Email Open and Click Tracking After Apple and Gmail Privacy Changes
A campaign showing a 97% open rate is not a good campaign — it is a campaign sent mostly to Apple Mail users. Mail Privacy Protection and similar proxy-based image loading quietly broke the pixel as a measurement tool years ago, and most sending platforms still display open rate front and center as if nothing happened. This guide explains what a tracking pixel and a wrapped link actually measure today, and which numbers a B2B outreach team can still build decisions on.
- Open tracking via pixel is structurally broken for a large share of recipients — Apple's Mail Privacy Protection pre-fetches every image regardless of whether a human opened the email.
- Click tracking is still a meaningful signal because clicking requires deliberate action, though corporate security scanners can generate false-positive clicks seconds after delivery.
- For targeted B2B cold outreach, reply rate is the metric that actually reflects whether the email worked — treat open rate as a rough deliverability signal, not an engagement signal.
- Tracking infrastructure itself affects deliverability: a cold or shared tracking domain can hurt inbox placement more than the tracking data helps your reporting.
- Pixel and link tracking are data collection and fall under GDPR and CAN-SPAM expectations regardless of how the numbers are used internally.
How open and click tracking actually work
An open tracking pixel is a one-by-one transparent image embedded in the email body, hosted on a server you control or your sending platform controls. When the recipient's mail client renders the email and requests that image, the server logs the request as an open — timestamp, IP address, sometimes a rough device or client fingerprint. No image request, no open. That single dependency — the client has to actually fetch a remote image over the network at the moment of viewing — is the entire mechanism, and it is also exactly what mailbox providers have started intercepting.
Click tracking works differently and more durably. Every link in the email body gets rewritten to point at a tracking domain first, which logs the click and then redirects the browser to the real destination URL. Because this requires the recipient's device to actually navigate to a URL — not just render an image — it has historically been a cleaner signal of intent than opens. A recipient who clicks a link is doing something; a recipient whose email client silently fetched a pixel in the background is not.
Why open rate broke: Apple MPP and Gmail image caching
Apple Mail Privacy Protection, on by default since iOS 15 and macOS Monterey, pre-fetches and caches every remote image in an email — including the tracking pixel — through Apple's own proxy servers, whether or not the recipient ever opens the message. The practical effect: every email sent to an MPP-enabled Apple Mail address registers as opened, often within seconds of delivery, regardless of whether a human ever looked at it. In lists with a heavy share of iPhone or Mac Mail users, which is most consumer inboxes and a meaningful slice of B2B ones, open rate stops distinguishing an engaged reader from an email that sat unread.
Gmail's image proxying is older and less absolute — Gmail has routed remote images through its own servers since 2013 — but it compounds the same problem from a different angle: the pixel request comes from Google's infrastructure, not the recipient's device, and a cached image may not trigger a fresh request on every viewing. Between MPP inflating opens toward 100% and Gmail's caching behavior distorting timing and repeat-open counts, the two mail ecosystems that dominate both consumer and corporate inboxes have each made the raw open number unreliable in a different way. A 60% open rate from a mixed list today tells you almost nothing about how many people actually read the email — it mostly tells you what mail clients your list uses.
A cold campaign to 200 named decision-makers reports a 68% open rate and a 4% reply rate. Pulled apart by client, the opens split almost entirely between Apple Mail (near-automatic, MPP-driven) and a smaller, more volatile Outlook segment that tracks closer to genuine reading behavior. The 4% reply rate — a normal healthy result for targeted B2B cold email — is the number that reflects whether the message actually landed and worked. The 68% open rate reflects Apple's proxy behavior more than it reflects the recipients.
Is click tracking still reliable?
Mostly, yes — with one recurring false positive worth knowing about. Corporate email security gateways, including Microsoft Defender Safe Links and comparable tools at Proofpoint, Mimecast and similar vendors, pre-scan every link in an inbound email by visiting it automatically, before the message ever reaches the recipient's inbox. That scan registers as a click in your tracking data, typically within seconds to a couple of minutes of delivery, with no human involved. In B2B sending to enterprise domains running these gateways, you should expect a baseline of scanner-generated clicks layered on top of genuine ones.
The practical fix is filtering, not abandoning the metric. Clicks that arrive within roughly the first one to two minutes after send, from data-center IP ranges rather than residential or mobile carriers, or that hit every link in the email in rapid succession rather than one link a human actually chose, are almost always security-scanner traffic and should be excluded from engagement reporting. What remains — a click minutes or hours later, from a plausible consumer or corporate ISP, on one specific link — is still a solid signal that a real person engaged with the content enough to act on it.
What to trust instead of raw open rate
For a B2B cold outreach program sending targeted volumes to named decision-makers rather than blasting a purchased list, the hierarchy of trustworthy signals looks different from what most email dashboards lead with.
