It's Time to Re-Evaluate Your Email Marketing Reports

A contact of mine shared some email campaign data recently and asked for my take. On the surface, everything looked healthy: 8,500 recipients, an average 24% click rate. That’s a number that would make any email marketer feel good about what they were seeing in their dashboard.

But they were concerned that new technologies that could check links in advance were artificially elevating their click rate. I suggested a test: add a hidden link to one of their sends — invisible to human readers, but crawlable by automated systems. The result was that on their next send, 691 of the total reported 968 clicks had come from that hidden link.

That meant that their actual email click rate, once the bot traffic was filtered out, was only 7%.

If this is the first time you’re hearing about email click rate inflation, you’re not alone! And if you’re wondering whether your own numbers might be affected, I’m here to say that sadly they probably are. Let’s look at what’s happening, why it happens, and what you can do about it.

Email metrics have two related problems that hit different parts of your report.

Problem one: Apple Mail Privacy Protection broke your open rates.

Apple launched Mail Privacy Protection (MPP) in September 2021. If you hadn’t heard of it until right now, you’re not alone. Many marketers who do email as part of a broader role have never had to deal with MPP, and I want to make sure we’re starting from the same place before getting to the click rate issue.

Here’s what MPP does: when someone uses the Apple Mail app on their iPhone, iPad, or Mac, Apple’s servers pre-load the content of that email, including the tracking pixel that registers an open, before the recipient ever sees it. That action means that your email is recorded as being opened every single time, regardless of whether a human actually read the email.

This is why open rates have been unreliable since 2021 for any list with Apple Mail users. If you’ve noticed open rates that feel suspiciously high, MPP is likely part of the story.

You might have also heard that Apple’s MPP causes click rates to be over-reported, but that isn’t the case. MPP pre-loads images and does not pre-fetch links. The click inflation problem comes from security scanners, which are an entirely separate problem.

Problem two: email security scanners are inflating your click rates.

Corporate email security tools, which include programs like Microsoft Defender Safe Links, Barracuda, and Mimecast, will automatically click every link in an incoming email before it reaches the recipient. They do this to check for malware, phishing URLs, and other threats. While that is a legitimate security function, the result is that from your email tracking’s perspective, those clicks look identical to a human clicking a link.

The result is that for lists with significant B2B or corporate subscribers and anyone whose email goes through a security gateway, a share of your reported clicks were never human clicks at all. The size of that share depends on how many of your users have this kind of technology involved in their email stack.

Let me show you what this looks like in practice, using the data my contact shared (with permission).

This is a healthy, engaged list with completely organic signups, nothing purchased. Here’s what the campaign initially reported:

• Recipients: 8,505
• Reported clicks: 968
• Reported click rate: 24%

That’s a great click rate! It looks like the content really resonated.

Unfortunately, here’s what the hidden link test revealed:

• Clicks on the hidden link (automated): 691
• Real human clicks: 277
• Click rate among the non-bot segment: 7%
• Fake clicks as a share of all reported clicks: 71%

About 8% of the list’s recipients triggered the hidden link, which means that roughly 1 in 12 people had their email scanned by an automated system that clicked every link it found, including the one invisible to human readers.

These numbers are borne out by the research as well. Mailchimp’s own research puts bot-generated clicks at roughly 1 in 5 under basic detection methods, rising toward 50% with layered detection. Brevo measured a 9.4% drop in click rate when they enabled bot filtering on their own newsletter. The exact numbers vary, but the direction is consistent: bot clicks are a substantial share of what email dashboards report as engagement.

This means that if you’re working with a list that has a lot of corporate email addresses or generally targets a B2B audience, you’re going to run into more reliability issues when it comes to click rates. That being said, I’d suggest that no matter who you target, it’s worth taking a second look at your email marketing metrics.

Let’s walk through the test my contact ran, because it’s something you can set up yourself.

The technique is sometimes called a honeypot link. The idea is that you embed a link in your email with text the same colour as the email’s background, so it’s invisible to human readers. Email security scanners crawl the full HTML of the email and will find and click it anyway.

Anyone who “clicks” the invisible link is, by definition, not a human reader. That’s your bot segment.

Here’s how to approach it:

The destination URL: It can point to any URL you want, but I recommend using a distinct page, specifically one that doesn’t appear anywhere else in the email. This will make the bot traffic easy to identify in your analytics.

Hiding the link: Wrap the link text in an inline style that sets the font colour to match your email’s background — typically white on white. The text has to be in the HTML as scanners read the source, but ideally it won’t be visible in the rendered email.

Where to put it: Put it as far down as you can in the email footer, away from any real content. You want to minimize the chance a human ever encounters it accidentally.

What to do with the results: Pull a list of every subscriber who clicked the hidden link. That’s your bot segment. Everyone who didn’t click it is your real-human engagement segment. Report click rate on the human segment only, and you’ll have a number that reflects actual reader behaviour.

Once you’ve identified your bot segment, here’s how to use that information.

Build persistent segments: Most email service providers (ESPs) let you create an audience based on who clicked a specific link. Create two: “automated clickers” (everyone who hit the honeypot link) and “human engagers” (everyone who didn’t). Report on the human engager segment going forward. Your click rate will drop, but that’s okay. You’re helping establish directional accuracy for your email data.

Check whether your ESP already has filtering: Some platforms might already be doing a version of this for you.

• Mailchimp: Bot click filtering on by default since August 2025, with multilayer detection
• Klaviyo: Configurable filtering — the most flexible option
• Beehiiv: “Verified Clicks” feature shows both filtered and unfiltered views
• Constant Contact: Basic filtering on by default
• ActiveCampaign: BotSense feature, available on Pro and Enterprise plans
• Brevo: Available but disabled by default — you’d need to enable it manually
• Kit (formerly ConvertKit): As of early 2026, no bot click filtering at all, and unfortunately this is what I use!

If you’re using Kit, the honeypot technique is currently your only option for getting cleaner click data.

You might be wondering that if your ESP already filters bots, do you actually need to bother with the hidden link test? If you’re just pulling basic reports, you’re probably fine. But if you’re curious as to which subscribers are triggering automated clicks, that honeypot test will give you subscriber-level data. You can then use that segment for list health decisions, suppression logic, or keeping separate from your core engagement reporting.

Resetting expectations with stakeholders: If you’ve been reporting a 24% click rate and you’re about to start reporting 7%, make sure to prepare for that conversation. I’d recommend framing it with something along the lines of “we improved our measurement methodology.” And that’s true, you did! The new number is more accurate and the old number was inflated. Yes, the new number is lower but it’s more trustworthy and a better representative of actual email subscriber behaviour. I will always pick a lower number I know is more reliable than a higher number that is probably incorrect.

The click rate problem isn’t going away on its own, but that doesn’t mean that you should stop reporting on click rates entirely.

Of course it’s unpleasant to learn that 71% of the clicks on your nicely curated list are bots. But this honeypot test will give you something you couldn’t see before, and that’s which subscribers are responsible for the inflation, and what your real engagement actually looks like. That’s useful information you can use going forward.

Remember, our goal is never a perfect number, instead it’s a number we can trust. And when you have that, you can make real decisions about which content is actually connecting, who’s actually engaged, and whether or not your list is healthy.