Link Tracking Protection in iOS 17 & macOS Sonoma: Important changes for marketers
Update: Marketo has responded to the changes here
At this year’s WWDC, Apple announced the upcoming release iOS 17 and iPadOS 17, both scheduled for release in September, along with macOS Sonoma, scheduled for sometime in the fall.
These updates will bring a range of security and privacy updates, many of which have significant implications for marketers.
‘Link Tracking Protection’ in Messages, Mail, and Safari
This is the big change for marketers, as Apple has committed to reducing the number of tracking parameters that can be used in URLs across Mail, Messages and Safari.
From Apple’s press release:
“Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing.”
In short, Apple plans to remove what they call “known trackers” from links when they are clicked on or shared.
They’ll do this by stripping away certain URL tracking parameters, while leaving the remainder of the URL intact, as shown in this video from Apple.
Which tracking parameters are affected?
Jeff Johnson reported in a recent blog post that Apple will be using a static list of trackers, rumoured to be taken from this list of “Tracking query parameters” from PrivacyTests.org.
Parameter | PrivacyTests.org Description |
---|---|
__hsfp | HubSpot tracking parameter |
__hssc | HubSpot tracking parameter |
__hstc | HubSpot tracking parameter |
__s | Drip.com email address tracking parameter |
_hsenc | HubSpot tracking parameter |
_openstat | Yandex tracking parameter |
dclid | DoubleClick Click ID (Google) |
fbclid | Facebook Click Identifier |
gclid | Google Click Identifier |
hsCtaTracking | HubSpot tracking parameter |
mc_eid | Mailchimp Email ID (email recipient’s address) |
mkt_tok | Adobe Marketo tracking parameter |
ml_subscriber | MailerLite email tracking |
ml_subscriber_hash | MailerLite email tracking |
msclkid | Microsoft Click ID |
oly_anon_id | Omeda marketing ‘anonymous’ customer id |
oly_enc_id | Omeda marketing ‘known’ customer id |
rb_clickid | Unknown high-entropy tracking parameter |
s_cid | Adobe SiteCatalyst tracking parameter |
vero_conv | Vero tracking parameter |
vero_id | Vero tracking parameter |
wickedid | Wicked Reports e-commerce tracking |
yclid | Yandex Click ID |
Parameter | __hsfp |
PrivacyTests.org Description | HubSpot tracking parameter |
Parameter | __hssc |
PrivacyTests.org Description | HubSpot tracking parameter |
Parameter | __hstc |
PrivacyTests.org Description | HubSpot tracking parameter |
Parameter | __s |
PrivacyTests.org Description | Drip.com email address tracking parameter |
Parameter | _hsenc |
PrivacyTests.org Description | HubSpot tracking parameter |
Parameter | _openstat |
PrivacyTests.org Description | Yandex tracking parameter |
Parameter | dclid |
PrivacyTests.org Description | DoubleClick Click ID (Google) |
Parameter | fbclid |
PrivacyTests.org Description | Facebook Click Identifier |
Parameter | gclid |
PrivacyTests.org Description | Google Click Identifier |
Parameter | hsCtaTracking |
PrivacyTests.org Description | HubSpot tracking parameter |
Parameter | mc_eid |
PrivacyTests.org Description | Mailchimp Email ID (email recipient’s address) |
Parameter | mkt_tok |
PrivacyTests.org Description | Adobe Marketo tracking parameter |
Parameter | ml_subscriber |
PrivacyTests.org Description | MailerLite email tracking |
Parameter | ml_subscriber_hash |
PrivacyTests.org Description | MailerLite email tracking |
Parameter | msclkid |
PrivacyTests.org Description | Microsoft Click ID |
Parameter | oly_anon_id |
PrivacyTests.org Description | Omeda marketing ‘anonymous’ customer id |
Parameter | oly_enc_id |
PrivacyTests.org Description | Omeda marketing ‘known’ customer id |
Parameter | rb_clickid |
PrivacyTests.org Description | Unknown high-entropy tracking parameter |
Parameter | s_cid |
PrivacyTests.org Description | Adobe SiteCatalyst tracking parameter |
Parameter | vero_conv |
PrivacyTests.org Description | Vero tracking parameter |
Parameter | vero_id |
PrivacyTests.org Description | Vero tracking parameter |
Parameter | wickedid |
PrivacyTests.org Description | Wicked Reports e-commerce tracking |
Parameter | yclid |
PrivacyTests.org Description | Yandex Click ID |
Our internal tests so far also confirm that it’s only parameters on this list (and their values) that are being targeted by these changes. Any other custom parameters (such a customer_id=xyz
or utm_campaign=xyz
) do not appear to be affected at all.
