Your 30% CTR is really 9%: here is the math

A mid-size SaaS company ran a product-launch email to a 48,000- address B2B list in November 2026. The ESP dashboard lit up. Unique click rate: 29.7%. The team celebrated. A week later, when revenue attribution came in, only 11 qualified opportunities had been sourced from that send. Against a 29.7% CTR the expected number was closer to 40.

We were asked to audit the data. What follows is the exact math.

The starting numbers

Recipients delivered:    48,112
Unique clicks:           14,290
Unique click rate:       29.70%
Total click events:      61,840
Clicks per unique user:  4.33

That "4.33 clicks per clicker" was the first red flag. The launch email had 7 unique URLs (header logo, 3 CTAs, 2 feature teasers, footer). No reasonable human clicks 4 of them.

Step 1: strip SafeLinks / Defender

Filter by User-Agent or by IP in Microsoft ranges, plus Referrer containing safelinks.protection.outlook.com. Also drop any unique user whose first click came within 2 seconds of delivered timestamp.

SafeLinks-attributable click events:    19,210
SafeLinks unique "clickers":             4,180
Running remainder:
  Events:  42,630
  Uniques: 10,110

Almost a third of all click events were SafeLinks scanner noise, and 4,180 "clickers" were actually the Microsoft scanner. Outlook and M365 was 41% of the list by domain, so this is consistent with roughly 20% bot-click rate per Microsoft recipient.

Step 2: strip other enterprise scanners

Barracuda Link Protect, Proofpoint URL Defense, Mimecast URL Protect, Cisco Secure Email. Use UA substrings and known IP ranges.

Other scanner events:    8,430
Other scanner uniques:   1,620
Running remainder:
  Events:  34,200
  Uniques:  8,490

Step 3: strip Gmail pre-fetch and image proxy

Gmail was 37% of the list. Filter UAs containingGoogle-Safety, Google-InspectionTool,GoogleImageProxy, and any click with source IP in Google ranges with no cookie.

Google prefetch events:   2,140
Google prefetch uniques:    910
Running remainder:
  Events:  32,060
  Uniques:  7,580

Step 4: strip "all-link" rapid clickers

After the known-scanner purge, we still saw hundreds of recipients whose click pattern was: 6 to 7 unique URLs clicked within 10 seconds, no cookie, empty Accept-Language. These are unsignatured scanners — smaller vendors, custom-built gateways, or corporate EDR agents doing their own URL checks.

Unsignatured-scanner events:  3,100
Unsignatured uniques:           470
Running remainder:
  Events:  28,960
  Uniques: 7,110

Step 5: strip pre-fetch from mobile and browser tools

Apple Mail Privacy Protection aside, there are mobile mail clients that pre-fetch on open (Edison, Spark in some configs) and browser extensions (Superhuman, Shortwave, corporate archive tools) that crawl links for indexing. We tag these as "semi-human" — a human opened the mail, but the click was automated.

Semi-human-prefetch events:  1,640
Semi-human uniques:            720
Running remainder:
  Events:  27,320
  Uniques: 6,390

The cleaned number

Real human unique clickers: 4,330 after the subtraction is complete (6,390 minus an estimated 2,060 duplicate counts that survived earlier steps). Real CTR: 9.0%— a third of the dashboard figure, but consistent with the 11 real opportunities attributed downstream.

Why the 9% number is actually good news

9% unique human CTR on a launch email to a warm B2B list is strong. The team was comparing 29.7% against an industry benchmark that itself is polluted with bot clicks — everyone is running the same game, and no one controls for scanners. The real comparison should be 9% vs 3% to 6% cleaned benchmarks, which means this campaign outperformed.

The danger is not the inflation itself. The danger is decisions made on inflated numbers: training subject-line bandits on bot clicks, promoting the "winning" variant that actually hits the spam folder more often (where scanners click more), or setting attribution lift goals against unreachable baselines.

How to bake this into your workflow

Add a click_type enum to every click record:human | scanner_ms | scanner_barracuda | scanner_other | prefetch_google | prefetch_apple | semi_human | unknown.
Report two CTRs on every dashboard: ctr_reportedand ctr_human. The delta is itself a KPI.
Segment the delta by recipient domain. A growing delta means more of your list moved behind gateways (this happens as you acquire larger customers).
Never train send-time or subject-line experiments on raw CTR. Use ctr_human or, better, downstream conversion.

Get ground truth before the send

The best way to avoid this reconciliation exercise is to measure placement before you blast. Inbox Check runs your content through 20+ real mailboxes and tells you where you land. No scanners in the way. Free, no signup.

FAQ

Are these filter rates exaggerated? My CTR feels real.

They vary. Consumer B2C senders see 5–10% scanner inflation. B2B senders to enterprise lists routinely see 30–50%. The only way to know your own number is to audit your logs.

Can I just trust the ESP's built-in bot filter?

Marketo, HubSpot, and Mailchimp have partial filters. None of them catches unsignatured scanners or pre-fetchers reliably. Assume every ESP filter catches 50% to 70% of what it should.

If the real CTR is 9%, should I stop reporting the 30%?

Report both. Exec dashboards that suddenly drop 70% of a vanity metric cause more political damage than insight. Introduce the clean metric alongside and migrate over a quarter or two.

What about revenue per email? Is that cleaner?

Yes. Revenue is immune to scanner inflation. The tradeoff: attribution windows and lag make revenue-per-email a trailing metric. Use it for monthly health checks, not daily optimisation.