How email tracking pixels work (and how to kill them)
Every marketing email knows when you opened it, where you were, and what device you used. Here's the 1×1 trick they're using — and how to opt out by default.
You open an email. You read two sentences. You close it. You think nothing of it.
The sender just learned:
- that you opened the email
- the exact time you opened it
- whether it was on your phone or your laptop
- a rough idea of where you were
- the email client you used
They learned all of this from a single transparent pixel. One pixel. 1×1. Hidden in the email, invisible to you, doing its full surveillance job in the background while you read the part the sender wants you to read.
This is normal. Almost every marketing email you've ever opened has done this. Here's how the trick works and what you can do about it.
The trick
When an email loads, your email client (Gmail, Apple Mail, Outlook — doesn't matter) renders the HTML. Just like a webpage. Embedded in the HTML are images. Like a webpage, your email client fetches each image from a URL when it needs to display it.
A tracking pixel is a normal <img> tag pointed at a URL on the sender's server. The image itself is a 1×1 transparent GIF. You never see it. But fetching it logs a request:
<img
src="https://track.acme.com/open?email=you@example.com&campaign=42"
width="1"
height="1"
alt=""
/>
When your email client fetches that image, it hits the sender's server. The sender's server now knows:
- You opened the email. The fetch happened. That's the open event.
- When. Server timestamp.
- Where, roughly. From your IP address. (City-level, sometimes more.)
- What you read it on. From the User-Agent header your email client sent.
- Which campaign. From the URL parameters.
- Which you. Because the URL has your email baked into it.
Marketing platforms call this an "open rate". It's not really an open rate. It's a "downloaded the pixel" rate. Same thing in practice.
What they do with it
The "open" data feeds into segmentation. People who open get more frequent emails. People who don't get re-engagement campaigns. Heavy openers get tagged as "high intent" and become more valuable when the company sells data to a "partner".
The location data becomes geographic targeting. The device data becomes device targeting. The timing data becomes send-time optimization — "you usually open at 7am on Tuesdays, so we'll send Tuesdays at 6:55."
None of this is illegal. Most of it isn't even hidden — it's in the privacy policy you didn't read. But it's also not consent in any meaningful sense, because you can't see it happening and you can't tell whether the email you just opened was just an email or a fingerprinting tool.
What "block remote content" does (and doesn't do)
Most modern email clients have a setting called something like "block remote content" or "load images only when I tap". It's better than nothing. It works by not loading any external images until you explicitly ask.
Limitations:
- It blocks all images. Including the legitimate ones you wanted to see.
- It defaults to off in many clients (Outlook, older Gmail).
- The instant you tap "show images" — usually because the email actually has a real image you want to look at — every tracker on the page fires at once.
- Apple Mail's "Mail Privacy Protection" pre-fetches all images from a proxy, which masks your IP and timing — but only on Apple devices. The senders still get an "open" event, just a useless one.
So even "I have remote content blocked" isn't a real solution. It's friction. The trackers are still there, waiting for you to slip up.
What stripping pixels actually means
There's a different approach: instead of asking your email client to refuse to load the trackers, remove the trackers from the email before it reaches your client.
That's what an email forwarding service can do. The email lands at the forwarder. The forwarder parses the HTML. The forwarder finds every <img> whose URL looks like a known tracker (and there are maintained lists of these — Hubspot, Mailchimp, Klaviyo, ActiveCampaign, hundreds more). The forwarder rewrites or removes those tags. The clean version of the email then forwards to your real inbox.
The sender's tracking server gets no fetch request. Their open rate stays at zero for you. Their re-targeting database doesn't have a record of you.
You read the email. You see the legitimate images. You don't see the pixels — because they were never sent.
You can test it yourself
Pick an email from a marketing list. View source. Search for width="1" or height="1" or look for any <img> tag pointed at track., link., email., mail., or a long URL with random-looking characters. That's the pixel.
If you've ever wondered why companies seem to know whether you opened their stuff — that's the whole trick. One image. Hidden in plain sight. In every email they send.
The good news: removing it is easy. The better news: you can remove it from every email you ever get from now on, automatically, without changing your email client.
Strip tracking pixels by default.
Every email forwarded through SecureAlias gets the trackers removed before it lands in your inbox. No setup. No 'show images' dance.
Try it free →Related reading
- Why your inbox is everyone else's billboard — the broader picture.
- SecureAlias vs SimpleLogin — comparison if you're already on an alias service.
- Email aliases for newsletter signups — the most common use case, in three steps.