Email tracking pixels and link tracking: how senders know you opened their mail
When a marketing email, a recruiter, or even a friend using a free plugin sends you mail, there is a good chance they get a notification the moment you open it, where you opened it from, and what device you used. This article explains the two mechanisms behind that, the 1x1 tracking pixel and the wrapped link, exactly what each one leaks, and the handful of settings that reliably stop them.
The 1x1 tracking pixel
The oldest and most common technique is the tracking pixel: a tiny image, usually a 1x1 transparent GIF or PNG, embedded in the HTML body of an email. The image is not stored in the message. Instead the HTML contains a remote reference such as <img src="https://track.sender.com/o/abc123.gif">. When your mail client renders the message and fetches that image, it makes an HTTP request to the sender's server. That request is the open event.
The clever part is the unique identifier in the URL. The string abc123 is generated per recipient and per send, so when the server receives the request it knows precisely which person opened which campaign. There is no consent prompt and no visible image, which is the entire point.
The pixel can hide in plain sight in several ways. It is often a transparent GIF sized 1x1 pixels with CSS such as width:1px;height:1px;display:none, but it does not have to be invisible at all: any remote image in the message, including the company logo or a header banner, can carry the same per-recipient identifier in its URL. That is why simply spotting a tiny image is not a reliable way to find tracking. A typical campaign embeds the open pixel near the bottom of the HTML so that it fires only once the message body is actually rendered, and the same unique ID is reused across the wrapped links described below, letting the sender stitch your opens and clicks into one timeline.
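Because any remote image can carry the per-recipient identifier, a scanner should report every remote image, flag the tiny or hidden ones, and look for an ID shared between a pixel URL and the message's links. The following is an added example written for this article, not code from any client or vendor; the HTML body and the sender.test hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for the demo; not taken from any real sender.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60">
<p>Your order shipped. <a href="https://click.sender.test/r/abc123?u=https%3A%2F%2Fexample-shop.test%2Forder">Track it</a></p>
<img src="https://track.sender.test/o/abc123.gif" width="1" height="1" style="display:none">
<img src="cid:inline-photo.jpg">
</body></html>"""

class RemoteRefCollector(HTMLParser):
    """Collects remote http(s) <img> tags and <a href> links from an HTML body.
    Inline (cid:) images are ignored because they never leave the message."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if url and urlparse(url).scheme in ("http", "https"):
            (self.images if tag == "img" else self.links).append(a)

def looks_hidden(attrs):
    """True when width/height attributes or inline CSS make the image 1px or invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        return True
    return any(t in style for t in ("width:1px", "height:1px", "display:none", "visibility:hidden"))

def scan(html):
    """Return (all remote image URLs, the ones that look like open pixels,
    identifiers a pixel URL shares with a link URL, i.e. opens stitched to clicks)."""
    p = RemoteRefCollector()
    p.feed(html)
    remote = [a["src"] for a in p.images]
    pixels = [a["src"] for a in p.images if looks_hidden(a)]
    tokens = lambda u: set(re.findall(r"[A-Za-z0-9_-]{6,}", urlparse(u).path))
    shared = set()
    for px in pixels:
        for link in p.links:
            shared |= tokens(px) & tokens(link["href"])
    return remote, pixels, sorted(shared)

if __name__ == "__main__":
    remote, pixels, shared = scan(SAMPLE_HTML)
    print("remote images:", remote)
    print("likely pixels:", pixels)
    print("IDs shared with links:", shared)
```

The logo is reported as a remote image even though it is not flagged, which is the point of the paragraph above: blocking only the 1x1 image still leaves an open beacon in the message.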
What a single pixel request leaks
- That you opened it, and when. The server timestamps the request. Open at 7:02am, open again at 1:15pm during a meeting, the sender sees the pattern.
- How many times. Each render fires the pixel, so re-opening, scrolling back, or previewing inflates the count. Senders use this as an engagement signal.
- Your IP address, and from it a rough location. An IP maps to a city or region and an ISP or mobile carrier. It is not your street address, but it tells a recruiter you read their mail from a different city than your CV claims.
- Your device and mail client. The User-Agent header on the image request often reveals iPhone versus desktop, and sometimes the specific client such as Outlook or Apple Mail.
- Forwarding, sometimes. If you forward the mail and the recipient loads images from a different IP and device, the sender may see two distinct opens from one send and infer the message was passed on.
Link wrapping and click tracking
The second mechanism survives even when images are blocked, because you actively click it. Instead of linking directly to https://example.com/pricing, the sender rewrites every link to pass through their own redirect server first: https://click.sender.com/r/abc123?u=https%3A%2F%2Fexample.com%2Fpricing. You click, the redirect server logs the click against your unique ID, then issues an HTTP 302 redirect to the real destination. The whole detour takes milliseconds and you usually never notice the intermediate hop.
Click tracking leaks the same identity and IP data as the pixel, plus which specific links interested you. A newsletter can tell that you ignored the lead story but clicked the discount code, and feed that back into what it sends next.
Wrapped links are also harder to evaluate for safety, because the visible domain is the tracking redirector rather than the real destination. The actual target sits URL-encoded in a query parameter such as ?u=https%3A%2F%2F..., where %3A is a colon and %2F is a slash. Phishers exploit exactly this pattern, hiding a malicious destination behind a trusted-looking redirect domain, so learning to decode the parameter is a security skill as much as a privacy one. Some senders chain two or three redirects together, with each hop logging the click, which is why a single newsletter click can briefly bounce through several servers before the page loads.
Who actually does this
Tracking is not limited to spammers. It runs across a spectrum:
- Marketing platforms. Mailchimp, HubSpot, SendGrid, Klaviyo and similar bake open and click tracking into every campaign by default. Their dashboards report open rates and click maps as a core feature.
- Sales and outreach tools. Streak, Mailtrack, Yesware, HubSpot Sales and Mixmax add tracking to ordinary one-to-one Gmail and Outlook messages. A salesperson or recruiter using these gets a desktop notification the instant you open their mail, often with a small green or read-receipt indicator on their end.
- Individuals. Because those plugins are free or cheap, ordinary people use them on personal mail too. The friend who sends you a link may be running Mailtrack without thinking of it as surveillance.
This kind of silent cross-context data collection is exactly the broader pattern that privacyscore.dev highlights in the browser: invisible third-party requests that build a profile of you without a click of consent. Email is simply the same idea delivered to your inbox instead of a web page.
Defence one: stop loading remote images automatically
The single most effective move is to block remote image loading by default. No image fetch means no pixel fires, so the open is never recorded. Every major client supports this:
- Gmail: Settings, then Images, then "Ask before displaying external images".
- Apple Mail: turn off "Load remote content in messages" (and see Privacy Protection below).
- Outlook desktop: Trust Center blocks external content by default; keep it on.
- Thunderbird: blocks remote content by default and shows a banner with a per-sender allow option.
The tradeoff is that legitimate images in newsletters and order confirmations also stay hidden until you click to load them. For most people that is a minor inconvenience and a clear signal of which messages were tracking-heavy in the first place. There is a subtle catch worth knowing: in some clients, choosing "display images" for a single trusted message loads all remote content in it, including the pixel, so the open still gets recorded the moment you decide to view the pictures. The defence is most effective when you leave images blocked for commercial and cold senders entirely and only load them for mail where being counted as having opened it does not matter.
Defence two: understand image proxies and their limits
Some providers proxy images on your behalf, which changes the calculus.
Gmail image proxy
Since 2013 Gmail routes external images through Google's own servers. Google fetches the image, caches it, and serves it to you. The sender therefore sees Google's IP and a generic Google fetcher User-Agent, not your IP or device. This hides your location and device but does not hide the open itself. The pixel still fires when Google fetches it, so open tracking largely still works; only the IP and device fingerprint are obscured. Proxying also does less against real-time tracking than people assume, because Google often fetches the image when the message is displayed rather than pre-fetching it in advance.
Apple Mail Privacy Protection
Introduced in 2021, Mail Privacy Protection (MPP) takes a more aggressive line. When enabled, Apple pre-fetches and caches remote content through its relays, routed via a proxy that hides your IP, and it does so for messages whether or not you open them. The effect is twofold: senders see an Apple relay IP and a generic location, and the open signal becomes noise because Apple may register an "open" you never made. For senders relying on Apple Mail opens, the metric is effectively poisoned. Enable it under Mail, Privacy Protection on iOS and macOS.
Defence three: plain-text mode
If your client can render messages as plain text rather than HTML, do it. Plain text cannot contain an <img> tag, so there is no pixel to fire and links appear as raw URLs you can inspect before clicking. Thunderbird offers View, then Message Body As, then Plain Text. The cost is that richly formatted newsletters look bare, so many people use plain text selectively for senders they distrust.
Defence four: link unwrapping and inspection
Before clicking a wrapped link, hover to reveal the real target, or right-click and copy the address to read the embedded destination after the redirect domain. Some privacy-focused clients and extensions unwrap known tracking redirectors automatically, rewriting click.sender.com/r/...?u=... back to the clean destination so your click is never logged. If you must visit the link but not be counted, copy the decoded destination URL and paste it directly into your browser, bypassing the redirect server entirely.
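The decoding described under click tracking and the unwrapping described here can be done entirely by parsing, so the redirect server never sees a request. This is an added example for the article, not the code of any client or extension; the list of destination parameter names and the chained sender.test / partner.test URLs are assumptions constructed for the demo.

```python
from urllib.parse import urlparse, parse_qs

# Query keys that redirectors commonly use to carry the real destination.
# This list is an assumption for the example; real senders use many others.
DEST_KEYS = ("u", "url", "redirect", "target", "dest", "link")

def next_hop(url):
    """Return the destination URL embedded in a redirector link, or None.
    parse_qs percent-decodes once, so %3A%2F%2F becomes :// at this level."""
    qs = parse_qs(urlparse(url).query)
    for key in DEST_KEYS:
        for value in qs.get(key, []):
            if urlparse(value).scheme in ("http", "https"):
                return value
    return None

def unwrap(url, max_hops=5):
    """Resolve a chain of wrapped links by parsing alone (no request is sent,
    so no click is logged). Returns (final destination, redirector hosts crossed).
    max_hops guards against redirectors that point back at themselves."""
    hops = []
    current = url
    while len(hops) < max_hops:
        nxt = next_hop(current)
        if nxt is None:
            break
        hops.append(urlparse(current).netloc)
        current = nxt
    return current, hops

# Constructed example: two redirectors chained, so the inner URL is encoded twice
# (%253A is a percent-encoded %3A, which in turn is a colon).
WRAPPED = ("https://click.sender.test/r/abc123?u="
           "https%3A%2F%2Flinks.partner.test%2Fgo%3Ftarget%3D"
           "https%253A%252F%252Fexample.test%252Fpricing%253Fplan%253Dpro")

if __name__ == "__main__":
    dest, hops = unwrap(WRAPPED)
    print("visible domain  :", urlparse(WRAPPED).netloc)
    print("redirectors     :", " -> ".join(hops))
    print("real destination:", dest)
```

Comparing the visible domain with the final destination host is the check that catches a trusted-looking redirector in front of an unexpected site.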
Defence five: alias and disposable addresses
Address-level defences limit the damage when tracking does get through and when your address is later sold or breached. Use a unique alias per sender so you can see who leaked your address and cut it off:
- Apple Hide My Email generates a random forwarding address per signup, tied to your iCloud account.
- Gmail plus-addressing (adding a +tag before the @ of your address) is trivial to set up but also trivial for a sender to strip, so treat it as organisational, not protective.
- Dedicated aliasing services such as SimpleLogin or Firefox Relay give true per-sender addresses that forward to your real inbox and can be disabled individually.
Aliases do not stop a pixel from firing, but they break the link between the tracked address and your primary identity, and they make a breached or sold list far less useful to whoever buys it. A practical habit is to register a fresh alias for every newsletter, retailer, and forum signup; if you later start receiving spam at the alias you gave one specific shop, you have caught that shop selling or leaking your list, and you can disable that single address without touching any other relationship. This turns your inbox from an open target into a set of compartments, each of which can be sealed off the moment it is compromised.
Putting it together
A realistic, low-friction setup for 2026 looks like this: block remote images by default in your main client, enable Apple Mail Privacy Protection or rely on the Gmail proxy if you use those ecosystems, prefer plain text for cold or commercial senders, and route new signups through per-sender aliases. That combination defeats the IP and device leak entirely, neutralises or poisons most open tracking, and contains the fallout when an address inevitably leaks.
Email tracking is the same surveillance logic as web tracking, just delivered by message. Once you have hardened your browser, the next privacy hole most people overlook is the one sitting in their inbox. Check your overall exposure on privacyscore.dev, then close the email gap with the steps above.