In the email client of the latest version of the iPhone software (iOS 4), there is an option called “Load Remote Images”. By default this is enabled. A privacy/security conscious user might untick that option so that the sender of an email, can’t detect when it is read, and the IP address that the reader is using.
There is a bug however. If you disable remote image loading, yet the HTML email contains the following tag:
<link rel="dns-prefetch" href="http://trackingcode.example.com/">
Then your iPhone will do a DNS lookup of “trackingcode.example.com”. Whoever controls the DNS for example.com can then detect when the message is read, and the IP address of the DNS servers the reader is using, ie the ISP/Country of the user in most cases.
I detected the bug by using the automated privacy tester at https://emailprivacytester.com/.
I have reported this privacy hole to Apple. I reported a similar problem in earlier versions of the iPhone email software whereby the video and audio HTML 5 tags were being loaded even with remote images disabled. These bugs seem to have been fixed now. Hopefully it wont take them too long to fix the dns-prefetch one too.