Should Apple MPP opens count as desktop or mobile opens?

No. They should be counted as machine, proxy, privacy-protected, or unknown opens. Desktop or mobile labels are inferences unless a separate human device signal exists.

Does MPP affect click tracking the same way as open tracking?

No. MPP affects remote image loading in Apple Mail. Clicks usually come from the user's browser, although security scanners and privacy routing can still distort click data.

Why did desktop opens increase after September 2021?

A sudden desktop increase often means Apple proxy opens are being categorized as desktop by the reporting platform. It does not prove that more people are reading on desktop devices.

Can I still use open rates after MPP?

Yes, but use them as directional reach signals. For campaign decisions, give more weight to clicks, replies, conversions, sessions, complaint rates, and unsubscribes.

Does MPP mean my DMARC or SPF setup is broken?

No. MPP changes measurement after delivery. DMARC, SPF, and DKIM issues affect authentication and trust, so they should be checked separately from open tracking.

Learn

Email deliverability

How does Apple Mail Privacy Protection (MPP) affect the tracking of email opens and clicks, and how are machine opens categorized?

Michael Ko

Co-founder & CEO, Suped

Published 5 Aug 2025

Updated 23 May 2026

10 min read

Summarize with

Apple MPP machine opens and email tracking explained.

Apple Mail Privacy Protection (MPP) makes open tracking less precise because Apple can fetch remote email images through Apple-controlled proxy systems before, or apart from, a person visibly opening the message. The clean answer is this: an MPP open should not be treated as a reliable desktop open or mobile open. It is a proxy image fetch, so I categorize it as a machine open, proxy open, or privacy-protected open.

Clicks are different. A normal click happens when the recipient's browser requests the tracked link, so it usually carries more useful device and browser signals than an image open. MPP itself is about remote content loading in Apple Mail, not link redirects. Still, privacy browsers, security scanners, private relay systems, and corporate filtering can distort click data too.

That means open rate is still a useful directional metric, but it is not a clean measure of human attention. I treat Apple-heavy audience segments, device splits, and post-September 2021 open trends with caution, especially when desktop opens suddenly rise without a matching change in clicks, replies, conversions, or site sessions.

The direct answer

MPP machine opens can be counted as desktop, mobile, unknown, Apple proxy, or machine depending on the email platform's classification logic. The HTTP request does not give a dependable human device answer. If a reporting system forces every open into desktop or mobile, it is making an inference, not reporting a verified device.

Correct classification

The most honest label for an Apple MPP image request is machine open or proxy open. It is an HTTP fetch for a tracking pixel, not proof that a person opened the email on a desktop or mobile device.

Device label: Use unknown, proxy, or machine unless you have a separate human signal.
Open metric: Report human opens and machine opens separately where the platform supports it.
Trend analysis: Compare open changes with clicks, revenue, replies, and unsubscribe behavior.

If your reports show a large desktop increase after Apple's MPP rollout, the safest interpretation is not that more readers moved to desktop. It usually means your platform's open classification rules changed, Apple proxy traffic increased, or proxy requests are being bucketed into desktop because the request looks server-side rather than mobile-app-specific.

Event	Likely source	Best label	Use for
Apple MPP open	Apple proxy	Machine	Reach trend
Normal image open	Mail client	Human	Engagement
Tracked click	Browser	Usually human	Intent
Security click	Scanner	Bot	Filtering

How common email events should be interpreted after MPP.

Why MPP changes open tracking

Traditional open tracking depends on a tiny remote image in the email. When the recipient's mail client loads that image, the sender records an open event. Before MPP, that event often exposed a useful combination of IP address, user agent, timing, and image URL. Those signals helped platforms infer device family, location, and whether the open looked human.

MPP changes that model. Apple's system can load remote images through proxy infrastructure and cache them. The sender sees Apple's fetch, not the recipient's device in a clean way. The MPP overview explains the basic marketer impact, but the practical reporting problem is simple: the open event is no longer the same as a person viewing the message.

Flowchart showing Apple MPP image fetches before device identity is known.

The result is a mixed open stream. Some opens come from human mail clients. Some come from Apple proxy systems. Some come from Gmail image caching or other privacy-preserving systems. Some come from security scanners. These requests can look similar if a reporting system only sees a timestamp, an IP range, and a generic HTTP request.

