Privacy Protection (MPP).  Apple self describes the feature as:

Mail Privacy Protection stops senders from using invisible pixels to collect information about the user. The new feature helps users prevent senders from knowing when they open an email, and masks their IP address so it can’t be linked to other online activity or used to determine their location

The first time users open the Apple Mail App on an iPhone, iPad, or Mac using one of the supported versions of software, they will be prompted with an option where they can choose to enable the Mail Privacy Protect Feature.

We believe that the strong wording in the prompt by Apple is likely to result in a 90% or greater adoption rate of this particular feature. Our early data backs-up this theory as well.  Now that we've been testing this feature extensively, here is what we've found regarding how exactly it works.

First if you are not already familiar with how the SocketLabs Open Tracking feature works, you can read more about it here.

When Apple Mail app launches, it begins to download all new messages to the device from the mailbox provider (I.e. Gmail). If a message lands in the inbox and appropriate battery and internet connection resources are available, then Apple will immediately download all of the images in the message (including any SocketLabs inserted open tracking pixels) and store them locally on the device. The download requests initiated by the Apple device go through at least two different proxy servers before reaching the web servers hosting the images, it is this part of the process that masks the recipients actual IP address. It will also cause an "Open" event to be registered with SocketLabs. When an Open or Click event is registered without any actual action by the user, we refer to this as non-human interactions (NHI). NHI has been a noise within engagement data since long before these most recently changes by Apple.

At this time Apple appears to use IP addresses with geolocation attributes that roughly match the recipient. This allows for senders to continue to track the general location of the users interacting with their mail. It is only the actual time of the engagement that is no longer properly recorded.  As now when the user actually opens the message on their device, the images will be loaded from the devices own cache, so no activity is detected by web servers hosting images for the email. As of our most recent tests, Apple is keeping images cached on device for about 3 days.

There are many different factors that will impact the behavior of any given Apple device that your messages may reach. In our testing at SocketLabs, images seem to be loaded almost instantly if the Apple device is plugged-in and connected to wifi with the Mail app running in the background. Under other scenarios with varying charge state, wireless connectivity, and inbox placement results different patterns were observed. Ultimately, we've found that Apple was mostly successful in disguising the actual activity of its users, but they have also left some fingerprints that allow for further analysis in some cases.

Here at SocketLabs we don't think at this point it really makes sense to try and reverse engineer and circumvent the privacy protection features being offered by Apple. Doing so with any reliability is going to be extremely difficult, and ultimately the value of doing so really isn't that great. Open data was already extremely noisy and our take on Opens is best summarized at length in our recent blog article - Open Rates are Mostly Dead

Technical Details

That being said, some customers have asked for advice on identifying these events so here are the patterns that you can look for to identify Apple MPP events:

User-Agent for iOS 15/iPad OS 15/Mac OS12 Mail App. 

Apple is using a single unified User-Agent string for the mail app on all of its new operating systems.  This User-Agent is what is provided to identify the device requesting the images in the email messages. The user-agent is the same whether or not the user has chosen to enable the Apple MPP feature or not.  That User-Agent is:

Mozilla/5.0

The IP addresses for iCloud Private Relay.  

Apple is providing an actively curated listed of the IP addresses being used for the proxying of images.  The list can be found on Apple's website:

https://mask-api.icloud.com/egress-ip-ranges.csv

The data provided in this CSV may be a bit more difficult to consumer than using a standard IP geolocation tool.  Thankfully vendors like MaxMind are including this data set in products like their GeoIP2 database products.  

Example Notification API Event:

{

  "Type": "Tracking",
  "DateTime": "2021-10-05T13:56:33.424955Z",
  "MailingId": "InStoreReceipts",
  "MessageId": "trans51631682453",
  "Address": "example@gmail.com",
  "SecretKey": "Lg44THrAhjmFD4Ladf577X",
  "TrackingType": 1,
  "Url": null,
  "ServerId": 1999,
  "ClientIp": "172.225.10.47",
  "UserAgent": "Mozilla/5.0",
  "Tag": null

}

Conclusion

Since the IP address and User-Agent are both provided in SocketLabs Notification API events, you can with some certainty identify message opens that were generated by a device where Apple MPP was enabled and exclude it if from your dataset if desired.  By removing Apple MPP events from your dataset you may be reducing the volume of machine generated opens, but as we know there are many other systems that automatically open and fire tracking pixels, so by no means is this a full stop solution to removing all non-human interactions from your messages.