How Email Open and Click Tracking Actually Works
Every time you pull up a campaign report and see “open rate 24%, click rate 3.1%”, those numbers come from a concrete mechanism: invisible pixels, redirect chains, and HTTP headers. Here’s how it works, why the data lies, and what to do about it.
Open tracking: the invisible pixel
The idea is as old as web analytics. An HTML email contains an <img> tag sized 1x1 pixel. The image source is not a file on disk but a unique URL on the sender’s server. When the email client renders the message and loads images, the browser fires a GET request to that URL. The server records the event: message for subscriber X was opened at this time, from this IP, with this User-Agent.
The URL looks roughly like this:
https://track.esp.com/open?mid=abc123&uid=user456The mid parameter identifies the campaign; uid identifies the subscriber. The server returns a transparent single-pixel GIF and writes a log entry. The pixel is invisible in the email. Subscribers don’t know it’s there. Most ESPs, Mailchimp, Brevo, SendGrid, HubSpot among them, do this by default.
Some platforms skip the dedicated pixel and route existing images through a tracking URL instead. The header logo loads via a tracking URL, same principle, one fewer DOM element. The result is identical.
Click tracking: link substitution
Before sending, the ESP rewrites every link in the email body. Instead of https://yoursite.com/promo the subscriber receives something like:
https://click.esp.com/r?mid=abc123&uid=user456&url=https%3A%2F%2Fyoursite.com%2FpromoThe subscriber clicks. The browser hits the ESP’s server. The server logs the click (who, when, which link) and issues an HTTP 302 redirect to the real URL. The subscriber lands on the destination page. The whole cycle takes 50–200 ms; nobody notices.
Many ESPs offer a Custom Link Tracking Domain option: instead of click.esp.com you use your own subdomain, such as go.yourcompany.com. It’s a CNAME in DNS pointing at the ESP’s tracking infrastructure. The benefit is twofold: a consistent domain in links improves filter trust (no third-party domains mixed in), and if you switch ESPs later you keep control of the URL.
What each metric actually counts
Not everything in your report means what you think. The main metrics broken down:
Unique opens — the number of distinct subscribers whose client loaded the pixel at least once. Three opens from the same person still counts as one unique open.
Total opens — the total pixel load count. One subscriber can generate a dozen total opens if they read the email on their phone, then on a laptop, then on the phone again.
Unique clicks — subscribers who clicked at least one link. Total clicks — all clicks across all links.
CTOR (Click-to-Open Rate) — unique clicks divided by unique opens. It tells you how well the content works for people who read it. A low open rate points to subject line and preheader problems. A low CTOR points to what’s inside the email.
Why open rate lies (and by how much)
Open tracking is the least reliable metric in email marketing. Here are the concrete reasons.
Image blocking. Outlook blocks images from unknown senders by default. Thunderbird does the same. A subscriber opened your email, read the text, clicked a link, and the pixel never loaded. That open doesn’t appear in your report. Estimates put pixel-blocking losses at 15–25% of actual opens.
Plain-text email. If someone reads mail in text mode or a CLI client like mutt, HTML doesn’t render. No pixel, no open.
Apple Mail Privacy Protection. The biggest blow to open tracking in recent years. Since iOS 15 in 2021, Apple routes all images through its own proxy servers. Images load automatically regardless of whether the person opened the email. Every delivered message to an Apple Mail user shows up as opened. Open rate for the Apple segment can hit 90–95%, which tells you nothing. IP addresses are masked too, so geolocation based on them no longer works.
According to Litmus data from 2026, Apple Mail holds roughly 55% of the email client market in B2C. For most lists, open rate as an absolute number is useless. Trends still mean something: if open rate drops by a third in a month, something broke. But comparing 24% in one industry against 30% in another is meaningless.
Security bots. Corporate mail gateways, Barracuda, Proofpoint, Mimecast, scan incoming messages for threats. They load every image and follow every link. Every message passing through such a gateway registers as opened and clicked. For B2B lists this is a serious problem: 20–40% of “opens” can be bots.
Open rate is a directional signal, not a fact. The only engagement metric you can trust is a click. A person followed a link, and that event was recorded server-side.
Click tracking: more reliable, with caveats
Clicks are more trustworthy than opens because they involve a real HTTP request that is hard to trigger by accident. That said, there are complications.
The same security bots. Proofpoint and its peers don’t just load the pixel, they follow links to check for phishing. Some do this within seconds of delivery. If you see a spike of clicks 1–3 seconds after sending, it’s almost certainly bots. A real person does not click a second after receiving an email.
You can filter bots by click time (under 2 seconds after delivery), by User-Agent (many gateways don’t disguise themselves), and by pattern: a bot clicks every link in the email simultaneously; a person clicks one or two. Most ESPs handle this out of the box, but check your settings. Not all enable bot filtering by default.
The second issue is prefetching. Some email clients, Gmail on Android and certain corporate systems, may preload link content for speed. It’s not a real click, but a HEAD or GET request to the redirect URL will still be logged by the server.
How tracking affects deliverability
Tracking modifies your email, and spam filters see those changes.
Link substitution and DKIM. Not directly, but if the ESP rewrites links with its own domain and DKIM signs the message body, any change after signing breaks the signature. In practice most ESPs sign after substitution, so this isn’t an issue. If you send through your own SMTP and add tracking via a separate service, verify the processing order.
The domain in links. All links point to the tracking domain. Spam filters check that domain’s reputation. A large ESP with a good-standing domain is fine. But shared tracking domains used by thousands of senders can get caught by filters because of someone else’s bad sending. A custom tracking domain solves this: the reputation is yours alone.
The hidden pixel. An invisible image is one of the signals filters use to identify bulk mail. On its own it won’t land you in spam. Combined with other factors, low engagement, complaints, poor domain reputation, it adds weight to the filter’s decision.
Practical takeaways
Tracking isn’t going away; email marketing is blind without it. But the numbers need to be read carefully.
Don’t treat open rate as your primary metric. For any list with Apple Mail subscribers (and that’s almost every B2C list), open rate is inflated. Watch clicks, conversions, and unsubscribes. If you want an engagement number, use CTOR. Just remember that the numerator (clicks) is more reliable than the denominator (opens).
Set up a custom tracking domain. It’s a CNAME record and ten minutes of work. You get control over link reputation, consistent-looking URLs in your emails, and portability when you change ESPs.
Filter bots. Check whether bot filtering is enabled in your ESP. For B2B senders this is critical. Without it your click data can be inflated by 20–40%.
Consider disabling tracking for transactional email. Order confirmations, password resets, shipping notifications: tracking here adds redirect latency, complicates links, and offers no marketing value. Most ESPs let you turn it off per message category.
Test pixel rendering. Send a test to Gmail, Outlook, Yahoo, and Apple Mail and confirm that tracking fires. Occasionally CSS or nested tables in the email hide the pixel so it never loads even when images are enabled.
Tracking on a dirty list is noise
Everything above assumes your emails are reaching real inboxes. If 30% of your list is invalid addresses, the resulting bounce rate damages your domain reputation, emails start landing in spam, and your tracking data reflects only the surviving fraction of your audience.
Spam traps, disposable addresses, mailboxes that have been dead for six months: none of them will ever open or click. They do corrupt your metrics and hurt your sender score. Tracking won’t tell you that part of your list is dead. That’s what validation is for.
Validating regularly, before each major send, once a month for active lists, makes tracking data mean something. When the list contains only live addresses, open rate and click rate reflect actual engagement rather than a percentage calculated over garbage.
Validate your list before the next send. uChecker gives you 30 free checks with results in minutes.
