Apple's "Protect Mail Activity" Doesn't Work

If you have an iPhone, in the settings for the Mail app, there is a “Privacy Protection” section, and inside that it has a “Protect Mail Activity” option. This does not work as advertised and actively worsens your privacy. I told Apple about this early 2025. They discarded the bug, said it works as expected and closed the case.

It’s described here - https://www.apple.com/uk/legal/privacy/data/en/mail-privacy-protection/. Basically, they claim that when this option is turned on, they hide your IP by loading remote content via their proxy (true), and also the following:

“When you receive an email in the Mail app or Mail on iCloud.com, rather than only downloading remote content when you open an email, Protect Mail Activity downloads remote content in the background by default — regardless of whether you engage with the email.”

Which is false. I have used the Mail app on two different iPhones, hooked up to my email account via IMAP. Here’s what actually happens when that option is turned on (I have tested this with https://www.emailprivacytester.com several times):

1. After the email lands on your phone, it does not fetch the images in the background as they claim. It does not do this immediately. It does not do this if you wait for hours.
2. When you open Mail, and see the message in your list of emails, if it is a HTML email and contains a html tag like follows:

   <link rel="prefetch" href="http://trackingcode123.example.com/">
   

   then it will trigger a DNS lookup of trackingcode123.example.com through cloudflares DNS resolvers. Letting the sender know the message has arrived.
3. When you open the email, all remote content is immediately fetched at that point, informing the sender that you have read the email.

Granted, it hides your IP by proxying these requests through Apple, but that is not how Apple says the feature works.

If you want to use Mail on your iPhone, turn this feature off, as you can do better. After turning it off, you will see two other options appear:

1. Hide IP Address
2. Block All Remote Content

Turn both of those on. Now you have the best setup offered by Apple. No network requests are performed automatically, even if you read the email. When you open the email it will say “Message contains unloaded images” with a “Load All Images” button which you can optionally choose to click if you want the remote content.

I don’t know if “Protect Mail Activity” works correctly for other people. Presumably it works for the dev who wrote it at Apple. Maybe it’s because I’m using IMAP? They don’t exclude IMAP in their description of the feature though… Maybe it’s because I’m in the UK and it has to work differently here due to some idiotic rule.

Anyway. If you’re relying on this feature, I suggest you test it out on https://www.emailprivacytester.com because it might not work for you either.

And if you work for Apple, when you get this fixed, pay me. I followed your bug bounty rules. It’s not my fault you ignored me. Give me my damn bounty.