[milsebg]

> I always assume these trackers use some hidden pixel image when sending emails - but how can they trace the exact person who opened the email?

Apparently they use a hidden pixel, i.e. a separate tracking code, for each recipient. There was a discussion about this feature in Super Human: https://blog.superhuman.com/read-statuses-bdf0cc34b6a5

[pwncake]

Correct, even if you look at the URL on each link it will have IDs and tracking code embedded to be able to see who clicked what link and very rarely go straight to the actual URL it is referring to without a hop or two.

[epimetheus2]

how would that work? so every recipient would receive different email content with different pixel?

[kedean]

Sort of. It doesn't have to be a traditional file or anything, so it helps to think of it as a unique URL being accessed instead of a different pixel. What makes it work is the client automatically loading all images, which means the user accesses the URL automatically as well. It stops working if the client uses features that disable automatic image loading.

You could implement this by sending each email with an img tag that has a unique url, such as https://foo.bar/baz/id_1.jpg, which the server will route under the hood to a script. The script stores the fact that someone visited id_1, assumes it must have been the recipient since only they have the URL to get to it, and responds with image data to make the whole thing seamless.

[RegnisGnaw]

Yep. Each user gets an email unique to them.

[epimetheus2]

wouldn't then CC, BCC and TO headers not fit? and emails form different thread, i.e. in gmail?

[Tomte]

The headers are totally irrelevant for the actual delivery of the mail. For delivery the so-called envelope is relevant (MAIL FROM, RCPT TO).