TL;DR - Almost every marketing email contains an invisible 1x1 image. The moment your email app loads it, the sender learns that you opened the email, roughly when and where, and what device you used. "Block remote content" helps a bit but breaks every time you tap "show images". The cleaner fix is to read mail through something that strips the trackers before they reach you (Apple Mail Privacy Protection, or a forwarding/alias service). The test: view an email's source and search for width="1".
You open an email. You read two sentences. You close it. You think nothing of it.
The sender just learned:
- that you opened the email
- the exact time you opened it
- whether it was on your phone or your laptop
- a rough idea of where you were
- the email client you used
They learned all of this from a single transparent pixel. One pixel. 1x1. Hidden in the email, invisible to you, doing its full surveillance job in the background while you read the part the sender wants you to read.
This is normal. Almost every marketing email you have ever opened has done this. Here is how the trick works and what you can do about it.
The trick
When an email loads, your email client (Gmail, Apple Mail, Outlook, it does not matter) renders the HTML. Just like a webpage. Embedded in the HTML are images, and just like a webpage, your email client fetches each image from a URL when it needs to display it.
A tracking pixel is a normal image tag pointed at a URL on the sender's server. The image itself is a 1x1 transparent GIF. You never see it. But fetching it logs a request, something like:
<img
src="https://track.acme.com/open?email=you@example.com&campaign=42"
width="1"
height="1"
alt=""
/>
When your email client fetches that image, it hits the sender's server. The sender's server now knows:
- You opened the email. The fetch happened. That is the open event.
- When. Server timestamp.
- Where, roughly. From your IP address, usually city-level.
- What you read it on. From the User-Agent your email client sent.
- Which campaign, and which you. From the URL, which has your address baked into it.
Marketing platforms call this an "open rate". It is not really an open rate. It is a "downloaded the pixel" rate. Same thing in practice. The same trick powers click tracking: every link runs through a redirect on the sender's server, so they also know which links you clicked and in what order.
What they do with it
The open data feeds segmentation. People who open get more emails. People who do not get re-engagement campaigns. Heavy openers get tagged as "high intent" and become more valuable when the company sells data to a "partner".
The location data becomes geographic targeting. The device data becomes device targeting. The timing data becomes send-time optimisation: "you usually open at 7am on Tuesdays, so we will send Tuesdays at 6:55."
None of this is illegal. Most of it is not even hidden; it is in the privacy policy you did not read. But it is also not consent in any meaningful sense, because you cannot see it happening and you cannot tell whether the email you just opened was just an email or a fingerprinting tool.
What "block remote content" does (and does not do)
Most modern email clients have a setting called something like "block remote content" or "load images only when I tap". It is better than nothing. It works by not loading any external images until you explicitly ask.
Limitations:
- It blocks all images, including the legitimate ones you actually wanted to see.
- It defaults to off in many clients.
- The instant you tap "show images", usually because the email has a real image you want to look at, every tracker on the page fires at once.
- Apple Mail's "Mail Privacy Protection" pre-fetches all images through a proxy, which masks your IP and timing, but only on Apple devices. The senders still get an "open" event, just a useless one.
So even "I have remote content blocked" is not a real solution. It is friction. The trackers are still there, waiting for you to slip up.
Stripping the pixels before they reach you
There is a different approach: instead of asking your email client to refuse to load the trackers, remove the trackers from the email before it ever reaches your client.
That is what an email forwarding or alias service can do. The email lands at the forwarder, which parses the HTML, finds every image whose URL matches a known tracker (there are maintained lists: Hubspot, Mailchimp, Klaviyo, ActiveCampaign, hundreds more), and strips those tags. The clean version then forwards to your real inbox. The sender's tracking server never gets the fetch. Their open rate for you stays at zero. You still see the legitimate images.
Full disclosure: I built and ran an email-alias service called SecureAlias that did exactly this, and I am winding it down now, so take the enthusiasm with a grain of salt. But the technique stands whichever tool you use. If you want pixel-stripping plus throwaway addresses, look at Apple Hide My Email, DuckDuckGo Email Protection, Firefox Relay, or Proton's SimpleLogin. Apple Mail Privacy Protection alone will neutralise the open-tracking for most people on iPhones and Macs without any extra service at all.
You can test it yourself
Pick an email from a marketing list. View its source ("Show original" in Gmail). Search for width="1" or height="1", or look for any image tag pointed at track., link., email., mail., or a long URL full of random-looking characters. That is the pixel.
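The manual test above and the forwarder-side stripping described earlier, combined into one sketch. This is an added example, not code from SecureAlias or any of the services named; it uses the article's own heuristics (1x1 dimensions, a host starting with track., link., email. or mail.) instead of a maintained tracker list, and the sample message and the cdn.acme.com host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host prefixes the article lists for the manual test (heuristic, not a tracker list).
TRACKER_PREFIXES = ("track.", "link.", "email.", "mail.")

def is_tracking_pixel(attrs):
    """True for an <img> that is 1px in either dimension or served from a tracker-looking host."""
    a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
    host = urlsplit(a.get("src", "")).hostname or ""
    if not host:  # cid:/data: images are inline, so loading them contacts no server
        return False
    tiny = any(a.get(d, "").removesuffix("px") == "1" for d in ("width", "height"))
    return tiny or host.startswith(TRACKER_PREFIXES)

class PixelStripper(HTMLParser):
    """Re-emits the HTML unchanged except for <img> tags flagged as trackers."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_tracking_pixel(attrs):
            self.removed.append(dict(attrs).get("src"))
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag  # self-closing <img ... /> takes the same path
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_trackers(html):
    """Return (cleaned_html, list of removed tracker URLs)."""
    parser = PixelStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample: the article's pixel next to a legitimate banner image.
SAMPLE = """<html><body><p>Spring sale &amp; more</p>
<img src="https://cdn.acme.com/banner.png" width="600" height="200" alt="Sale">
<img src="https://track.acme.com/open?email=you@example.com&campaign=42" width="1" height="1" alt="" />
</body></html>"""
```

Calling strip_trackers(SAMPLE) returns the HTML with the banner intact and the pixel's URL in the removed list. The prefix heuristic will also drop legitimate images hosted on names like mail.*, which is why a forwarding service matches against a maintained list instead.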
If you have ever wondered how companies seem to know whether you opened their stuff, that is the whole trick. One image, hidden in plain sight, in every email they send. The good news: removing it is easy, and you can remove it from every email you get from now on, automatically, without changing how you read your mail.


