Can link security checkers cause false no-js reports in email analytics?

Summary

Link security checkers and corporate firewalls can indeed cause false no-js reports in email analytics. These systems often pre-scan or proxy links in emails for security purposes, but do so without executing JavaScript. This results in inflated click rates, misrepresentation of user behavior, and inaccurate data, as Google Analytics relies on JavaScript for data collection. The issue is further complicated by bot clicks mimicking users without JavaScript and the influence of Email Transport Agents (MTAs). Strategies to mitigate this include using hidden links to discard bot clicks and utilizing User-Agent sniffing to identify environments without JavaScript support.

Key findings

  • False Positives: Link security tools and corporate firewalls often execute links in a no-JS environment, leading to false positives.
  • Inflated Clicks: Pre-scanning by security software can result in inflated click rates, misrepresenting genuine user engagement.
  • Inaccurate Data: Corporate networks and security tools interact with links without executing JavaScript, skewing analytics data.
  • GA Dependency: Google Analytics requires JavaScript; its absence leads to incorrect hit attribution.
  • Bot Mimicry: Bot clicks can simulate users without JavaScript, exacerbating the issue of inaccurate analytics.
  • User-Agent Sniffing: User-Agent sniffing helps identify environments without JavaScript support, aiding in identifying discrepancies.
  • Security Software Rewrite URLs: Some security software will rewrite URLs in emails to proxy them through their own servers to protect users but these proxy servers typically do not execute JavaScript.

Key considerations

  • Analytics Interpretation: Consider the potential impact of link security checkers, MTAs, and bot activity when interpreting email analytics.
  • Security Impact: Acknowledge that security measures, while essential, can inadvertently distort email analytics and require careful consideration.
  • Alternative Tracking: Explore alternative tracking methods to differentiate between genuine user clicks and automated security scans.
  • Hidden Link Strategy: Implement strategies like hidden links to identify and discard bot clicks, improving data accuracy.
  • User-Agent Analysis: Employ User-Agent sniffing to identify and account for discrepancies caused by non-JavaScript environments.
  • Tooling Review: Review behavior of Safe Links and other pre-scanning tools to understand their effects on email analytics.

What email marketers say
10Marketer opinions

Link security checkers and corporate firewalls often pre-scan links in emails, executing them in environments without JavaScript support. This pre-scanning can lead to inflated click rates and inaccurate analytics, misrepresenting user behavior by falsely attributing clicks to users without JavaScript enabled. This is further complicated by bot clicks mimicking users without JavaScript, potentially triggering false reports.

Key opinions

  • False Positives: Link security tools and firewalls often execute links in a no-JS environment, leading to false positives in analytics reports.
  • Inflated Clicks: Pre-scanning by security software can result in inflated click rates, misrepresenting genuine user engagement.
  • Inaccurate Data: Corporate networks and security tools may interact with links without executing JavaScript, skewing analytics data.
  • Bot Mimicry: Bot clicks can simulate users without JavaScript, exacerbating the issue of inaccurate analytics.

Key considerations

  • Analytics Interpretation: When interpreting email analytics, consider the potential impact of link security checkers and bot activity on the accuracy of no-JS reports.
  • Security Impact: Acknowledge that security measures, while essential, can inadvertently distort email analytics and require careful consideration.
  • Alternative Tracking: Explore alternative tracking methods to differentiate between genuine user clicks and automated security scans.
  • Review Tooling: Review and understand the behaviour of corporate firewalls that may be executing the URLs in a sandbox environment.
Marketer view

Email marketer from EmailOnAcid explains that security software may pre-scan links in emails, resulting in inflated click rates and potential misrepresentation of user behavior due to no-JS environments.

September 2021 - EmailOnAcid
Marketer view

Email marketer from EmailToolTester explains that false or inaccurate tracking can be caused by corporate firewalls or security tools that examine links in a sandbox environment, potentially without JavaScript support.

September 2022 - EmailToolTester
Marketer view

Email marketer from Litmus responds that some email clients and security tools scan links before the recipient clicks, which can result in clicks from environments without JavaScript enabled, skewing analytics.

July 2023 - Litmus
Marketer view

Email marketer from SuperOffice Blog highlights that security scans, especially within corporate networks, can interact with links in emails leading to skewed click data as they may not execute Javascript.

April 2022 - SuperOffice
Marketer view

Marketer from Email Geeks shares they see untracked clickers, especially from schools and businesses. Mentions Sailthru shows clicks with 0 pageviews and that hidden links can accidentally happen with Sailthru’s Email Composer.

April 2024 - Email Geeks
Marketer view

Email marketer from Sendinblue says that while email tracking is useful, link clicks might be automatically visited by security protocols, leading to an artificial inflation of click numbers and possibly erroneous tracking of devices with no Javascript.

