Does Apple Private Relay break my email authentication (SPF, DKIM, DMARC)?

No, Apple Private Relay does not break your email authentication. Instead, it re-signs emails with Apple's own SPF and DKIM records, passing DMARC. This means the final recipient server sees Apple as the authenticating entity, not your original domain.

Why do emails sent directly land in the inbox but those via Private Relay go to spam?

This often occurs because directly sent emails benefit from your specific domain and IP reputation. Emails sent via Private Relay inherit the shared reputation of Apple's relay service. If Apple's relay is used by senders with poor practices, it can negatively impact deliverability for all.

What is the difference between 'Sign in with Apple' and 'Hide My Email'?

'Sign in with Apple' allows users to quickly create accounts with apps, offering the option to 'Hide My Email' which generates a random, unique Apple Private Relay email address. 'Hide My Email' can also be used independently by any iCloud+ subscriber to create proxy email addresses for various purposes.

Can I prevent my emails from going to spam with Apple Private Relay?

While you can't control Apple's relay reputation directly, you can improve your overall email sending practices: register your domains with Apple, maintain a clean list, ensure good engagement, and educate your subscribers to check their spam folders and mark your emails as 'not spam'.

Does Apple Private Relay affect email tracking, like open rates?

Apple Mail Privacy Protection (MPP), which often works alongside Private Relay, impacts email tracking by preloading images, making it appear as if all emails are opened. This can inflate open rates and reduce the reliability of open-based tracking.

Why are emails sent through Apple Private Relay going to spam? - Troubleshooting - Email deliverability - Knowledge base

It can be frustrating when emails you send reliably land in the inbox for standard addresses, but mysteriously end up in spam folders when sent through Apple Private Relay addresses. This is a common challenge for many senders, especially those using Apple's 'Sign in with Apple' feature. It's perplexing because, on the surface, everything seems to be authenticated correctly. Yet, mail still struggles to reach the primary inbox.

I've observed cases where a client reported that emails sent via an Apple Private Relay address would go to Gmail spam, while the exact same message sent directly to the user's actual Gmail address would land in the inbox. This suggests something specific about the Private Relay mechanism is influencing filtering decisions, even when email authentication appears to pass.

The core of the issue often lies in how Apple handles and re-authenticates these emails, and the downstream impact on reputation. Let's explore the underlying reasons and what you can do about it.

Understanding Apple Private Relay

Apple Private Relay, particularly the 'Hide My Email' functionality associated with 'Sign in with Apple', generates unique, random email addresses ending in @privaterelay.appleid.com. These addresses act as intermediaries, forwarding emails to the user's actual email inbox while keeping their real address private. While a fantastic privacy feature for users, it introduces complexity for email senders.

How Apple Private Relay works for email

When a user signs up for a service using 'Sign in with Apple' and chooses 'Hide My Email', Apple generates a unique email address. Any emails sent to this relay address are then forwarded to the user's actual inbox while Apple's own spam filtering also occurs, before the email reaches the final recipient's inbox.

Proxy addresses: Users get a unique, randomized @privaterelay.appleid.com address.
Domain registration: To ensure proper delivery, you must register your sending domains with Apple. Failure to do so often results in bounces.

While Private Relay is designed to preserve user privacy, it can inadvertently affect deliverability. The system modifies email headers, often signing them with Apple's own authentication (SPF, DKIM, and DMARC). This means that by the time the email reaches the final inbox provider, its authentication record points to Apple, not your original sending domain.

This leads to a unique challenge: shared reputation. If other senders using @privaterelay.appleid.com have poor sending habits, it can negatively impact your deliverability, even if your own sending practices are exemplary.

The impact of header rewriting and authentication

When an email passes through Apple Private Relay, its headers are re-written. This isn't necessarily a bad thing, as it's designed to maintain privacy and ensure deliverability through Apple's system. However, it changes the authentication footprint that receiving mailboxes see.

Example of Apple Private Relay Authentication Headers (Gmail)text

ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@privaterelay.appleid.com header.s=prv2019 header.b=xT1mWdNt;
    spf=pass (google.com: domain of privaterelay.bounce.dtk@privaterelay.appleid.com designates 17.41.186.236 as permitted sender) smtp.mailfrom=privaterelay.bounce.dtk@privaterelay.appleid.com;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=appleid.com
Return-Path: <privaterelay.bounce.dtk@privaterelay.appleid.com>

As seen in the example headers, even if your original email was perfectly authenticated, the final recipient's mail server, such as Google (

Gmail), sees the email as coming from and authenticated by Apple. This means the sender reputation applied by Gmail is associated with Apple's relay service, not your domain directly. If Apple's relay service is forwarding a significant volume of mail that recipients don't want, or if other senders using the relay have poor practices, it can lead to higher spam filtering rates for all emails coming through it.