These results also stack up with research shared by Steve Atkins from Word to the Wise, and Peter Jakuš from Bloomreach Engagement.
What is removed and where
URLs with parameters
Steve Atkins shared his research on clicking links in the Mail app, where the actual href
of each link contained the parameters, e.g:
<a href="https://www.example.com?customer_id=abc&mkt_tok=abc">Link</a>
His tests showed that the parameters in the PrivacyTests.org table (shown above) were all removed, whereas any parameters not on that list remained. The resulting URL after clicking our example in Mail would be this URL opening in Safari:
https://www.example.com?customer_id=abc
URLs that point to a redirection server
Peter Jakuš also shared his research, which involved clicking links from Mail and Messages and opening them in Safari and Safari Private Browsing on iOS 17.
His links were all using a redirection server, meaning the href
of each link in the email was something like this, which is set up to redirect to the URL above once opened in a browser.
<a href="https://click.track.example.com/8743b52063cd65d1633f5c74f5">Link</a>
After clicking this link in Mail, it would resolve to the full URL in Safari normal browsing mode, with all parameters intact:
https://www.example.com?customer_id=abc&mkt_tok=abc
However, if the redirect link was opened in Safari Private Browsing mode, it would resolve to a URL with any parameters in the PrivacyTests.org table (shown above) stripped away:
https://www.example.com?customer_id=abc
We ran some of our own internal tests which corroborate both Steve and Peter’s research. Below is a breakdown of the behaviour across all the affected apps and types of links.
Removal of affected parameters from links in Mail or Messages
Action taken from Mail or Messages | Links that point to a full URL with parameters | Links that point to a redirection server URL |
---|---|---|
Click link → Open in Safari | ❌ Affected parameters are removed | ✅ Resolves to full URL with parameters intact |
Click link → Open in Safari Private Browsing | ❌ Affected parameters are removed | ❌ Resolves to full URL with affected parameters removed |
Copy link → Paste (anywhere except Safari in Private Browsing mode) | ❌ Affected parameters are removed | ✅ Full redirection server URL is pasted |
Copy link → Paste in Safari Private Browsing | ❌ Affected parameters are removed | ❌ Resolves to full URL with affected parameters removed |
Click “Share…” menu → Share to destination of choice | ❌ Affected parameters are removed | ✅ Full redirection server URL is shared |
Action taken from Mail or Messages | Click link → Open in Safari |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Resolves to full URL with parameters intact |
Action taken from Mail or Messages | Click link → Open in Safari Private Browsing |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ❌ Resolves to full URL with affected parameters removed |
Action taken from Mail or Messages | Copy link → Paste (anywhere except Safari in Private Browsing mode) |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Full redirection server URL is pasted |
Action taken from Mail or Messages | Copy link → Paste in Safari Private Browsing |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ❌ Resolves to full URL with affected parameters removed |
Action taken from Mail or Messages | Click “Share…” menu → Share to destination of choice |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Full redirection server URL is shared |
Peter Jakuš’s research also indicates that Apple is not ‘pre-visiting’ the links before stripping the parameters, further confirming that no visits with the parameters will register on the server at all.
