Mail (Apple Mail)
Overview
Apple Mail (Mail.app) is the default email client on macOS, storing email messages, metadata, and account configuration locally on disk. Mail uses a hybrid storage approach: structured metadata is stored in the Envelope Index SQLite database, while individual email messages are stored as EMLX files on the filesystem. Account configuration is managed through a shared system database at ~/Library/Accounts/Accounts4.sqlite.
Mail organizes its data in a versioned directory structure (V2 through V10) that changes with major macOS releases. Since macOS 10.15 Catalina, the current version is V10.
Starting with macOS 15 Sequoia, Apple Intelligence adds email categorization and summarization data to the Envelope Index database.
File Locations
Mail Data Directory
The Mail data directory version is determined by the macOS version:
| macOS Version | Directory | Path |
|---|---|---|
| 10.7-10.10 | V2 | ~/Library/Mail/V2/ |
| 10.11 El Capitan | V3 | ~/Library/Mail/V3/ |
| 10.13 High Sierra | V5 | ~/Library/Mail/V5/ |
| 10.14 Mojave | V6 | ~/Library/Mail/V6/ |
| 10.15+ Catalina through Sequoia | V10 | ~/Library/Mail/V10/ |
The active version can be confirmed by reading ~/Library/Mail/PersistenceInfo.plist.
Primary Artifacts
| Artifact | Path | Format |
|---|---|---|
| Envelope Index | ~/Library/Mail/V{N}/MailData/Envelope Index | SQLite |
| Envelope Index WAL | ~/Library/Mail/V{N}/MailData/Envelope Index-wal | SQLite WAL |
| Envelope Index SHM | ~/Library/Mail/V{N}/MailData/Envelope Index-shm | SQLite SHM |
| EMLX Messages | ~/Library/Mail/V{N}/{UUID}/*.mbox/**/*.emlx | Text + Plist |
| Accounts Database | ~/Library/Accounts/Accounts4.sqlite | SQLite |
Additional Artifacts
| Artifact | Path | Format |
|---|---|---|
| Mail Rules | ~/Library/Mail/V{N}/MailData/SyncedRules.plist | Plist |
| Smart Mailboxes | ~/Library/Mail/V{N}/MailData/SyncedSmartMailboxes.plist | Plist |
| Recent Searches | ~/Library/Mail/V{N}/MailData/recentSearches.plist | Plist |
| VIP Contacts | ~/Library/Mail/V{N}/MailData/VIPMailboxes.plist | Plist |
| Opened Attachments | ~/Library/Mail/V{N}/MailData/OpenedAttachmentsV2.plist | Plist |
| App Preferences | ~/Library/Preferences/com.apple.mail.plist | Plist |
Directory Structure
```
~/Library/Mail/V10/
    MailData/
        Envelope Index
        Envelope Index-wal
        Envelope Index-shm
        SyncedRules.plist
        SyncedSmartMailboxes.plist
    {Account-UUID-1}/
        INBOX.mbox/
            {UUID}/Data/Messages/
                1.emlx
                2.emlx
        Sent Messages.mbox/
            ...
    {Account-UUID-2}/
        ...
```
Database Schema / File Format
Mail uses two primary data formats:
- Envelope Index -- SQLite database containing message metadata, addresses, subjects, mailbox references, and attachment info. See Envelope Index.
- EMLX files -- Individual email messages stored as byte-count-prefixed RFC 2822 content with a trailing Apple plist. See EMLX Format.
Key Fields for Analysis
- Sender and recipients: The Envelope Index addresses and recipients tables provide structured sender/recipient data without needing to parse EMLX files.
- Message timestamps: date_sent and date_received in Unix epoch seconds.
- Read/flagged/deleted status: Both individual columns (read, flagged, deleted) and a comprehensive flags bitmask.
- Conversation threads: The conversation_id column links related messages.
- AI categorization (macOS 15+): The message_global_data table classifies messages as Primary, Transactions, Updates, or Promotions.
- Mailbox URL: Identifies the account and folder (e.g., imap://user@imap.example.com/INBOX).
Timestamps
The Envelope Index uses standard Unix timestamps (seconds since 1970-01-01 00:00:00 UTC) for date_sent, date_received, and date_last_viewed.
```sql
SELECT datetime(date_received, 'unixepoch') AS received_utc FROM messages;
```
EMLX trailing plist metadata also uses Unix timestamps for date-received and date-last-viewed.
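The EMLX layout described above (a byte count, the RFC 2822 message, then a trailing plist) can be split and decoded as follows. This is an added example, not code from the original page or from any tool it lists; the sample message is constructed, and reading the first line as a decimal count with optional padding is an assumption.

```python
import plistlib
from datetime import datetime, timezone
from email import message_from_bytes, policy


def parse_emlx(raw: bytes) -> dict:
    """Split an EMLX blob into its RFC 2822 message and trailing plist."""
    prefix, newline, rest = raw.partition(b"\n")
    if not newline or not prefix.strip().isdigit():
        raise ValueError("no byte-count prefix on first line")
    size = int(prefix.strip())
    if size > len(rest):
        # Truncated or carved file: refuse rather than mis-split the plist.
        raise ValueError(f"prefix claims {size} bytes, only {len(rest)} present")
    msg = message_from_bytes(rest[:size], policy=policy.default)
    trailer = rest[size:].strip()
    meta = plistlib.loads(trailer) if trailer else {}

    def utc(key):
        # Plist timestamps are Unix epoch seconds; report them in UTC.
        value = meta.get(key)
        if value is None:
            return None
        return datetime.fromtimestamp(value, timezone.utc).isoformat()

    return {
        "from": msg["From"],
        "subject": msg["Subject"],
        "date_received_utc": utc("date-received"),
        "date_last_viewed_utc": utc("date-last-viewed"),
        "plist": meta,
    }


def build_sample() -> bytes:
    """Constructed sample EMLX (not real evidence)."""
    message = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
               b"Subject: Quarterly report\r\n\r\nSee attachment.\r\n")
    plist = plistlib.dumps({"date-received": 1700000000,
                            "date-last-viewed": 1700003600})
    return str(len(message)).encode() + b"\n" + message + plist


if __name__ == "__main__":
    print(parse_emlx(build_sample()))
```

A size mismatch raises an error instead of guessing, which surfaces partially downloaded or carved files early.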
Analysis Notes
- Version detection: Always check ~/Library/Mail/PersistenceInfo.plist first. If the plist is missing, attempt paths from V10 down to V2.
- Multiple accounts: Each email account has its own UUID subdirectory under the Mail version directory. EMLX files are organized by account and mailbox.
- Envelope Index as primary source: The Envelope Index provides faster access to message metadata than parsing individual EMLX files. For most forensic purposes, the Envelope Index alone is sufficient.
- EMLX for content: Full message body, headers, and inline content require parsing the EMLX files. This is necessary when message content analysis is required.
- Attachment tracking: The OpenedAttachmentsV2.plist file logs which attachments the user has opened, providing evidence of user interaction with email attachments.
- Mail rules: The SyncedRules.plist file may reveal automated email handling that could be relevant in data exfiltration or evidence destruction scenarios.
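The version-detection note above can be implemented as follows: read PersistenceInfo.plist first, fall back to probing V10 down to V2, then list the Envelope Index with its WAL and SHM sidecars so they are collected as a set. This is an added example, not code from the original page or any listed tool. The plist key name `LastUsedVersionDirectoryName` is an assumption not stated on the page, and the directory tree is constructed.

```python
import plistlib
import re
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption: this key name does not appear on the page.
VERSION_KEY = "LastUsedVersionDirectoryName"


def find_mail_version_dir(mail_root: Path):
    """Return (directory, source), source being 'plist' or 'probe', else (None, None)."""
    try:
        with (mail_root / "PersistenceInfo.plist").open("rb") as fh:
            info = plistlib.load(fh)
        name = info.get(VERSION_KEY) if isinstance(info, dict) else None
        # Accept only a bare V<number> so a tampered plist cannot point elsewhere.
        if isinstance(name, str) and re.fullmatch(r"V\d+", name):
            if (mail_root / name / "MailData").is_dir():
                return mail_root / name, "plist"
    except (OSError, ValueError, ExpatError):
        pass  # missing or unreadable plist: fall through to probing
    for n in range(10, 1, -1):  # V10 down to V2, as the note describes
        candidate = mail_root / f"V{n}"
        if (candidate / "MailData").is_dir():
            return candidate, "probe"
    return None, None


def envelope_index_files(version_dir: Path):
    """List the Envelope Index and any -wal/-shm sidecars present."""
    base = version_dir / "MailData"
    names = ("Envelope Index", "Envelope Index-wal", "Envelope Index-shm")
    return [base / n for n in names if (base / n).is_file()]


def build_constructed_tree(root: Path, plist_value=None):
    """Create a constructed sample layout (not real evidence)."""
    for version in ("V6", "V10"):
        (root / version / "MailData").mkdir(parents=True, exist_ok=True)
    (root / "V10" / "MailData" / "Envelope Index").write_bytes(b"")
    (root / "V10" / "MailData" / "Envelope Index-wal").write_bytes(b"")
    if plist_value is not None:
        with (root / "PersistenceInfo.plist").open("wb") as fh:
            plistlib.dump({VERSION_KEY: plist_value}, fh)
    return root
```

Recording whether the directory came from the plist or from probing keeps the collection log honest about how the active version was determined.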
Version Differences
| macOS Version | Mail Version | Notable Changes |
|---|---|---|
| 10.15 Catalina | Mail 13 | V10 directory structure introduced |
| 12 Monterey | Mail 15 | Mail Privacy Protection (remote content loading blocked) |
| 13 Ventura | Mail 16 | Undo send, scheduled send |
| 14 Sonoma | Mail 17 | Follow-up suggestions |
| 15 Sequoia | Mail 18 | Apple Intelligence: categories, summaries, priority |
Tool Support
| Tool | Support Level |
|---|---|
| macfor | Full collection: Envelope Index, EMLX, accounts, AI categorization, attachments |
| AXIOM | Full Mail support |
| Cellebrite | Full Mail support |
| emlx2mbox | EMLX conversion utility |
| sqlite3 CLI | Manual Envelope Index querying |