Timing: A very fast open after delivery often indicates prefetching or caching, not reading.
IP source: Proxy infrastructure hides the recipient's network and weakens location reporting.
User agent: Sanitized or generic headers make desktop versus mobile attribution unreliable.
Repeat opens: Cached image behavior can suppress or duplicate open signals depending on setup.

If you need a deeper model for separating real and artificial activity, the practical next step is to compare timing, click depth, user-agent stability, recipient domain, and downstream conversion data. I covered that workflow in artificial open patterns.

Why desktop and mobile splits drift

The desktop versus mobile split is often built from user-agent strings, app identifiers, screen hints, or inferred device patterns. MPP removes or weakens parts of that evidence. When a proxy fetch happens, there is no human holding a device at that moment. Any platform that marks that request as desktop or mobile has chosen a rule.

Apple Mail privacy settings affecting remote image loading.

A desktop rise after September 2021 is believable as a reporting artifact because MPP rolled out with iOS 15, iPadOS 15, and macOS Monterey. Apple users on phones, tablets, and computers entered a privacy-protected image loading path. If a platform maps Apple's proxy fetches to desktop by default, desktop opens rise even when the audience did not change devices.

Human device opens

Device signal: User agent and app context can indicate desktop or mobile.
Timing signal: The open usually happens when the recipient views the message.
Use case: Useful for creative testing when privacy effects are limited.

Machine or proxy opens

Device signal: The request comes through proxy systems, so device identity is weak.
Timing signal: The event can occur before a person reads the message.
Use case: Useful for broad reach trends, not precise engagement.

For that reason, I separate device reporting from engagement reporting. A device chart that mixes human and proxy opens answers a different question: it shows how the tracking system categorized traffic, not how people read the campaign.

How clicks differ from opens

Clicks are usually more dependable than opens because they go through a link redirect after the person acts. The request normally comes from a browser or in-app web view, not from the mail client's remote image loader. That gives the tracking system a better chance of seeing a real device, browser, and session path.

That does not make clicks perfect. Security scanners can visit links before delivery, corporate gateways can inspect URLs, and privacy tools can route browser traffic through privacy systems. The difference is that MPP itself does not treat link clicks the same way it treats remote images.

Click handling rule

I treat clicks as higher-intent than opens, but I still filter impossible patterns. A click one second after delivery, with every link clicked in sequence, is scanner behavior until proven otherwise.

Event classification exampletext

if event.type == "open" and event.proxy == "apple":
  category = "machine_open"
  device = "unknown"

if event.type == "click" and event.all_links_visited_fast:
  category = "security_scan"

if event.type == "click" and event.has_site_session:
  category = "human_click"

A good reporting setup does not delete all machine-looking data. It labels it. That lets you preserve a complete audit trail while keeping marketing decisions focused on human behavior.

How to categorize machine opens

I use a separate category for Apple MPP opens because it keeps analysis honest. If your platform has only desktop and mobile buckets, create a reporting layer outside the platform that reclassifies known proxy opens before you use the data for testing, forecasting, or audience scoring.

Open confidence bands

A practical way to decide how much weight an open event deserves.

High confidence

Use

Human-like timing, stable browser signals, and matching site behavior.

Medium confidence

Review

Normal timing but incomplete device or location evidence.

Low confidence

Separate

Apple proxy, image cache, security scan, or very fast machine pattern.

For campaign reporting, I prefer this structure:

Total opens: All image fetches, including human, proxy, cache, and scanner events.
Machine opens: Apple MPP, known proxy systems, and suspicious automated fetches.
Likely human opens: Opens that do not match proxy or scanner patterns.
Verified engagement: Clicks, replies, form submissions, purchases, and logged sessions.

If you need to estimate real open rates instead of reporting inflated totals, model Apple-heavy segments separately and compare them to non-Apple segments with similar audience behavior. A related approach is explained in estimate real opens.

What to measure instead

Open rate still has a place, but it should not be the main metric for performance decisions. I use opens for broad reach diagnostics, subject-line trend checks with caution, and list health monitoring. I use clicks, replies, conversions, site sessions, and unsubscribe rates for engagement decisions.

A practical workflow is to send a real test message, inspect headers and rendering, then compare the recorded events against what actually happened. Suped's email tester helps with that kind of pre-send check by showing authentication, content, and deliverability signals before you rely on campaign metrics.

