I’m trying to move away from Apple Mail and Outlook for privacy reasons and to consolidate clients so I don’t have to check so many apps. Privacy Guides recommends Canary mail or Thunderbird, but Canary costs money for push notifications which I need and afaik I can’t use my school Microsoft email account on Thunderbird without a paid extension. Does anyone have any recommendations for privacy-respecting email clients that work on Mac and iOS, and support Microsoft email accounts? I’m okay with paid if it’s a one-time purchase, it just can’t cost as much as Canary. I have a feeling I might be stuck with Apple Mail, but I thought I’d reach out here first in case there’s something I’m missing.
Apple Mail is already a pretty good privacy-friendly email client imho. Apple Mail includes Mail Privacy Protection to make it harder for senders to learn about your mail activity and prevent senders from seeing if you’ve opened an email.
I have a question that is along these lines, since in the Ultimate MacOS Privacy Guides one of the recommendations for user accounts (Microsoft / Google) is to log out of them completely from the computer.
My question is, is using Apple Mail giving that much information (e.g. location / IP address) to Microsoft Exchange or Google when these are run through Apple Mail, or does AM do a good job of blocking any trackers they might otherwise have?
These are work e-mails, so I have to use them, but the only other alternative I can see is to log-in through Brave and look at e-mail through there. (Doesn’t have Apple Privacy Protection but at least uses Brave blockers to keep trackers out.)
I am not aware of this guide. Could you share the link to this?
An email client simply transfers your email back and forth from your device(s) and your email server(s). Through this process IP address is used to identify and authenticate the device that is connecting to its servers.
Emails you receive may include remote content that allows the email’s sender to learn information about you. Mail Privacy Protection block these trackers by routing all remote content through iCloud private relay.
I don’t think brave ad blocker blocks email trackers. I think you can disable remote contents in the webmail which would prevent such tracking. However, this prevents images and other multimedia elements from loading in emails.
Hope this answers your question
The guide I am referring to is in this video here. Where it talks about “Level 3” Privacy protections these include things like signing out of Apple accounts and also signing out of Google. However, I have my Gmail signed in to sync with Apple Mail, and want to know if there’s any difference (privacy-wise) between signing into Google through Apple Mail versus checking the messages through Brave.
So my understanding is that as long as there is a connection to the gmail server Google will be picking up your e-mail address?
I see, so it probably wouldn’t be much of an advantage to be logged in through Brave then versus just checking e-mails through Apple Mail.
I think so, at least I’m understanding better what e-mail does and what information it allows to be seen and what not. I am pretty new to these kinds of questions / concerns so still figuring out what privacy settings work for me and also trying to figure out why certain measures are necessary and why not.
Mostly I’d like it if the IP address, which allows location tracking, won’t be known to Google / Microsoft through e-mail but this seems to be a bit of a fool’s errand. I have tried one method which has gmail connect to Skiff mail and then to me, and that does seem to do the trick even if it’s not ideal (can’t respond from gmail account).
No difference. However, using Apple Mail increase attack surface but If the mac is well secured don’t need to worry about this.
Google can always access your emails whether you use an email client or not. Apple Mail is just accessing email stored on Google servers and downloading them locally. However, google introduce E2EE to Gmail workspace users. If this is enabled google can’t see your emails but also prevent email clients like Apple Mail accessing your emails (I don’t think Gmail have something similar to proton bridge to allow this)
Yes, other than MPP which allows you to view remote content without tracking. Apple Mail just offers a centralised place to access email from different providers and manage them.
It is also worth mentioning that IP addresses can change frequently. Additionally, the email service provider may only use your IP address for a short period of time to establish the connection, after which the IP address is no longer needed. If you are worried about location tracking, you can use an VPN to access webmail.
You mean email forwarding? Since you are not using Gmail site, your IP address is not revealed to Google. Instead, skiff mail can see your IP address.
It’s got a good randomized password and no biometric entry. I am also interested in having some of the e-mail data on the laptop itself in the event of being offline, etc.
Understood, but also helpful to know. Oddly, I don’t mind Google storing data but it’s a fact that every time I look at “Security” under account settings there is information about which devices I’m using to log on and where they are located. The VPN stops this for a short time but then if it’s turned off for whatever reason Google manages to use cookies (I think), even while using Brave, to find location. I’m not sure how worried to be about the fact Google knows which city I’m in but am not sure if there are ways to reduce this. (On the theory that Google knowing less means that random other sites and people will know less.)
Right, and here it’s just that I’m weirded out that using a VPN consistently is the only way to avoid some of these services from seeing my location. Again, not sure how worrisome it is given that the location changes and the VPN masks it a lot, but Google seems to learn from other browsing that I’m doing. At least for the purposes of its “Security” tab under account settings. Looking at the Microsoft equivalent (where it shows “log-ins”) shows that it’s a lot stupider and almost always shows me where my VPN is and not where I am. (It seems not to be learning from other browsing I’m doing, or if/when the VPN is turned off temporarily. In fact it may be less sensitive to my using a VPN at all). I don’t suppose there is any risk of location being found out with Apple Mail, unless a fetch is done at the same time as the VPN is turned off.
Well, there are two possible ways of doing it: one is forwarding (where Google sends the e-mail), the other is having Skiff logged into Google as a third-party service. I’m not sure what a huge difference there is, other than that Google seems not to learn anything about me when Skiff is getting e-mails from Gmail through the third-party log-in approach. Again this is only what I can see as a naïve user of gmail (looking at log-ins and “security” in account settings), but all things that I’ve found interesting since understanding better how these systems work.
Apple mail is fine for your privacy.
One thing to know about using Apple’s native mail clients is that Apple saves every sender you have ever sent a message to in your Apple ID. There is no way to turn this off. You can check by requesting a copy of your Apple ID data.
If this is not consistent with your threat model, you may want to use an alternative. For Mac, Thunderbird or a web app via Brave are good options. For iOS, I believe that Microsoft supports creating a web app via Safari. Apple is expected to start supporting notifications from web apps on iOS at some point relatively soon but for the time being no notifications would be the only drawback.
If this is for work apps, I would consider using the web mail options if you can. That way any tracking that is being done by the client itself will be contained to the browser and not have access to the rest of your machine. However, based on @sec76’s recommendation Apple Mail may be fine and you don’t have to worry.
It’s worth mentioning that we’re talking about mitigating tracking done by the client itself and not from the emails you receive, I think. For that, the email provider would need to provide protections like what Proton does by blocking marketing trackers how you look at your email.
Turns out that my school account is a Microsoft Exchange account, and it requires insane permissions to use it with Apple Mail, so that’s a no-go. I can’t use it with Thunderbird on Mac without a paid extension either because IMAP is disabled by the administrator. I’m probably stuck with Outlook for school and Apple mail for everything else (which is what I have been doing), because push notifications in Canary requires pro, which at $60 lifetime for just iOS or $100 for iOS + Mac is way too steep for my use case.
You mentioned that you’re willing to pay for an app in order to achieve this. When I used Thunderbird, I used Owl for Exchange. It’s 10 € a year which is a lot cheaper than Canary. This would be my recommendation if you’re opposed to webmail.
I would consider it if Thunderbird had a iOS app, but without it I can’t get push notifications on my phone which is a deal-breaker for me.
You can disable this in iCloud settings.
Isn’t Outlook a paid app as well?
No, the app itself is free.