Mail Privacy Protection (MPP): What it means for your email analytics
Over the past few years, email privacy updates have changed how open tracking works, and not just on Apple devices.
If your open rates feel higher than expected, inconsistent, or just harder to interpret, you’re not imagining it. This article explains what’s happening, what’s affected inside Flodesk, and how to confidently measure engagement moving forward.
The short version: Open rates are no longer a reliable measure of engagement. And even click tracking needs a bit more context today.
What is Mail Privacy Protection (MPP)?
Mail Privacy Protection (MPP) is a privacy feature introduced by Apple for the Apple Mail app on iPhone, iPad, and Mac.
When enabled, Apple Mail:
Pre-loads email content (including tracking pixels)
Routes content through a proxy server
Can register an “open” even if the person didn’t actually read the email
This means some opens are automatic, not intentional.
Is this only an Apple issue?
No.
Apple’s MPP was the biggest shift, but email privacy and security protections have continued evolving across the industry, including Gmail, Outlook, Yahoo, and others.
Today:
Some providers cache or proxy images
Some block images by default
Some use security filters that trigger tracking pixels
Some scan email links for safety before the recipient clicks
Open tracking may still technically fire, but it no longer consistently reflects real human behavior.
How does this affect my Flodesk analytics?
Because open tracking relies on a tiny invisible image (a tracking pixel), privacy changes can:
Inflate open rates
Mask real engagement
Trigger opens from automated systems instead of humans
This impacts features that rely on open data, including:
Email open rate reporting
Workflow analytics that reference opens
Open-based workflow conditions
Resend to unopens
Subscriber activity tracking based on opens
What about click tracking?
Clicks are still more meaningful than opens, but they are not perfect either.
Many inbox providers and corporate email systems now scan links for security reasons. These scans can:
Trigger a click before the human recipient opens the email
Happen immediately after delivery
Come from security software instead of the subscriber
This means:
Some clicks may be automated
A small number of subscribers may appear to click instantly
Click totals may occasionally be slightly inflated
Important: Real human clicks usually happen minutes or hours after delivery, not immediately.
While click tracking remains one of the strongest engagement signals available, it’s best viewed as a directional indicator, not a perfect measure.
Should I be worried?
Nope. These changes are industry-wide and affect all email marketing platforms.
Instead of asking:
“Did they open?”
Or even:
“Did they click?”
The better question is:
“Are they meaningfully engaging over time?”
Looking at patterns, not just one metric, gives you a much clearer picture.
What should I focus on instead?
Here’s a smarter way to measure engagement today:
1. Look at click patterns (not just one-off clicks)
If someone clicks consistently across multiple emails, that’s strong engagement.
A single instant click right after delivery? That could be a security scan.
2. Watch timing
Bot clicks often happen immediately upon delivery. Human clicks usually happen later.
Patterns matter more than isolated data points.
3. Track conversions
The strongest signal of engagement is action taken after the click, like:
Purchases
Bookings
Downloads
Replies
Adding UTM parameters can help you measure this in analytics tools.
4. Run re-engagement campaigns
Instead of removing subscribers based on opens:
Send a “Do you still want these emails?” message
Ask them to click to confirm
Monitor continued engagement over time
This approach is more reliable than using opens alone.
5. Use preferences
Let subscribers choose what they want and how often they want to hear from you. Relevance naturally increases real engagement.
How should I clean my list now?
Avoid cleaning your list based only on:
Open rates
A single click
Short-term activity
Instead, look at:
Repeated click activity over time
Conversion behavior
Engagement across multiple campaigns
Re-confirmation campaign responses
Healthy list management today is about trends and consistency, not one isolated metric.
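The timing and repeated-click checks described above can be run over exported click data. The script below is an added example, not Flodesk code or a Flodesk export format: the event fields, the 60-second "instant" window, and the two-campaign threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed cutoff: the article says scanner clicks land "immediately" after
# delivery but gives no number, so 60 seconds is an illustrative choice.
INSTANT_WINDOW = timedelta(seconds=60)
# Assumed: delayed clicks in this many campaigns count as a consistent pattern.
MIN_CAMPAIGNS = 2

# Constructed sample events: (subscriber, campaign, delivered_at, clicked_at)
EVENTS = [
    ("ana@example.com", "jan", "2024-01-10T09:00:00", "2024-01-10T09:42:10"),
    ("ana@example.com", "feb", "2024-02-10T09:00:00", "2024-02-10T13:05:00"),
    ("ana@example.com", "mar", "2024-03-10T09:00:00", "2024-03-10T09:00:03"),
    ("it@corp.example", "jan", "2024-01-10T09:00:00", "2024-01-10T09:00:02"),
    ("it@corp.example", "feb", "2024-02-10T09:00:00", "2024-02-10T09:00:04"),
    ("lee@example.com", "feb", "2024-02-10T09:00:00", "2024-02-11T08:15:00"),
]

def is_instant(delivered_at, clicked_at):
    """True when the click lands inside the assumed post-delivery window."""
    delay = datetime.fromisoformat(clicked_at) - datetime.fromisoformat(delivered_at)
    return delay <= INSTANT_WINDOW

def summarize(events):
    """Per subscriber: campaigns with a delayed click vs. instant clicks only."""
    delayed = defaultdict(set)
    instant = defaultdict(set)
    for subscriber, campaign, delivered_at, clicked_at in events:
        bucket = instant if is_instant(delivered_at, clicked_at) else delayed
        bucket[subscriber].add(campaign)
    summary = {}
    for subscriber in set(delayed) | set(instant):
        n = len(delayed[subscriber])
        if n >= MIN_CAMPAIGNS:
            label = "consistent"      # repeated delayed clicks over time
        elif n == 1:
            label = "some-activity"   # one delayed click, not yet a pattern
        else:
            label = "instant-only"    # every click was right after delivery
        summary[subscriber] = {"delayed_campaigns": n,
                               "instant_campaigns": len(instant[subscriber]),
                               "label": label}
    return summary

if __name__ == "__main__":
    for subscriber, row in sorted(summarize(EVENTS).items()):
        print(subscriber, row)
```

An "instant-only" label is a reason to send a re-confirmation email, not proof that the subscriber is inactive.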
Big-picture takeaway
Mail Privacy Protection didn’t break email marketing. It just changed how we measure engagement.
Open rates are no longer dependable on their own.
Click data is stronger, but still imperfect due to security scans.
The strongest strategy now focuses on:
Clear calls to action
Valuable, relevant content
Engagement patterns over time
Conversion behavior
Smart segmentation
If your audience consistently interacts, replies, and converts, you’re doing it right.
FAQs
Why are my open rates unusually high?
Automatic image pre-loading (especially in Apple Mail) and security scans can trigger tracking pixels, making emails appear opened even if they weren’t read.
Are open rates accurate anymore?
They can show general trends, but they are no longer reliable indicators of true engagement.
Are clicks still accurate?
Clicks are more meaningful than opens, but security systems may scan links automatically. Because of this, clicks should be viewed as a strong directional signal — not perfect proof of human action.
How can I spot possible bot clicks?
Bot clicks often happen immediately after delivery. Human clicks usually occur minutes or hours later. Look for patterns across multiple emails rather than isolated events.
Should I delete subscribers who haven’t opened in 90 days?
Not based on opens alone. Consider click patterns, conversions, and re-engagement campaigns first.
Is email marketing still effective?
Absolutely. Engagement, conversions, replies, and meaningful actions remain strong indicators of performance, and those matter far more than opens alone.
