Skip to main content
← Back to Blog
Technical Deep Dive·8 min read·

How Tracking Pixels Work (And Why Your Email Reads Like a Logbook)

A technical deep-dive on tracking pixels in 2026 — how 1×1 images, open/click tracking, link decoration, and privacy-preserving alternatives actually operate.

#tracking pixels#email tracking#link decoration#technical

Quick answer

A tracking pixel is a 1×1 transparent image (or equivalent) embedded in an email or webpage. When the client renders it, the image request reveals the user's IP, user-agent, time, referrer, and any per-recipient ID encoded in the URL. Pixels survive email privacy efforts better than cookies because they work on any mail client that loads images. Apple Mail Privacy Protection and aggressive image-proxying have weakened pixel tracking since 2021, but it is still the default in every mainstream email marketing platform in 2026.

How email open-tracking works

Your marketing email is sent to 100,000 recipients. The platform (Mailchimp, SendGrid, Klaviyo, HubSpot, etc.) rewrites every outbound message to include a hidden image URL unique per recipient:

<img src="https://track.example.com/open.gif?m=abc123&[email protected]" width="1" height="1" />

When the recipient's email client renders the HTML email, it fetches the image. The tracking server logs: recipient ID, timestamp, user-agent, IP. Open count registered.

Click tracking

Every link in the email is rewritten to pass through the tracking server:

<a href="https://track.example.com/click?m=abc123&[email protected]&u=https%3A%2F%2Fdestination.com%2Fpage">Link</a>

The server logs the click, sets a cookie for onward attribution, then 302-redirects to the real URL. The user rarely notices.

Link decoration

Outside email, links are decorated with tracking parameters: fbclid (Meta), gclid (Google), mc_eid (Mailchimp), utm_* (any platform). These parameters persist into the destination URL, allowing the destination site and third-party analytics to correlate visits to specific ad campaigns and recipient IDs.

Why pixels still work despite blocks

  • Pixels don't require cookies. They work against users who have cookies disabled.
  • Pixels work in email. Cookies do not flow between web and mail clients.
  • Pixels leak IP and user-agent. Even when email clients proxy image-loads, some metadata still reaches the sender via the proxy's call pattern.

Apple's Mail Privacy Protection

MPP, launched 2021, pre-fetches all images on mail receipt via Apple's proxy. Effects: every recipient registers "opened" regardless of reality (breaks open-rate analytics); IP of the recipient is masked by Apple's proxy; the tracking server cannot correlate open-time to human behaviour. The result: open rates of 70-100% regardless of actual engagement. Marketers have moved to click-rate and reply-rate as more reliable signals.

Web pixels (Meta Pixel, Google Analytics)

Meta Pixel and Google Tag Manager place a first-party or third-party pixel on every page of a site. On page load, the pixel fires: event name, page URL, any custom data, and (with third-party cookies enabled) the user's cross-site identifier. Used for conversion tracking and ad attribution.

What PrivacyGuard does

  • Blocks known tracker domains, preventing pixel loads at the network level.
  • Strips link-decoration parameters (fbclid, gclid, mc_eid, ~40 others) automatically.
  • Warns on email clients that leak open-tracking — suggests enabling image-blocking in Gmail/Outlook.

What you can do

  • Disable automatic image loading in your mail client.
  • Use an email reader that proxies image-loads (Apple Mail, Proton Mail).
  • Install PrivacyGuard or equivalent for web pixels.
  • Prefer plain-text email for sensitive correspondence.

Related reading

Third-party cookies · Browser fingerprinting · GeraCompliance — email GDPR