Reply rate sits at the top because it cannot be faked by a proxy or a scanner — only a human reading the email and choosing to respond produces a reply. A healthy cold B2B reply rate in most industries runs somewhere in the 3-8% range; a well-targeted, well-personalized campaign to a tight ICP can push higher, while an under-targeted list will sit well below it no matter how good the copy is.
- Reply rate — the strongest available signal; a genuine human action tied directly to the message.
- Click rate, scanner-filtered — a decent proxy for interest when links point to something worth clicking (a case study, a calendar link, a one-pager).
- Bounce rate and complaint rate — not engagement metrics, but the two numbers that most directly threaten sender reputation and deserve daily attention.
- Positive-reply or meeting-booked rate, tracked in the CRM against the dialog thread rather than the send platform — the number that actually maps to pipeline.
- Open rate, Apple-segmented — worth keeping only as a rough delivery sanity check (did the message land in the inbox at all) rather than an engagement measure.
Tracking setup and its deliverability cost
The tracking domain used to wrap links and host the pixel is itself a deliverability variable, and a poorly set up one can cost more than the tracking data is worth. A shared tracking domain reused across many unrelated senders on a sending platform inherits the reputation of everyone else using it — if another customer on the same domain gets flagged for spam complaints, your links can start getting blocked by security filters even though your own sending was clean. A dedicated tracking subdomain, authenticated with its own DNS records and warmed up gradually like any other sending asset, avoids that shared-blast-radius problem and is the standard setup for a program that sends to named decision-makers rather than a purchased list.
There is also a simpler failure mode worth checking directly: some corporate spam filters weight the presence of a remote tracking pixel itself, on top of the domain reputation, as a mild signal associated with bulk marketing mail. For very high-stakes sends to a short list of priority accounts, some teams choose to disable open tracking on that specific send and rely on click and reply data alone, trading a metric they cannot trust anyway for slightly cleaner inbox placement.
Privacy and legal considerations
A tracking pixel and a wrapped link are both forms of data collection about an identifiable person, and that puts them inside the scope of privacy regulation regardless of how small the campaign is. Under GDPR, processing that data needs a lawful basis — for B2B outreach to a named professional in the context of their role, legitimate interest is the basis most companies rely on, but that requires the underlying outreach itself to be relevant and proportionate, not just the tracking mechanism being technically legal. Under CAN-SPAM, tracking pixels and click tracking are not restricted directly, but every commercial email still needs a working opt-out mechanism and a physical postal address, and using tracking to keep emailing someone who already opted out is the actual violation, not the tracking itself.
The practical takeaway for a cold outreach team is to treat tracking data as something you would be comfortable explaining if a recipient asked what you collect and why — logging that an email was opened and a link was clicked, for the purpose of following up appropriately, is a defensible practice; building a detailed behavioral profile from it for anything beyond the sales conversation is a different, riskier use that deserves its own review.
FAQ
Why is my open rate suddenly near 100%?
This is almost always Apple Mail Privacy Protection, which pre-fetches every image in an email — including the tracking pixel — through Apple's proxy servers as soon as the email arrives, regardless of whether the recipient ever opens it. If a large share of your list uses Apple Mail on iPhone or Mac, expect open rate to trend toward 100% and stop reflecting real engagement.
Should I stop using open tracking altogether?
Not necessarily — it still gives a rough sanity check on delivery, and on non-Apple clients it retains some signal. Just stop making decisions based on it in isolation: segment opens by mail client where your platform allows it, and weight reply rate and filtered click rate far more heavily when judging whether a campaign actually worked.
Why do I get email clicks seconds after sending?
That is almost always a corporate security gateway — Microsoft Defender Safe Links and similar tools from Proofpoint, Mimecast and others — automatically pre-scanning every link in an inbound email before it reaches the recipient. Filter out clicks in the first one to two minutes from data-center IPs before trusting your click numbers.
Does adding a tracking pixel hurt deliverability?
A well-authenticated, warmed-up dedicated tracking domain has minimal impact. The risk comes from shared tracking domains that inherit other senders' bad reputation, or from stacking a tracking pixel onto an already borderline send. For your highest-priority accounts, disabling open tracking on that specific send is a reasonable trade-off since the pixel data was unreliable anyway.
What email metric should a B2B cold outreach team actually optimize for?
Reply rate, and ideally positive-reply or meeting-booked rate tracked against the CRM dialog rather than the send platform. These require a genuine human action and cannot be inflated by a mail client's privacy proxy or a security scanner, unlike open rate and, to a lesser extent, raw click rate.
Is email tracking legal under GDPR and CAN-SPAM?
Tracking itself is generally permitted, but it counts as processing personal data, so GDPR requires a lawful basis — legitimate interest is the common basis for professional B2B outreach, provided the outreach itself is relevant. CAN-SPAM does not restrict tracking directly but requires a working opt-out and a physical postal address in every commercial email, tracked or not.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us