How Email Tracking Pixels Work — And How to Block Them

How Email Pixels Work

In the modern digital landscape, the emails arriving in your inbox are rarely simple plain-text messages. Instead, the vast majority of commercial newsletters, transactional notifications, and marketing communications are composed as rich HTML documents. Because HTML emails support the same markup and rendering capabilities as standard web pages, they can execute network requests to external servers. This capability is exploited by the marketing industry to deploy "spy pixels"—or email tracking pixels—designed to monitor your behavior without your knowledge.

Technically, a tracking pixel is a transparent image file, typically sized at 1×1 pixel, embedded in the body of an HTML email using a standard image tag:

<img src="https://track.crm-provider.com/pixel.gif?u=9f82c3&c=88d12" width="1" height="1" style="display:none;" />

As illustrated in this snippet, the src attribute of the image does not point to a static file on a CDN. Instead, it references a dynamic endpoint hosted by a Customer Relationship Management (CRM) platform (such as HubSpot, Salesforce, Klaviyo, or Mailchimp). The URL includes unique query parameters (such as u for user ID and c for campaign ID) that correlate the request to your specific email address.

When your email client parses the HTML of the message and encounters the <img> tag, it automatically initiates an HTTP GET request to fetch the image. The CRM’s server intercepts this request, parses the query parameters to identify you as the recipient, records the "open" event in their tracking database, and returns a transparent 1x1 GIF or PNG (or an HTTP 204 No Content status code). This process occurs in milliseconds, invisible to the user.

What Senders Learn

By executing a single, silent HTTP GET request, the tracking server harvests a wealth of telemetry about you and your device. Senders typically compile the following data points:

Precise Time and Date of Opens

The tracking server records the exact timestamp when your email client requests the pixel. If you reopen the email hours, days, or weeks later, your client will execute a new network request, allowing the sender to map your engagement over time.

IP Geolocation

The HTTP request header transmits your public IP address. Senders pass this IP through commercial geolocation databases (such as MaxMind GeoIP) to determine your country, state, city, ZIP code, and internet service provider (ISP).

User-Agent Profiling

The HTTP User-Agent header transmitted by your browser or email client reveals your operating system (e.g., Windows, macOS, iOS, Android) and your specific email client (e.g., Apple Mail, Thunderbird, Outlook).

Device Classification

Using the user-agent string and screen dimensions, the tracking system determines whether you read the email on a mobile device, tablet, or desktop computer.

Interactive Clickpaths

If you click any links within the email, they are routed through redirection links (e.g., https://track.crm.com/click?url=https://target.com). This maps your click behavior and links it directly to the initial pixel open event, creating an unbroken chain of behavioral profiling.

The Problem

While tracking pixels are often marketed as harmless metrics for calculating newsletter open rates, they present a significant privacy and security risk. This data is fed into automated CRM scoring algorithms that calculate your "lead score." A high score—indicating that you have opened an email multiple times or clicked a link—triggers automated sales responses, including aggressive follow-up emails, targeted social media ads, and cold calls.

In highly regulated or sensitive sectors, email tracking is even more concerning. In healthcare, appointment reminders or medical portals that include tracking pixels can leak sensitive health details to third parties. For example, if a patient opens an email regarding "diabetic care tips," the tracking server records the open and associates the patient's IP address with that specific medical category. Similarly, in the financial sector, tracking pixels on debt collection notices or loan applications expose sensitive financial situations to ad networks, which can use this data to target predatory loans.

How to Block Email Tracking

Fortunately, you can block email tracking pixels by adjusting your email client settings and utilizing network-level filters:

Apple Mail (iOS 15+ / macOS Monterey+)

Apple’s Mail Privacy Protection (MPP) is an effective native solution for email tracking. When enabled, Apple routes all email images through a series of proxy servers, downloading them in the background regardless of whether you actually open the message. This makes the tracking pixel fire automatically from an Apple proxy IP address, masking your real IP, hiding your location, and obscuring your actual open time.

• How to enable: Navigate to Settings → Mail → Privacy Protection on iOS or Mail → Settings → Privacy on macOS, and toggle on Protect Mail Activity.

Gmail (Web and Mobile)

Gmail uses Google’s proxy servers to cache images by default. However, this only masks your IP address; it does not block the initial GET request that records the open event. To stop tracking pixels entirely, you must configure Gmail to block automatic image rendering.

• How to configure: On the web, click the Settings gear → See all settings, scroll down the General tab to the Images section, and select Ask before displaying external images. On mobile, go to Settings → [Your Account] → Images and select Ask before displaying.

Microsoft Outlook (Desktop App)

Outlook provides robust controls to block external content, which prevents the rendering engine from making outbound network calls to tracking domains.

• How to configure: Navigate to File → Options → Trust Center → Trust Center Settings. Under the Automatic Download tab, ensure the checkbox labeled Don't download pictures automatically in standard HTML email messages is checked.

Browser-Based Email & AdShield Pro

If you read your emails using webmail services (such as Gmail, Outlook.com, or ProtonMail) inside a standard browser, AdShield Pro blocks tracking pixels automatically. AdShield Pro scans outbound network requests in real-time, matching them against blocklists that target CRM and advertising endpoints. When a marketing email attempts to load a tracking pixel from domains like hubspot.com, klaviyo.com, or sendgrid.net, AdShield Pro intercepts and drops the request. This allows your email client to render the message's layouts while preventing tracking telemetry from leaving your browser.

AdShield Pro blocks ads, trackers, and fingerprinting scripts — free for Chrome, Firefox, and Edge. Install now.