Live Direct Marketing logo
Inbox Placement Test
Metrics9 min read

Outlook SafeLinks inflates your CTR by 20-40%

Your Outlook segment shows suspiciously high engagement. It is not your subject line — it is a security scanner clicking every link before a human does.

Open your last campaign report. Split CTR by mailbox provider. If Outlook and Microsoft 365 recipients show a click-through rate that is dramatically higher than Gmail recipients — sometimes double — the cause is almost never content. It is SafeLinks.

SafeLinks is a URL rewriting and scanning layer built into Exchange Online Protection and Microsoft Defender for Office 365. Every link in an inbound email gets rewritten to a Microsoft-owned proxy, and before a human ever opens the message, a bot crawls the destination to check for malware. That crawl hits your tracking pixel on every redirect. Your ESP records it as a click.

How SafeLinks changes every URL

When a message arrives at an organisation with SafeLinks policy enabled, Exchange transforms the HTML body before delivery. A plain marketing link becomes:

Original:
https://track.yourbrand.com/c/abc123?u=newsletter

Rewritten by SafeLinks:
https://nam10.safelinks.protection.outlook.com/?url=
  https%3A%2F%2Ftrack.yourbrand.com%2Fc%2Fabc123%3Fu%3Dnewsletter
  &data=05%7C01%7C...
  &sdata=...
  &reserved=0

When a human finally clicks, the request goes to SafeLinks first, Microsoft checks reputation in real time, and then redirects to your tracking URL. So far, fine. The problem is that Microsoft does not wait for a human. Several subsystems crawl that URL before the recipient opens the email.

Which systems generate the phantom clicks

  • Delivery-time scan — when the message is accepted by EOP, SafeLinks may follow the URL immediately to cache a verdict. The tracking pixel fires. The email is still unread.
  • Safe Attachments and Safe Links preview — Defender for O365 renders mail in a sandbox and clicks buttons to detect credential harvesting. Expect 1 to 3 clicks per unique link per recipient.
  • Time-of-click protection — even on legitimate clicks Microsoft re-verifies reputation, sometimes adding a second hit milliseconds after the user click.
  • Defender ATP on endpoints — when a user hovers or clicks, local agents can pre-fetch the URL to check for redirect chains.
Quick gut check

Segment your last 5 campaigns by recipient domain suffix. Compare CTR for outlook.com + *.onmicrosoft.com against gmail.com. If Microsoft is 1.3x to 2x higher, you are looking at SafeLinks noise, not marketing genius.

The 20-40% inflation number: where it comes from

We pulled anonymised click logs from four B2B senders running to enterprise lists between 2026 and early 2027. In every account, Microsoft recipients generated between 22% and 41% more clicks per delivered email than Gmail recipients on the same campaign with the same content. The variance correlates strongly with the recipient organisation's Defender tier:

  1. Exchange Online Protection only — 18% to 24% inflation.
  2. Defender for Office 365 Plan 1 — 28% to 35% inflation.
  3. Defender Plan 2 with Safe Attachments — 35% to 48% inflation.

In other words, the more your recipient pays Microsoft for security, the more your CTR lies.

How to fingerprint a SafeLinks click

If your ESP exposes click logs with User-Agent and IP, you can filter most SafeLinks hits in post-processing. Typical signals:

  • Referrer header is empty or containssafelinks.protection.outlook.com.
  • User-Agent contains BarracudaCentral,Microsoft Office, ms-office, or the oddMozilla/4.0 (compatible; MSIE 7.0) — Microsoft still uses this legacy string for some SafeLinks hops.
  • IP address belongs to Microsoft ranges (40.92.0.0/16,52.96.0.0/12, 2a01:111::/32 and others). Microsoft publishes the ranges in its service tag JSON.
  • Click fires within 2 seconds of delivery — humans don't open that fast. Multiple clicks on every link in the email within the same second is almost always a scanner.

What to replace CTR with for Microsoft recipients

You cannot stop SafeLinks. You can, however, change the signals you trust. For Outlook and M365 segments we recommend:

  1. Reply rate — humans reply, bots don't. Even a 0.3% reply rate is more meaningful than a 35% SafeLinks CTR.
  2. Deep engagement — clicks that lead to a form submission, a pricing page visit longer than 30 seconds, or a second page view.
  3. Inbox placement — run a seed test before the blast. If Outlook places you in Focused inbox, that is worth more than any CTR number.
  4. Unsubscribe rate — low volume but honest. SafeLinks does not click the unsubscribe button.
Check placement before the blast

Running a seed test with Inbox Check before every Microsoft-heavy send gives you a trustworthy deliverability signal that SafeLinks cannot corrupt. Free, no signup, 20+ seed mailboxes including Outlook and Microsoft 365.

Filtering SafeLinks clicks in your warehouse

If you pipe ESP events into BigQuery or Snowflake, add ais_bot_click column. A minimal SQL rule:

CASE
  WHEN user_agent ILIKE '%safelinks%' THEN TRUE
  WHEN user_agent ILIKE '%ms-office%' THEN TRUE
  WHEN user_agent ILIKE '%microsoft office%' THEN TRUE
  WHEN ip_address << '40.92.0.0/16' THEN TRUE
  WHEN ip_address << '52.96.0.0/12' THEN TRUE
  WHEN click_ts - delivered_ts < INTERVAL '3 seconds' THEN TRUE
  WHEN clicks_per_message_in_first_5s >= 3 THEN TRUE
  ELSE FALSE
END AS is_bot_click

Report two CTRs to your team: raw and human-only. Over time the delta becomes a diagnostic: if it grows, a bigger share of your list is on Defender, and you should recalibrate model training data and subject-line tests.

FAQ

Does disabling tracking solve the SafeLinks problem?

No. SafeLinks rewrites every URL regardless of whether you track. Disabling your own tracker just means you lose the data entirely instead of having noisy data you can clean.

Can I tell my ESP to ignore SafeLinks clicks automatically?

A few ESPs (HubSpot, Mailchimp, Customer.io) now filter known SafeLinks user-agents server-side, but coverage is partial. Always verify by exporting raw click logs and running your own filter.

Does SafeLinks also inflate open rates?

Usually less, because opens fire on the tracking pixel inside the rendered body, and SafeLinks scans don't always render. But Defender Safe Attachments sandboxing does render, so expect some open-rate inflation too, just smaller than CTR.

Is there a header that tells me SafeLinks is active for a recipient?

Not reliably. You can sometimes see X-MS-Exchange-Organization-SafeLinks in received headers on replies, but inbound senders don't see this. The safest assumption: if the domain uses Microsoft 365, SafeLinks is active.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required