How can email-tracking services track emails in Google
Some email-tracking services use tracking pixels to detect whether an email was opened. The idea is to add an HTML img tag with an src attribute that links to a 1x1 or 0x0 pixel image to the email body. That link uniquely identifies the email.
It looks like this: https://emailtracker.com/trace/mail/{randome-unique-id}. So whenever the user clicks the email, the browser will request the tracking URL of the image, which will then trigger and notify the person who sent the email.
After I used one of those services in my Gmail, I opened the inspector to see what the tracking pixel looked like. And to my great astonishment, this is what I found:
As you can see, the tracking pixel is a 0x0 pixel image. But its src was changed by Google!
The image was uploaded to Google servers googleusercontent.com. The dark part is a part of a long string that identifies the image in the Google servers. Meanwhile, the red part is the URL to the actual image hosted in the servers of the tracking service (the real link). But what is weird is whenever I open the email, I still get a notification that it was opened, even though the request was made to the Google servers!!
I would like to know how the service could detect that the email was opened even though the src of the tracking pixel was changed, and it points to a server other than theirs.
NB: Google changed the src of all the images in the email, so this is not a security protocol to protect from email-tracking services.
