Why Email Opens and Clicks Can’t Be Trusted Anymore

Once upon a time, an email open meant the email was opened. A click meant the person was interested.

Not anymore. Now ‘opens’ are created automatically by email privacy features and image fetching. ‘Clicks’ are created automatically by security products checking links before a human does anything. The dashboard numbers look better than ever. There are even more clicks than opens. Oh, hang on.

Why opens are no longer reliable

An open has always been just a one-pixel empty image that the email sending software adds into the email. When the email is opened the image downloads from the server and the server registers it as an open.

That always had weaknesses. Sometimes the email was opened and not read (a false positive) and more often the email was opened but the image wasn’t downloaded because the email software (Outlook, Gmail, Thunderbird etc) has a default setting now to automatically download images (false negative).

But then it got much worse, to the point that opens are almost a pointless metric. Apple introduced its ‘Mail Privacy Protection’ in September 2021. Apple’s own documentation says Apple Mail will hide IP address information and privately download remote content in the background when a message is received rather than when it is viewed. That means a tracking pixel will fire even when the recipient has not opened the email. If the email goes into the spam inbox or is deleted before opened, it’s an ‘open’ as far as your dashboard is concerned.

Opens are now unreliable in both directions.

Clicks are no better

Clicks always felt more of an insight than opens. An open can be passive but a click is, for the most part, an intentional action.

Security products now rewrite, inspect, and check links as part of normal email protection. Microsoft says Safe Links in Defender for Office 365 rewrites URLs and verifies them to protect users from malicious destinations. That is exactly what you would want from a security product. It also means the sender thinks it has a click which is just security infrastructure doing its job.

Non-human opens and clicks can also be created by aggressive spam filters, recipient servers, and image proxies. To recognise false positives, it’s important to look at the opening IP address (if your email software reports it), ‘user agent’ (found in the email headers), and timestamp of those events to work out whether they are likely to be real. Specifically look at patterns like high numbers of clicks around the moment of delivery and repeated activity from the same IP.

What fake events usually look like

If an open or click event registers almost immediately after delivery, that is suspicious. If every link in the email gets clicked in a neat burst, that looks suspicious. If the same IP appears across many events, that looks suspicious. If the ‘user agent’ points to an image proxy, scanner, or known bot, that looks suspicious.

What now matters more than opens and clicks

A real response from the recipient or an out-of-office reply are now really the only credible signs of receipt. An out-of-office reply, an automated acknowledgement, or another similar response is not proof of interest, but it is a much stronger sign that the email reached a real mailbox and triggered a real mailbox-level process.

Why the safer view is the pessimistic one

Some real people will read emails with images blocked and never show as opens. Some real clicks will look suspicious and get treated as bot-like. The more you try to strip out machine behaviour, the more likely you are to miss some human behaviour as well. SDRs will hate us for saying this but their results, if not taken with a warehouse full of salt, are generally way too optimistic.

Where PitchKraft fits

PitchKraft.ai’s analytics offers two options on its analytics dashboard: all opens and click and opens and clicks without all chances of bot activities. The two options often differ significantly but it’s an honest range and it gives you real insight..

Use opens as rough indicators. Look at trends rather than absolutes. If your campaign had X opens with campaign A and 2X with campaign B then campaign B, all else being equal, is twice as effective.

 

 Frequently asked questions

Why are email opens no longer reliable?

Because open tracking depends on loading remote content, usually a tracking pixel. Apple Mail Privacy Protection can download that content in the background before a person reads the message, while some real recipients block images and never trigger the pixel at all.

 Why are email clicks no longer reliable?

Because security products now rewrite, inspect, and verify links automatically. Some click events are created by security systems rather than by human interest.

How can I tell if an open or click was probably caused by a bot?

Look for events that happen almost instantly after delivery, bursts of clicks across multiple links, repeated IP patterns, and user agents that point to scanners, proxies, or bots.

What should I trust more than opens and clicks?

Replies, conversions, and mailbox-level receipt signals such as auto-replies. Those are stronger operational indicators than a tracking pixel or a bare click event. This last point is an inference from how email tracking and mailbox automation work.

Does PitchKraft track these metrics?

Yes. PitchKraft’s analytics dashboard shows opens and clicks and can discount those from bots.