This also explains why sending the same message directly to a user's actual email address might result in inbox placement, while the Private Relay version goes to spam. The direct send benefits from your established domain and IP reputation, whereas the Private Relay send relies on the shared reputation of Apple's relay infrastructure.

Direct email sending

Authentication: Uses your domain's specific SPF, DKIM, and DMARC records.
Reputation: Leverages your established sender reputation directly.
Control: You have full control over your email deliverability factors.

Apple private relay sending

Authentication: Apple re-authenticates emails with its own SPF/DKIM/DMARC.
Reputation: Inherits Apple's shared relay reputation, which can fluctuate.
Control: Limited direct control over the final deliverability outcome.

Troubleshooting and mitigation strategies

While you're somewhat at the mercy of Apple's overall reputation when sending to Private Relay addresses, there are steps you can take to mitigate the risk of landing in the spam or junk folder.

Verify registration: Ensure your sending domains are correctly registered and verified within your Apple Developer account settings. A misconfiguration here can lead to immediate bounces.
Monitor deliverability: Keep a close eye on your deliverability rates for emails sent through Private Relay. If you notice a significant drop or increased spam placement, it could indicate a broader issue with Apple's relay reputation or a specific problem with your sending.
Maintain high sender reputation: Even though Apple re-authenticates, your original sender reputation still plays a role in the initial acceptance of the email by Apple's servers. Focus on practices that ensure a strong domain reputation, like managing bounces, handling spam complaints, and keeping your lists clean.
List-Unsubscribe header: Some reports indicate that Apple's re-authentication might remove the List-Unsubscribe header. This is crucial for inbox providers like Gmail, who increasingly rely on this for compliance and user experience. Ensure your emails include this header, and be aware that Apple's relay might impact its presence downstream.

Unfortunately, direct intervention on Apple's side is limited for individual senders. The most effective strategy remains focusing on your own email program's hygiene and overall reputation. This includes robust DMARC monitoring, maintaining a clean email list, and ensuring valuable content.

Educate your subscribers

If you experience consistent spam placement for Apple Private Relay users, consider proactively educating your subscribers. In your onboarding or confirmation emails, advise them to check their spam or junk folder and, if found there, to mark your email as 'not spam' or move it to their inbox. This positive engagement can help train the recipient's mailbox (like Gmail) over time to properly classify your emails.

It's a waiting game to some extent, as mail service providers like Gmail refine their machine learning filters to better differentiate legitimate senders utilizing Apple Private Relay. Until then, consistent good sending practices and subscriber education are your best tools.

Views from the trenches

Best practices

Always compare email headers between direct sends and Private Relay sends to identify any differences.

Common pitfalls

Assuming that passing DMARC via Apple's authentication guarantees inbox placement.

Expert tips

Check email headers, engage with Apple's developer documentation, maintain overall strong sender reputation.

Expert view

Expert from Email Geeks says that Apple fully rewrites email headers to handle DMARC, meaning the email's authentication footprint will point to Apple, not the original sender's domain.

2022-05-09 - Email Geeks

Expert view

Expert from Email Geeks says that if Apple is handling the authentication, senders are sharing the aggregated reputation of every company that uses the Apple Private Relay domain.

2022-05-09 - Email Geeks

Navigating the Apple Private Relay landscape

The challenge with emails sent through Apple Private Relay ending up in spam is a complex one, primarily stemming from the re-authentication process and the shared reputation model. While Apple aims to protect user privacy, it inadvertently creates a layer of abstraction that can obscure individual sender reputation from the perspective of recipient mail services like Google (

Gmail) or Microsoft (

Outlook).

It's important to remember that this situation is likely an evolving one. As mail service providers continue to refine their machine learning filters, they may develop more sophisticated ways to differentiate senders even when emails come through a proxy service like Private Relay. Until then, maintaining excellent email deliverability practices remains your strongest defense.

Focus on high engagement, low complaint rates, and robust email authentication for your direct sends. This consistent positive behavior helps establish a strong reputation that can potentially influence how your emails are treated, even when traversing the Apple Private Relay system.