Mail app on macOS has a privacy setting Block All Remote Content that prevents downloaded emails from connecting to the internet. For example, HTML emails frequently include image links, which can be used for tracking: when the image is loaded from a remote server, the owner of the server knows that you've opened the email! Block All Remote Content is supposed to prevent this kind of tracking, and it did… until macOS Sonoma.
I give most of the credit for this discovery to an anonymous Reddit user and to Little Snitch. (I've not yet tried the new Little Snitch version 6, because I've been very busy, but hopefully I'll have some time this weekend.) The story starts four months ago, when I saw a Reddit post on r/MacOS:
Hello! I have some concerns about Apple Mail privacy.
In Mail settings, I enabled the "Block all remote content" checkbox.
But in Little Snitch (firewall) I see that the Mail app tries to send requests to different domains. And I can't understand why.
At the time, I was still running macOS Ventura, while the Reddit user was on Sonoma, and I couldn't reproduce their issue. However, I flagged the Reddit user's reply in Mail app for later, because I knew that I'd be updating from Ventura to Sonoma before WWDC in June, which indeed I did recently.
In Little Snitch, my Mail app rules allow outgoing connections to the IMAP servers of my email accounts (I use four different email providers LOL) and block all other outgoing connections. After reading the old Reddit post again, I checked Little Snitch Network Monitor, and sure enough it showed a number of blocked outgoing connections to random domains other than my email providers. All of these blocked connections occurred after I updated from Ventura to Sonoma. This seemed to confirm the issue previously experienced by the Reddit poster.
I searched the ~/Library/Mail/ folder for the random domains (using Find Any File). The matched emails (.emlx files) all appeared to be in Junk or Trash folders. To further diagnose the issue, I disabled my Little Snitch rule that blocked outgoing connections from Mail app. With that rule disabled, I would start to get a confirmation dialog from any outgoing connection that wasn't already allowed by the rules. In other words, I would see any connection attempts that aren't to my email providers. And I did see some!
This came from an email that Mail app had automatically marked as junk. Ironically, it wasn't actually junk. I had just signed up for a Pixabay account, and this was their "Confirm your email" message. (By the way, Mail app has another bug that started with macOS Ventura: "There's no way to mark a message as Not Junk", which I reported to Apple a year ago as FB12217912 and still isn't fixed on Sonoma.)
The remote connection attempt doesn't occur when I open the email. I can manually open the email without triggering a connection. (Note that I use the old-style Column Layout in Mail app with no preview pane, and each email opens in a separate window.) In this case, the remote connection attempt occurred when I opened Mail app itself and the new email was downloaded.
Later, I got another connection attempt to a random server. This time it was actually junk mail, but again ironically, Mail app had not marked it as junk. The message was in my inbox, and I opened it, noticed it was spam, and pressed the Junk button in the toolbar (Move selected messages to Junk). Immediately, the Little Snitch dialog appeared.
Aha! The smoking gun. For some reason, Sonoma Mail app ignores the Block All Remote Content setting and attempts to load remote content whenever an email is marked as junk, whether automatically or manually.
Apple engineers should install Little Snitch themselves, and maybe they'd catch bugs like this. Incidentally, a number of years ago (when I was still desperate), I applied for a job with the Apple Mac Mail team, but I never heard from them. I guess they didn't like my, uh, many years of Mac development experience. Anyway, their loss. Or maybe everyone's loss? It's too late now, because I'm happy and successful as an indie developer, though I could do without the Mail bugs. Yes, I'm trash talking here, but that seems apposite when the subject is spam.
I'm no longer certain that the issue is restricted to junk mail. I just got Little Snitch connection dialogs for some Reddit reply emails that were not marked as junk. However, the dialogs did appear on launch of Mail app, as the emails were downloaded, before I opened them. Whereas another Reddit reply email that I received after Mail app was already running did not trigger a Little Snitch dialog.
Moreover, someone on Mastodon told me that they experienced the same issue simply by moving a non-junk email from the inbox to another folder. Thus, it's difficult to specify exactly the conditions for triggering the bug. That's up to Apple engineers to figure out now!