Is this really caused by iCloud Private Relay?

In most email cases, the issue is Apple's email relay for Hide My Email or Sign in with Apple, not the web browsing version of iCloud Private Relay. The delivery problem happens because mail is forwarded through Apple's relay before Gmail makes the final placement decision.

Why are bounce rates normal if users say mail is missing?

Normal bounce rates mean Apple accepted the message or no rejection reached the sender. They do not prove Gmail inbox placement. The message can be in spam, Trash, a Workspace quarantine, or a user-filtered location.

Does SPF fail when Apple forwards mail to Gmail?

SPF becomes less reliable after forwarding because Gmail receives the message from Apple's relay infrastructure, not the original sender's server. DKIM becomes the key signal because a valid DKIM signature can survive forwarding.

Should I suppress Apple relay addresses?

Do not suppress them by default. Keep them for account and transactional mail, add resend flows, warn users about the expected From address, and suppress only when the user has clearly abandoned or complained about the mail.

What evidence should I give Apple or Google?

Collect timestamps, message IDs, relay addresses, original recipient addresses where allowed, bounce text, sender logs, seed test results, and full headers from any delivered copy. Evidence from both direct Gmail and relayed Gmail tests is the most useful comparison.

Learn

Email deliverability

What causes email deliverability issues for Gmail users with iCloud Private Relay?

Michael Ko

Co-founder & CEO, Suped

Published 22 Apr 2025

Updated 27 May 2026

9 min read

Summarize with

A calm editorial thumbnail showing Gmail, Apple relay, and a forwarding path.

The usual causes are Apple relay reputation, Gmail filtering after forwarding, broken or weakened authentication, sender DNS gaps, and recipient-side Gmail routing. When a Gmail user signs up with an Apple private relay address, your mail does not go straight to Gmail. It goes to Apple's relay first, then Apple forwards it to the user's real Gmail inbox. That extra hop changes what Gmail sees.

One clarification matters. In this email context, people often say "iCloud Private Relay" when they mean Apple's email relay used by Hide My Email and Sign in with Apple. iCloud Private Relay also has a web browsing privacy meaning, but the delivery issue here is the email path through privaterelay.appleid.com or related Apple relay infrastructure.

I do not treat normal bounce rates as proof that these messages reached the inbox. A message can be accepted by Apple, forwarded toward Gmail, then filtered by Gmail into spam, held by Google Workspace quarantine, routed by a user filter, or delayed in a place the sender cannot see. If the message truly gets rejected during the Apple-to-Gmail handoff, Apple normally has enough information to generate a bounce, but the sender's logs still need to be checked against seed tests.

The direct answer

Gmail delivery issues for users behind Apple relay are caused by the combination of a shared forwarding service and Gmail's final filtering decision. Gmail is not judging only your domain. It also sees the message after Apple has handled it, with Apple's relay domain, Apple's forwarding behavior, and the recipient's Gmail account context all in the path.

Relay reputation: Apple relay addresses are often used when recipients do not fully trust a sender, so ignores, spam clicks, and low engagement can drag on the shared relay path.
Forwarding effects: SPF is less useful after forwarding, and DKIM must survive unchanged for DMARC to stay clean at the final mailbox.
Gmail filtering: Gmail can place relay-forwarded mail differently than the same mail sent directly to the same Gmail account.
DNS defects: Missing MX, A, SPF, DKIM, or DMARC records create failures that become harder to read once Apple sits between the sender and Gmail.
User routing: Personal filters, Google Workspace rules, blocked senders, and spam folder behavior can look like silent loss from the sender side.

The sender is not always the only problem

A sender with strong direct Gmail delivery can still have poor delivery to Gmail users who signed up through Apple's relay. That does not clear the sender from review, but it does change the diagnostic path. I start by proving whether direct Gmail and Apple-relayed Gmail behave differently under the same content, sending IP, DKIM selector, and message stream.

The relay path shows a sender, Apple relay, Gmail filtering, and the user mailbox.

