Suped

Are one time passwords better than one time links for deliverability?

Michael Ko
Co-founder & CEO, Suped
Published 20 Jun 2025
Updated 17 Aug 2025
The debate between using one-time passwords (OTPs) and one-time links, often called magic links, for user authentication is common in the email deliverability world. Both methods offer a passwordless login experience, enhancing security by eliminating static passwords. However, when it comes to how these methods might impact your email deliverability, the nuances are often misunderstood. Many believe that getting a click on a magic link is inherently better for sender reputation than a user simply reading an OTP in an email.
The core of the argument often revolves around user engagement metrics that senders track: opens and clicks. For senders, a click on a magic link seems like a clear signal of engagement, while an OTP email might just be opened, or even just read in a preview pane, without triggering a traditional 'open' pixel if images are blocked. This leads to the perception that magic links could boost deliverability more effectively by generating measurable clicks.
However, the reality of how mailbox providers (MBPs) assess engagement and deliverability is far more complex than simple open and click metrics. Their sophisticated algorithms look at a multitude of signals, many of which are not visible to senders. Understanding these underlying mechanisms is crucial for making informed decisions about your authentication email strategy.

How mailbox providers track engagement

A common misconception is that mailbox providers rely solely on image loading (often a tracking pixel) to detect if an email has been opened. This isn't accurate. While image loading is one signal, MBPs, especially those with their own webmail interfaces or mobile apps like Gmail, have more sophisticated ways of tracking user engagement. They can track interactions within their proprietary web interfaces and applications directly. This includes actions like scrolling, starring, forwarding, marking as read (which often de-bolds an email in the inbox list), and even the duration a user spends viewing an email.
For mail clients not owned by the MBP (like desktop mail clients that use IMAP), the primary signal is typically the IMAP flag changing from 'unread' to 'read'. This is a direct indication to the server that the message has been accessed. So, whether it's an OTP or a magic link email, an MBP has ways to determine if a user has engaged with it, regardless of whether a tracking pixel fires.
Clicks, while valuable for your internal analytics, are not universally tracked by mailbox providers as a primary deliverability signal. Historically, some major providers, including Yahoo and Microsoft (and Google), have stated that they do not track clicks for deliverability purposes, citing privacy concerns. Your ESP might report clicks to you, but these are often tracked via their own redirect links, not directly by the recipient's MBP. So, while you might see a higher click rate with magic links, this doesn't necessarily translate to a direct deliverability boost from the MBP's perspective.
The distinction between how senders track clicks and how MBPs use engagement signals is crucial. MBPs prioritize protecting their users from spam and abuse, and their algorithms are designed to detect malicious activity, not just measure marketing engagement. They focus on overall sender reputation, which is built on consistent positive interactions over time, not just individual clicks.
From a pure deliverability standpoint, there's no significant difference between OTPs and one-time links. Both are transactional emails, meaning they are expected by the recipient and are critical for user access. As such, MBPs typically give these emails a higher priority than bulk marketing emails, provided your sender reputation is good. The key factor for deliverability is ensuring the email reaches the inbox promptly, regardless of whether it contains a password or a link.
What truly matters for deliverability are the underlying sending practices. Your email authentication records (SPF, DKIM, DMARC), IP and domain reputation, content quality, and historical engagement with your domain all play a much larger role. A well-authenticated email from a reputable sender is far more likely to land in the inbox, whether it's an OTP or a magic link. However, there are user experience and security trade-offs that might influence your choice.

One-time passwords (OTPs)

OTPs involve sending a numeric or alphanumeric code directly in the email body. The user then manually inputs this code into your application or website.
  1. User experience: Requires context switching between email and application, and manual input. Can be slower for users. Some find it cumbersome.
  2. Security: Less susceptible to pre-fetching or automated link scanning by bots, as no link needs to be clicked. However, still vulnerable to phishing if users are tricked into entering the code on a fake site.
  3. Deliverability impact: No direct click signal for senders, but MBPs still detect engagement via read status. Overall deliverability hinges on sender reputation and authentication.

One-time links (magic links)

Magic links provide a direct, clickable URL that instantly logs the user in or verifies their identity.
  1. User experience: Seamless, one-click login. Generally faster and more convenient for users. Reduced friction.
  2. Security: Vulnerable to automated scanning or pre-fetching by bots or security software, which can prematurely invalidate the link. Susceptible to link interception or caching, potentially allowing unintended access. Users might also be phished into clicking malicious links.
  3. Deliverability impact: Provides clear click data for senders' analytics. However, MBP deliverability assessment relies on broader engagement signals, not just clicks.

Security implications and deliverability

While deliverability metrics for OTPs and magic links might not differ significantly, their security implications can impact user trust and, indirectly, your sending reputation. Magic links, though convenient, face unique security challenges. Automated email scanning services, web crawlers, or even anti-virus software can sometimes pre-fetch or click on links within emails before the user sees them. This premature click can invalidate the one-time link, leading to a frustrating user experience where the link appears to be broken. Repeated instances of this can lead to users marking your emails as spam, which negatively impacts your sender reputation and deliverability.
There are also documented cases where magic links have inadvertently been indexed by search engines, making them publicly accessible. This is a severe security flaw that could allow unauthorized access to accounts, leading to data breaches or account compromises. If your domain is associated with such incidents, it could quickly be placed on a blocklist or blacklist by MBPs, severely affecting all your email communications, including critical transactional emails.

Best practices for secure authentication emails

  1. Short expiration times: Ensure OTPs and magic links expire quickly, typically within 5-10 minutes, to minimize the window for abuse.
  2. Single-use: Both should be strictly single-use. Once used or expired, they should not be reusable.
  3. IP address validation: For magic links, consider linking the session to the user's IP address to prevent replaying from a different location.
  4. Rate limiting: Implement strict rate limiting for authentication email requests to prevent abuse and denial-of-service attacks.
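
The four practices above combined in one token store, as an added example that is not code from Suped or any particular product. The class name, the limits other than the 10-minute expiry, and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600      # 10 minutes, the upper end of the window suggested above
MAX_REQUESTS = 3       # assumed limit on e-mails per address per window
WINDOW_SECONDS = 900   # assumed rate-limit window


class MagicLinkStore:
    """In-memory store; a real service would use a shared database or cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # sha256(token) -> {"email", "ip", "expires"}
        self._requests = {}  # email -> timestamps of recent link requests

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not leak usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, ip):
        """Return a fresh token for the link, or None when rate limited."""
        now = self._clock()
        recent = [t for t in self._requests.get(email, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            return None
        self._requests[email] = recent + [now]
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "email": email, "ip": ip, "expires": now + TTL_SECONDS}
        return token

    def redeem(self, token, ip):
        """Return (email, "ok") on success, else (None, reason)."""
        key = self._digest(token)
        record = self._tokens.get(key)
        if record is None:
            return None, "unknown_or_used"
        if self._clock() >= record["expires"]:
            del self._tokens[key]
            return None, "expired"
        if record["ip"] != ip:
            # A scanner fetching from another address is refused without
            # burning the token, so the real user's click still works.
            return None, "ip_mismatch"
        del self._tokens[key]  # single use: consumed on first success
        return record["email"], "ok"
```

Binding to the requesting IP also rejects a user who asks for the link on one network and opens it on another, so weigh that against the protection it gives.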

Factors that truly influence deliverability

Instead of fixating on whether an OTP or a magic link is better for deliverability, focus on the fundamental elements that genuinely influence where your emails land. Mailbox providers assess your sending practices holistically. Strong email authentication, positive sender reputation, and consistent engagement are paramount.
Ensuring your DMARC, SPF, and DKIM records are correctly configured and aligned is critical. These protocols verify your sending identity and protect your domain from spoofing and phishing, which directly impacts your domain reputation. A poor reputation, regardless of the authentication method you choose, will lead to emails consistently landing in spam folders or being outright rejected. You can find a simple guide to DMARC, SPF, and DKIM on our site. Remember that emails fail for many reasons, and the choice between OTPs and magic links is only a small part of the deliverability puzzle.
Ultimately, both OTPs and magic links are effective for authentication. The choice often comes down to user experience preference and specific security considerations for your application. If magic links provide a smoother user experience and you've mitigated the security risks, they are a valid choice. If you prioritize simplicity and robust security against certain automated threats, OTPs can be a good option. In either case, ensure your core deliverability infrastructure is solid.

| Factor | Impact on deliverability |
| --- | --- |
| Sender reputation | The most crucial factor, built on consistent positive engagement, low complaints, and proper authentication. This includes both IP and domain reputation. |
| Email authentication (SPF, DKIM, DMARC) | These DNS records verify your sending domain, preventing spoofing and improving trust with MBPs. Proper configuration is essential. |
| Content quality | Relevant, non-spammy content that avoids common spam trigger words and questionable formatting. Transactional emails typically fare well here. |
| Recipient engagement | Beyond opens and clicks, MBPs monitor replies, forwards, moving to folders, and avoiding deletion without opening. Low engagement can lead to filtering. |
| Low complaint rates | Users marking your email as spam is a strong negative signal that severely damages reputation and can lead to being added to a blacklist. |

Views from the trenches

Best practices
  1. Ensure your email authentication (SPF, DKIM, DMARC) is perfectly configured, as this foundational aspect overrides the choice of OTPs versus magic links for core deliverability.
  2. Focus on building a strong sender reputation through consistent, expected emails and active list hygiene to remove unengaged or invalid addresses.
  3. Implement two-factor authentication (2FA) for sensitive accounts, where OTPs or links act as the second factor, significantly boosting security.
  4. Prioritize a low complaint rate by sending only to engaged users and making opt-out clear and easy.

Common pitfalls
  1. Over-reliance on internal click metrics for deliverability assessment, as mailbox providers use broader engagement signals not always visible to senders.
  2. Neglecting the security risks of magic links, such as pre-fetching by bots or accidental indexing by search engines, which can invalidate links.
  3. Failing to monitor deliverability metrics like bounce rates and spam folder placement, which are more indicative of true inboxing than opens or clicks.
  4. Ignoring the user experience of your chosen authentication method, as frustration can lead to negative engagement signals like spam reports.

Expert tips
  1. For OTPs, consider clear instructions within the email to reduce user confusion and speed up the entry process.
  2. With magic links, implement robust security measures like IP-based validation and short expiration times to mitigate risks from automated clicks or link sharing.
  3. Always test your authentication email flows regularly to ensure timely delivery and proper functionality across various email clients and devices.
  4. Leverage DMARC reporting to gain deeper insights into how mailbox providers are handling your authentication emails and to quickly detect any authentication failures.
Expert view
Expert from Email Geeks says that mailbox providers do not track whether an email is opened based on image downloads, nor do they track clicks for deliverability purposes, as senders do. MBPs utilize their webmail and app analytics for engagement metrics.
2022-11-04 - Email Geeks
Expert view
Expert from Email Geeks says that clicks primarily serve an analytical purpose for senders, helping to identify the percentage of messages acted upon, which is useful for monitoring potential spamming or dictionary stuffing attacks.
2022-11-04 - Email Geeks

Making the right choice for your authentication emails

The debate over whether one-time passwords or one-time links are superior for email deliverability boils down to a key understanding: mailbox providers prioritize overall sender reputation and robust authentication over granular engagement metrics like clicks. While magic links offer a smoother user experience and provide clear click data for your internal analytics, they can introduce security vulnerabilities if not implemented carefully.
Ultimately, the choice between OTPs and magic links should be driven by your application's specific security requirements and desired user experience, not by a perceived deliverability advantage. Focus your efforts on foundational email security, maintaining a healthy sender reputation, and ensuring your emails are properly authenticated. These are the true determinants of getting your critical transactional emails, regardless of their specific content, into the inbox.
