Every marketing email you receive likely contains one or more invisible trackers. They measure whether you opened the message, when, how many times, from which device, and which links you clicked. Here’s how it works - and how to do better.
How open tracking works
The spy pixel: an invisible image
The mechanism is straightforward: the sender inserts a 1×1 pixel transparent image hosted on their server. When your mail client renders the message, it downloads the image. The server records:
- When: HTTP request timestamp
- From where: IP address → approximate geolocation
- With what: User-Agent → device, OS, mail client
- How often: each reload = a new “open”
```html
<img src="https://tracking.esp.com/open/abc123-unique-id.gif"
     width="1" height="1" style="display:none" alt="">
```
The URL is unique per recipient. That’s what lets the ESP know who opened, not just how many opened.
Variations and tricks
ESPs don’t stop at a simple 1×1 GIF. Common techniques include:
| Technique | How it works | Detection difficulty |
|---|---|---|
| Classic transparent image | 1×1 <img> at the end of the body | Easy - 1×1 dimensions |
| Embedded in design | Pixel injected into a visible image (logo, banner) | Hard - URL is tracked but image looks legitimate |
| CSS background-image | <style> tag loads a tracked URL | Medium - requires CSS analysis |
| <link rel="prefetch"> | Some clients execute the prefetch | Rare but exists |
Worth noting: some sales engagement tools (Yesware, Mailtrack, Streak, Superhuman) add a tracking pixel even to individual 1-to-1 emails. Your colleague might know exactly when you read their messages.
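To check a message for these techniques, the sketch below scans its HTML for the three markup-level rows of the table: tiny or hidden images, CSS `url()` loads, and prefetch links. It is an added example, not part of the original article or of any tool it mentions; the `example.net` and `example.com` hosts are constructed, and a pixel embedded in a visible image cannot be found this way because it needs a list of known tracking domains.

```python
import re
from html.parser import HTMLParser

CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)  # remote CSS loads

class TrackerScan(HTMLParser):
    """Collects (technique, url) for remote loads that fire when the mail renders."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        compact = style.replace(" ", "").lower()
        if tag == "img" and a.get("src", "").lower().startswith("http"):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in compact or "visibility:hidden" in compact
            if tiny or hidden:
                self.findings.append(("pixel", a["src"]))
        elif tag == "link" and "prefetch" in a.get("rel", "").lower():
            self.findings.append(("prefetch", a.get("href", "")))
        elif tag == "style":
            self._in_style = True
        # Inline style="background-image:url(...)" on any element.
        self.findings += [("css-background", u) for u in CSS_URL.findall(style)]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.findings += [("css-background", u) for u in CSS_URL.findall(data)]

def scan(html):
    parser = TrackerScan()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample body; only the tracking.esp.com URL comes from the article.
SAMPLE = """<html><head>
<style>.hero{background-image:url('https://t.example.net/bg/u42.png')}</style>
<link rel="prefetch" href="https://t.example.net/pf/u42"></head><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="https://tracking.esp.com/open/abc123-unique-id.gif" width="1" height="1" style="display:none" alt="">
</body></html>"""
```

`scan(SAMPLE)` reports the CSS background, the prefetch link and the hidden 1×1 GIF, and leaves the 200×60 logo alone.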
Link wrapping: tracking every click
How it works
Instead of inserting the real link in the email, the ESP replaces it with an intermediary URL that routes through its server:
Displayed link: "View our offers"
Actual URL in HTML: https://click.esp.com/r/abc123/https://yoursite.com/offers
When the recipient clicks:
- The browser contacts click.esp.com
- The server logs the click (who, when, which link)
- It redirects (302) to the final URL yoursite.com/offers
What the sender gets
- Which link was clicked
- How many times
- By whom (tied to the recipient’s unique identifier)
- Time elapsed between open and click
The pitfalls of link wrapping
Shared domain reputation. If the ESP uses a shared tracking domain (click.espname.com), reputation is shared across all customers. A spammer on the same platform can impact your deliverability.
Suspicious URLs for spam filters. Links that route through a third-party domain different from the From: domain trigger phishing heuristics in some filters.
Broken links after ESP migration. If you switch ESPs, all tracked links in your old emails are dead - they point to the former provider’s infrastructure.
HTML bloat. Each wrapped URL is longer than the original. In an email with 20 links, that adds up. Combined with inlined CSS, you risk Gmail’s 102 KB clipping threshold.
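The wrapping scheme and two of its pitfalls (third-party hosts and added bytes) can be audited from the message HTML. The following is an added example, not code from the article or from any ESP: it assumes the destination is carried in the wrapped URL as in the sample above (many providers use an opaque token instead, in which case `destination` is `None`), and it compares hosts by simple suffix match rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlsplit, unquote

HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
EMBEDDED = re.compile(r"https?://", re.I)

def audit_links(html, from_domain):
    """One dict per http(s) link: host, first-party flag, wrapped destination, extra bytes."""
    report = []
    for href in HREF.findall(html):
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are not click-tracked
        host = (parts.hostname or "").lower()
        # Assumption: suffix match stands in for a registrable-domain comparison.
        first_party = host == from_domain or host.endswith("." + from_domain)
        # Look for a second URL carried after the scheme (path or query).
        tail = unquote(href[len(parts.scheme) + 3:])
        m = EMBEDDED.search(tail)
        dest = tail[m.start():] if m else None
        report.append({
            "host": host,
            "first_party": first_party,
            "destination": dest,
            "overhead": len(href) - len(dest) if dest else 0,  # bytes added per link
        })
    return report

def third_party_hosts(html, from_domain):
    """Distinct link hosts that do not belong to the From: domain."""
    return sorted({r["host"] for r in audit_links(html, from_domain)
                   if not r["first_party"]})

# Constructed sample; track.yoursite.com is a hypothetical first-party tracking host.
SAMPLE = '''<a href="https://click.esp.com/r/abc123/https://yoursite.com/offers">View our offers</a>
<a href="https://track.yoursite.com/r/abc123/https%3A%2F%2Fyoursite.com%2Foffers">Same link</a>
<a href="https://yoursite.com/contact">Contact</a>
<a href="mailto:hello@yoursite.com">Mail us</a>'''
```

For the sample, `third_party_hosts(SAMPLE, "yoursite.com")` returns only `click.esp.com`, and the first link carries 31 bytes of wrapper on top of its destination.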
The limits of open tracking
False positives: “opens” that aren’t real
Several mechanisms generate fake opens:
- Security proxies (Barracuda, Mimecast, Proofpoint): scan all links and images before inbox delivery. The email is “opened” without the recipient seeing it.
- Antivirus and pre-filtering: some download resources to analyze content.
- Apple Mail Privacy Protection (MPP): since iOS 15 / macOS Monterey, Apple preloads all images through a proxy, regardless of whether the email was actually opened.
- Preview pane clients: half a second in the preview pane = a logged open.
False negatives: invisible opens
Conversely, some real opens are never detected:
- Images blocked by default: Outlook desktop, Thunderbird, and many business clients don’t load images without explicit action.
- Plain text mode: recipients reading in plain text don’t trigger any image.
- Forwarded emails: forwarding can strip images or reload them from a different context.
The real problem: unreliable metrics
Combining false positives and false negatives, your open rate no longer reflects reality:
| Segment | Displayed open rate | Likely reality |
|---|---|---|
| Apple Mail users (MPP) | ~100% | Unknown - everything is preloaded |
| Outlook desktop users | ~10% | Probably higher - images blocked |
| B2B audience (security proxies) | Inflated | Artificial opens from filters |
| B2C mobile audience | Relatively reliable | But polluted by MPP |
Direct consequence: if you segment your lists based on “opens” (inactive for 90 days → deleted), you risk removing contacts who actually read your emails but block images.
Click tracking: a more reliable metric
Unlike open tracking, click tracking requires a voluntary action from the recipient. Nobody clicks a link by accident.
Advantages:
- Resistant to proxies and image preloading
- Indicator of real engagement (the recipient interacted)
- Less sensitive to variations between mail clients
Limitations:
- Security scanners may “click” links to verify URLs (ESPs typically filter these bot clicks via User-Agent or timing)
- Lower volume than opens → need more data to be statistically significant
Best practice: base your segmentation on clicks, not opens. It’s the only metric that proves genuine engagement.
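Before segmenting on clicks, scanner clicks have to be filtered out by User-Agent or timing, as noted above. The sketch below is an added example, not an ESP's actual filter: the thresholds, the User-Agent substrings and the click log are all constructed assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and markers; tune them against your own traffic.
MIN_DELAY = timedelta(seconds=5)     # click arrives this soon after delivery
BURST_WINDOW = timedelta(seconds=2)  # distinct links clicked inside this window
BURST_LINKS = 3
UA_MARKERS = ("scanner", "bot")      # constructed substrings, not a vendor list

def classify(events, delivered):
    """events: (recipient, iso_time, link, user_agent) tuples.
    delivered: recipient -> ISO delivery time.
    Returns recipient -> links with at least one human-looking click."""
    by_rcpt = defaultdict(list)
    for rcpt, ts, link, ua in events:
        by_rcpt[rcpt].append((datetime.fromisoformat(ts), link, ua.lower()))
    result = {}
    for rcpt, clicks in by_rcpt.items():
        sent = datetime.fromisoformat(delivered[rcpt])
        human = []
        for t, link, ua in clicks:
            # Distinct links this recipient hit within BURST_WINDOW of this click.
            burst = {l for t2, l, _ in clicks if abs(t2 - t) <= BURST_WINDOW}
            automated = (t - sent < MIN_DELAY
                         or len(burst) >= BURST_LINKS
                         or any(m in ua for m in UA_MARKERS))
            if not automated and link not in human:
                human.append(link)
        result[rcpt] = human
    return result

# Constructed click log: one delivery time per recipient, then raw click events.
DELIVERED = {r: "2024-05-06T09:00:00" for r in ("alice", "bob", "carol", "dave")}
EVENTS = [
    ("alice", "2024-05-06T09:00:01", "/offers", "Mozilla/5.0"),
    ("alice", "2024-05-06T09:00:01", "/blog", "Mozilla/5.0"),
    ("alice", "2024-05-06T09:00:02", "/pricing", "Mozilla/5.0"),
    ("alice", "2024-05-06T11:30:12", "/offers", "Mozilla/5.0"),
    ("bob", "2024-05-06T09:00:02", "/offers", "Mozilla/5.0"),
    ("carol", "2024-05-06T10:15:00", "/offers", "ExampleLinkScanner/1.0"),
    ("dave", "2024-05-06T14:02:00", "/blog", "Mozilla/5.0"),
]
```

In this log alice still counts as engaged because of her 11:30 click, even though a scanner hit all three links a second after delivery; bob and carol have only automated clicks.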
Best practices for ethical tracking
1. Prefer click tracking over open tracking
If you don’t need open rates to drive your campaigns, disable the pixel. Less data collected = less GDPR risk, and your click metrics are more actionable.
2. Use a first-party tracking domain
Instead of click.espname.com, configure a dedicated subdomain: track.yourdomain.com. Benefits:
- The tracking domain’s reputation is yours (not shared)
- Spam filters see a domain consistent with the From:
- If you switch ESPs, you keep the domain
3. Limit the number of trackers
An email with 5 different tracking domains (ESP pixel + Google Analytics + CRM tool + retargeting + URL shortener) sends a negative signal to filters. Each third-party domain is a friction point.
4. Be transparent
State in your privacy policy that your emails contain tracking mechanisms. GDPR requires a legal basis for this processing (legitimate interest or consent).
5. Respect unsubscribe preferences
Tracking doesn’t replace consent. If a recipient unsubscribes, stop all tracking immediately - not just sending.
What Sender Audit detects
When you analyze an email with Sender Audit, the Tracking section automatically identifies:
- Tracking domains present in your email (from a database of 400+ known domains: ESPs, CRMs, analytics, ad networks, URL shorteners)
- Total tracker count detected
- Cookies and ETags used in image URLs (advanced fingerprinting technique)
- Blacklisted domains (RBL) - a blacklisted tracker impacts your deliverability
This analysis tells you exactly what your emails “say” to spam filters and privacy-conscious recipients.
Checklist: audit your trackers
- Check how many tracking domains are present in your emails → Analyze an email
- Configure a first-party tracking domain on your ESP
- Disable open tracking if you’re not actively using it for segmentation
- Base your engagement segmentation on clicks, not opens
- Document your tracking usage in your privacy policy
- Verify your tracking domains aren’t on blacklists → Check blacklists