Using Apple Mail with Gmail leaks your IP address

July 21, 2020 ☼ writing

Recently, I was debugging an issue with one of my domains and email. During this process, I was sending emails to myself and clicking “View original” in Gmail’s web UI to view the raw version and headers of an email.

When looking at an email that I sent with Apple Mail on macOS, this part of an email’s headers jumped out to me:

Received: from [10.x.x.x] (c-x-x-x-x.hsd1.ca.comcast.net. [x.x.x.x])
    by smtp.gmail.com with ESMTPSA id redacted.48.2020.07.21.10.50.01
    (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);

In the headers of the raw email, my full public and private IP addresses were perfectly visible! (I’ve redacted them here for my privacy.) This is an email that I sent to a totally separate inbox on a different Google account.

To make sure I wasn’t misunderstanding what was happening, I emailed my friend Jarred.

A screenshot of a text conversation with my friend Jarred. He confirmed that he could see my public IP address.

He confirmed my suspicions: every time I send an email with Apple Mail, my IP address is leaked. I’ve replicated this behavior on the latest public versions of Apple Mail for macOS and iOS.

This is scary! IP addresses roughly represent location. With my IP, you can learn what city or even what neighborhood I live in. If the email was sent from a mobile network, you can learn someone’s cell phone provider, which may aid in SIM swapping. For people who want to be pseudonymous or private online, leaking this information is a privacy disaster[1].

Who’s to blame here?

My IP address is visible because Apple Mail sends emails with SMTP. The email is sent to Google’s SMTP relay, which ultimately delivers the email. For each stop an email makes, a Received header is added to the message[2]. You can read these headers top to bottom to follow the trail of an email.

Nowadays, most email clients are cloud-based and don’t use SMTP to initiate an email, so the headers show the IP of the server that sent the email rather than yours. For example, using Gmail via the apps or website doesn’t reveal your IP.
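To check your own sent mail for this, here is an added example (not code from the original post) that walks the Received trail of a raw message and reports which addresses the first hop recorded. The function names and the sample message are constructed for illustration, the addresses are documentation ranges, and only IPv4 literals are handled.

```python
import email
import ipaddress
import re

# RFC 1918 ranges; any other IPv4 address is treated as public in this sketch.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (documentation addresses and made-up host names).
SAMPLE = """\
Received: from mail-relay.example.net (mail-relay.example.net. [198.51.100.20])
        by mx.example.org with ESMTPS id constructed-2;
        Tue, 21 Jul 2020 10:50:03 -0700 (PDT)
Received: from [10.0.0.5] (client.isp.example. [203.0.113.7])
        by smtp.gmail.com with ESMTPSA id constructed-1;
        Tue, 21 Jul 2020 10:50:01 -0700 (PDT)
From: sender@example.com
To: recipient@example.org
Subject: test

body
"""

def hops(raw):
    """Received headers in travel order, with folded lines joined."""
    msg = email.message_from_string(raw)
    # Every relay prepends its header, so the bottom one is the first hop.
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def classify(addr):
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in RFC1918) else "public"

def first_hop_exposure(raw):
    """What the first hop recorded about whoever handed over the message."""
    trail = hops(raw)
    if not trail:
        return None
    from_part = trail[0].split(" by ", 1)[0]  # the "from ..." clause only
    return {
        # ESMTPA/ESMTPSA (RFC 3848) mean the sender authenticated, which is
        # typical of a mail client submitting directly to the relay.
        "client_submission": bool(re.search(r"\bwith ESMTPS?A\b", trail[0])),
        "addresses": [(a, classify(a)) for a in BRACKETED_IPV4.findall(from_part)],
    }

if __name__ == "__main__":
    for n, hop in enumerate(hops(SAMPLE), 1):
        print(n, hop)
    print(first_hop_exposure(SAMPLE))
```

A first hop that reports `client_submission` with a private address next to a public one matches the pattern in the header quoted earlier: the private address is the LAN address the client announced, and the public one is the connection's source as seen by the relay.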

So, how could this get fixed? I can think of a number of ways:

Email is great, but it was designed before people thought about online privacy as the fundamental right that it is today. It would be amazing if Apple or Google put this privacy concern to bed as soon as possible.


  1. It is true that every website you visit has access to your IP address, but that’s still a lot less surprising than unknowingly passing along location-related metadata with every personal message you send. When Superhuman matched email recipients’ IP addresses to locations, people were rightfully upset!

  2. RFC 5321 outlines the full SMTP spec, including how the Received header works.

  3. Received: from pv34p98im-redacted.me.com (pv34p98im-redacted.me.com. [17.143.234.142])