Why Gmail treats relayed mail differently

A direct Gmail delivery test and a relay delivery test are not the same test. Direct mail reaches Gmail from your mail provider. Relayed mail reaches Gmail after Apple has accepted and forwarded it. Gmail can weigh that forwarded copy against different signals, including Apple's relay reputation, the preserved DKIM signature, headers added by Apple, the final recipient's previous engagement, and whether the message resembles mail users have ignored through relay addresses.

This is why the symptom feels unfair. The sender can have clean direct delivery to Gmail, normal complaint rates, and no visible bounce spike, yet a subset of Apple-relayed Gmail users reports missing mail. In that case, I look for a path-specific problem, not a broad sender reputation collapse.

Direct Gmail path

Connection: Gmail sees the sender's sending IP and mail stream directly.
Authentication: SPF, DKIM, and DMARC are evaluated on the original delivery.
Diagnosis: Logs, Gmail placement tests, and authentication headers are easier to read.

Apple relay path

Connection: Gmail sees a forwarded message that arrived through Apple's relay.
Authentication: SPF can stop matching the original sender, so DKIM matters more.
Diagnosis: The sender sees less of Gmail's final placement decision.

If the same message inboxes when sent directly to Gmail but lands in spam after Apple forwards it, the relay path is the differentiator. For a deeper relay-specific spam discussion, see Private Relay spam.

Authentication and DNS causes

Authentication is the first place I check because forwarding makes weak setups worse. SPF depends on the connecting server. After Apple forwards the message, Gmail is no longer receiving it from your original sending IP. DKIM should survive forwarding, but only if the message body and signed headers are not changed in a way that breaks the signature. DMARC then depends on at least one clean authenticated path with domain matching.

DNS also matters outside SPF, DKIM, and DMARC. If a sending hostname, return-path host, tracking host, or mail exchanger lacks the expected A, MX, or CNAME records, Apple and Gmail can see inconsistent answers. A DNS issue does not explain every Gmail-only relay symptom, but it can exist at the same time as relay reputation trouble.

DNS baseline to verifyDNS

example.com. 3600 IN MX 10 mail.example.com.
mail.example.com. 3600 IN A 203.0.113.10

example.com. 3600 IN TXT "v=spf1 include:spf.sender.example -all"

selector1._domainkey.example.com. 3600 IN TXT (
  "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY"
)

_dmarc.example.com. 3600 IN TXT (
  "v=DMARC1; p=none; rua=mailto:dmarc@example.com; "
  "adkim=s; aspf=s; pct=100"
)

For a fast DNS and authentication pass, run a domain health check before changing content or suppressing users. I want to know whether the sender's base identity is clean before I test the relay path.

Signal	Meaning	Action
No bounce	Apple accepted	Seed test
Spam	Gmail filtered	Compare path
DNS warning	Host missing	Fix records
DMARC fail	DKIM broke	Sign mail

Use the symptom to choose the next check.

How I test the relay path

The cleanest test uses two recipients controlled by the same person: a normal Gmail address and an Apple relay address that forwards to that same Gmail account. Send the same message to both recipients from the same stream. Do not change the subject, links, template, DKIM selector, sending IP, or envelope setup between tests. Then search Gmail's All Mail, Spam, Trash, Promotions, Updates, and any admin quarantine if the account is on Google Workspace.

I also collect headers from any delivered relay copy. Headers show whether DKIM survived, whether ARC was added, what SPF evaluated against, and whether Gmail made a spam decision after Apple forwarded the mail. If no copy arrives, the next best evidence is Apple relay bounce data, sender logs, and repeated seed tests across more than one Gmail account.

A Gmail screenshot showing direct delivery in Inbox and relay delivery in Spam.

A practical test sequence

Baseline: Send to a normal Gmail address and record placement.
Relay copy: Send the same message to an Apple relay address that forwards to Gmail.
Mailbox search: Search All Mail, Spam, Trash, categories, and filters.
Header review: Compare authentication results between direct and relayed copies.
Repeat: Run the same test across different Gmail accounts before changing policy.

Fixes that actually reduce the risk

The fix is not to suppress every Apple relay address by default. Some users rely on those addresses for account access and password resets. The better approach is to prove the failure mode, harden authentication, reduce suspicious patterns, and give users a clear backup route for critical messages.

