Securing Your Image

You put a lot into picking the best images for your email creative. You make sure they look great in mobile and desktop client layouts. You even include a tracking pixel to gain valuable insight into how subscribers engage with your email.

Your subscriber opens your email, and sees a browser warning icon in the address bar. They click the icon and see this:


Browser warning for Yahoo! Mail in Firefox

Or this:


Browser warning for Yahoo! Mail in Chrome

Why are your subscribers getting security warnings from viewing your email?! The reason is although you picked a great image and tracking pixel, you delivered them via an insecure connection using HTTP instead of HTTPS.

This browser warning is due to mixed passive content. Mixed passive content is when a secure website using HTTPS loads an insecure resource, such as an image, using HTTP. The subscriber’s browser is telling them that although they think they’re using a secure website, they actually are not because there is insecure data. Thus malicious third parties could view the image and even modify it.

More and more ISPs are defaulting users to secure web access, including Yahoo! Mail and As these webmail clients are HTTPS sites, any rendered email using HTTP images will trigger the mixed passive content browser warning. Furthermore, these ISPs will not tell your tracking pixel details about the subscriber as they do not trust your insecure image server . Yahoo! and will tell your tracking pixel that it was requested, but provide no specifics that can tell you that Yahoo! or was used by your subscriber.

So there are three large downsides to using HTTP images and tracking pixels:

  1. Malicious third parties can intercept and modify your images.
  2. Subscribers may see browser security warnings.
  3. You receive little information from your tracking pixel.

Return Path’s Email Client Monitor helps you avoid these issues by providing a secure HTTPS tracking pixel to each and every Return Path customer. Email Client Monitor offers powerful custom tagging combined with a secure pixel to ensure you know which subscribers are using specific email clients. Starting this week we are defaulting new Email Client Monitor customers to secure HTTPS tracking pixels. If you are an existing Email Client Monitor customer, we suggest you switch to the secure HTTPS tracking pixel as well. All you need to do is switch ‘http’ to ‘https’ in your tracking pixel URL.

If you are using insecure HTTP images for your email creative, consider looking into secured HTTPS images as well. There are many misconceptions about HTTPS, so we recommend investigating it with an open mind. The industry as a whole is valuing security, as shown by Google giving preference to HTTPS sites in search rankings, so moving to HTTPS will reap many rewards for you beyond email.

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time