Why did a recent email campaign see an out-of-the-blue spike of triple clicks from .edu addresses?

Key findings

• Automated scanning: The spike in clicks from .edu addresses is likely due to anti-spam or anti-malware security systems that automatically probe all links within an incoming email.
• Not a deliverability issue: Despite the high click activity, the emails are generally being delivered to the intended inboxes. The issue primarily affects reporting accuracy and potentially website load.
• Impact on website: The surge in traffic from these bot clicks can overwhelm a website not configured to handle such sudden loads, leading to downtime, as experienced in this scenario.
• Characteristics of bot clicks: These clicks often occur in quick succession, immediately upon receipt, and typically involve all or multiple links within the email, sometimes without a corresponding open event initially.
• .edu domain specifics: Educational domains (and government or corporate ones) frequently employ more stringent security measures due to the diverse and sometimes less secure nature of user machines within their networks.

Key considerations

• Website capacity: The fundamental issue is often the website's capacity to handle the load generated by these security scans, rather than an email deliverability problem. Organizations should ensure their web infrastructure can absorb such traffic spikes.
• Reporting accuracy: Marketers should be aware that email metrics, especially click rates, can be inflated by automated security bots. Understanding how to filter or interpret these clicks is crucial for accurate campaign analysis. Learn more about bot click activity.
• Security filter updates: A sudden spike may indicate that a receiving domain's security filter or service has been recently updated to perform more aggressive link checks.
• User agent analysis: Analyzing user agent strings in click data can help differentiate between human and bot clicks, although some bots may mimic standard browsers. Further information on how hidden links are clicked by bots is available.
• ISP-specific behavior: Some ISPs, especially those handling .edu and corporate domains (like Microsoft 365, which hosts many .edu accounts), are known for robust security scanning practices. For more details, Cyberimpact discusses robot clicks impacting email metrics.

Key opinions

• High security scanning: Many marketers agree that domains with high security, particularly .edu, .gov, and certain corporate domains, employ systems that scan emails and follow links before delivery to the recipient's mailbox.
• Reporting vs. delivery: There's a consensus that these events are primarily a reporting issue, inflating click metrics, rather than a direct email delivery problem. The emails are still getting delivered.
• Website impact: A significant concern for marketers is the potential for these automated clicks to cause a traffic surge that can overload their website, leading to service disruption.
• Consistent behavior: Some marketers observe this everything gets clicked scenario frequently across various high-security domains.

Key considerations

• Adjusting reporting: Marketers suggest implementing rules to not register clicks that occur before an email is opened, to gain more accurate engagement data. This helps in understanding true email click through rates.
• Excluding domains: Some marketers may choose to temporarily or permanently exclude highly affected domains like .edu from certain mailings to avoid traffic spikes and ensure website stability.
• Understanding user agents: Careful analysis of user agent data from click events is recommended before making decisions about suppressing specific types of devices or platforms, as common browser engines like WebKit are widely used by real users as well as bots. More information can be found on why bots are clicking on newsletters.
• Seeking more data: It's advisable to work with ESPs or data providers to access more comprehensive click event data, including IP addresses, which can help identify if clicks are originating from central security servers.

Key opinions

• Not a delivery issue: Experts firmly state that this behavior does not indicate a delivery problem, as the mail is successfully delivered. The clicks are a function of pre-delivery security checks.
• Purpose of scanners: The core purpose of these automated scanners is to identify malicious websites or content within emails. Unless the linked site serves malware, delivery should not be impacted.
• Website capacity: The actual problem often lies with the website's ability to handle the sudden influx of traffic generated by these security scans, which can lead to service disruptions.
• Academic domain specifics: Academic institutions (.edu domains) are particularly aggressive with mail server-side security because they have less control over individual user machines (e.g., personal laptops with outdated software), making inbound mail filtering critical.
• Outlook/O365 prevalence: Many of the affected .edu domains are likely hosted by Microsoft 365 (Outlook), which is known for its advanced security scanning capabilities. This could explain widespread similar behavior across different universities.

Key considerations

• Tracking errors: It is important to investigate whether there might be errors in the email tracking system itself that could be misinterpreting or over-reporting click events. Reliable deliverability rate metrics are key.
• IP analysis: Attempting to obtain IP addresses associated with these clicks can help determine if they originate from a central server (indicative of a scanner) or from individual user machines. This might require closer collaboration with the ESP or the client's data logging.
• New filter deployment: A sudden, out-of-the-blue spike suggests that a new filter or an update to an existing security filter has been deployed by the mail service providers of the affected domains.
• Inaccurate metrics: While emails may be delivered, these pre-delivery clicks can lead to misleading open and click rates, complicating campaign analysis. Understanding Google Postmaster Tools can offer some insights into domain reputation, even if not directly on click metrics.

Key findings

• Pre-delivery scanning: Email security gateways and anti-spam solutions often employ techniques such as URL pre-fetching or sandboxing, where all links within an email are visited by automated systems before the email reaches the recipient's inbox.
• Threat detection: The primary goal of these automated clicks is to detect and neutralize threats like phishing, malware, and spam by analyzing the linked content.
• Impact on metrics: These automated interactions can lead to inflated click-through rates (CTR) and inaccurate engagement metrics, as they do not represent human interaction.
• Domain reputation: While not directly a deliverability failure, a consistently high volume of suspicious automated clicks could potentially influence the sending domain's reputation if the security systems perceive unusual or risky patterns over time.

Key considerations

• Traffic management: Organizations sending emails should ensure their web servers are robust enough to handle bursts of traffic generated by these security scanners, preventing website outages. Learn how to boost email deliverability rates with robust infrastructure.
• Analytics filtering: Implement strategies within email analytics platforms to identify and filter out bot clicks, allowing for more accurate assessment of human engagement. This is critical for understanding email deliverability issues.
• Whitelisting: While not always feasible for marketing emails, in some cases, direct communication with the IT departments of large institutions (like universities) might allow for whitelisting or better understanding of their specific security protocols.