How do these automatic actions affect my email marketing metrics?

These automated interactions can significantly inflate your reported open rates and click-through rates. This makes it challenging to accurately assess genuine recipient engagement with your emails and could lead to misinterpretations of campaign performance. It can also cause an artificial spike in unsubscribe rates if security bots click on unsubscribe links.

How can I accurately measure engagement despite these automated actions?

You can mitigate this by adjusting your analysis to focus on deeper engagement metrics such as conversions, replies, or website visits directly from your emails. You can also filter out clicks originating from known Microsoft IP ranges or bot user agents in your analytics. Additionally, Office 365 administrators can configure Safe Links policies to exclude trusted domains from scanning, though this involves a security trade-off.

Can I prevent Microsoft from clicking on unsubscribe links?

While it is not possible to stop Microsoft Defender from scanning links for security purposes, administrators can configure exclusions for specific trusted domains in the Microsoft 365 Security Center . However, excluding common phrases like "unsubscribe" from scanning is not an option due to the potential for malicious actors to hide harmful links under such labels.

Why are we seeing automatic opens and clicks on Office 365 hosted recipient domains? - Troubleshooting - Email deliverability - Knowledge base

Q: Why am I seeing automatic opens and clicks on Office 365 domains?

Automatic opens and clicks primarily occur due to Microsoft Defender for Office 365 's Safe Links and Safe Attachments features. These tools proactively scan email content and URLs in a sandbox environment to identify potential threats before they reach the user's inbox. This pre-delivery scanning simulates opens and clicks, which are then recorded by your email service provider.

If you are managing email campaigns, you have likely noticed a puzzling trend: automatic opens and clicks reported for recipients whose mailboxes are hosted on Office 365 (now Microsoft 365). This can be confusing, especially when these interactions appear to happen instantaneously or from unusual IP addresses, sometimes even before the recipient has had a chance to view the email. It leads to questions about the accuracy of your engagement metrics and the true performance of your campaigns.

The core of this phenomenon lies in Microsoft's robust security measures, particularly within Microsoft Defender for Office 365. While designed to protect users from malicious content, these features can inadvertently trigger automated interactions that are logged as legitimate opens and clicks by your email service provider (ESP). This can make it difficult to distinguish genuine recipient engagement from security system activity.

Understanding these automated interactions is crucial for accurate email marketing analysis. It helps you avoid misinterpreting your campaign performance and can guide you in adjusting your strategies to account for these technical nuances. Let's explore why this happens and what you can do about it.

Microsoft Defender for Office 365: The culprit

The primary reason for automatic opens and clicks on Office 365 hosted domains is Microsoft Defender for Office 365's security features. These features proactively scan email content, including URLs and attachments, before they even reach the recipient's inbox. This pre-delivery scanning is a critical defense against phishing, malware, and other email-borne threats. However, it also simulates user interaction to test the safety of links and content.

Two key features contribute to this behavior: Safe Links and Safe Attachments. Safe Links rewrites URLs in incoming emails and scans them in real-time when clicked by a user. However, a preliminary scan occurs before delivery, which involves a bot clicking every link in the email to check for malicious content. This pre-click is what your ESP often registers. Safe Attachments opens attachments in a sandbox environment, which can also trigger tracking pixels, leading to false opens. Many email marketers have observed this trend since June 2023, according to reports from ClickDimensions.

Best practice: email authentication

To help ensure your emails are not unduly flagged by security systems, implement robust email authentication. This includes setting up SPF, DKIM, and DMARC. Strong authentication signals to mail servers that your emails are legitimate, reducing the likelihood of aggressive scanning that might trigger false positives. For example, Microsoft's own documentation outlines how Safe Links is part of a broader security strategy.

It is important to note that these automated actions apply to all links, including unsubscribe links. This can lead to an unusual spike in unsubscribes for Microsoft users, even when they haven't manually opted out. This behavior is a known challenge, as discussed in various forums and support communities, like the Microsoft Tech Community. Organizations are looking for ways to exempt unsubscribe links from this automated scanning, but it poses a security dilemma for Microsoft: not scanning these links could allow malicious senders to hide harmful content under an unsubscribe label.

Impact on email metrics

The immediate consequence of these automatic opens and clicks is the skewing of your email engagement metrics. Your open rates and click-through rates will appear artificially inflated, making it difficult to gauge genuine recipient interest and the effectiveness of your content. This can lead to misinformed decisions about your email marketing strategy and audience segmentation.

For instance, if you rely on open rates to identify active subscribers, you might inadvertently include recipients who haven't actually opened your emails but whose interactions were simulated by Microsoft Defender. Similarly, inflated click rates can obscure which calls to action are truly resonating with your audience. This can be particularly problematic for domains seeing a large uptick in Outlook clicks that appear to be bots.

