This only seems to work against tracking information in parameters. You can put the tracking info into the root URL. For a particularly egregious example of this see the EFAIL attack where entire decrypted messages were being sent back to the attackers in the root URL:
I doubt that HTML emails can ever be made secure in general. You are likely vunerable to a wide range of attacks and leaks if you allow images to load in your email no matter how much you attempt to sanitise things.
Some email clients try to block tracking by not download images unless the user requests images for a specific email.
- MS Outlook does this. Google gmail does this for some clients.
Other email clients automatically download all image references in email to a proxy server hosted by the email provider. If the user enables images for an email, the images are downloaded from the proxy server, not the sending server. This means that download logs are useless for tracking.
This means that download logs are useless for tracking.
Depends what sort of tracking you mean. Google still only proxies the image download if you open the mail, so it can be used to track opens (which Gmail likes because they want people to auto delete non-engaging subscribers). You can't track the end user's location or IP though, which may be enough for most.
* https://efail.de/
I doubt that HTML emails can ever be made secure in general. You are likely vunerable to a wide range of attacks and leaks if you allow images to load in your email no matter how much you attempt to sanitise things.