Blog

Link Tracking Protection in iOS 17 & macOS Sonoma: Important changes for marketers

  • Nicole Merlin

    Nicole Merlin

    Head of Email Strategy and Development, Knak

Published Jun 30, 2023

Link Tracking Protection in iOS 17 & macOS Sonoma

Update: Marketo has responded to the changes here

At this year’s WWDC, Apple announced the upcoming release iOS 17 and iPadOS 17, both scheduled for release in September, along with macOS Sonoma, scheduled for sometime in the fall.

These updates will bring a range of security and privacy updates, many of which have significant implications for marketers.

This is the big change for marketers, as Apple has committed to reducing the number of tracking parameters that can be used in URLs across Mail, Messages and Safari.

From Apple’s press release:

“Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing.”

In short, Apple plans to remove what they call “known trackers” from links when they are clicked on or shared.

They’ll do this by stripping away certain URL tracking parameters, while leaving the remainder of the URL intact, as shown in this video from Apple.

Which tracking parameters are affected?

Jeff Johnson reported in a recent blog post that Apple will be using a static list of trackers, rumoured to be taken from this list of “Tracking query parameters” from PrivacyTests.org.

Parameter

__hsfp

PrivacyTests.org Description

HubSpot tracking parameter

Parameter

__hssc

PrivacyTests.org Description

HubSpot tracking parameter

Parameter

__hstc

PrivacyTests.org Description

HubSpot tracking parameter

Parameter

__s

PrivacyTests.org Description

Drip.com email address tracking parameter

Parameter

_hsenc

PrivacyTests.org Description

HubSpot tracking parameter

Parameter

_openstat

PrivacyTests.org Description

Yandex tracking parameter

Parameter

dclid

PrivacyTests.org Description

DoubleClick Click ID (Google)

Parameter

fbclid

PrivacyTests.org Description

Facebook Click Identifier

Parameter

gclid

PrivacyTests.org Description

Google Click Identifier

Parameter

hsCtaTracking

PrivacyTests.org Description

HubSpot tracking parameter

Parameter

mc_eid

PrivacyTests.org Description

Mailchimp Email ID (email recipient’s address)

Parameter

mkt_tok

PrivacyTests.org Description

Adobe Marketo tracking parameter

Parameter

ml_subscriber

PrivacyTests.org Description

MailerLite email tracking

Parameter

ml_subscriber_hash

PrivacyTests.org Description

MailerLite email tracking

Parameter

msclkid

PrivacyTests.org Description

Microsoft Click ID

Parameter

oly_anon_id

PrivacyTests.org Description

Omeda marketing ‘anonymous’ customer id

Parameter

oly_enc_id

PrivacyTests.org Description

Omeda marketing ‘known’ customer id

Parameter

rb_clickid

PrivacyTests.org Description

Unknown high-entropy tracking parameter

Parameter

s_cid

PrivacyTests.org Description

Adobe SiteCatalyst tracking parameter

Parameter

vero_conv

PrivacyTests.org Description

Vero tracking parameter

Parameter

vero_id

PrivacyTests.org Description

Vero tracking parameter

Parameter

wickedid

PrivacyTests.org Description

Wicked Reports e-commerce tracking

Parameter

yclid

PrivacyTests.org Description

Yandex Click ID

Our internal tests so far also confirm that it’s only parameters on this list (and their values) that are being targeted by these changes. Any other custom parameters (such a customer_id=xyz or utm_campaign=xyz) do not appear to be affected at all.

These results also stack up with research shared by Steve Atkins from Word to the Wise, and Peter Jakuš from Bloomreach Engagement.

What is removed and where

URLs with parameters

Steve Atkins shared his research on clicking links in the Mail app, where the actual href of each link contained the parameters, e.g:

<a href="https://www.example.com?customer_id=abc&mkt_tok=abc">Link</a>

His tests showed that the parameters in the PrivacyTests.org table (shown above) were all removed, whereas any parameters not on that list remained. The resulting URL after clicking our example in Mail would be this URL opening in Safari:

https://www.example.com?customer_id=abc

URLs that point to a redirection server

Peter Jakuš also shared his research, which involved clicking links from Mail and Messages and opening them in Safari and Safari Private Browsing on iOS 17.

His links were all using a redirection server, meaning the href of each link in the email was something like this, which is set up to redirect to the URL above once opened in a browser.

<a href="https://click.track.example.com/8743b52063cd65d1633f5c74f5">Link</a>

After clicking this link in Mail, it would resolve to the full URL in Safari normal browsing mode, with all parameters intact:

https://www.example.com?customer_id=abc&mkt_tok=abc

However, if the redirect link was opened in Safari Private Browsing mode, it would resolve to a URL with any parameters in the PrivacyTests.org table (shown above) stripped away:

https://www.example.com?customer_id=abc

We ran some of our own internal tests which corroborate both Steve and Peter’s research. Below is a breakdown of the behaviour across all the affected apps and types of links.

