Privacy with Read Receipt and Link Tracking

How do read receipts and link tracking work? I’m concerned about the privacy of my messages, and the anonymity of my recipients. Spying ain’t cool!

On that note, how can I prevent others from finding out I read their message or clicked their link?

Hey there! We care about privacy too. That’s one of the reasons Mailspring exists; to provide some of these features without actually exposing your data, or that of your recipients, to others. (Some email clients do, which is just not cool. :angry:)

If you’re only looking for how to use these features, see this answer:

How Read Receipt/Open Tracking Works

Mailspring performs open tracking in the same way it is performed across the industry. When you send an email with open tracking enabled, we add a 1 square pixel (1px by 1px) image to the end of your email. When the recipient opens the email, the image is loaded, and that involves a request to our servers. This request allows us to deduce that the email has been opened.

The only information we receive is that which is normally associated with a web request, plus any information that we attached to the image source URL (such as the message ID). We do NOT store information about the recipient or the message contents, nor can we acquire such information from the information attached to the tracking URL.

Recipients who are concerned about their privacy can configure their mail client to not automatically load images when they open an email. Many email clients offer this feature (including ours).

How Link Tracking Works

The same principles work for link tracking. We create a new link on our servers with some additional information to associate it with a message and recipient.

When the link is opened in a browser, the user’s browser briefly visits our server, and the server knows this. The user is immediately redirected to the link originally provided, and Mailspring reports to the sender that the link was clicked.

Where does the message ID come from?

For each email in your mailbox, Mailspring hashes the headers to create a unique ID, and it associates its own metadata with that ID—it does not send the messages, their headers, or other identifying message data to the cloud.

The recipient ID is created by hashing the receipient email address.

In both cases, the hash can never be decrypted. A hash is something like a shredder that creates a unique value from some of the pieces, while throwing most of the information away.

Prove It.

Only fair! To demonstrate this, I sent an email to myself, and included a link in it.

The tracking pixel at the end of the email has the URL: https://link.getmailsp= b407742&recipient=3DY29kZW1vdXNlOTJAb3V0bG9vay5jb20%3D. You can see three pieces:

  • The Message ID: BE1B1C1E-9FF0-49EC-A6FA-F81F716D7D99
  • The sender: 3Df=b407742
  • The recipient: Y29kZW1vdXNlOTJAb3V0bG9vay5jb22

That’s all the information the server receives. There’s no way for the Mailspring service to ever find out what the message says, or who the recipient was.

Meanwhile, consider the tracked link in that same email. The link - might be turned into There’s three pieces of information here:

  • The Message ID: BE1B1C1E-9FF0-49EC-A6FA-F81F716D7D99
  • The link to be visited: (there are special codes for some symbols in URLs.)
  • The recipient: Y29kZW1vdXNlOTJAb3V0bG9vay5jb22

Same message, same recipient, but there’s no way you would ever be able to know what the message was, or who the recipient is. When anyone visits that URL, the Mailspring service notices that the (apparent) recipient Y29kZW1vdXNlOTJAb3V0bG9vay5jb22 clicked the link in BE1B1C1E-9FF0-49EC-A6FA-F81F716D7D99.

The sender’s Mailspring client on their machine asks the server for this information. The client alone knows which message and recipient are associated with those IDs. The server never sees the message or recipient information.

1 Like