Why did a recent email campaign see an out-of-the-blue spike of triple clicks from .edu addresses?

Summary

The sudden spike in triple clicks from .edu addresses during a recent email campaign is primarily attributed to increased security measures implemented by educational institutions and email providers. These measures include automated systems scanning emails for malicious content by clicking on links, often multiple times, before the email reaches the recipient. Factors contributing to this include updated security filters, the high vulnerability of .edu domains to cyberattacks, and the need to protect unmanaged user machines on their networks. Services like Proofpoint's URL Defense, Cisco's AMP, and Microsoft's Safe Links rewrite URLs and scan destination websites, triggering click events. The widespread adoption of these security practices aims to protect users from phishing and malware, but results in skewed click data and website traffic.

Key findings

  • Automated Scanning: Security software automatically clicks links within emails to scan for malicious content, which leads to inflated click counts.
  • Updated Filters: Updated or newly implemented security filters trigger increased link checking activity.
  • .edu Vulnerability: .edu domains are prime targets for phishing and malware attacks, necessitating stricter security protocols.
  • Third-Party Services: Services like Proofpoint, Cisco, and Microsoft rewrite URLs and perform scans, generating preemptive clicks.
  • Unmanaged Machines: Security tools are an important measure because student machines are difficult to patch.

Key considerations

  • Data Inaccuracy: Email marketers should be aware of skewed click data due to automated scanning and adjust reporting accordingly.
  • Website Load: Email senders should ensure websites can handle potential traffic surges from security checks.
  • Sender Reputation: Monitor sender reputation to ensure that security systems do not flag your emails or websites as malicious.
  • Filter Clicks: Consider implementing rules to filter out clicks occurring before email opens for more accurate reporting.
  • Security vs. Metrics: Balance the need for accurate email metrics with the importance of robust security measures.
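
As an added illustration (not code from any of the sources quoted on this page), the "filter clicks occurring before email opens" rule can be sketched in Python, together with the repeated same-IP clicks that marketers on this page describe. The event layout, the sample data, the 5-second window and the function names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, recipient, event, link, source IP.
EVENTS = [
    ("2024-03-01T09:00:02", "a@example.edu", "click", "/offer", "198.51.100.7"),
    ("2024-03-01T09:00:03", "a@example.edu", "click", "/offer", "198.51.100.7"),
    ("2024-03-01T09:00:04", "a@example.edu", "click", "/offer", "198.51.100.7"),
    ("2024-03-01T10:15:00", "a@example.edu", "open", None, "203.0.113.20"),
    ("2024-03-01T10:15:40", "a@example.edu", "click", "/offer", "203.0.113.20"),
    ("2024-03-01T09:30:00", "b@example.com", "open", None, "203.0.113.55"),
    ("2024-03-01T09:30:25", "b@example.com", "click", "/blog", "203.0.113.55"),
]

BURST = timedelta(seconds=5)  # assumed window for "same link, same IP" repeats


def classify_clicks(events, burst=BURST):
    """Return (recipient, time, link, label, reasons) for every click event."""
    rows = [(datetime.fromisoformat(t), r, e, l, ip) for t, r, e, l, ip in events]
    rows.sort(key=lambda row: row[0])
    first_open = {}  # recipient -> time of first recorded open
    for ts, rcpt, ev, _, _ in rows:
        if ev == "open":
            first_open.setdefault(rcpt, ts)
    clicks = [row for row in rows if row[2] == "click"]
    by_key = defaultdict(list)  # (recipient, link, ip) -> click times
    for ts, rcpt, _, link, ip in clicks:
        by_key[(rcpt, link, ip)].append(ts)
    out = []
    for ts, rcpt, _, link, ip in clicks:
        reasons = []
        opened = first_open.get(rcpt)
        if opened is None or ts < opened:
            reasons.append("click-before-open")
        near = [t for t in by_key[(rcpt, link, ip)] if abs(t - ts) <= burst]
        if len(near) >= 3:  # the "triple click" pattern
            reasons.append("repeat-burst")
        out.append((rcpt, ts.isoformat(), link, "scanner" if reasons else "human", reasons))
    return out


def human_click_count(events):
    """Clicks left over once likely scanner clicks are filtered from reporting."""
    return sum(1 for row in classify_clicks(events) if row[3] == "human")
```

Open tracking depends on image loading, so a recipient who blocks images will also show a click with no prior open; treat the label as a reporting filter rather than proof of automation.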

What email marketers say
11 Marketer opinions

A recent email campaign experienced an unexpected surge of multiple clicks originating from .edu addresses. This phenomenon is primarily attributed to automated security measures implemented by email providers and organizations, particularly academic institutions, to safeguard against phishing and malware. These systems often scan emails for malicious content by automatically clicking on links, resulting in clicks being registered before the recipient interacts with the email. The heightened security protocols of .edu domains, driven by their susceptibility to cyberattacks, contribute to this increased link checking activity. The spike can also be caused by security systems being updated.

Key opinions

  • Automated Security: Email security software automatically clicks links to scan for malicious content.
  • Domain Security: .edu domains have stricter security protocols due to being prime targets for attacks.
  • Link Verification: Organizations use automated tools to verify links for malicious content.
  • Spam Filter Analysis: Advanced spam filters analyze links, generating clicks, especially aggressively for .edu domains.
  • Tightened Protocols: Security software may be configured to click links multiple times to ensure safety, and these settings get updated.

Key considerations

  • False Positives: Multiple clicks from security scans can skew email analytics and reporting.
  • Security Measures: Recognize that link checking is a legitimate security measure, particularly within academic institutions.
  • Sender Reputation: Understand that while clicks might be automated, a negative result from the scan can affect sender reputation and deliverability.
  • Filter Rules: Implement rules to identify and filter out clicks occurring before email opening to improve reporting accuracy.
  • Monitoring Updates: Be aware that changes in security settings by email providers or organizations can lead to sudden changes in click behavior.
Marketer view

Email marketer from Reddit explains that .edu addresses often have stricter security protocols because universities are prime targets for phishing and malware attacks. Automated link checking is a common security measure.

July 2023 - Reddit
Marketer view

Email marketer from Email Geeks explains that some domains check the email before entering the recipient mailbox and may follow links in the email, which, with tracking, can be registered as a click.

July 2023 - Email Geeks
Marketer view

Email marketer from Litmus explains that bot clicks often come from security software scanning emails, especially from corporate or academic domains. These systems might be updated without warning, causing a sudden spike in clicks.

November 2021 - Litmus
Marketer view

Email marketer from StackOverflow states that some organizations use automated tools to verify links in emails, which may generate clicks. The automated tools verify if the link has malicious content.

August 2021 - StackOverflow
Marketer view

Email marketer from SecurityForums comments that the automated link checking is a security measure to prevent malware, because .edu domains usually have a lot of students that are easily tricked.

December 2023 - SecurityForums
Marketer view

Email marketer from EmailVendorSelection explains that advanced spam filters analyze links in emails by visiting them, which generates clicks. The filters might be more aggressive for .edu domains due to their vulnerability.

July 2021 - EmailVendorSelection
Marketer view

Email marketer from Email Geeks explains that if each link is being clicked, it's most likely an antispam/antimalware system probing the mail, and suggests setting rules to not register a click occurring before the opening of an email.

February 2025 - Email Geeks
Marketer view

Email marketer from Mailjet explains that many email providers use security software that automatically clicks on links within emails to check for malicious content. This can result in multiple clicks from the same IP address.

September 2023 - Mailjet
Marketer view

Email marketer from Quora notes that automated systems might 'test' links in emails, particularly in academic institutions, to safeguard against malicious content. The specific number of clicks might be related to how thorough the test is.

July 2024 - Quora
Marketer view

Email marketer from SendGrid shares that email security systems can scan emails for phishing attempts and malware by automatically clicking all the links. This is especially common with organizations that have strict security protocols.

March 2022 - SendGrid
Marketer view

Email marketer from StackExchange shares that security software might be configured to click links multiple times (e.g., three times) to ensure the destination is safe. This can happen especially when security settings are updated or tightened.

January 2023 - StackExchange

What the experts say
5 Expert opinions

A sudden spike in clicks, specifically triple clicks from .edu addresses in an email campaign, is likely due to updated or new security measures implemented by these educational institutions. Because the machines on their networks are often unmanaged, these institutions need to secure their inbound mail servers as best they can, which often involves automated link checking. This link scanning is a proactive effort to defend against malware and phishing attacks. The spikes occur when a filtering service is updated, or a new filter service is put in place, and begins checking links. This security behavior is not exclusive to .edu domains; .gov domains and businesses implement similar measures.

Key opinions

  • Filter Updates: The spike is likely caused by updated filter services now actively checking links in emails.
  • Proactive Security: Clicking links is a security measure to check for malware.
  • Unmanaged Machines: .edu sites have to be extra careful with inbound emails.
  • Security Focus: Educational institutions prioritize security measures due to their vulnerability to cyber threats.
  • Broader Implementation: Similar security practices are also found in .gov and business sectors.

Key considerations

  • Website Performance: Email senders should ensure their websites can handle traffic spikes from security checks.
  • Data Accuracy: The automated clicks will skew your email reporting.
  • Reputation Monitoring: It is good practice to monitor your sender reputation to prevent the security tools from seeing your website as dangerous.
  • Adapt Security Strategies: Understand that heightened security checks are the norm, and it is advisable to adapt email practices accordingly.
Expert view

Expert from Spam Resource responds that a sudden change in click behavior, such as a spike in clicks from .edu addresses, could be attributed to updated security filters on the receiving end, especially if they've implemented new link checking mechanisms.

August 2021 - Spam Resource
Expert view

Expert from Email Geeks explains that academia doesn’t have control over the user machines like corporate sites do, therefore .edu network admins are going to do _everything_ they possibly can to catch malware at the places they do control, like the inbound mailserver.

May 2023 - Email Geeks
Expert view

Expert from Word to the Wise shares that many organizations, including educational institutions, implement security measures that involve scanning links within emails. This helps protect users from phishing or malicious content, often leading to a click being recorded before the recipient sees the email.

June 2023 - Word to the Wise
Expert view

Expert from Email Geeks guesses that the spike happened because the .edu domains are using the same filter box / filter service, and that filter got updated and now checks links.

June 2023 - Email Geeks
Expert view

Expert from Email Geeks adds that the “everything gets clicked (and likely as a security measure)” scenario is real, especially for .edu, .gov and many businesses.

December 2022 - Email Geeks

What the documentation says
3 Technical articles

A recent email campaign experiencing an unexpected spike of triple clicks from .edu addresses is likely due to security services like Proofpoint's URL Defense, Cisco's AMP, and Microsoft's Safe Links. These services scan URLs in emails for malicious content. By rewriting the URLs and scanning the destination website, a click event can be generated even before the intended recipient reaches the site.

Key findings

  • URL Rewriting: Security services rewrite URLs to scan destination websites for threats.
  • Preemptive Clicking: Scans can generate click events before the user reaches the intended website.
  • Threat Analysis: Services analyze URLs and website content to identify potential threats.

Key considerations

  • Data Inaccuracy: Click data may be skewed due to automated security scans.
  • Compatibility: Organizations may want to consider if their security configurations are compatible with email marketing best practices.
  • Reporting: Email marketers may want to adjust reporting to account for the inflated clicks.
Technical article

Documentation from Microsoft explains that Safe Links is a feature in Microsoft Defender for Office 365 that rewrites URLs to point to Microsoft's servers, which scan the link before redirecting the user. The scan can generate a click event.

November 2022 - Microsoft
Technical article

Documentation from Cisco details that Advanced Malware Protection (AMP) for Email scans attachments and URLs in emails. It may visit links to analyze the content for threats, which can register as a click.

July 2023 - Cisco
Technical article

Documentation from Proofpoint explains that their URL Defense service rewrites URLs in emails and scans the destination website when a user clicks the link. This can generate a click event before the user actually reaches the site.

December 2021 - Proofpoint