Pre-scan metrics

Open rates: Artificially high due to pre-delivery scanning activating tracking pixels.
Click-through rates: Inflated by Safe Links' bot activity clicking URLs, including unsubscribe links.
Unsubscribe rates: May show false increases due to automated clicks on opt-out links.

Actual engagement metrics

Open rates: Require advanced filtering to exclude bot activity for a realistic view.
Click-through rates: Best measured by unique human clicks, often identified by IP address patterns and user agent strings. You might be seeing inflated clicks.
Unsubscribe rates: Need to be cross-referenced with other engagement signals to confirm genuine recipient intent.

While your ESP may report these interactions, it is crucial for you to understand the underlying cause to interpret your data correctly. This is particularly relevant when analyzing trends or comparing campaign performance across different recipient domains. Failing to account for these automated actions could lead to misallocating resources or drawing incorrect conclusions about subscriber behavior.

Managing and mitigating false positives

One way to mitigate the impact of Microsoft Defender is through its configuration settings within the Microsoft 365 Security Center. Administrators have the option to exclude certain URLs or domains from Safe Links scanning. This can be useful for legitimate marketing domains or trusted third-party services whose links you know are safe. However, there is a trade-off, as excluding domains means these links will not be scanned for threats, potentially increasing risk.

Example PowerShell command for Safe Links exclusionPowershell

Set-ATPPolicy -Identity "SafeLinksPolicy" -ExcludedDomains "yourdomain.com", "tracking.esp.com"

While you can exclude domains from being clicked in the Security console under Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation, it is not possible to exclude specific phrases like "unsubscribe" or "opt-out" from being scanned. This presents a challenge for marketers, as automated unsubscribe clicks can still occur. You can learn more about managing these policies on Reddit's sysadmin community.

For email marketers, the key is to adjust your data analysis to account for these automated interactions. This may involve filtering out suspicious opens and clicks, or focusing on other engagement metrics that are less susceptible to false positives, such as conversions or replies. For more insights on filtering, consider this article on identifying automated scripts and crawlers.

Understanding recipient-side security

Beyond Microsoft Defender, various other factors on the recipient's side can contribute to automatic email interactions. Email clients often have features like preview panes that display email content without the user explicitly clicking to open it. This can trigger an open tracking pixel, even if the user never fully engages with the message. Similarly, some anti-spam filters or email gateways might scan emails by opening them in a sandboxed environment, leading to false opens and clicks.

Third-party security solutions deployed by organizations can also play a role. These tools often perform their own pre-scanning of emails, which can mimic user interaction. While their methods might differ from Microsoft Defender, the outcome is the same: automated actions that inflate your engagement metrics. This makes it challenging to pinpoint the exact source of unexpected activity without deeper analysis of IP addresses and user agent strings, as mentioned in Prowly's observations.

You may also be seeing these effects if you are experiencing spam filter clicks with Hotmail and Outlook.com. Understanding these broader security measures is essential for a comprehensive view of your email deliverability and engagement. Focusing solely on reported opens and clicks without considering these underlying mechanisms can lead to a skewed perception of your campaign effectiveness.

Views from the trenches

Best practices

Always maintain strong email authentication (SPF, DKIM, DMARC) for all your sending domains to build trust with receiving mail servers.

Common pitfalls

Misinterpreting automatically generated opens and clicks as genuine human engagement, leading to inaccurate campaign performance assessments.

Expert tips

Regularly monitor your email logs for patterns of unusual activity, such as clicks from data centers or non-human user agents.

Expert view

Expert from Email Geeks says that the automated opens and clicks on Office 365 hosted recipient domains are likely due to Microsoft Defender's Safe Links feature.

2023-07-25 - Email Geeks

Marketer view

Marketer from Email Geeks says that Microsoft Defender is clicking on all links, including unsubscribe links, which leads to inflated unsubscribe rates.

2023-08-30 - Email Geeks

Conclusion: interpreting your metrics

The phenomenon of automatic opens and clicks on Office 365 hosted recipient domains is a direct consequence of advanced email security measures, primarily Microsoft Defender for Office 365. While frustrating for marketers relying on traditional engagement metrics, these automated interactions serve a vital security purpose, protecting recipients from malicious content. Remember, if you are seeing Office 365 automatically opening and clicking emails, it is a common behavior.

For accurate campaign analysis, it is essential to look beyond raw open and click rates. Focus on deeper engagement signals, such as conversions, replies, and repeat interactions, which are less prone to bot interference. Implement advanced filtering in your ESP or analytics tools to identify and exclude these automated actions, providing a clearer picture of human engagement.

By understanding the mechanisms behind these automatic interactions and adjusting your data analysis accordingly, you can continue to optimize your email marketing efforts effectively, even when dealing with sophisticated recipient-side security systems. For more on improving your deliverability, consider our guide on email deliverability issues.