Do email security software solutions click hyperlinks in emails?

Key findings

• Automated scanning: Email security platforms routinely follow links to assess potential threats, a core function of their protective measures.
• Real-time analysis: Many solutions perform time-of-click scanning, analyzing URLs both when the email is received and just before a user clicks.
• Dynamic URL handling: Filters may click multiple dynamically generated links to uncover the true destination, a normal process that shouldn't cause concern.
• Traffic anomalies: Unexpected spikes in click-through rates from specific domains, like healthcare or education, often indicate automated security system activity.
• Sampling behavior: Most security systems sample inbound traffic, leading to non-predictable patterns in automated link clicks across campaigns. You can read more about what data supports filtering tools clicking links.

Key considerations

• Impact on metrics: Automated clicks can inflate reported click-through rates, making it challenging to gauge genuine user engagement. This is why it is critical to know if email providers track clicks for deliverability.
• Distorted analytics: Traffic spikes resulting from these clicks may appear organic but are not driven by actual human interaction.
• Click-tracking domains: Using (or not using) click-tracking domains can influence how extensively security filters interact with your links. This is a crucial point that can help you understand why click tracking links are blocked.
• Security priority: While impacting metrics, these automated clicks are a necessary security measure to protect recipients from threats within email communications. For more context, see Cybersecurity Ventures on URL scanning.

Key opinions

• Traffic misinterpretation: Marketers frequently mistake automated security clicks for organic traffic, leading to skewed campaign performance reports.
• Campaign anomalies: Sudden, unexplained spikes in click rates, particularly on social media icons or non-primary calls to action, are often indicators of security software activity.
• Domain patterns: Clicks originating predominantly from corporate, healthcare, or educational domains are commonly associated with automated security scans.
• Deliverability impact: While not directly impacting deliverability negatively, these clicks complicate the analysis of actual recipient engagement. This ties into why marketers need to be careful with hyperlinks in email bodies.

Key considerations

• Filtering bot clicks: Marketers should develop strategies to identify and filter out bot clicks from their engagement metrics for a more accurate view of user behavior. This could involve understanding why hidden links get high bot click rates.
• Understanding intent: It's important to differentiate between security scans and actual recipient interest when analyzing campaign performance.
• Educating stakeholders: Brands and teams need to be informed that some traffic spikes are not organic but are due to necessary security processes. For example, The Digital Marketing Fairy discusses this.

Key opinions

• Standard practice: It is a widely accepted and expected behavior for email security platforms to regularly follow links within emails.
• Dynamic link challenges: When URLs are dynamically generated or serialized, security filters may click multiple variations to fully resolve the destination, which is normal and not a concern.
• Sampling traffic: Most security systems sample inbound email traffic, meaning automated clicks are not necessarily predictable or patterned across campaigns.
• Transparency vs. clicks: Not using click-tracking domains (which hide final destinations) can reduce automated clicks, as the link's true destination is immediately obvious to scanners. You can learn more about how long anti-spam bots take to click.

Key considerations

• Mitigating false positives: Understanding this behavior helps senders avoid misinterpreting inflated click rates as genuine engagement. This is especially true for Microsoft scanning links.
• Adaptive security: Security solutions are continuously evolving to detect sophisticated threats, including new methods of obscuring malicious links.
• Resource consultation: Experts recommend consulting authoritative resources like the M3AAWG Non-Human Interactions document for deeper insights into how automated systems interact with emails. This can also provide insights into which corporate filter appliances follow links.

Key findings

• Real-time scanning: Solutions like Microsoft 365 Safe Links inspect URLs dynamically at the time a user clicks them, even if initial scans passed. The East Carolina University knowledge base provides more detail.
• URL modification: Some systems, such as UW–⁠Madison Information Technology’s URL Defense, modify links from external senders to route them through their security evaluation systems. You can also review why email filters modify or break links.
• Comprehensive protection: Email security is broadly defined as implementing policies, technologies, and practices to protect communication from threats, with link analysis being a key component. The M3AAWG Non-Human Interactions report is an excellent resource.
• Preventative measures: Security features like Safe Links are designed to prevent inadvertent access to malware through links and attachments by verifying their safety. See the University of Illinois System's explanation.

Key considerations

• Layered defense: Effective email security often involves multiple layers of protection, where automated link analysis is a critical early step.
• Post-delivery analysis: Beyond initial scanning, some solutions continue to analyze emails and their links even after they've arrived in the inbox.
• Impact on deliverability: While intended for security, these automated interactions can occasionally impact how email marketing platforms track clicks or even lead to false positive phishing warnings for legitimate links. This can be why emails get phishing warnings.