
July 8, 2026

Your Email Open Rates Are Lying: Bots, Scanners, and What to Measure Instead

Security scanners and Apple MPP fake most email engagement in 2026. How to screen bot opens and clicks — and the metrics that still tell the truth.

By Ian Phillips, Founder & CEO, Phillips Data Solutions

Your email open and click rates are lying to you, and in 2026 they lie more than ever. In one campaign send we monitored, 164 emails produced 154 "website visits" within fifteen minutes — nearly every one of them a security scanner detonating links, not a human reading anything. If you make decisions on unscreened email metrics, you are optimizing for robots. Here is what actually pollutes the numbers, how to screen it out, and which metrics still mean something.

Where the Fake Engagement Comes From

Four sources produce almost all of it.

1. Corporate Security Scanners

Microsoft Defender for Office 365, Safe Links, Proofpoint, Mimecast — they all open your email and click every link in it inside a detonation sandbox before the recipient ever sees it. These scanners execute JavaScript, load your tracking pixel, follow your redirects, and land on your website looking like an engaged visitor. B2B lists are hit hardest, because that is where the security gateways live.

2. Apple Mail Privacy Protection

Since iOS 15, Apple Mail pre-fetches images — including tracking pixels — for a large share of consumer inboxes. Every one of those registers as an "open" whether or not the message was ever read. For consumer-heavy lists, raw open rate stopped meaning anything years ago.

3. Machine Unsubscribes

Some filters probe unsubscribe links as part of scanning. If your unsubscribe is a bare link that triggers on GET, scanners will "unsubscribe" real prospects who never asked to leave. We have watched the same unsubscribe fire from two different IP addresses minutes apart — one scanner, one echo, zero humans.

4. Plain Bots

Scripted user agents, headless browsers, monitoring probes. Individually small, collectively noisy.

The Tells: How We Screen

We built persistent bot classification into our own CRM (the one from our HubSpot replacement build), and the screening rules generalize to any stack:

  • The scan window: engagement arriving within ~2 minutes of delivery is almost never human. Humans do not click 40 seconds after the send.
  • Bursts: three or more events from the same recipient and IP inside 10–15 seconds are mechanical.
  • Missing browser headers: real browsers send an Accept-Language header. Headless scanners frequently do not.
  • Clicks that never confirm: a click that loads the page but never fires client-side JavaScript is a fetcher, not a visitor.
  • Multi-IP echoes: the same action repeated from a different network minutes later is a scanner replaying.
  • Known scanner networks: security-gateway IP ranges are published and stable enough to match against.

Individually, each rule has exceptions. Layered, they separate humans from machinery with high confidence.
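The rules above, layered over a small event log, as an added example (not code from the CRM described in this post). The event field names, the 10-minute echo window and the two-tell threshold are assumptions; the known-scanner-network rule is left out because the post lists no ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(minutes=2)    # post: "~2 minutes of delivery"
BURST_WINDOW = timedelta(seconds=15)  # post: "10-15 seconds"
BURST_COUNT = 3                       # post: "three or more events"
ECHO_WINDOW = timedelta(minutes=10)   # assumption: the post only says "minutes later"

def screen(events, sent_at):
    """Return {event id: set of tells}; an empty set means no rule fired."""
    tells = {e["id"]: set() for e in events}
    by_source, by_action = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ts"] - sent_at[e["rcpt"]] <= SCAN_WINDOW:
            tells[e["id"]].add("scan_window")
        if not e.get("accept_language"):
            tells[e["id"]].add("no_accept_language")
        if e["kind"] == "click" and not e.get("js_confirmed"):
            tells[e["id"]].add("unconfirmed_click")
        by_source[(e["rcpt"], e["ip"])].append(e)
        by_action[(e["rcpt"], e["kind"], e["url"])].append(e)
    for group in by_source.values():   # bursts: BURST_COUNT events inside BURST_WINDOW
        for i in range(len(group) - BURST_COUNT + 1):
            run = group[i:i + BURST_COUNT]
            if run[-1]["ts"] - run[0]["ts"] <= BURST_WINDOW:
                for e in run:
                    tells[e["id"]].add("burst")
    for group in by_action.values():   # echoes: same action from a different IP
        for a in group:
            if any(b["ip"] != a["ip"] and abs(b["ts"] - a["ts"]) <= ECHO_WINDOW for b in group):
                tells[a["id"]].add("multi_ip_echo")
    return tells

def likely_human(tells, threshold=2):
    return {eid for eid, t in tells.items() if len(t) < threshold}
# Constructed sample data: documentation IP ranges, made-up recipients.
T0 = datetime(2026, 7, 8, 9, 0, 0)
def ev(i, rcpt, kind, url, ip, secs, lang=None, js=False):
    return {"id": i, "rcpt": rcpt, "kind": kind, "url": url, "ip": ip,
            "ts": T0 + timedelta(seconds=secs), "accept_language": lang, "js_confirmed": js}
SENT_AT = {"a@example.com": T0, "b@example.com": T0, "c@example.com": T0}
EVENTS = [
    ev(1, "a@example.com", "open", "", "192.0.2.10", 40),
    ev(2, "a@example.com", "click", "/pricing", "192.0.2.10", 42),
    ev(3, "a@example.com", "click", "/unsubscribe", "192.0.2.10", 45),
    ev(4, "a@example.com", "click", "/unsubscribe", "198.51.100.7", 300),
    ev(5, "b@example.com", "click", "/pricing", "203.0.113.5", 3 * 3600, "en-US", True),
    ev(6, "c@example.com", "click", "/pricing", "203.0.113.9", 90, "en-GB", True),
]
```

Event 6 trips only the scan-window rule and is kept, which is the point of layering: a fast human click survives, while events 1 to 4 each collect three or more tells.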

What To Trust Instead

Reorder your metric hierarchy:

  1. Replies — a human wrote back. The gold standard, and worth engineering your sequences around.
  2. Confirmed unsubscribes — require a button press on a page (a POST, not a bare GET). Then honor them absolutely; a confirmed opt-out is a human decision.
  3. Screened clicks — clicks that pass the rules above, especially ones followed by multi-page website sessions.
  4. Meetings booked — the metric your revenue actually correlates with.
  5. Raw opens — directional at best. Trend them; never target them.
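The confirmed-unsubscribe pattern from item 2, as an added example (not code from the post): a minimal WSGI handler where GET only renders the button and the opt-out is recorded on POST. The token scheme, the in-memory store and the `request` helper are assumptions made for illustration.

```python
import io
from urllib.parse import parse_qs

TOKENS = {"tok-constructed-1": "a@example.com"}  # constructed sample token
OPTED_OUT = set()                                # stand-in for the do-not-contact store
FORM = ('<form method="post"><input type="hidden" name="t" value="{t}">'
        '<button>Confirm unsubscribe</button></form>')

def unsubscribe_app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        # Safe method: only render the button. A scanner following the link changes nothing.
        token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
        ok = token in TOKENS  # only known tokens are echoed into the form
        status, body = ("200 OK", FORM.format(t=token)) if ok else ("404 Not Found", "unknown link")
    elif method == "POST":
        # The state change happens only here, after a button press on the page.
        size = int(environ.get("CONTENT_LENGTH") or 0)
        token = parse_qs(environ["wsgi.input"].read(size).decode()).get("t", [""])[0]
        if token in TOKENS:
            OPTED_OUT.add(TOKENS[token])
            status, body = "200 OK", "You are unsubscribed."
        else:
            status, body = "400 Bad Request", "invalid token"
    else:
        status, body = "405 Method Not Allowed", ""
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]

def request(method, query="", data=b""):
    """Drive the app in-process (no socket); return (status, opted-out list)."""
    seen = []
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    unsubscribe_app(environ, lambda status, headers: seen.append(status))
    return seen[0], sorted(OPTED_OUT)
```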

Dirty engagement data is a cousin of the dirty-CRM-data problem we covered in Dirty CRM Data: Why It Costs You Deals — and it has the same failure mode: automation built on polluted signals makes confident, wrong decisions at scale. A lead-scoring model fed scanner clicks will happily route robots to your sales team.

Deliverability Is the Other Half

Screening fixes your analytics; hygiene protects your sending reputation:

  • Honor unsubscribes fast — within the hour, not the next batch.
  • Stop on bounce immediately, and mirror hard bounces into a global do-not-contact list that survives re-imports.
  • Watch bounce and unsubscribe rates as trends — they are early warnings on sender reputation, and unlike opens, they are hard to fake.
  • Include the legally required physical address and working opt-out in every commercial email. Compliance failures compound quietly.

The Takeaway

The uncomfortable truth: most SMB email dashboards report scanner activity as engagement, and most teams have never checked. Screen your events, trust replies and confirmed actions, treat opens as a trend line, and keep your list hygiene automatic. Your campaign decisions will get better the moment your data stops lying.

Ready to automate? Start a free discovery at www.phillipsdatasolutions.com/contact