Start with a real-message email test so you can inspect authentication, content, and placement signals together. Then check DMARC reports over the same window. If the issue is only present for Apple-relayed Gmail users, keep the remediation focused there.

Email tester

Send a real email to this address. Suped opens the report when the test is ready.

?/43tests passed

Preparing test address...

The highest-value fixes are boring: stable DKIM signing, clean From domains, consistent return-path handling, verified tracking domains, and content that matches what the user expected when they created the relay address. I also check blocklist (blacklist) signals for the sending domain and IPs because reputation trouble can combine with the relay path. Suped's blocklist monitoring is useful here because it keeps blocklist and blacklist checks beside authentication monitoring instead of treating them as a separate workflow.

Keep DKIM stable: Use a signing domain that matches the visible From domain and avoid message changes after signing.
Separate mail streams: Do not mix password resets, lifecycle mail, and bulk marketing through the same exact stream when relay complaints appear.
Warn relay users: During signup, tell Apple relay users the From address to expect and offer a way to resend critical mail.
Watch reports: Use DMARC monitoring to catch DKIM failures and new sources before they become Gmail placement issues.

Where Suped fits

Suped's product workflow is useful when the team needs to separate sender-side authentication defects from Apple-relay-specific placement issues. Suped brings DMARC, SPF, DKIM monitoring, hosted SPF, hosted DMARC, hosted MTA-STS, SPF flattening, blocklist monitoring, and real-time alerts into one place. That matters because this problem crosses DNS, authentication, reputation, and inbox placement evidence.

Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action

For this workflow, Suped is the strongest overall DMARC platform for most teams because it turns reports into concrete issues and fix steps. I still keep the relay test separate: Suped can prove whether your domain authentication is healthy, whether a source is unauthenticated, and whether blocklist or blacklist signals exist. The Gmail-versus-Apple-relay placement test then tells you whether the remaining issue is in the final relay path.

Best practical workflow

Use Suped to monitor authentication, diagnose DNS issues, track unverified sources, and keep policy changes controlled. Use Gmail and Apple relay seed accounts to confirm placement. Those two views together prevent guesswork: one shows whether the sender is technically clean, and the other shows how Gmail handles the forwarded copy.

Views from the trenches

Best practices

Segment Apple relay users separately so Gmail issues do not hide inside total bounce rates.

Warn new Apple relay signups to watch for the sender address before critical mail starts.

Compare direct Gmail delivery with relay delivery using the same content and sender setup.

Common pitfalls

Treating normal bounce rates as proof of inbox placement misses spam folder placement.

Changing DNS during testing adds noise when the relay path already has extra filtering.

Assuming Gmail drops mail silently can hide filters, spam placement, or forwarding faults.

Expert tips

Keep test accounts on Gmail and Apple relay so changes can be checked within minutes.

Capture headers from delivered relay mail; they show what Gmail evaluated after forwarding.

Use DMARC reports to separate sender authentication issues from relay reputation issues.

Marketer from Email Geeks says rejected mail at Gmail should normally create a bounce path through Apple, so missing mail without bounce growth points first to spam placement, user filtering, or relay handling.

2025-03-03 - Email Geeks

Marketer from Email Geeks says the only parties that can fully see the Apple-to-Gmail SMTP transaction are Apple and Google, so sender-side testing should focus on warnings, seed accounts, and clear evidence.

2025-03-03 - Email Geeks

What to do next

The cause is usually not a single broken Gmail setting. It is the extra Apple relay hop changing the evidence Gmail sees, combined with the sender's authentication quality, Apple's shared relay reputation, and the recipient's mailbox rules. Treat it as a path-specific delivery issue.

My next move is simple: verify DNS and authentication, run direct Gmail and Apple-relayed Gmail seed tests, inspect delivered headers, and warn Apple relay users about the From address for critical mail. If the sender passes authentication and only Apple-relayed Gmail users miss mail, focus the escalation on Apple and Google with test timestamps, relay addresses, message IDs, and header evidence.