Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can a sender tell where I'm reading my mail?

Question:

Can someone who’s sent a mail to my Hotmail address tell what IP address I
actually read it on?

Maybe.

Or, to put it another way, if you’re not careful, absolutely. And they might
even be able to tell when. And it’s not just Hotmail.

I know this seems like it contradicts what I’ve said elsewhere: email cannot
be traced. Let me explain.

Become a Patron of Ask Leo! and go ad-free!

First, here’s how it happens, if you’re not careful:

  • If the email is in HTML format, and

  • If the sender, in that email, references images from a
    server that the sender controls, and

  • If you, the recipient, allow images to be shown in the mail
    you read

  • then the sender can see what IP address you were at when
    you viewed the email, and at what time you viewed the email. Of course they
    cannot tell whether you actually read it, only that the message was
    displayed.

Let me take each of those in order.

HTML formatted email is a very common way to display formatted messages. If
a message has different fonts in it, uses bold and italics, color and so on,
then it’s probably an HTML formatted message. HTML is the technology behind web
pages, but because it’s become so ubiquitous, it’s now being used for email
messages.

One of the things you can do with HTML is embed a picture in your web page,
or in your HTML formatted email. For example, this is a picture of a Hotmail
warning:

Hotmail Disabled Content Warning

Regardless of where or how you view this page – in email or on the web –
that image is encoded in the HTML such that it will be fetched from my server.
If you were viewing this as an email message, using my server logs, I can see
what IP downloaded that image, and when – effectively I can see when and from
where you read your email.

Now, note the warning message shown in that example image: “Hotmail has
disabled some of the content of this message for your protection”. What Hotmail
and most other mail programs do by default is prevent remote images
from being fetched. That means that if I’ve encoded an image into an HTML mail,
the mail programs won’t even try to get it by default. If they don’t
actually get the image, then you won’t see it, of course, but I also wouldn’t
be able to see anything about your having viewed that email.

Of course as soon as you say “show images” (or “enable all content” or
whatever terminology your mail program uses), it’ll go fetch the image from my
server.

It’s important to note that the image may not actually be visible, even if
you do show it. So called “web bugs” are typically 1 by 1 pixel transparent
images – essentially invisible. But they are images, and can be referenced
remotely in email. Once fetched, the person who encoded the email can then see
whether or not the email was opened, when, and by what IP address. It’s a
common tool email publishers use to track aggregate delivery and open rates for
mailing lists.

So let’s run down that list again:

  • If the email is in HTML format: none of this applies to plain text
    email – only rich text such as HTML formatted email has this issue.

  • If the sender’s email references remote images: It’s not enough to
    be rich or HTML email, the email must make some kind of a remote reference in
    order to be tracked, and an image or “web bug” is the simplest.

  • If you allow images to be shown: most mail programs will default to
    not showing pictures, so unless you turn images on, you’re not giving
    away any information.

  • “In general, as long as you’re careful to only display images in email
    you receive from known, trusted, sources, you’re in good shape.”

    then the sender can see the IP address and when the mail was
    viewed.
    Which, really doesn’t tell them very much either. It’s
    extremely difficult to track down an IP address to a specific person
    or machine. However spammers will often use this to ‘tag’ you … they won’t
    know specifically who you are, but they will know, for example, that “hey, that
    email address opened up my email! We got us a live one! Let’s send more spam!
    LOTS MORE!”

In general, as long as you’re careful to only display images in email
you receive from known, trusted, sources, you’re in good shape. And any good
email program won’t display images until or unless you tell it it’s ok to do
so.

So if all this tracing is possible, why do I say that tracing doesn’t
work?

Even though it’s possible, if you’re a sender of email, you simply cannot
count on it working, and the information isn’t all that useful for specific
tracing if it does.

As we’ve seen, email programs don’t display remote images by default. That
means as a sender, you get nothing – unless the recipient decides you’re
trustworthy and enables your images.

And even if you do get the IP address, as I’ve discussed in several
different articles here, the IP address is almost useless in determining
exactly who read the mail, or where they might have been at the time.

So as a sender, actually trying to trace a specific piece of email is so
unreliable as to be effectively useless.

A word about receipts.

Many email programs allow you to configure a “Read Receipt Request” or a
“Delivery Receipt Request” with an outgoing message. The intent is that when
the recipient of that email reads the mail, another email message is generated
automatically back to the sender indicating that the mail has been read.

For all practical purposes it does not work. Much like displaying images,
most email programs either ignore these requests, or at a minimum, ask first
before sending any automated reply. Most people should, and do, say “no”.

If, by some chance, you allow a read receipt to be sent, then yes, you are
allowing your IP address to be discovered, along with the time at which you
opened the email.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “Can a sender tell where I'm reading my mail?”

  1. I heard a great name for the software that purposefully inserts graphics (or “bugs”) in e-mail to get information on who opened the e-mail and what their IP address is… “ratware”. Furthermore, the graphic can have a unique ID code in the filename so that the person can not only tell the e-mail was opened, and what your IP address is, but associate that IP address and action with your e-mail address.

    One of the reasons many of the major mail clients and mail providers stopped showing graphics in e-mails was because of this. You’ve probably been told: “don’t unsubscribe from spam, because it confirms your address is valid, that you open spam, and you’ll just get more.”

    Okay, so people wised up and stopped unsubscribing. Then spammers realized they could use this trick to verify that your address was good and that you open spam.

    So now you have to approve the display of graphics in HTML e-mails on a case-by-case basis.

    Sheesh.

    Reply
  2. This is very interesting, it gives new meaning to “opening a can of worms”

    How are you able to view an image without leaving information that a hacker or person can obtain illegally?

    Reply
  3. I copied a link to send to other recipients instead of just forwarding the email sent to me. Well,when I sent it to my son I realized the link went directly to the email in my inbox! Giving the recipient access to my email!
    Why does it do that? Do I just have to forward everything that has been sent to me that I want to share with others?

    Only if they know your password, since they’d have to login first. (I assume this is webmail.)

    – Leo
    10-Mar-2009
    Reply
  4. i can across this email tracked called spypig and it tells when and where the email was opened BUT is it foolproof??? does it actually work because i have used it several times on different men from foreign countries.can i rely on this email tracking system??? check it out and reply back to me ASAP!!!!!!!!!!!!!!!!!!

    These systems are not foolproof, not 100% reliable and can be easily sidestepped. In fact most email programs are configured by default to sidestep the most common tracking techniques.

    Leo
    20-Jul-2010

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.