How Email Tracking Pixels Work (And How to Block Them)

TempMailSpot Editorial Team

Email tracking pixels are invisible spies in your inbox. Learn exactly how they work, what data they collect, and proven methods to block them and protect your privacy.

An email tracking pixel is a tiny, usually 1x1, transparent image embedded in an email's HTML. When your mail client loads it, your device fetches that image from the sender's server, and that single request tells the sender you opened the message, roughly when, from what device, and from what approximate location. The image is invisible by design, so you never see the moment it fires.

This is the pillar guide to email tracking: what these pixels are, the exact request-and-log mechanism behind them, what data leaks, how common they actually are (with the numbers scoped honestly), and the defenses that work versus the ones that only half-work. The short version of the fix is to stop your mail client from loading remote images automatically, and to keep low-stakes signups off your real address by using a disposable inbox so a pixel that does fire has nothing real to attach to.

Key takeaways

  • A tracking pixel is a tiny, invisible image; opening the email makes your client fetch it, and that single request hands the sender your IP, device, location, and a timestamp.
  • Prevalence is real but scoped to commercial mail: about two-thirds of Hey's 2021 inbound email carried a spy pixel, and 70% of Princeton's commercial mailing-list corpus contained trackers, with nearly a third leaking the recipient's address on open.
  • Disabling automatic remote-image loading is the only defense that fully closes the hole, and a blocked pixel is indistinguishable from an unread email.
  • Apple Mail Privacy Protection and Gmail's image proxy are partial: they hide your IP and muddy open data, but one request still fires and link clicks still leak.
  • A disposable inbox removes the identity a pixel is trying to confirm; combine it with images-off for the strongest protection, and never use a throwaway address for accounts you need to keep.

What a tracking pixel is, in one paragraph

A tracking pixel, also called a web beacon or spy pixel, is a small, often single-pixel, transparent or background-colored image placed inside an HTML email. Because it carries no visible content, the recipient never notices it (Wikipedia, "Spy pixel"). Its job is not to display anything. Its job is to be fetched. The act of your mail client requesting that image is the entire signal the sender is after.

The same technique works on web pages, where it underpins much of analytics and ad attribution, but in email it is uniquely effective because email is a long-lived, identity-linked channel: the address that opened the message is usually a real person the sender already has on file.

How the mechanism actually works

There is no clever code here. A tracking pixel is just a normal image reference, and email clients fetch images the way browsers do.

Walk through what happens when you open a tracked message:

  1. The email's HTML contains an <img> tag pointing at a remote URL, often with a unique identifier baked in, for example https://track.example.com/o.gif?u=4f9c2a.
  2. You open the email. If your client loads remote images automatically, which most do by default, it issues an HTTP GET to that URL.
  3. The request reaches the sender's (or a third-party tracking provider's) server. Because every HTTP request carries metadata, the server now sees your IP address, your User-Agent string, and the moment the request arrived (Wikipedia, "Web beacon").
  4. The server logs that data, ties it to the unique identifier (and therefore to you, the recipient that ID was issued to), and returns a tiny transparent image so nothing looks broken.
  5. The sender now has a record: this address opened this campaign, at this time, from roughly this place, on this kind of device.

Because the identifier is per-recipient, opens are attributed individually. If the same pixel fires again later, that is logged as a re-open. If a forwarded copy is opened by someone else, that can be logged too. The mechanism is mundane, which is exactly why it is everywhere.
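The steps above can be checked from the recipient's side before anything is fetched. The following is an added example, not code from the original article: it parses an email's HTML offline, lists every image that would trigger a remote request, and flags the ones shaped like a beacon. The sample message and the second hostname are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class RemoteImageFinder(HTMLParser):
    """Collect every <img> that would cause a network fetch when rendered."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images ship inside the message, no fetch
        dims = [re.sub(r"px$", "", a.get(k, "").strip().lower())
                for k in ("width", "height")]
        style = a.get("style", "").replace(" ", "").lower()
        self.found.append({
            "src": a["src"].strip(),
            "host": url.hostname,
            "tiny": all(d in ("0", "1") for d in dims),
            "hidden": "display:none" in style or "visibility:hidden" in style,
            "params": dict(parse_qsl(url.query)),  # e.g. the per-recipient ID
        })

def remote_images(html):
    """Every remote image: each one leaks IP, User-Agent and time if loaded."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return finder.found

def likely_pixels(html):
    """Heuristic subset: remote images that are 1x1/0x0 or hidden by CSS."""
    return [f for f in remote_images(html) if f["tiny"] or f["hidden"]]

# Constructed sample message body (not taken from a real email).
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.com/logo.png" width="600" height="80" alt="Logo">
<img src="cid:banner001">
<p>Your order has shipped.</p>
<img src="https://track.example.com/o.gif?u=4f9c2a" width="1" height="1" alt="">
<img src="https://metrics.example.net/b.png" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for f in remote_images(SAMPLE_HTML):
        label = "likely pixel" if f["tiny"] or f["hidden"] else "remote image"
        print(label, f["host"], f["params"])
```

The size and visibility checks only catch the obvious beacons; a visible logo fetched from a per-recipient URL produces the same server-side log entry, which is why the complete list from `remote_images` matters more than the flagged subset.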

Beyond the open: link tracking

Pixels measure opens; tracked links measure clicks, and they are a separate layer. A link that displays as example.com/product is frequently wrapped so it actually points at the sender's redirector first:

Displayed: example.com/product
Actual:    click.emailservice.com/c?id=abc&to=example.com/product

You click, you briefly hit the tracking server (which logs the click against your identifier), and then you are forwarded to the real destination. Link tracking survives almost every pixel defense, because clicking a link is an explicit fetch you initiated. The practical defenses are to hover and read the real URL before clicking, to copy-paste the destination instead of clicking the wrapper, or to use a parameter-stripping extension such as ClearURLs.
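The "hover and read the real URL" check can be done mechanically. This added example (not part of the original article) compares a link's displayed text with its actual target and, when the wrapper carries the destination in its query string as in the sample above, recovers that destination without contacting the redirector. The function names are illustrative, and the second and third test links in the comments are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")

def _split(text):
    """urlsplit that also accepts scheme-less strings like 'example.com/x'."""
    text = text.strip()
    if not _SCHEME.match(text):
        text = "//" + text  # make urlsplit read the leading part as a host
    try:
        return urlsplit(text)
    except ValueError:
        return urlsplit("")

def host_of(text):
    """Lowercased hostname, or '' when the text is not host-like."""
    host = (_split(text).hostname or "").lower()
    ok = "." in host and " " not in host and host.rsplit(".", 1)[-1].isalpha()
    return host if ok else ""

def embedded_destination(href):
    """First query value that itself looks like a URL; None for opaque IDs."""
    for _, value in parse_qsl(_split(href).query):  # values arrive decoded
        if host_of(value):
            return value
    return None

def inspect_link(displayed, href):
    """Compare what a link shows with where it points; performs no fetch."""
    shown, actual = host_of(displayed), host_of(href)
    dest = embedded_destination(href)
    return {
        "displayed_host": shown,
        "actual_host": actual,
        # Only meaningful when the visible text is itself a URL.
        "mismatch": bool(shown) and shown != actual,
        "destination": dest,
        "goes_where_shown": dest is not None and host_of(dest) == shown,
    }

if __name__ == "__main__":
    # The displayed/actual pair from the article.
    print(inspect_link(
        "example.com/product",
        "click.emailservice.com/c?id=abc&to=example.com/product",
    ))
```

When the wrapper uses an opaque token instead of an embedded URL, `destination` is `None` and the only way to reach the page untracked is to navigate to the displayed site directly.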

What a pixel can learn about you

A single fired pixel does not reveal the contents of your screen or your keystrokes. What it reveals is the metadata attached to the request, which is more than enough to be uncomfortable:

| Signal | What the sender learns |
| --- | --- |
| Open confirmation | That the message was opened at all, and by which recipient ID |
| Timestamp | When you opened it, to the second; repeat opens are logged separately |
| IP address to location | Your approximate city, region, and ISP, derived from your IP |
| Device & client | OS, device type, and mail client, parsed from the User-Agent string |
| Forwarding behavior | With per-recipient IDs, opens of a forwarded copy can be attributed |

Reporting on the 2021 BBC/Hey investigation summarized the categories the same way: spy pixels can tell a sender when a recipient opened a message, how often, their geographic location via IP, and details about their device and operating system (ProPrivacy). None of this requires you to click anything. Opening the message is the consent the system assumes.

How common are they, really

Two pieces of solid, primary research anchor the prevalence question. Both are a few years old, and both are scoped to commercial mail, so it is worth stating the numbers precisely rather than rounding them into something they do not say.

In February 2021, the email service Hey examined the mail flowing to its users on behalf of BBC News and described hidden spy pixels as "endemic." About two-thirds of the emails its users received contained one. Hey, which processes on the order of a million messages a day, said it was blocking roughly 600,000 spying attempts daily, with the average account seeing around 24 spy-pixel emails a day and the top tenth seeing more than 50 (BBC News, "Spy pixels in emails have become endemic," 17 Feb 2021; figures corroborated by ProPrivacy and Wikipedia).

The deeper academic look is the Princeton study "I never signed up for this!" (Englehardt, Han, and Narayanan, PoPETs 2018), which crawled a corpus of commercial mailing-list email. In that corpus, 85% of messages contained embedded third-party content and 70% contained resources flagged as trackers by standard tracking-protection lists (Princeton CITP). The same study found that nearly a third of those emails, about 29%, leaked the recipient's email address to at least one third party the moment the email was opened (Princeton CITP).

Two cautions on those figures. First, the Princeton percentages describe mailing-list and commercial email, not your one-to-one correspondence with a friend; personal email is far less likely to carry a pixel. Second, both data sets are snapshots (2021 and 2017 to 2018). We are not aware of a clean, current-year measurement that supersedes them, so treat them as well-established orders of magnitude rather than today's exact rate. For the volume context: the average office worker received roughly 121 emails a day in 2024 (The Radicati Group), and almost half of all mail sent worldwide that year, 47.27%, was spam (Kaspersky Securelist). Pixels live overwhelmingly in that commercial and marketing layer.

Who uses them, and why it matters

Tracking pixels are standard equipment in email marketing. Mainstream sending platforms add open tracking by default, so a large share of newsletters, promotions, receipts, shipping notices, and password-reset messages carry one. Individuals use them too, through Gmail and Outlook extensions that report when a personal email is read.

The stakes are not abstract. Open and click data feeds directly into the profiling economy: IP-derived location accumulated over many opens sketches where you live, work, and travel; an address confirmed to be live and monitored is a more valuable record to a data broker and a more attractive target to an attacker. The data-broker industry that buys and sells exactly this kind of signal is valued at over $250 billion (IAPP), and roughly 68% of internet users say they are concerned about how their data is used (Pew Research Center). A pixel is one of the cheapest ways for that machine to confirm an address belongs to a real, attentive human.

We see the address-validation angle from the other side. Running TempMailSpot, a disposable-email service, we watch verification and marketing mail arrive within seconds of an address being created, and much of it is plainly instrumented to confirm the address is monitored. The cleanest way to deny that signal is to make sure the address opening the mail is not one tied to your identity.

Is email tracking legal?

Mostly, and it sits in a gray zone rather than a clearly forbidden one. The contents of a tracking request, at minimum your IP address, count as personal data under the EU's GDPR (European Commission), which means tracking arguably requires a lawful basis or consent; enforcement specifically against pixels has been limited but the legal exposure is real. In the United States, there is no statute that names tracking pixels, though the California Consumer Privacy Act gives residents the right to know and delete data collected about them, which can extend to tracking records (California Attorney General). The practical takeaway: do not rely on the law to stop a pixel from firing. Configure your client and your address so it does not matter whether it fires.

How to stop tracking pixels

Defenses fall into three tiers. The first is the one that actually closes the hole; the others reduce what leaks but are partial.

1. Turn off automatic remote-image loading (the real fix)

If the image never loads, the request never fires, and there is nothing for the sender to log. A useful property of this approach is that a blocked pixel is indistinguishable from an unopened email, so the sender cannot tell the difference. Most clients can show a one-click "load images" button for senders you trust, so you keep control without keeping the surveillance.

| Client | Where to turn it off |
| --- | --- |
| Gmail (web) | Settings, See all settings, General, Images, "Ask before displaying external images", Save |
| Gmail (mobile) | Settings, your account, Images, "Ask before displaying external images" |
| Apple Mail (macOS) | Settings, Privacy, turn off "Load remote content" (or enable Protect Mail Activity) |
| Apple Mail (iOS) | Settings, Mail, Privacy Protection |
| Outlook (desktop) | File, Options, Trust Center, Trust Center Settings, Automatic Download, "Don't download pictures automatically" |
| Thunderbird | Settings, Privacy & Security, uncheck "Allow remote content in messages" |

The trade-off is cosmetic: legitimate images show as placeholders until you choose to load them.

2. Mail-client proxying (partial: hides your IP, not your open)

Several providers route remote content through their own servers, so the tracking server sees the proxy rather than you.

Apple's Mail Privacy Protection (announced June 2021 for iOS 15, iPadOS 15, and macOS Monterey) routes all remote content through relays so the sender cannot learn your IP address (Apple; MacRumors). Crucially, it pre-loads remote content in the background by default, whether or not you actually open the message (Apple). That breaks open-tracking by firing pixels for everyone, so "opens" become meaningless. The catch is that it only helps if you use the Apple Mail app and have the feature on, and it tends to inflate open counts rather than zero them out.

Gmail has proxied all email images through Google's servers (googleusercontent.com) since December 2013, so a pixel request comes from Google's infrastructure and your real IP and browser stay hidden (Filippo Valsorda). The catch is that the request still happens: the sender still learns you opened the message and roughly when, and link clicks are unaffected. Treat both Apple's and Gmail's measures as IP-masking and open-obfuscation, not as making you untrackable.

3. Detection extensions and privacy-first providers (helpful, not complete)

For webmail, extensions such as Ugly Email and PixelBlock flag or block pixels in Gmail, and Trocker works across several webmail interfaces; on macOS, the open-source MailTrackerBlocker blocks known trackers in Apple Mail. Privacy-focused mail services such as Proton Mail, Tuta (formerly Tutanota), and Hey block or surface remote content by default, and in Hey's case actively label which messages tried to spy on you. These reduce exposure meaningfully but depend on each tool's blocklist staying current.

Disposable email: the defense that survives a fired pixel

Blocking images stops the request. Using a disposable address solves a different problem: even if a pixel does fire, it has nothing real to attach to.

When you sign up for a newsletter, download, trial, or any low-stakes service with a temporary address, a unique disposable identity stands in for your real inbox. There is no persistent profile to build, no cross-site identity to join up, and once the address expires the historical tracking is attached to something that no longer points at you. Combine the two layers, remote images off and a disposable address, and a pixel that loads still learns nothing that maps back to your real identity.

TempMailSpot is built for exactly this kind of throwaway signup. It is free with no registration, a new inbox opens immediately, and incoming mail appears on its own within seconds (it polls frequently at first, then eases off). The default inbox lasts 10 minutes with unlimited extension, you can export any message to PDF, JSON, or EML before it expires, and unlike most disposable services it can also send a reply, gated by a CAPTCHA to prevent abuse. There is a public REST API at /api/v1 and an embeddable widget if you want to wire it into your own testing flow.

One honest limit: a disposable address hides you from the sender, not from the provider of the mail service, and a pixel that loads still reveals the IP and device of whatever opened it. So pair a temporary inbox with images-off for low-stakes signups, and keep a properly configured personal account for mail you actually need to keep. The mechanics of disposable inboxes, including when not to use one, are covered in our complete guide to temporary email, and the broader playbook lives in our guide to protecting your privacy online.

Tracking pixels are not sophisticated. They are ordinary image requests that exploit a default, namely that mail clients fetch remote images the moment you open a message, to confirm an open and harvest the metadata that rides along with it. The evidence that they are widespread is solid: about two-thirds of mail to Hey's users in 2021, and 70% of Princeton's commercial mailing-list corpus carrying trackers, with nearly a third leaking the recipient's address on open.

The defenses sort cleanly. Turning off automatic remote-image loading actually closes the hole, and a blocked pixel looks identical to an unread email. Provider proxying from Apple and Gmail hides your IP and muddies open data but still lets one request through, so treat it as partial. And a disposable address removes the thing the pixel is ultimately trying to identify, which is you. Set images to load on request, point your throwaway signups at a temporary inbox, and the invisible image in your inbox goes back to being just an invisible image.

Sources

  1. Kaspersky Securelist, "Spam and phishing in 2024" (2025)
  2. The Radicati Group, "Email Statistics Report, 2024-2028" (2024)
  3. IAPP, "The Data Broker Industry Report" (2024)
  4. Pew Research Center, "How Americans View Data Privacy" (2023)
  5. European Commission, "General Data Protection Regulation" (2018)
  6. California Attorney General, "California Consumer Privacy Act" (2020)
  7. Wikipedia, "Spy pixel - Wikipedia" (2026)
  8. Wikipedia, "Web beacon - Wikipedia" (2026)
  9. ProPrivacy, "Analysts Reveal That Email Spy Pixels Have Become 'Endemic'" (2021)
  10. BBC News, "Spy pixels in emails have become endemic" (2021)
  11. Princeton CITP, "I never signed up for this! Privacy implications of email tracking" (2017)
  12. Apple, "Mail Privacy Protection & Privacy - Apple Legal" (2026)
  13. MacRumors, "Apple Putting a Stop to Email Tracking Pixels With Mail Privacy Protection in iOS 15 and macOS Monterey" (2021)
  14. Filippo Valsorda, "How the new Gmail image proxy works and what this means for you" (2013)
