Summary
Automatic opens and clicks on Office 365 hosted recipient domains are primarily attributed to Microsoft's Safe Links feature within Microsoft Defender, which proactively scans URLs for malicious content. This scanning involves URL rewriting and routing through a security service, resulting in pre-fetching images and link clicks even without user interaction. While Safe Links enhances security, it inflates open and click rates, affecting deliverability metrics and potentially unsubscribing contacts unintentionally. Other security services like Proofpoint, Cisco, and Barracuda also contribute to this issue. Solutions include analyzing IP addresses to differentiate Safe Links scans from genuine user clicks and potentially excluding trusted domains from Safe Links scanning.
Key findings
- Root Cause: Safe Links: Microsoft's Safe Links feature (part of Microsoft Defender) is the primary driver of automatic opens and clicks due to URL scanning for security purposes.
- Unsubscribe Issues: Safe Links can inadvertently click unsubscribe links, leading to unintended contact unsubscribes.
- Inflated Metrics: Safe Links' pre-scanning inflates open and click rates, distorting email engagement analytics.
- Limited Sender Control: Senders have limited ability to prevent Safe Links from scanning their emails, requiring alternative solutions.
- IP Address Analysis: Analyzing IP addresses can help identify clicks originating from Microsoft's Safe Links servers.
- Industry-Wide Impact: Multiple security services (Proofpoint, Cisco, Barracuda) contribute to the problem through similar scanning mechanisms.
- URL Rewriting Impact: Safe Links rewrites URLs, which can lead to the pre-fetching of images, inflating the rates.
Key considerations
- Monitor Unsubscribes: Closely monitor unsubscribe rates to detect and address any unintended unsubscribes caused by Safe Links.
- Analyze IP Data: Analyze click IP addresses to differentiate between genuine user interactions and Safe Links scans.
- Consider Domain Exclusion: If the impact is significant, consider excluding your domain from Safe Links scanning, balancing security needs with accurate metrics.
- Metric Adjustment: Adjust email engagement analytics to account for the influence of Safe Links and other security services, avoiding misleading interpretations of campaign performance.
- Vendor Awareness: Be aware that multiple security solutions can impact email metrics. Contact your ESP for details.
- Review Safe Links Policies: Administrators should review and configure Safe Links policies to balance security and accurate analytics.
What email marketers say
10 marketer opinions
Automatic opens and clicks on Office 365 hosted recipient domains are primarily caused by Microsoft's Safe Links feature (part of Microsoft Defender). This feature scans URLs in emails for security purposes, leading to pre-fetching of images and link clicks, which inflate open and click rates. Several email marketers have reported this issue across different platforms, noting its impact on deliverability metrics and email tracking. Excluding domains from Safe Links is possible, but excluding specific phrases isn't. Other security services also contribute to this issue.
Key opinions
- Root Cause: Microsoft's Safe Links/Defender scans URLs for security, causing automatic opens and clicks.
- Unsubscribe Issues: Safe Links can click unsubscribe links, unintentionally unsubscribing contacts.
- False Positives: ATP Safe Links generates false positives for email tracking, skewing metrics.
- IP Analysis: Analyzing IP addresses can help identify clicks originating from Microsoft's Safe Links servers.
- Limited Prevention: Senders have limited control over Microsoft's scanning; recipients disabling Safe Links is not a viable solution.
- Broader Issue: Other security services (e.g., Proofpoint) also contribute to inflated open/click rates through pre-fetching and link scanning.
Key considerations
- Monitor Unsubscribes: Keep an eye on unsubscribe rates to detect unintended unsubscribes caused by Safe Links.
- Analyze IP Data: Investigate click IP addresses to distinguish between legitimate user clicks and Safe Links scans.
- Domain Exclusion: Consider excluding your domain from Safe Links scanning if the impact is significant.
- Metric Adjustment: Be aware that Office 365 Defender impacts email engagement analytics and consider its effect when reviewing metrics.
- Security Service Awareness: Recognize that multiple security services contribute to this issue and impact open rates.