August 2022 - Sendinblue
Marketer view

Email marketer from EmailGeekForum explains that bot clicks can mimic users without JavaScript enabled, triggering false reports in analytics due to security measures.

December 2023 - EmailGeekForum
Marketer view

Email marketer from Reddit shares that some security tools or corporate firewalls might execute links in a no-JS environment for security checks, leading to false positives in analytics.

August 2021 - Reddit
Marketer view

Email marketer from StackOverflow answers that some link scanners operate without fully rendering JavaScript, leading to potential discrepancies in analytics reports for click sources.

May 2021 - StackOverflow
Marketer view

Marketer from Email Geeks explains if a link checker may register in your analytics as a browser not supporting JavaScript, then yes, that is a possibility.

February 2022 - Email Geeks

What the experts say
3Expert opinions

Link security checkers can indeed cause false no-js reports in email analytics. Security software and tools often pre-fetch links to protect users, sometimes without executing JavaScript, leading to inaccurate data. A mitigation strategy involves using hidden links to discard clicks from these automated scans, helping differentiate between bot and genuine user clicks.

Key opinions

  • False Positives: Link scanning behavior causes false positives due to pre-fetching by security tools without JavaScript support.
  • Proxy Servers: Security software rewrites URLs, proxying them through servers that don't execute JavaScript, resulting in false no-JS clicks.
  • Hidden Links: Hidden links can be used to identify and discard bot clicks.

Key considerations

  • Data Accuracy: Be aware that security scans can skew click data, and not all clicks represent genuine user interactions.
  • Mitigation Strategies: Implement mitigation strategies like hidden links to improve data accuracy.
  • Tooling Behavior: Understand how security software and tools in your email ecosystem handle link scanning and JavaScript execution.
Expert view

Expert from Word to the Wise explains that link scanning behavior can cause false positives due to pre-fetching by security tools without Javascript support which may trigger inaccurate analytics data.

March 2024 - Word to the Wise
Expert view

Expert from Spam Resource explains that some security software will rewrite URLs in emails to proxy them through their own servers to protect users. These proxy servers typically do not execute JavaScript, and will therefore show up as no-js users clicking links.

October 2022 - Spam Resource
Expert view

Expert from Email Geeks shares you can add hidden links to the header/footer that no user could see and when those get clicks, they can help you discard other clicks at that same time from that same “user”.

September 2023 - Email Geeks

What the documentation says
5Technical articles

Link security checkers can indeed lead to false no-JS reports in email analytics because they often access links in emails without executing JavaScript. This behavior causes discrepancies in click tracking, as Google Analytics relies on JavaScript for data collection, and bot detection methods often identify clients that don't execute JavaScript. User-Agent sniffing can further highlight these discrepancies. Tools like Microsoft's Safe Links pre-scan URLs, which can trigger visits without JavaScript support.

Key findings

  • GA Dependency: Google Analytics relies on JavaScript, and its absence leads to incorrect hit attribution when link checkers are involved.
  • Bot Detection: Bot detection methods often flag clients lacking JavaScript, influencing link security checker assessments.
  • User-Agent Sniffing: User-Agent sniffing reveals environments without JavaScript support, highlighting discrepancies from link security checkers.
  • MTA Access: Email Transport Agents and security gateways access links, affecting click tracking accuracy in no-JavaScript environments.
  • Safe Links impact: Microsoft Safe Links pre-scanning URLs triggers visits lacking Javascript support.

Key considerations

  • Analytics Accuracy: Acknowledge that link security checkers and MTAs can distort email analytics due to their access methods.
  • User-Agent Interpretation: Utilize User-Agent sniffing to identify and account for discrepancies caused by non-JavaScript environments.
  • Tooling impact: Be mindful of tools like Safe Links when reviewing analytics as they impact the results.
Technical article

Documentation from OWASP explains that bot detection often involves identifying clients that do not execute JavaScript, which can influence how link security checkers are perceived in email analytics.

July 2023 - OWASP
Technical article

Documentation from Google Analytics support explains that if JavaScript is disabled, Google Analytics cannot collect data, which may cause some hits to be incorrectly attributed when link checkers are involved.

April 2022 - Google Analytics
Technical article

Documentation from MDN Web Docs shares that User-Agent sniffing can identify environments that do not fully support JavaScript, providing insights into potential discrepancies caused by link security checkers in email analytics.

June 2024 - Mozilla
Technical article

Documentation from Microsoft shares that Safe Links in Microsoft Defender may pre-scan URLs which can trigger a visit to a URL without proper javascript support.

May 2022 - Microsoft
Technical article

Documentation from IETF explains that email transport agents (MTAs) and security gateways might access links in emails for security purposes, which can influence the accuracy of click-tracking and potentially cause discrepancies due to environments without JavaScript enabled.

March 2022 - IETF