Suped

Can link security checkers cause false no-js reports in email analytics?

Summary

Link security checkers and corporate firewalls can indeed cause false no-js reports in email analytics. These systems often pre-scan or proxy links in emails for security purposes, but do so without executing JavaScript. This results in inflated click rates, misrepresentation of user behavior, and inaccurate data, as Google Analytics relies on JavaScript for data collection. The issue is further complicated by bot clicks mimicking users without JavaScript and the influence of Mail Transfer Agents (MTAs). Strategies to mitigate this include using hidden links to discard bot clicks and utilizing User-Agent sniffing to identify environments without JavaScript support.

Key findings

  • False Positives: Link security tools and corporate firewalls often request links in a no-JS environment, leading to false positives.
  • Inflated Clicks: Pre-scanning by security software can result in inflated click rates, misrepresenting genuine user engagement.
  • Inaccurate Data: Corporate networks and security tools interact with links without executing JavaScript, skewing analytics data.
  • GA Dependency: Google Analytics requires JavaScript; its absence leads to incorrect hit attribution.
  • Bot Mimicry: Bot clicks can simulate users without JavaScript, exacerbating the issue of inaccurate analytics.
  • User-Agent Sniffing: User-Agent sniffing helps identify environments without JavaScript support, aiding in identifying discrepancies.
  • URL Rewriting: Some security software will rewrite URLs in emails to proxy them through its own servers to protect users, but these proxy servers typically do not execute JavaScript.

Key considerations

  • Analytics Interpretation: Consider the potential impact of link security checkers, MTAs, and bot activity when interpreting email analytics.
  • Security Impact: Acknowledge that security measures, while essential, can inadvertently distort email analytics and require careful consideration.
  • Alternative Tracking: Explore alternative tracking methods to differentiate between genuine user clicks and automated security scans.
  • Hidden Link Strategy: Implement strategies like hidden links to identify and discard bot clicks, improving data accuracy.
  • User-Agent Analysis: Employ User-Agent sniffing to identify and account for discrepancies caused by non-JavaScript environments.
  • Tooling Review: Review behavior of Safe Links and other pre-scanning tools to understand their effects on email analytics.

What email marketers say

10 marketer opinions

Link security checkers and corporate firewalls often pre-scan links in emails, executing them in environments without JavaScript support. This pre-scanning can lead to inflated click rates and inaccurate analytics, misrepresenting user behavior by falsely attributing clicks to users without JavaScript enabled. This is further complicated by bot clicks mimicking users without JavaScript, potentially triggering false reports.

Key opinions

  • False Positives: Link security tools and firewalls often request links in a no-JS environment, leading to false positives in analytics reports.
  • Inflated Clicks: Pre-scanning by security software can result in inflated click rates, misrepresenting genuine user engagement.
  • Inaccurate Data: Corporate networks and security tools may interact with links without executing JavaScript, skewing analytics data.
  • Bot Mimicry: Bot clicks can simulate users without JavaScript, exacerbating the issue of inaccurate analytics.

Key considerations

  • Analytics Interpretation: When interpreting email analytics, consider the potential impact of link security checkers and bot activity on the accuracy of no-JS reports.
  • Security Impact: Acknowledge that security measures, while essential, can inadvertently distort email analytics and require careful consideration.
  • Alternative Tracking: Explore alternative tracking methods to differentiate between genuine user clicks and automated security scans.
  • Review Tooling: Review and understand the behaviour of corporate firewalls that may be executing the URLs in a sandbox environment.

Marketer view

Email marketer from EmailOnAcid explains that security software may pre-scan links in emails, resulting in inflated click rates and potential misrepresentation of user behavior due to no-JS environments.

31 Jan 2025 - EmailOnAcid

Marketer view

Email marketer from EmailToolTester explains that false or inaccurate tracking can be caused by corporate firewalls or security tools that examine links in a sandbox environment, potentially without JavaScript support.

4 May 2024 - EmailToolTester

What the experts say

3 expert opinions

Link security checkers can indeed cause false no-js reports in email analytics. Security software and tools often pre-fetch links to protect users, sometimes without executing JavaScript, leading to inaccurate data. A mitigation strategy involves using hidden links to discard clicks from these automated scans, helping differentiate between bot and genuine user clicks.

Key opinions

  • False Positives: Link scanning behavior causes false positives due to pre-fetching by security tools without JavaScript support.
  • Proxy Servers: Security software rewrites URLs, proxying them through servers that don't execute JavaScript, resulting in false no-JS clicks.
  • Hidden Links: Hidden links can be used to identify and discard bot clicks.

Key considerations

  • Data Accuracy: Be aware that security scans can skew click data, and not all clicks represent genuine user interactions.
  • Mitigation Strategies: Implement mitigation strategies like hidden links to improve data accuracy.
  • Tooling Behavior: Understand how security software and tools in your email ecosystem handle link scanning and JavaScript execution.
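
The hidden-link strategy above, combined with the JavaScript signal, can be applied to a click log as follows. This is an added example, not code from any of the quoted sources; the record layout, the `hidden` link id and the 60-second window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIDDEN_LINK_ID = "hidden"            # assumed id of a link no human can see or click
SCAN_WINDOW = timedelta(seconds=60)  # assumed burst window around a hidden-link hit

# Constructed sample log: (timestamp, message_id, link_id, js_executed)
CLICKS = [
    ("2025-01-31T09:00:01", "msg-1", "hidden", False),  # scanner follows every link
    ("2025-01-31T09:00:01", "msg-1", "cta", False),
    ("2025-01-31T09:00:02", "msg-1", "footer", False),
    ("2025-01-31T11:42:10", "msg-1", "cta", True),      # recipient clicks hours later
    ("2025-01-31T09:05:00", "msg-2", "cta", True),
    ("2025-01-31T09:07:30", "msg-3", "cta", False),     # no JS, but no hidden-link hit
]

def classify_clicks(clicks, window=SCAN_WINDOW):
    """Label each click 'scanner', 'human' or 'unverified_no_js'."""
    parsed = [(datetime.fromisoformat(ts), msg, link, js) for ts, msg, link, js in clicks]
    # Collect the times at which each message's hidden link was fetched.
    hidden_hits = defaultdict(list)
    for ts, msg, link, _ in parsed:
        if link == HIDDEN_LINK_ID:
            hidden_hits[msg].append(ts)
    labels = []
    for ts, msg, link, js in parsed:
        # Any click on the same message close to a hidden-link hit is part of the scan.
        if any(abs(ts - hit) <= window for hit in hidden_hits[msg]):
            labels.append("scanner")
        elif js:
            labels.append("human")             # landing-page JavaScript ran
        else:
            labels.append("unverified_no_js")  # could be a proxy or a no-JS user
    return labels

def click_counts(clicks):
    """Counts over visible links only; the hidden link is never reported as a click."""
    labels = classify_clicks(clicks)
    visible = [lab for (_, _, link, _), lab in zip(clicks, labels) if link != HIDDEN_LINK_ID]
    counts = {"raw": len(visible)}
    for name in ("human", "scanner", "unverified_no_js"):
        counts[name] = visible.count(name)
    return counts

if __name__ == "__main__":
    print(click_counts(CLICKS))
```

Scoping the discard to a time window keeps the recipient's later genuine click on `msg-1`, which a blanket "drop every click on a message whose hidden link was hit" rule would lose.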

Expert view

Expert from Word to the Wise explains that link scanning behavior can cause false positives due to pre-fetching by security tools without JavaScript support, which may trigger inaccurate analytics data.

7 Sep 2024 - Word to the Wise

Expert view

Expert from Spam Resource explains that some security software will rewrite URLs in emails to proxy them through their own servers to protect users. These proxy servers typically do not execute JavaScript, and will therefore show up as no-js users clicking links.

22 Sep 2023 - Spam Resource

What the documentation says

5 technical articles

Link security checkers can indeed lead to false no-JS reports in email analytics because they often access links in emails without executing JavaScript. This behavior causes discrepancies in click tracking, as Google Analytics relies on JavaScript for data collection, and bot detection methods often identify clients that don't execute JavaScript. User-Agent sniffing can further highlight these discrepancies. Tools like Microsoft's Safe Links pre-scan URLs, which can trigger visits without JavaScript support.

Key findings

  • GA Dependency: Google Analytics relies on JavaScript, and its absence leads to incorrect hit attribution when link checkers are involved.
  • Bot Detection: Bot detection methods often flag clients lacking JavaScript, influencing link security checker assessments.
  • User-Agent Sniffing: User-Agent sniffing reveals environments without JavaScript support, highlighting discrepancies from link security checkers.
  • MTA Access: Mail Transfer Agents (MTAs) and security gateways access links, affecting click tracking accuracy in no-JavaScript environments.
  • Safe Links Impact: Microsoft Safe Links pre-scanning URLs triggers visits lacking JavaScript support.

Key considerations

  • Analytics Accuracy: Acknowledge that link security checkers and MTAs can distort email analytics due to their access methods.
  • User-Agent Interpretation: Utilize User-Agent sniffing to identify and account for discrepancies caused by non-JavaScript environments.
  • Tooling Impact: Be mindful of tools like Safe Links when reviewing analytics, as they impact the results.

Technical article

Documentation from OWASP explains that bot detection often involves identifying clients that do not execute JavaScript, which can influence how link security checkers are perceived in email analytics.

14 Oct 2024 - OWASP

Technical article

Documentation from Google Analytics support explains that if JavaScript is disabled, Google Analytics cannot collect data, which may cause some hits to be incorrectly attributed when link checkers are involved.

20 Nov 2021 - Google Analytics