Removal of affected parameters when browsing the web in Safari
Action | Links that point to a full URL with parameters | Links that point to a redirection server URL |
---|---|---|
Click link | ✅ Parameters remain intact | ✅ Resolves to full URL with parameters intact |
Tap and hold link → select “Copy Link” → paste into destination of choice | ✅ Parameters remain intact | ✅ Full redirection server URL is pasted |
Tap and hold link → select “Share…” → share to destination of choice | ❌ Affected parameters are removed | ✅ Full redirection server URL is shared |
Action | Click link |
Links that point to a full URL with parameters | ✅ Parameters remain intact |
Links that point to a redirection server URL | ✅ Resolves to full URL with parameters intact |
Action | Tap and hold link → select “Copy Link” → paste into destination of choice |
Links that point to a full URL with parameters | ✅ Parameters remain intact |
Links that point to a redirection server URL | ✅ Full redirection server URL is pasted |
Action | Tap and hold link → select “Share…” → share to destination of choice |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Full redirection server URL is shared |
Removal of affected parameters when browsing the web in Safari Private Browsing Mode
Action | Links that point to a full URL with parameters | Links that point to a redirection server URL |
---|---|---|
Click link | ❌ Affected parameters are removed | ❌ Affected parameters are removed |
Tap and hold link → select “Copy Link” → paste into destination of choice | ❌ Affected parameters are removed | ✅ Full redirection server URL is pasted |
Tap and hold link → select “Share…” → share to destination of choice | ❌ Affected parameters are removed | ✅ Full redirection server URL is shared |
Action | Click link |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ❌ Affected parameters are removed |
Action | Tap and hold link → select “Copy Link” → paste into destination of choice |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Full redirection server URL is pasted |
Action | Tap and hold link → select “Share…” → share to destination of choice |
Links that point to a full URL with parameters | ❌ Affected parameters are removed |
Links that point to a redirection server URL | ✅ Full redirection server URL is shared |
Impact on Marketers
How might these changes impact Marketers and specifically Marketing Operations professionals?
Well, Marketo users reading this may have noticed mkt_tok
in the table above.
As Adobe defines, mkt_tok
is “the parameter used by Marketo Landing Pages and Munchkin to ensure proper tracking of person activities (like when a person unsubscribes from an email).” Simply, this parameter is vital in tracking the subsequent web session activities for the lead.
Apple’s release means when a recipient opens an email on their Apple device using Apple Mail — the mkt_tok
will be stripped.
In other words, tracking that relates to person activities post link-click will be impacted.
According to our tests, it also breaks key system functionality in Marketo, where that functionality relies on the use of mkt_tok
. For example, in our tests following the “View as webpage” link, the mkt_tok
in the URL is removed, which means the link cannot resolve properly, resulting in the view online failure page.
This is something that Marketo will no doubt be looking to address as quickly as possible.
These changes are part of Apple’s commitment to new privacy features
These changes come as part of Apple’s growing commitment to blocking the use of technologies that track individual user behaviour, as per their Tracking Prevention Policy.
Their policy acknowledges downstream effects of these changes:
There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact.
The policy also makes clear that they are aiming to drive adoption of alternative methods for tracking, such as Private Click Measurement or PCM, a technology that has been a part of iOS and iPadOS designed to enable more anonymous click attribution.
What’s next?
Some of the details may change before the final versions are released, but we can be certain from Apple’s press releases and policy details, that they are committed to making these changes in one form or another.
While the finer details may change, it’s clear that these behaviours will be implemented in all of the upcoming releases, so we will be keeping a keen eye on the situation as it develops.
Link Tracking Protection FAQ
How will iOS link tracking affect UTM tracking in Marketo emails?
UTM parameters are not removed and appear unaffected by the iOS link tracking update. This is good news for Marketo users maintaining their campaign attribution and ensuring email link clicks still have some tracking associated with them. Learn more about Marketo UTM parameters.
What does mkt_tok do?
The mkt_tok parameter is an automatically applied parameter and is how Marketo is able to track an individual user's activity from email engagement to web activity. This token contains the encoded identification for leads within your database and is passed to the Munchkin tracking script installed on your website or your landing pages.
The iOS tracking update strips this parameter making it difficult to trace individual leads from your database to website visits.
What alternatives do Marketo users have for getting analytics on email marketing?
If you are relying on the mkt_tok to generate insights about lead behavior and engagement, you will need to consider alternative strategies. Here are a few ways to get analytics about your Marketo email marketing:
- Use Marketo email reports to monitor clicks and click-through rates in aggregate
- Use lead reports to analyze individual lead behavior
- Use UTM parameters and a tool like Google Analytics 4 to evaluate the success of your email campaigns in aggregate