Fingerprinting + Security Warning = 2 reasons for placing email-trackingpixels on HTTPS

About three years ago I wrote a posting about how to determine what email clients (“mail user agents”) your subscribers are using. Including a Referrer-list for webmailers, User-Agents for desktop clients and a simple tracking pixel code. This so called fingerprinting providers senders with interesting stats about their subscribers like those shown in the figure to the right. Though it needs some update. But first: Why do so?


  • If you e.g. know that only a small percentage reads your emailings using Outlook 2010/2007, you perhaps could rely more on animated GIF-graphics. From which Outlook would only display the first frame.
  • If noone uses Gmail, why not factorise inline styles into centralized style sheets and lose some email weight? This not only cares for mobile bandwidths. But maybe also prevents message truncation in Gmail or Yahoo! Mail. (Both cut at a certain size; the full email – maybe including your bottom-based openingpixel – will load only on request).
  • And so on.

Each client has its drawbacks which restricts you when designing your newsletters. But theoretically, you only have to take them into account if they own a certain market share. Evidently it’s worth knowing. And here’s how you can gain that knowledge.

Fingerprinting Tools: Litmus & CampaignCog

Today, email senders can use various tools to find out more aboout their recipients. Some may call it “advanced email analytics” – although I’d put a much broader knowledge-discovery-scope around this term. These tools include Litmus Email Analytics and the free copycat CampaignCog. They both ask you to implement additional tracking-code in your campaigns which looks like this:


@media print{
#_t {
background-image: url('https://___DOMAIN___/_ID_');
div.OutlookMessageHeader {
table.moz-email-headers-table {
blockquote #_t {


<div id="_t"></div>
<img src="https://___DOMAIN___/___ID___" alt="" border="0">

The snippets are meant to be placed behind the <BODY>-tag. So you see the method uses special style sheets wih transparent background-trackingpixels that get triggered only on certain user actions in some mail user agents. For example forwarding an email in Thunderbird naturally adds a table of the class table.moz-email-headers-table to the email – and our snippet enriches this with a trackingpixel. Same goes for printing an email which should trigger the media-query. That’s all cool. But quite unreliable and not representative for all of your subscribers.

Use HTTPS://-Webbugs (1) to fingerprint …

Really useful is the part at the end – the <img>, a streaming tracking-pixel. It reports you how long emails where opened. By this, Litmus found out that emails are opened about 2 seconds on average. Which stands in sharp contrast to the 51 seconds Jakob Nielsen determined 2006 in a usability experiment. And which may also totally differ from the viewing time of your newsletters. Wouldn’t it be interesting to know how many readers just skim your newsletters and how many read it to the end? Try out “advanced” analytics!

But there’s another thing I want to draw your attention to. Note that the pixel is referred on a secure HTTP-connection as denoted by the HTTPS. This is important. Because more and more email recipients use a Secure Socket Layer. In Gmail it’s used by default since 2010-01-13, Facebook recommends using it etc. And your pixel will only get the Referrer when it’s also available on HTTPS. The referrer is what tells you about the webmailer in which you email was opened. No referrer, no (webmailer)-fingerprinting. You find common webmail-referrers and a PHP-code example for a trackingpixel in my previous article I mentioned at the beginning. (Not that I’m a programmer; but it may be useful anyway.)

Don’t believe that there is any difference? I ran a quick test yesterday. Here’s the

  1. mailing plus
  2. pixel-code plus
  3. result in Gmail:


<html> <head></head> <body>
    <div style="width:1000px;">
      <img src="https://___/pixel.php" width="1000"
    <div style="width:1000px;">
      <img src="http://___/pixel.php" width="1000"
</body> </html>

Webbug-Code to print the Referrer

<?php $referrer = getenv ("HTTP_REFERER");
Header ("Content-type: image/gif");
$im = imagecreate (1000, 30);
$black = ImageColorAllocate ($im, 0, 0, 0);
$white = ImageColorAllocate ($im, 255, 255, 255);
ImageTTFText ($im, 8, 0, 10, 20, $white, "./arial.ttf",
ImageGif ($im);
ImageDestroy ($im);
exit(); ?>

Result in Gmail

Gmail Referrer - Email without imagesGmail showing the referrer from SSL to SSLAs you see: From HTTPS to HTTPS the referrer is shown, whereas it stays hidden when pointing from HTTPS in Gmail to a webbug on HTTP. If you store this information to your database, you’ll have some nifty statistics about the webmailer usage within your target groups.

… and (2) to prevent Internet Explorer warnings

Another drawback of HTTP-webbugs was AFAIK first mentioned by Rob Interactive: The Internet Explorer throws an annoying warning when users read your emails on a secure HTTPS-connection and your newsletter refers to elements on a non-secure HTTP-connection. Marketers can override this, too, by locate their resources – including the webbugs – on HTTPS. Continue reading on his blog or – for German readers – on to learn more.

PS: Make sure your certificate is valid

If you uses HTTPS for your email marketing, make sure that everything runs smoothly. Otherwise your recipients will surely be confused and concerned by warning mesages from their mail user agents. Like in today’s email from LOFT. I opened it in Thunderbird; and got the following error message:

The details make things clear: is signed, but not the email-subdomain:


Enjoyed this one? Subscribe for my hand-picked list of the best email marketing tips. Get inspiring ideas from international email experts, every Friday: (archive♞)
Yes, I accept the Privacy Policy
Delivery on Fridays, 5 pm CET. You can always unsubscribe.
It's valuable, I promise. Subscribers rate it >8 out of 10 (!) on average.

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

All information is voluntary. Your email address will not be published. When commenting, you agree that your IP address will be processed and stored by Askimet in the U.S. for the purpose of recognizing comment-spam.