Email tracking pixels explained (and how to beat them)
The tiny 1×1 images that reveal more about you than you think
Last week we told the story of a reader who clicked on a link his wife sent him about an education service for kids. She found the link on Facebook (🚩). After clicking on the link, he got spammed by the education services company even though he never gave them his email. That was a real eye-opener for a lot of readers, who were shocked that a company can obtain your email address that easily.
We mentioned email tracking pixels in that post, but didn't go into a lot of detail. Turns out a lot of you are interested in the topic because we had a few readers reach out requesting more information.
Tracking pixels are everywhere. They're also invisible and designed to watch you. So it’s wise to understand how they work and how to defeat them if you want.
This post goes deeper than the basics covered in last week’s post.
A Short History of Tracking Pixels
Tracking pixels started out as a simple marketing tool. In the early 2000s, email marketers wanted to know if people were opening their campaigns, so they began embedding tiny 1×1 pixel images inside emails.
Each pixel was unique to the recipient. When your email client loaded it, the sender knew you opened the message. At first, that meant nothing more than “this email was read.” If they stopped there, 99% of people probably wouldn't care.
But over time, pixels became a foundation for behavioral tracking: mapping who you are, where you are, and how you respond to messages. Today, nearly every promotional email you receive contains at least one tracking pixel.
How Tracking Pixels Actually Work
Here’s the simplified anatomy of a tracking pixel:
An email is sent in HTML format (the same language web pages use).
Hidden inside is a 1×1 image tag that looks like this:
<img src="https://example.com/pixel/abc123.png" width="1" height="1" />
That URL is unique to you. When your email app requests it, the sender’s server logs:
Which recipient opened it.
The exact time.
Your IP address (which points to your rough location).
What device or email app you used.
Plain-text emails don’t allow this kind of tracking. But because most email clients default to HTML view, pixels remain the norm.
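As an added example (not code from the original post), the Python sketch below scans a raw message for the anatomy described above: a remote <img> that has 0- or 1-pixel dimensions or is hidden by CSS. The function names and the constructed sample message, including its addresses and URLs, are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def is_hidden(img):
    """True for 0- or 1-pixel dimensions, or CSS that hides the image."""
    dims = {img.get("width", "").strip(), img.get("height", "").strip()}
    style = img.get("style", "").replace(" ", "").lower()
    return bool(dims & {"0", "1", "1px"}) or "display:none" in style

def find_tracking_pixels(raw_message: bytes):
    """Return remote, hidden <img> URLs found in the message's HTML part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:  # plain-text only: nothing for the client to fetch
        return []
    collector = ImgCollector()
    collector.feed(html_part.get_content())
    hits = []
    for img in collector.images:
        url = urlsplit(img.get("src", ""))
        # cid: and data: images are embedded in the message, so no request is made
        if url.scheme in ("http", "https") and is_hidden(img):
            hits.append({"host": url.hostname, "src": img["src"]})
    return hits

def build_sample(with_html=True) -> bytes:
    """Constructed sample message; addresses and URLs are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "news@example.com", "reader@example.org"
    msg.set_content("Hello in plain text.")
    if with_html:
        msg.add_alternative(
            '<p>Hello</p><img src="https://example.com/logo.png" width="200">'
            '<img src="https://example.com/pixel/abc123.png" width="1" height="1" />'
            '<img src="cid:inline-logo" width="1" height="1">', subtype="html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_tracking_pixels(build_sample()))
```

The size check only catches the classic hidden pixel. Any remote image fetch confirms an open, which is why blocking all remote content is the stronger control.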
Beyond Marketing: Why Pixels Are a Bigger Risk
Pixels aren’t always sinister. Newsletter writers (us included) use them to measure open rates. The problem is consent and scope.
Here’s where it gets risky:
Doxxing and profiling: Malicious senders can use pixels to confirm your location, then cross-reference it with other data.
Phishing prep: Attackers use pixels to confirm that an address is real and active before sending targeted scams.
Surveillance: Employers and political groups have used pixels to quietly monitor who’s engaging with their emails.
The bottom line is that this is more than just ads. It’s also about giving away information you didn’t agree to share.
Real-World Examples
It’s one thing to talk about tracking pixels in theory. It’s another to see how they’ve been misused in practice. From email startups to healthcare giants, pixels have been at the center of controversies, breaches, and even lawsuits. Here are a few cases that show how a seemingly harmless “invisible image” can create very real privacy risks.
Superhuman (2019): The email startup Superhuman faced public outrage when it was revealed that every message sent through its platform included a tracking pixel by default. Senders could see exactly when, how often, and where recipients opened their emails. Critics called it “creepy surveillance,” and the company was forced to change its policies.
Healthcare privacy breach (2024): Kaiser Permanente disclosed that tracking pixels embedded in its websites and mobile apps leaked personal data (including names and IP addresses of 13.4 million patients) to third parties like Google and Microsoft. Similar breaches have hit Advocate Aurora and the UK’s NHS, showing how pixels can expose some of the most sensitive categories of personal information - your health data.
Class action lawsuits (Arizona, 2023–2024): A wave of lawsuits in Arizona has targeted companies embedding “spy pixels” in their marketing emails. Brands like Patagonia, PacSun, Target, Gap, and Lowe’s are accused of using hidden pixels to track when messages were opened, recipient locations, devices, and whether emails were forwarded, all allegedly without consent. These cases highlight how pixel use can cross into potential legal violations, with fines and penalties at stake.
These examples illustrate why pixels are more than just marketing overreach. When used beyond confirming an email was opened, they morph into a meaningful privacy invasion.
How to Block Email Tracking Pixels
The good news: blocking pixels is relatively simple. You just need to stop remote images from loading automatically. Your success and effort will depend on which email service you use. Here’s how the major services handle it:
Proton Mail: Blocks tracking pixels by default. Emails won’t load remote content unless you click “Load remote content.” This makes Proton Mail one of the strongest privacy-first email providers (and why it’s in our privacy stack - see here).
Tuta: Same approach; blocks external images unless you allow them.
Fastmail: Has a “Block remote images” setting, but you need to enable it.
Gmail: Proxies images through Google’s servers, which hides your IP but still confirms the open.
Outlook: Loads images by default unless you disable it.
Apple Mail: Mail Privacy Protection masks your IP and device by pre-loading pixels through Apple servers. But it still creates a “fake open,” which keeps marketers happy.
Gmail is weak when it comes to stopping email tracking pixels. Ditching Gmail is, however, a great quick privacy win for a variety of reasons (including blocking tracking pixels). If you need help kicking your Google habit, check out our De-Google Your Life Guide here (it’s been a huge hit so far, with lots of de-googling success stories already).
Do Privacy Browsers Block Email Tracking Pixels?
Not really. Browsers like Brave, Firefox, and Safari do block web trackers when you’re visiting sites. But email tracking pixels are different.
In Gmail or Outlook on the web: The browser can’t override whether those services auto-load images. If Gmail loads a pixel, Brave won’t block it.
In Proton Mail or Tuta: The service itself blocks remote images (and pixels) by default, so even if you’re using a browser, the protection comes from the email provider.
In apps like Apple Mail or Outlook: Whether pixels are blocked depends on the app’s own settings (for example, Apple Mail’s Privacy Protection feature).
✅ Bottom line: Browsers don’t stop email tracking pixels. Use an email provider or client that blocks remote images by default if you want real protection.
How This Fits Into Your Bigger Privacy Picture
Blocking tracking pixels is one of those small changes with a high privacy ROI. It stops invisible data leaks every time you check your inbox.
But it’s also part of a larger strategy. Combine pixel blocking with:
Disposable email addresses to avoid spam and profiling (see our The Inbox Firewall guide for more on disposable email address strategies, available here).
A private email provider like Proton Mail or Tuta for stronger defaults.
Use a privacy-friendly email app on desktop: Some apps (like Thunderbird with extensions, or Canary Mail) offer more granular controls over remote content and tracking.
Run your own domain for email: Having a custom domain with a privacy-respecting provider lets you control addresses more flexibly and keeps you independent of Big Tech email ecosystems.
Pair with a VPN: Even if a pixel loads, a VPN masks your real IP address and location, reducing the value of what’s leaked.
Limit newsletter sign-ups to a secondary inbox: Keep your primary inbox lean and use a dedicated account for subscriptions and promotions. This cuts down the exposure of your main identity.
Each of these moves reduces your digital footprint. Together, they stack into meaningful privacy wins, and help you to become a harder target.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.
Good write-up
DuckDuckGo also provides an email alias/forwarding service that strips trackers.