Suped

Summary

A wide range of filtering tools, security software, ESPs, and email receivers click links in emails for various reasons, including security scanning, reputation assessment, engagement tracking, and inbox placement testing. Google crawlers, Microsoft's Safe Links, Cisco's Email Security Appliance, Proofpoint's URL Defense, and Spamhaus all actively analyze links for malicious content, spam detection, and reputation. Automated systems, including those used for link tracking, image proxying, and URL wrapping, trigger clicks. These bot clicks, often caused by security software pre-fetching URLs or validating links, can inflate click rates, but can be differentiated from legitimate clicks by analyzing user agents and IP addresses. Email authentication failures and the use of link cloaking or shortening can also be indicators of automated scanning.

Key findings

  • Security Software Scans: Security software and filters, including those from major providers like Microsoft and Cisco, actively scan links in emails.
  • URL Wrapping/Rewriting: URL wrapping and rewriting for security or tracking purposes generates automated clicks.
  • Reputation Checks: Link reputation checks by email receivers and security tools trigger clicks.
  • Bot Clicks Inflate Rates: Automated bot clicks can significantly inflate click-through rates in email campaigns.
  • Analysis Enables Differentiation: Analyzing user agents and IP addresses can help differentiate bot clicks from genuine user interactions.

Key considerations

  • Monitor User Agents: Regularly monitor user agents to identify automated systems and unusual activity.
  • Track IP Addresses: Track IP addresses to identify potential bot activity and block suspicious sources.
  • Assess Authentication: Investigate links between email authentication failures and security scanning.
  • Review Security Settings: Review ISP and corporate filter settings for automated URL pre-fetching.
  • Consider Honeypot Links: Use honeypot links to identify and block malicious bots.
  • Monitor Link Cloaking: Understand how link cloaking and shortening services impact automated scanning and click rates.

What email marketers say

9 marketer opinions

Filtering tools, security scanners, and email providers often click on links in emails for various reasons, including checking for malicious content, tracking user engagement, validating links, and gathering data for inbox placement testing. This automated link clicking can be triggered by URL defense mechanisms, image proxying, link tracking, seed testing, and even link cloaking/shortening services. Consequently, these automated clicks may inflate click rates, requiring careful analysis of user agents and IP addresses to differentiate them from genuine user interactions.

Key opinions

  • Security Scanning: Filtering tools and security scanners actively click links to identify malicious content.
  • Engagement Tracking: Email providers use link clicks to track user engagement and gather data.
  • Link Validation: Many email clients automatically validate links, generating clicks even without user interaction.
  • Inbox Placement Testing: Seed testing for inbox placement involves link clicks to assess deliverability.
  • Inflated Click Rates: Automated link clicking by bots and scanners can artificially inflate click-through rates.

Key considerations

  • Differentiate Bot Clicks: Analyze user agents and IP addresses to differentiate bot clicks from genuine user clicks.
  • Monitor Link Cloaking Impact: Be aware that link cloaking and URL shortening can be influenced by automated scanners.
  • Review Security Settings: Understand that security settings may automatically be triggering some URL clicks.
  • Utilize Honeypot Links: Create and leverage honeypot links to identify and block bots.
  • Implement IP Tracking: Track the IP addresses of bots to understand the scale of the impact and block IPs where necessary.

Marketer view

Email marketer from StackExchange says that sometimes scanners will click on all the links in your email at once, and that it's possible to track the bot's IP address or create honey pot links to block the bot.

23 May 2023 - StackExchange
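
The checks described above (user agent and IP analysis, honeypot links, and scanners clicking every link at once), shown as an added Python example that is not from the original page or the quoted sources. It classifies rows of a constructed click log; the user agent markers, the scanner network (a documentation range), the honeypot link ID and the burst thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this sketch, not values from the page:
UA_MARKERS = ("bot", "crawler", "scanner", "python-requests", "curl")
SCANNER_NETS = [ip_network("192.0.2.0/24")]  # documentation range as a stand-in
HONEYPOT_LINKS = {"hp-1"}                     # hidden link a human never sees
BURST_WINDOW = timedelta(seconds=5)           # "all the links at once"
BURST_MIN_LINKS = 3

# Constructed sample click log: (timestamp, message_id, link_id, ip, user_agent)
SAMPLE_CLICKS = [
    ("2024-01-01T09:00:00", "m1", "cta",    "192.0.2.10",   "Mozilla/5.0"),
    ("2024-01-01T09:00:01", "m1", "footer", "192.0.2.10",   "Mozilla/5.0"),
    ("2024-01-01T09:00:01", "m1", "hp-1",   "192.0.2.10",   "Mozilla/5.0"),
    ("2024-01-01T11:30:00", "m2", "cta",    "198.51.100.7", "Mozilla/5.0"),
    ("2024-01-01T11:42:10", "m2", "footer", "198.51.100.7", "Mozilla/5.0"),
    ("2024-01-01T12:00:00", "m3", "cta",    "203.0.113.5",  "python-requests/2.31"),
    ("2024-01-01T12:05:00", "m4", "cta",    "203.0.113.9",  ""),
]

def classify_clicks(clicks):
    """Return (click, sorted reasons) per click; an empty list means likely human."""
    groups = defaultdict(list)  # clicks on one message from one IP
    for c in clicks:
        groups[(c[1], c[3])].append(c)
    results = []
    for c in clicks:
        ts, msg, link, ip, ua = c
        same_source = groups[(msg, ip)]
        reasons = set()
        if not ua or any(m in ua.lower() for m in UA_MARKERS):
            reasons.add("user_agent")
        if any(ip_address(ip) in net for net in SCANNER_NETS):
            reasons.add("ip_range")
        # Honeypot: a hit on the hidden link taints every click from that source.
        if any(o[2] in HONEYPOT_LINKS for o in same_source):
            reasons.add("honeypot")
        # Burst: several distinct links of one message hit within a few seconds.
        t = datetime.fromisoformat(ts)
        near = {o[2] for o in same_source
                if abs(datetime.fromisoformat(o[0]) - t) <= BURST_WINDOW}
        if len(near) >= BURST_MIN_LINKS:
            reasons.add("burst")
        results.append((c, sorted(reasons)))
    return results

def human_click_count(clicks):
    """Clicks left after removing every click that carries a reason."""
    return sum(1 for _, reasons in classify_clicks(clicks) if not reasons)
```

On the constructed log, seven raw clicks reduce to two likely human clicks, which is the gap between a reported and a filtered click count.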

Marketer view

Email marketer from Email on Acid notes that many email clients and security programs automatically validate links in emails, resulting in clicks being registered even if a human recipient doesn't click the link.

29 Dec 2021 - Email on Acid

What the experts say

3 expert opinions

Filtering tools, security software, ISPs, and email receivers actively click links in emails for security scanning and reputation assessment purposes. Bot clicks are a tangible phenomenon, often triggered by security software and filters pre-fetching URLs or wrapping URLs to check their reputation. Distinguishing these bot clicks from legitimate user clicks is possible through analysis of user agents and IP addresses, especially in the context of potential email authentication failures, which might indicate security scanning.

Key opinions

  • Bot Clicks Real: Security software scans links, and ISPs/corporate filters prefetch URLs.
  • URL Wrapping Causes Clicks: URL wrapping by security tools and ESPs can result in clicks.
  • Reputation Checks: Email receivers use URL wrapping and link reputation checks to assess senders.
  • Differentiation Possible: Bot clicks can be differentiated by user agent or IP address analysis.

Key considerations

  • Analyze User Agent: Carefully analyze the user agent to identify automated systems.
  • Monitor IP Addresses: Track IP addresses associated with link clicks to identify potential bot activity.
  • Consider Authentication: Email authentication failures may correlate with security scanning behavior.
  • Review Filter Settings: Investigate ISP and corporate filter settings that might pre-fetch URLs.

Expert view

Expert from Spamresource answers that URL wrapping and link reputation checks are used by many email receivers to assess the reputation of the sender of the mail.

28 Apr 2022 - Spamresource

Expert view

Expert from Word to the Wise explains that URL wrapping by security tools and some ESPs can result in clicks, and email authentication failures might suggest a possible link between authentication and security scanning.

4 Oct 2023 - Word to the Wise

What the documentation says

5 technical articles

Email filtering tools, including those from Google, Microsoft, Cisco, Proofpoint, and Spamhaus, actively click on links in emails for various security and analytical purposes. Google's crawlers may follow links in publicly accessible emails. Microsoft's Safe Links feature checks URLs before opening them. Cisco's Email Security Appliance scans URLs for malicious content. Proofpoint's URL Defense rewrites URLs and checks destination safety, logging initial clicks. Spamhaus employs automated systems to analyze links for spam detection and reputation assessment. All of these processes produce click data showing that filtering tools are clicking on links in emails.

Key findings

  • Google Crawlers: Google crawlers may follow links in publicly accessible emails.
  • Microsoft Safe Links: Microsoft's Safe Links checks URLs before opening them, warning users of malicious websites.
  • Cisco Email Security: Cisco's Email Security Appliance scans URLs for malicious content.
  • Proofpoint URL Defense: Proofpoint's URL Defense rewrites URLs and checks their safety in real-time, logging clicks.
  • Spamhaus Link Analysis: Spamhaus analyzes links in emails for spam detection and reputation assessment.

Key considerations

  • Public Accessibility: Understand that publicly accessible emails may be crawled and links followed by Google.
  • Safe Links Impact: Be aware that Microsoft Safe Links checks can trigger link verifications before user access.
  • Security Appliance Scanning: Cisco email security appliances can follow links in emails.
  • URL Rewriting: Proofpoint's URL rewriting can log initial clicks from automated checks.
  • Spamhaus Reputation: Link analysis by Spamhaus affects sender reputation.

Technical article

Documentation from Cisco explains that their Email Security Appliance scans URLs in emails, and this may involve following the links to analyze the content for malicious behavior before delivering the email to the recipient.

14 Oct 2022 - Cisco

Technical article

Documentation from Spamhaus outlines that they employ various methods to track and detect spam, including analyzing links in emails. This process involves automated systems that may follow links to assess the content and sender reputation.

26 Mar 2023 - Spamhaus
