How Apple Mail Privacy Protection inflates email open rates

In September 2021, Apple introduced its Mail Privacy Protection (MPP) feature as part of iOS 15, iPadOS 15, and macOS Monterey. Its purpose is to improve user privacy by preventing email senders from knowing when an email is opened and masking a recipient’s IP address. To appreciate why this matters, it is necessary to understand how traditional email open tracking worked and how MPP changes the game.

The study ‘Privacy versus Convenience: A Historical Perspective, Analysis of Risks, and an Informatics Call to Action’ notes, “The pace of technological change outstrips the pace of social and policy change,” and privacy concerns often emerge only after new systems are widely adopted. Just as mHealth apps became ubiquitous while raising “concerns about the risks of unforeseen or unexpected uses of personal data,” MPP reflects the same tension between convenience and privacy. 

Users gain a sense of safety, but in practice, the feature “raises more questions than it answers,” creating new challenges for organizations that rely on open rates as signals of engagement. In this way, Apple’s intervention shows the broader trade-off between digital convenience and data accuracy, echoing what the authors call a “radical discounting of the value of information” in exchange for perceived security.

What is Apple Mail Privacy Protection?

The purpose of MPP is to prevent email senders from learning specific details about a recipient's email activity, protecting users from unwanted profiling and location tracking. Apple Legal Terms explains that “emails you receive may include remote content that allows the email’s sender to learn information about you… email senders may learn when and how many times you opened their email, whether you forwarded the email, your Internet Protocol (IP) address, and other data that can be used to build a profile of your behavior and learn your location.” With Mail Privacy Protection, Apple counters this by stating that “Protect Mail Activity helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity.”

When users enable MPP, Apple intercepts and preloads email content through a network of proxy servers before the recipient even opens the message. Traditionally, email senders use invisible pixels embedded in messages to collect details about opens, like the time of open, IP address, and device information, to gauge user engagement. This data has been invaluable for healthcare organizations aiming to monitor how patients interact with emails about appointments, medication reminders, or health education. However, by automatically downloading remote content in the background regardless of actual interaction, MPP effectively breaks this model. 

The proxy system is deliberately structured to protect anonymity. According to Apple, “Protect Mail Activity routes all remote content downloaded by Mail through two separate relays operated by different entities. The first knows your IP address, but not any third-party Mail content you receive. The second knows the remote Mail content you receive, but not your IP address.” This separation prevents any one party from linking identity with email activity. Even if a user disables MPP, Apple notes that “the Hide IP Address feature will still mask your IP address using the same two-separate-internet-relays design.”

The main features

• MPP hides your IP address so senders cannot see your location.
• It prevents senders from knowing if or when you opened an email.
• It blocks senders from counting how many times you opened an email.
• It stops senders from learning if you forwarded an email.
• MPP downloads email images and content in the background, even if you never open the email.
• It uses two separate proxy relays so no single party knows both your IP address and your email content.
• Even if you turn off MPP, the “Hide IP Address” feature still masks your IP by default.

How email open rates are inflated 

MPP works by routing all remote content requests through multiple proxies designed to shield the recipient’s IP address and device data. This prefetching effectively opens emails on behalf of the user, injecting noise into the traditional opens metric by making it impossible to distinguish between an actual user viewing an email and the automated downloading of embedded content. As a result, open rates reported by email senders are artificially inflated, sometimes by large margins, because every recipient with Apple Mail and MPP enabled appears as if they have opened the message, even if they have never interacted with it.

According to a study on privacy and security published in the American Journal of Translational Research, the matter of inflated open rates mirrors a broader challenge in digital health and research, where “the rapid growth in the availability and incorporation of digital technologies in almost every aspect of our lives creates extraordinary opportunities but brings with it unique challenges.” Just as translational researchers must navigate the tension between opportunity and risk, marketers and healthcare communicators face an ecosystem where meaningful behavioral data is obscured by automated technical processes.”

The automated nature of this preloading distorts raw open counts and derived analytics like click-to-open rates (CTOR). Since the denominator (the number of reported opens) includes countless artificial opens from proxy downloads, the CTOR is deflated, making it more challenging for healthcare marketers and communication specialists to assess genuine patient interest or interaction levels. These skewed email metrics complicate segmentation, targeting, and evaluation of email campaigns.

The danger to healthcare marketing statistics 

Apple MPP creates a disconnect between what the data reports and what patients actually do. This inflated sense of success can lull marketing teams into complacency, blinding them to messages that may be ignored or unreceived by patients who rely on timely health reminders and education. The result is a dangerous gap between perceived and real engagement.

The issue is comparable to the issue of healthcare data mining explored in the BioData study ‘The ethics of data mining in healthcare: challenges, frameworks, and future directions,’ where “privacy and consent concerns remain paramount when handling sensitive medical data, particularly as healthcare organizations increasingly share patient information with large digital platforms.” 

Just as biased or incomplete datasets can mislead clinical models, MPP’s automated preloading produces misleading engagement signals that healthcare teams may mistake for genuine patient interaction. The authors warn that “algorithmic bias further threatens equity,” and the same principle applies here: reliance on distorted open-rate data can unintentionally reinforce disparities by failing to reach patients who most need reminders, while creating the illusion of equitable communication.

See also: How to use email metrics to improve marketing efforts

How to navigate the MPP impact

Apple MPP can indeed be switched off by users who wish to restore traditional email engagement tracking. Disabling MPP stops Apple from preloading email content in the background, allowing senders to track when and if the email is genuinely opened. While turning off MPP restores visibility into email opens, Apple still offers the option to hide the IP address to maintain some privacy protections. 

For healthcare organizations grappling with the impact of MPP on email analytics, this ability to disable the feature offers a direct means to regain more accurate open-rate data when engaging with patients who opt out of MPP. However, recognizing that not all patients will, or should, disable this privacy feature, healthcare marketers can also leverage alternative data sources provided by platforms like Paubox Marketing. Paubox offers privacy-focused, HIPAA compliant email analytics that go beyond open rates, such as click-through tracking, reply rates, and secure patient portal interactions. 

FAQs

What are third-party trackers in healthcare?

Third-party trackers are external tools or scripts embedded in healthcare websites or applications to collect data on user behavior, such as pages visited, clicks, and time spent.

Why are third-party trackers a concern for healthcare organizations?

These trackers can potentially access and transmit protected health information (PHI) without patient consent.

Are patients aware their data might be tracked?

Often, patients are not explicitly informed that their data is being monitored by third-party trackers. This lack of transparency contributes to distrust and raises ethical issues regarding patient consent and data usage in healthcare marketing and analytics.