- Consult ESP: Check with your Email Service Provider for information about ways to manage this problem.
Marketer view
Marketer from Email Geeks confirms that Microsoft Defender is clicking on all links, including unsubscribe links, causing issues.
2 Oct 2023 - Email Geeks
Marketer view
Email marketer from Snov.io explains that Microsoft Defender scans all emails, including opening them and clicking on the links to check for malicious content. This results in inaccurate open and click rates. Marketers should understand the impact of Defender on their analytics.
10 Mar 2023 - Snov.io
What the experts say
2 expert opinions
Microsoft's Safe Links, a security feature, is identified as the cause of automatic opens and clicks in Office 365 hosted recipient domains. This occurs because Safe Links pre-scans URLs in emails, resulting in inflated click and open rates as the system clicks links before a human recipient.
Key opinions
- Safe Links Impact: Microsoft's Safe Links negatively affects deliverability metrics.
- Inflated Metrics: Pre-scanning of URLs leads to increased open and click rates, skewing campaign results.
Key considerations
- Metric Interpretation: Be aware of the impact of Safe Links when analyzing email campaign performance and engagement.
- Adjust Expectations: Recognize that reported open and click rates may not accurately reflect actual user engagement due to Safe Links activity.
Expert view
Expert from Word to the Wise explains that Microsoft's Safe Links can affect deliverability metrics by pre-scanning URLs in emails. This can result in inflated click rates as Safe Links clicks links before a human recipient does, skewing campaign results.
28 May 2022 - Word to the Wise
Expert view
Expert from Spam Resource explains that Microsoft uses 'Safe Links' as a security feature which unfortunately increases open rates as it pre-fetches emails, inflating engagement analytics.
20 Sep 2022 - Spam Resource
What the documentation says
5 technical articles
Automatic opens and clicks on Office 365 hosted recipient domains are largely due to security features like Microsoft's Safe Links, Cisco Email Security, and Barracuda Email Protection. Safe Links scans URLs in emails for malicious content, rewriting URLs and routing them through a security service for real-time checks. This scanning process triggers automatic clicks and opens. Administrators can exclude specific URLs from Safe Links scanning to prevent this behavior. Other security providers also perform scanning and link clicking for similar reasons.
Key findings
- Safe Links Functionality: Microsoft Safe Links proactively protects users by scanning URLs for threats, leading to automatic clicks and opens.
- URL Rewriting: Safe Links rewrites URLs and routes them through a security service, triggering a click even without user interaction.
- Exclusion Policies: Administrators can exclude trusted URLs from Safe Links scanning.
- Wider Industry Practice: Email security providers like Cisco and Barracuda also perform scanning and link clicking.
Key considerations
- Review Safe Links Settings: Administrators should review Safe Links policies and consider excluding trusted URLs.
- Understand Security Impact: Be aware that security scanning can affect email engagement metrics.
- Vendor Awareness: Recognize that multiple security solutions contribute to automatic clicks and opens.
Technical article
Documentation from Microsoft Learn details that Safe Links rewrites URLs in inbound email messages. When a user clicks a URL in a message, they are first routed through Microsoft's Safe Links service. The destination URL is checked in real time against a list of malicious URLs. This process will trigger a click on the link, even if a user does not visit the end destination.
31 Mar 2024 - Microsoft Learn
Technical article
Documentation from Barracuda explains that they offer comprehensive protection against email-borne threats. It details that they use advanced threat detection techniques to identify and block malicious emails. They also perform scanning and link clicking for security reasons.
22 Feb 2023 - Barracuda
Are there specific pixel width or SL line character limits that cause Microsoft to mark emails as spam?
Can AMP code in emails cause increased spam placement in Outlook and Hotmail, even if they don't render AMP?
How can I identify and handle bot clicks and opens, particularly from Microsoft/Outlook domains, in email marketing campaigns?
How can I identify and handle suspicious bot clicks in email marketing campaigns?
How can I identify and mitigate the impact of bot clicks on email marketing metrics?
How can I prevent bot clicks from hurting my email reputation?
