The anatomy of a fake open: what a pre-fetched pixel actually tells you

An "open" is a single HTTP GET request for a tiny image. Who fires that request tells you more than whether it fired at all. We sampled 100,000 open events and classified every one.

The tracking pixel is a decades-old hack — a 1×1 transparent GIF embedded in HTML email, hosted on a server you control, whose URL contains a unique message identifier. When the client renders the email, it fetches the image. Your server logs the fetch and calls it an open.

In 2027 that assumption is wrong more often than it is right. To show you how wrong, we took a sample of 100,000 reported open events from a mid-volume B2B newsletter and classified each one by its HTTP fingerprint. The results are below.

The sample

The data comes from a single newsletter sending approximately 120,000 messages per broadcast to a mixed list of consumer and business subscribers. Over three broadcasts, 112,438 open events were recorded by the ESP. We deduplicated to unique opens and took the first 100,000.

For each open we captured: source IP, reverse DNS, User-Agent, time since delivery, whether a subsequent click occurred on any link, and whether the message ended up being replied to or forwarded.

The breakdown

Here is the classification, rounded:

  • 38% — Apple Mail Privacy Protection proxy. Source IP in Apple's CIDR ranges, User-Agent stripped, fetch happens within 2 minutes of delivery regardless of recipient timezone.
  • 22% — Gmail image proxy (googleusercontent.com). Some fraction of these represent real human opens, some represent pre-fetch for offline availability.
  • 11% — Security scanners. User-Agents from Proofpoint, Mimecast, Barracuda, Cisco IronPort. These fire before the human ever sees the message.
  • 7% — Microsoft Exchange Online Protection scans. Recognisable by Azure IP ranges and a specific User-Agent pattern.
  • 6% — Corporate proxies and URL defenders stripping tracking links and fetching images as part of that process.
  • 4% — AI summarisers and inbox assistants.
  • 12% — Plausibly human. Source IP matches a residential or mobile carrier, User-Agent is a real mail client, timing matches recipient timezone, click or reply occurred within 24 hours.

What this means

In a sample of 100,000 reported opens, roughly 12,000 came from a human interaction. The remaining 88% were machine events. If your ESP reports a 45% open rate, the human-comparable figure is closer to 5%.

Signatures of each category

Apple MPP

GET /pixel/abc123.gif HTTP/1.1
Host: tracking.example.com
User-Agent: (empty or generic Apple Mail)
X-Forwarded-For: 17.241.219.0/24
Connection: close

The give-aways are the 17.0.0.0/8 block (Apple-owned), the stripped or generic User-Agent, and the fact that the fetch arrives in a tight burst within 30 seconds of delivery. Real human opens spread across the day following recipient activity patterns.

Security scanner

GET /pixel/abc123.gif HTTP/1.1
Host: tracking.example.com
User-Agent: Mozilla/5.0 (compatible; ProofpointURLDefense/3.0)
From: bounces@defender.proofpoint.com

Scanners almost always identify themselves in the User-Agent — they have no motive to hide. If you see Proofpoint, Mimecast, Barracuda, Cisco, Symantec, Forcepoint, or Trend Micro in the User-Agent, it is not a human.

Gmail proxy

Gmail routes all image loads through googleusercontent.com. The challenge is that this category conflates three very different events: a human clicking the message, Gmail pre-fetching for offline, and Gmail rendering the message for spam scoring. You cannot reliably separate them from the server side.

What a real human open looks like

Human opens have a handful of characteristic features. When we filtered our sample down to the "plausibly human" 12%, the median event had:

  • A residential or mobile-carrier source IP.
  • A User-Agent identifying a real mail client version (Outlook 16, Gmail app, Apple Mail 16).
  • A fetch timestamp that falls within the recipient's typical waking hours, inferred from their delivery-engagement history.
  • Either a click, a reply, a forward, or another open within the following 48 hours.

If none of those conditions hold, calling the event a "human open" is a stretch. Most marketing dashboards apply none of them.
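
The signatures above and the four "plausibly human" conditions can be applied as one server-side classifier. The following is an added example, not code from the article or from any ESP; the field names (ip_type, waking_hours, followup_48h), the client tokens and the sample events are assumptions constructed for illustration, with ip_type standing in for an external IP-intelligence lookup.

```python
import ipaddress
from collections import Counter

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")   # Apple-owned block named in the article
SCANNER_TOKENS = ("proofpoint", "mimecast", "barracuda", "cisco",
                  "symantec", "forcepoint", "trendmicro")
CLIENT_TOKENS = ("outlook", "gmail", "applemail")  # assumed "real mail client" markers

def classify(ev):
    """Label one open event (dict) using the signatures described in the article."""
    ua = (ev.get("user_agent") or "").lower().replace(" ", "")
    rdns = (ev.get("rdns") or "").lower().rstrip(".")
    if any(tok in ua for tok in SCANNER_TOKENS):   # scanners self-identify
        return "security_scanner"
    if ("." + rdns).endswith(".googleusercontent.com"):  # human vs pre-fetch not separable
        return "gmail_proxy"
    try:
        ip = ipaddress.ip_address(ev.get("ip") or "")
    except ValueError:                             # missing or malformed source IP
        return "unverified"
    if ip in APPLE_NET:
        return "apple_mpp"
    # All four conditions from the "plausibly human" list must hold.
    human = (ev.get("ip_type") in ("residential", "mobile")
             and any(tok in ua for tok in CLIENT_TOKENS)
             and bool(ev.get("waking_hours"))
             and bool(ev.get("followup_48h")))
    return "plausibly_human" if human else "unverified"

def human_share(events):
    """Return (Counter of labels, fraction of events labelled plausibly_human)."""
    counts = Counter(classify(ev) for ev in events)
    return counts, counts["plausibly_human"] / max(len(events), 1)

# Constructed sample events (not data from the article's 100,000-event sample).
SAMPLE = [
    {"ip": "17.241.219.5", "user_agent": "", "rdns": ""},
    {"ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (compatible; ProofpointURLDefense/3.0)"},
    {"ip": "203.0.113.9", "rdns": "proxy.googleusercontent.com", "user_agent": "Mozilla/5.0"},
    {"ip": "203.0.113.44", "ip_type": "residential", "user_agent": "Apple Mail 16",
     "waking_hours": True, "followup_48h": True},
    {"ip": "203.0.113.45", "ip_type": "residential", "user_agent": "Outlook 16",
     "waking_hours": True, "followup_48h": False},
    {"ip": None, "user_agent": None},
]

if __name__ == "__main__":
    counts, share = human_share(SAMPLE)
    print(dict(counts), f"plausibly human: {share:.0%}")
```

An event that fails any one human condition, or arrives with no usable IP, is labelled "unverified" rather than counted as an open, and a reverse-DNS name is only trusted on a label boundary so that a lookalike domain does not pass as the Gmail proxy.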

Why ESPs keep counting the machines

The commercial reason is obvious. Higher numbers look better in the marketing collateral, and there is no contractual obligation for an ESP to distinguish robots from humans. The technical reason is that filtering is genuinely hard: by the time a request lands on your pixel server, you have an IP and a User-Agent, and both can be spoofed or missing.

A few ESPs now report "MPP-adjusted opens" as a separate number. It is a start, but it only strips the Apple contribution. The security-scanner and Gmail pre-fetch contributions remain mixed in.

Measure placement, not pixels

Inbox Check sidesteps the whole mess. We send your message to seed mailboxes and record where it lands — inbox, promotions, spam — by inspecting the actual folder. No pixels, no proxies, no ambiguity. Free test at the homepage, API docs at /docs.

Can you fix pixel tracking?

Not really. You can reduce the noise by filtering known proxy IP ranges and scanner User-Agents, and some vendors do sell "human open" signals that apply these filters. They help, but they cannot recover the ground truth.

The underlying problem is that the pixel was always a proxy signal for attention, and the infrastructure between sender and recipient has grown enough intelligence to fire the pixel for its own reasons. The signal is no longer about attention. No amount of filtering changes that.

FAQ

Is there a clean way to separate MPP opens from human Apple Mail opens?

No. MPP fires on every message regardless of whether the human then opens it. If the human does open it, the proxy serves the image from cache without a second fetch. One pixel hit covers both states indistinguishably.

Could I use JavaScript or a form to detect real opens?

JavaScript does not execute in mail clients for security reasons. A form submission would work but requires user action, which is then indistinguishable from a click anyway — so you may as well measure clicks directly.

What about link clicks — are they as broken?

Links are partially polluted by security scanners that 'pre-click' to check for malicious destinations. The click-to-pixel ratio is still more informative than raw opens, and if you require a second action on the landing page you can filter out the scanner traffic effectively.

How often do security scanners fire the pixel?

In our sample, roughly 11% of all reported opens. For enterprise-heavy recipient lists (CIO, IT director, security roles), it can exceed 40%.