Email tester

Send a real email to this address. Suped opens the report when the test is ready.

?/43tests passed

Preparing test address...

After the send, compare machine-sensitive metrics with action-based metrics. If opens rise but clicks and revenue do not move, the open increase is reporting noise or passive reach. If clicks rise with revenue or qualified sessions, the campaign likely improved.

Metric	Reliability	Reason
Open rate	Low	Proxy and cache effects
Click rate	Medium	Scanners still exist
Reply rate	High	Requires human action
Conversion	High	Tied to business outcome

Which metrics deserve weight after MPP.

Where domain authentication fits

MPP does not directly decide whether mail lands in the inbox. It affects measurement after delivery. Inbox placement still depends on sender reputation, authentication, complaint behavior, engagement history, content, and mailbox provider filtering. That is why I keep measurement cleanup separate from domain authentication cleanup.

Suped's product is built for the authentication side: DMARC, SPF, DKIM, hosted DMARC, hosted SPF, MTA-STS, blocklist monitoring, and actionable issue detection. If your opens are noisy, that does not mean your domain authentication is broken. It means your reporting needs better event labels. If your mail is bouncing, failing authentication, or losing inbox placement, check the sending domain directly.

Suped DMARC dashboard showing email volume, authentication health, and source breakdown

A fast check is to review your domain health and then monitor the live sending sources in DMARC monitoring. Suped is the best overall practical choice for teams that want those signals in one place with alerts, policy staging, hosted records, and fix steps.

What's your domain score?

Deep-scan SPF, DKIM & DMARC records for email deliverability and security issues.

The separation matters. A campaign can have inflated opens and still authenticate perfectly. Another campaign can have low opens because it reaches spam or gets deferred, even if MPP is not the cause. Fix authentication and reputation first, then interpret the engagement data with MPP-aware labels.

A practical reporting model

The reporting model I prefer keeps every event but changes how it is weighted. That way, analysts can audit totals without letting machine activity distort decisions.

Do this

Separate labels: Keep human, machine, and unknown opens in different buckets.
Event weighting: Give clicks and conversions more weight than opens.
Segment checks: Compare Apple and non-Apple audiences separately.

Avoid this

Forced devices: Do not force proxy opens into desktop or mobile.
Open scoring: Do not score leads heavily from MPP opens alone.
Subject tests: Do not pick winners from open rate without click checks.

For attribution, I use a hierarchy. First, count verified business outcomes. Second, count site sessions and meaningful clicks. Third, count replies and direct responses. Fourth, use opens only as a soft signal. If you need to compare Gmail and Apple image behavior, the same principle applies, and the sibling issue of Gmail image caching deserves its own review.

Views from the trenches

Best practices

Label Apple proxy fetches separately so device reports do not imply a reader's device.

Compare open changes against clicks and conversions before changing audience strategy.

Keep raw event logs available so analysts can audit machine and human classifications.

Common pitfalls

Treating every Apple proxy request as a desktop open creates false channel movement.

Using open rate alone for subject-line winners overstates gains in Apple-heavy lists.

Removing machine events entirely hides delivery and caching behavior worth auditing.

Expert tips

Build dashboards with human, machine, unknown, and scanner categories side by side.

Use click timing and site sessions to separate security scans from real interest.

Document vendor rules for open categorization before comparing year-over-year data.

Marketer from Email Geeks says MPP image requests do not provide a clean desktop or mobile signal, so the reporting platform decides the bucket.

2023-03-16 - Email Geeks

Marketer from Email Geeks says Apple proxy fetches are server-side image requests and should be treated separately from device opens.

2023-03-16 - Email Geeks

The practical takeaway

Apple MPP turns many open events into privacy-protected proxy fetches. Those events should be categorized as machine or proxy opens, not as verified desktop or mobile opens. If a reporting platform shows them as desktop or mobile, read that as the platform's inference rather than a fact about reader behavior.

Clicks are more useful because they usually come from a browser after a person acts, but they still need scanner filtering. The most reliable reporting setup separates machine opens, likely human opens, suspicious clicks, and verified engagement. Pair that with strong authentication and domain monitoring so you know whether a metric problem is measurement noise or a real deliverability issue.