Do email security software solutions click hyperlinks in emails?
Michael Ko
Co-founder & CEO, Suped
Published 25 May 2025
Updated 18 Aug 2025
It's a common scenario for anyone sending emails, especially marketing or transactional messages: you check your analytics, and suddenly, you see a surge of clicks on a specific link that doesn't quite add up. Perhaps it's a social media icon in your footer or an obscure link, and the clicks are coming from unexpected domains like healthcare or educational institutions. This can be confusing, making you wonder if your tracking is accurate or if there's an issue with your campaign.
The short answer is yes, email security software solutions do frequently click hyperlinks within emails. This isn't a glitch or a sign of malicious activity on their part. Instead, it's a fundamental security measure designed to protect recipients from phishing, malware, and other online threats before the email even reaches an individual's inbox. Understanding this process is crucial for accurately interpreting your email engagement data.
The mechanism behind security link scanning
The primary reason email security software clicks on links is to preemptively identify and block malicious content. When an email arrives at a mail server, it undergoes a rigorous scanning process. This often includes sophisticated URL analysis, where the security system will visit every link in the email to check its content, analyze its redirection path, and look for any indicators of compromise, such as phishing pages or malware downloads. This happens before the email is delivered to the recipient, ensuring that potentially harmful links are neutralized.
Different types of security solutions employ this tactic, from enterprise-level email gateways to cloud-based security services. Many large organizations, particularly those in sensitive sectors like healthcare or government, invest heavily in robust email security to protect their networks and data. These systems are designed to be proactive, simulating a user click to ensure the link's safety. This proactive scanning is vital in an era where phishing and social engineering attacks are increasingly sophisticated.
Some systems even perform time-of-click scanning, where links are rewritten and checked again if a user actually clicks them, providing an extra layer of defense. This approach helps protect against zero-day threats or links that become malicious after the initial scan. It's a continuous process that reflects the evolving threat landscape.
Understanding the impact on your email analytics
These automated clicks can significantly skew your email campaign analytics. If you're seeing inflated click-through rates (CTR) or unexpected clicks on specific elements, it's very likely due to security scanners rather than genuine user engagement. This is especially true for clicks originating from corporate, government, or educational domains, as these organizations typically employ advanced security measures.
The nature of these clicks can also appear random. For example, one campaign might show an anomaly on a Twitter icon, while another campaign for the same audience might show unusual clicks on a YouTube icon. This randomness occurs because most security platforms sample inbound traffic for link scanning, meaning there isn't a consistent pattern of which specific links or campaigns get auto-clicked more than others. The purpose is to cast a wide net for threats, not to mimic user behavior perfectly.
Another factor that can increase these security clicks is the use of click-tracking domains, especially if they obfuscate the final destination of the link. While beneficial for tracking and link management, these tracking links can sometimes prompt more intensive scrutiny from security filters. Filters may need to follow multiple redirects to determine the true destination, leading to multiple recorded clicks from these systems as they resolve the full path.
Expected user clicks
Contextual engagement: Occur on calls-to-action (CTAs) or links relevant to the email's primary message.
Geographic concentration: Typically from regions aligned with your target audience.
Diverse user agents: Reflect various operating systems and browser types.
Security scanner clicks
Randomized clicks: Can occur on any link, including footers or unsubscribe links.
Concentrated IPs: Often from specific IP ranges belonging to security vendors or large organizations.
Generic user agents: May use standardized or generic user-agent strings.
Identifying and managing bot clicks in your data
Identifying clicks from security software requires careful analysis of your click data. While it's not always straightforward, there are a few indicators that can help distinguish bot activity from genuine human engagement.
One key area to investigate is the IP address of the clicks. Security scanners often operate from specific, known IP ranges that can be associated with data centers, security vendors, or large corporate networks, rather than individual residential IPs. Many security providers, Microsoft among them, publish details about their scanning infrastructure, which can help in filtering these clicks. Additionally, examining the user-agent strings associated with these clicks can reveal patterns. Security bots often use specific or generic user-agent strings that don't correspond to common web browsers used by humans. These patterns can be used to filter out noise in your analytics.
While security scanner clicks can inflate your analytics, they generally do not negatively impact your sender reputation. These interactions are part of the normal email security ecosystem and are recognized as such by major mailbox providers. The intent is protection, not spam or malicious activity. However, it's essential for marketers and senders to be aware of this phenomenon to avoid misinterpreting engagement metrics and making incorrect assumptions about campaign performance. For a more detailed understanding of what data supports these filtering tools clicking links, you might want to delve deeper into the available information.
For a comprehensive perspective on how non-human interactions affect email, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) offers valuable insights into the subject. Their whitepapers and guidelines provide a deeper dive into the complexities of bot traffic and its implications for email deliverability and security. Understanding these nuanced interactions can help you differentiate between legitimate security scans and other forms of bot activity or even malicious attacks.
Differentiating bot activity from human engagement
To get a clearer picture of actual human engagement, you'll need to implement strategies to filter out these automated clicks. Many email service providers (ESPs) offer tools or reports that can help segment out suspicious clicks. If your ESP doesn't provide this, you might need to export raw click data and perform your own analysis, looking for anomalies based on IP address ranges or user-agent strings.
Here's a simple comparison of how these automated clicks might appear versus genuine user clicks:
Characteristics of scanner clicks
IP address range: Often from known data centers or security vendors (e.g., from Google's or Outlook's security infrastructure).
User-agent string: May be generic, empty, or identify as a bot/crawler.
Click speed: Often instantaneous or very rapid after email receipt.
Unusual links: Clicks on obscure or non-primary links (e.g., social media icons, unsubscribe links).
Characteristics of genuine clicks
IP address range: Residential or office IPs, aligned with recipient locations.
User-agent string: Identifies common browsers and operating systems (e.g., Chrome on Windows, Safari on iOS).
Click speed: Varies, reflecting human reading and interaction time.
Primary links: Focus on the main CTAs or information within the email.
Filtering these clicks from your analytics will give you a more accurate view of your campaign performance. It's about segmenting your data to distinguish between security operations and actual recipient engagement, allowing you to optimize your strategies based on real human behavior.
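As an added example (not code from the article or from any ESP), the Python sketch below applies the scanner indicators from the comparison above to an exported click log and only labels a click as a scanner click when at least two indicators agree. The field names, the 10-second threshold, the "cta" link label, and the IP ranges (RFC 5737 documentation blocks used as placeholders for ranges you collect yourself) are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): placeholder scanner ranges taken from RFC 5737
# documentation blocks, a 10-second "fast click" window, and "cta" as the primary link.
SCANNER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
BOT_UA_MARKERS = ("bot", "crawler")
FAST_CLICK = timedelta(seconds=10)
PRIMARY_LINKS = {"cta"}

def signals(click, delivered_at, links_from_same_ip):
    """Return the scanner indicators (from the comparison above) that a click matches."""
    found = []
    if any(ipaddress.ip_address(click["ip"]) in net for net in SCANNER_NETS):
        found.append("scanner_ip_range")
    ua = click["ua"].strip().lower()
    if not ua or any(m in ua for m in BOT_UA_MARKERS):
        found.append("empty_or_bot_user_agent")
    if timedelta(0) <= click["ts"] - delivered_at <= FAST_CLICK:
        found.append("click_right_after_delivery")
    if click["link"] not in PRIMARY_LINKS:
        found.append("non_primary_link")
    if links_from_same_ip > 1:
        found.append("several_links_from_one_ip")
    return found

def classify(clicks, delivered, min_signals=2):
    """Split clicks into (human, scanner); min_signals indicators mark a scanner click."""
    links = defaultdict(set)  # (message, ip) -> distinct links clicked
    for c in clicks:
        links[(c["msg"], c["ip"])].add(c["link"])
    human, scanner = [], []
    for c in clicks:
        found = signals(c, delivered[c["msg"]], len(links[(c["msg"], c["ip"])]))
        (scanner if len(found) >= min_signals else human).append((c, found))
    return human, scanner

# Constructed sample export: one message "m1", delivered at T0.
T0 = datetime(2025, 1, 1, 9, 0, 0)
CLICKS = [
    {"msg": "m1", "ip": "192.0.2.10", "ua": "", "link": "twitter-icon", "ts": T0 + timedelta(seconds=2)},
    {"msg": "m1", "ip": "192.0.2.10", "ua": "", "link": "unsubscribe", "ts": T0 + timedelta(seconds=2)},
    {"msg": "m1", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "link": "cta", "ts": T0 + timedelta(hours=3)},
    {"msg": "m1", "ip": "203.0.113.8", "ua": "Mozilla/5.0 (iPhone) Safari/604.1", "link": "youtube-icon", "ts": T0 + timedelta(minutes=40)},
]

if __name__ == "__main__":
    human, scanner = classify(CLICKS, {"m1": T0})
    print(f"human={len(human)} scanner={len(scanner)}")
```

Requiring two indicators keeps the fourth sample click, a real reader tapping a social icon 40 minutes after delivery, in the human set even though it lands on a non-primary link.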
Conclusion
Ultimately, the presence of email security software that clicks on hyperlinks is a protective measure. It's a necessary component of modern email security, safeguarding users from sophisticated cyber threats. While it can introduce noise into your analytics, it doesn't indicate a problem with your email deliverability or sender reputation. In fact, it often means your emails are being received by organizations with strong security postures, which is a positive sign.
As email senders, our goal remains to deliver valuable content to the inbox, and understanding the role of these security systems is part of that process. Focusing on robust email authentication like DMARC, maintaining a clean sending list, and sending relevant content will always be the most impactful factors in achieving strong deliverability and avoiding blocklists.
Views from the trenches
Best practices
Actively monitor your click data for unusual patterns or anomalies, particularly from corporate or educational domains.
Segment your audience by industry or company type to better understand the impact of security scanners.
Collaborate with your ESP to see if they offer filtering capabilities for bot clicks.
Regularly review industry reports on non-human email interactions for updated insights.
Common pitfalls
Misinterpreting security scanner clicks as genuine engagement, leading to inaccurate campaign performance assessments.
Overreacting to unusual click spikes without first investigating the source and nature of the clicks.
Failing to account for these clicks when comparing campaign performance across different industries or recipient types.
Assuming that all automated clicks are malicious, rather than a necessary security function.
Expert tips
Implement advanced analytics to differentiate between human and bot clicks, using IP ranges and user-agent strings.
Educate your marketing and sales teams about the reality of security software clicking links to manage expectations.
Consider how dynamically generated or serialised URLs might interact with security filters.
Don't solely rely on click data for engagement metrics; consider other indicators like open rates and conversions.
Expert view
Expert from Email Geeks says email security platforms frequently follow links. This is a common and expected behavior for these systems.
2022-03-08 - Email Geeks
Expert view
Expert from Email Geeks says dynamically generated or serialised URLs can cause issues because filters see different links and follow each one until resolved.