Email Privacy 101: How Tracking Pixels and Open Tracking Work

What a Tracking Pixel Actually Is

A tracking pixel—sometimes called a web beacon, pixel tag, or spy pixel—is simply an image embedded in an HTML email. It is usually a 1×1 pixel transparent GIF or PNG, small enough to be invisible to the human eye. The image is not stored inside the email itself; instead, the email contains an HTML tag that points to a file hosted on the sender's server.

In the raw HTML of the message, it looks roughly like this:

<img src="https://track.example.com/o/8f3a9c2e1b.gif"
     width="1" height="1" alt="" style="display:none" />

The important detail is the long, unique string in the URL (here 8f3a9c2e1b). That identifier is generated per recipient and per campaign. Because every copy of the email points to a slightly different URL, the sender can tell which specific person requested the image rather than just counting anonymous hits.

How Loading a Remote Image Reports an "Open"

Email clients do not store remote images locally. When your client displays a message with an <img> tag pointing at an external URL, it makes a normal HTTP request to fetch that file—exactly like a web browser loading a picture on a page. That request is the entire trick. Here is the sequence:

Crucially, no part of this requires you to click anything. Simply rendering the message body is enough, which is why the technique is so widespread in newsletters, sales outreach, and automated marketing platforms.

Click Tracking and Link Wrapping

Open tracking tells a sender that a message was rendered. Click tracking goes a step further and records which links you follow. It works by rewriting the links in the email so that they no longer point directly to the destination. Instead, they route through the sender's server first—a technique called link wrapping.

A link that appears to say https://shop.example.com/sale might actually be encoded as:

https://click.example.com/c/8f3a9c2e1b?url=https%3A%2F%2Fshop.example.com%2Fsale

When you click, your browser hits the tracking server, which logs the same kind of metadata as a pixel (identifier, timestamp, IP, User-Agent) and then immediately issues an HTTP redirect to the real page. The redirect happens in milliseconds, so you rarely notice the detour. Click tracking is harder to avoid than open tracking because following any link inevitably contacts a server, and image-blocking does not affect it.

What Senders Can and Cannot Infer

It is easy to overestimate how much these techniques reveal. The data is real, but it is also limited and frequently misleading.

A few specific caveats are worth understanding:

• IP geolocation is coarse. An IP maps to an approximate region or city, often the location of an internet provider's routing equipment rather than your home. It is routinely wrong, and on mobile networks it can place you in an entirely different city.
• An "open" is not a read. A preview pane can render the message and fire the pixel before you consciously look at it. Conversely, you can read every word and never trigger the pixel if images are blocked.
• Automated systems inflate the numbers. Spam filters, security scanners, and link-preview bots fetch images and follow links to check for threats, producing "opens" and "clicks" that no person performed.

Why Open Tracking Is Less Reliable Than It Used to Be

Over the past few years, mail providers have built defenses that substantially weaken open tracking. The two most important are image proxying and pre-fetching.

Apple Mail Privacy Protection

Introduced in 2021, Mail Privacy Protection is on by default for many Apple Mail users. When enabled, Apple downloads remote content—including tracking pixels—through its own proxy servers, often as soon as the message arrives and regardless of whether you ever open it. The sender therefore sees an Apple proxy IP instead of yours, and an "open" time that may correspond to delivery rather than reading. The result is that open data from these recipients is essentially noise.

Gmail's image proxy

Since 2013, Gmail has routed remote images through Google's own caching proxy. The request the sender sees comes from a Google server, so the recipient's real IP is hidden, and the cached copy means the image often is not re-fetched on repeat views. Open tracking still fires on the first load, but the IP and User-Agent reflect Google's infrastructure, not your device.

How to Protect Yourself

You do not need special software to limit email tracking. A few settings in your existing client go a long way:

1. 1Block remote images by default. Most clients (Gmail, Outlook, Thunderbird, Apple Mail) offer a "do not load external images automatically" setting. Images then load only when you choose, so the pixel stays inert until you decide a message is trustworthy.
2. 2Use a provider that proxies images. If you use Gmail or Apple Mail with Mail Privacy Protection, the proxying described above already masks your IP and muddies the open timestamp without any effort on your part.
3. 3Read in plain text when you can. Viewing the plain-text version of a message strips out the HTML entirely, so there is no image tag to load and no pixel to fire.
4. 4Be deliberate about clicking. Because click tracking survives image-blocking, hover to inspect a link before following it, and avoid clicking through wrapped redirect URLs unless you trust the sender.
5. 5Compartmentalize your address. Giving a single-purpose address to sign-ups you do not fully trust limits how much any one sender can correlate about you over time.

If you are a developer building or QA-testing email flows and want to inspect raw headers and HTML—including the tracking pixels and wrapped links inside a campaign—a free temporary-email tool like OpenInbox can be a convenient throwaway endpoint for examining what a message actually contains.

Frequently Asked Questions