Action taken from Mail or Messages

Click link → Open in Safari

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Resolves to full URL with parameters intact

Action taken from Mail or Messages

Click link → Open in Safari Private Browsing

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

❌ Resolves to full URL with affected parameters removed

Action taken from Mail or Messages

Copy link → Paste (anywhere except Safari in Private Browsing mode)

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Full redirection server URL is pasted

Action taken from Mail or Messages

Copy link → Paste in Safari Private Browsing

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

❌ Resolves to full URL with affected parameters removed

Action taken from Mail or Messages

Click “Share…” menu → Share to destination of choice

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Full redirection server URL is shared

Peter Jakuš’s research also indicates that Apple is not ‘pre-visiting’ the links before stripping the parameters, further confirming that no visits with the parameters will register on the server at all.

Removal of affected parameters when browsing the web in Safari

Action

Click link

Links that point to a full URL with parameters

✅ Parameters remain intact

Links that point to a redirection server URL

✅ Resolves to full URL with parameters intact

Action

Tap and hold link → select “Copy Link” → paste into destination of choice

Links that point to a full URL with parameters

✅ Parameters remain intact

Links that point to a redirection server URL

✅ Full redirection server URL is pasted

Action

Tap and hold link → select “Share…” → share to destination of choice

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Full redirection server URL is shared

Removal of affected parameters when browsing the web in Safari Private Browsing Mode

Action

Click link

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

❌ Affected parameters are removed

Action

Tap and hold link → select “Copy Link” → paste into destination of choice

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Full redirection server URL is pasted

Action

Tap and hold link → select “Share…” → share to destination of choice

Links that point to a full URL with parameters

❌ Affected parameters are removed

Links that point to a redirection server URL

✅ Full redirection server URL is shared

Impact on Marketers

How might these changes impact Marketers and specifically Marketing Operations professionals?

Well, Marketo users reading this may have noticed mkt_tok in the table above.

As Adobe defines, mkt_tok is “the parameter used by Marketo Landing Pages and Munchkin to ensure proper tracking of person activities (like when a person unsubscribes from an email).” Simply, this parameter is vital in tracking the subsequent web session activities for the lead.

Apple’s release means when a recipient opens an email on their Apple device using Apple Mail — the mkt_tok will be stripped.

In other words, tracking that relates to person activities post link-click will be impacted.

According to our tests, it also breaks key system functionality in Marketo, where that functionality relies on the use of mkt_tok. For example, in our tests following the “View as webpage” link, the mkt_tok in the URL is removed, which means the link cannot resolve properly, resulting in the view online failure page.

This is something that Marketo will no doubt be looking to address as quickly as possible.

Impact on Marketers - Marketo

These changes are part of Apple’s commitment to new privacy features

These changes come as part of Apple’s growing commitment to blocking the use of technologies that track individual user behaviour, as per their Tracking Prevention Policy.

Their policy acknowledges downstream effects of these changes:

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact.

The policy also makes clear that they are aiming to drive adoption of alternative methods for tracking, such as Private Click Measurement or PCM, a technology that has been a part of iOS and iPadOS designed to enable more anonymous click attribution.

What’s next?

Some of the details may change before the final versions are released, but we can be certain from Apple’s press releases and policy details, that they are committed to making these changes in one form or another.

While the finer details may change, it’s clear that these behaviours will be implemented in all of the upcoming releases, so we will be keeping a keen eye on the situation as it develops.

UTM parameters are not removed and appear unaffected by the iOS link tracking update. This is good news for Marketo users maintaining their campaign attribution and ensuring email link clicks still have some tracking associated with them.

What does mkt_tok do?

The mkt_tok parameter is an automatically applied parameter and is how Marketo is able to track an individual user's activity from email engagement to web activity. This token contains the encoded identification for leads within your database and is passed to the Munchkin tracking script installed on your website or your landing pages.

The iOS tracking update strips this parameter making it difficult to trace individual leads from your database to website visits.

What alternatives do Marketo users have for getting analytics on email marketing?

If you are relying on the mkt_tok to generate insights about lead behavior and engagement, you will need to consider alternative strategies. Here are a few ways to get analytics about your Marketo email marketing:

  • Use Marketo email reports to monitor clicks and click-through rates in aggregate
  • Use lead reports to analyze individual lead behavior
  • Use UTM parameters and a tool like Google Analytics 4 to evaluate the success of your email campaigns in aggregate

Share this article

  • Nicole Merlin

    Author

    Nicole Merlin

    Head of Email Strategy and Development, Knak

Why marketing teams love Knak

  • 95%better, faster campaigns = more success

  • 22 minutesto create an email*

  • 5x lessthan the cost of a developer

  • 50x lessthan the cost of an agency**

* On average, for enterprise customers

** Knak base price

Ready to see Knak in action?

Get a demo and discover how visionary marketers use Knak to speed up their campaign creation.

Watch a Demo