How to check real email and HTML without opening

Select a single questionable email message, and then run this AppleScript. It will open a dialog with the sender's email and the Return-Path server from which the email originated. If its from Apple, there will be Apple.com in that Return-Path servers address. The script just looks at the Mail message header text rather than causing blindness…

Tested on Ventura 13.0.1 using Script Editor.

-- return-path.applescript
-- Select a given message item in Apple Mail, and then run this script. It will produce a dialog
-- showing the sender's From and Return-Path addresses. Copy the entire Return-Path
-- string into the right-window of an Apple Mail rule.
-- This script *does not* alter, or remove individual email messages.
-- VikingOSX, 2019-10-23, Apple Support Communities, No warranties of any kind

use framework "Foundation"
use AppleScript version "2.4" -- Yosemite or later
use scripting additions

property NSString : a reference to current application's NSString
property NSRegularExpression : a reference to current application's NSRegularExpression
property NSRegularExpressionCaseInsensitive : a reference to current application's NSRegularExpressionCaseInsensitive

tell application "Mail"
	if not it is running then activate
	
	if not (get selection) is {} then
		set theMsg to item 1 of (get selection)
	else
		return
	end if
	
	tell theMsg
		set theSender to its sender
		set theHDR to its all headers
	end tell
end tell
set rtnpath to my return_address(theHDR) as text
set fmsg to "Sender Address:" & return & theSender & return & return & ¬
	"Return-Path:" & return & rtnpath

display dialog fmsg with title "Current Mail Item Addresses"
return

on return_address(atxt)
	set hstr to NSString's alloc()'s initWithString:atxt
	set pattern to "(?<=Return-Path:|Return-path:)\\s+<(.*?)>.*"
	set regex to NSRegularExpression's regularExpressionWithPattern:pattern options:NSRegularExpressionCaseInsensitive |error|:0
	set hrange to current application's NSMakeRange(0, hstr's |length|())
	set matches to (regex's firstMatchInString:hstr options:0 range:hrange)
	
	if matches = "" then return "Not Found"
	
	set matchrange to matches's rangeAtIndex:1
	return (hstr's substringWithRange:matchrange) as text
end return_address

Jarmaracark wrote:

Emailing programs (Constant Contact, etc.) will tell you if someone has opened the message, whether or not they have interacted with it.

Technically speaking, that's not possible. You must have some kind of interaction in order to send data back to the sender. Usually they try to get clever and include some remote content. When your e-mail client requests the remote image, that is interpreted to mean that you've looked at the e-mail.

Are you saying that OSX prevents this?

Yes. It does. When you get an e-mail with remote content, you'll see a banner warning you. The remote content will not be loaded. You will have to purposefully interact with the message by clicking the "Load Remote Content" button.

I'm pretty sure this is the default behaviour, but you can double-check this. Go to Mail > Preferences > Privacy and make sure that "Block All Remote Content" is checked.

Now for the tricky part. I'm only talking about the blocking of remote content. Apple Mail has done this for several years now. It's standard behaviour. However, Apple recently came out with iCloud Private Relay with several layers of really confusing behaviour and user interface options. Don't ask me to explain how iCloud Private Relay works with Apple Mail. I don't understand it at all. But this is completely separate from blocking of remote content. Furthermore, the best that iCloud Private Relay can do is hide your internet IP address. If you actually allow a request to go through, they will know it's you, regardless of how many anonymous servers Apple is using. Most of those webbug images are unique URLs that exist only for you. So all those confusing iCloud Private Relay settings are totally useless here.

And one last thing. I double-checked the read receipts functionality and I can confirm that Apple Mail does not send read receipts. So you don't have to worry about that either.

The default behaviour should prevent accessing any remote content. You should have to click a button to load any remote content.

Jarmaracark wrote:

But if mail automatically opens up an image, then it does let the sender know, right?

It depends. If you've made a point to disable all system security, then it might do that. I don't know what you have or haven't done so I can't make any statements on what the system should or shouldn't do. All I can speak to is the default behaviour. But I realize that many people like to get on the internet, find bad ideas, and implement them on their own computers.

Also, some e-mails may have imaged embedded in them. This is relatively rare, since most such e-mails are designed to track you. Embedded images and html are nothing but empty functionality and good user experience. Who want's that?