Guide

Track Email Opens, Clicks, and Replies

Enable open, click, and reply tracking when you send email, then receive each event over a webhook — all from the terminal. This guide sends tracked mail, wires the message.opened, message.link_clicked, and thread.replied triggers, verifies the signatures, and explains why open rates overcount.

Written by Nick Barraclough Product Manager

Reviewed by Qasim Muhammad

Updated June 9, 2026

Verified — CLI 3.1.17 · Gmail, Outlook · last tested June 9, 2026

How do I track when someone opens or clicks an email?

You enable tracking at send time with two flags on nylas email send: --track-opens embeds a tracking pixel, and --track-links rewrites links so clicks are recorded. Add --track-label to tag a campaign so you can group events later. Tracking is off unless you ask for it.

nylas email send \
  --to prospect@example.com \
  --subject "Following up" \
  --body "Did you get a chance to review the proposal?" \
  --track-opens --track-links --track-label "q3-outreach" --yes

Run nylas email tracking-info to see the three event types and the flags that enable them. Opens and clicks are delivered asynchronously over webhooks, not returned inline at send time, so the next step is where the data actually arrives.

How do I receive open, click, and reply events?

You receive tracking events by registering a webhook for the three tracking triggers. The nylas webhook create command points an HTTPS endpoint at message.opened, message.link_clicked, and thread.replied in one call. Each event arrives as a POST with the message ID, a timestamp, and event-specific data.

nylas webhook create \
  --url https://your-server.example.com/email-tracking \
  --triggers message.opened,message.link_clicked,thread.replied \
  --description "outreach tracking"

An open event carries the recipient IP and user agent under a recents array; a click event lists each tracked URL with a click count. Your handler should be idempotent, because the same open can be reported more than once as a recipient re-views the message.

How do I verify tracking webhooks are authentic?

Verify every incoming webhook before you trust its contents — an unauthenticated endpoint will accept forged open and click events from anyone who finds the URL. The nylas webhook verify command checks a payload's HMAC-SHA256 signature against your signing secret locally, so you can confirm the mechanism before wiring it into your server.

# Verify a captured raw payload + signature against your webhook secret
nylas webhook verify \
  --payload-file event.json \
  --signature "$X_NYLAS_SIGNATURE" \
  --secret "$WEBHOOK_SECRET"

In production, compute the HMAC-SHA256 of the raw request body with your secret and compare it to the signature header using a constant-time check. Reject any request that doesn't match with a 401 before parsing the body. The dedicated signature verification guide shows the server-side code for each language.

Why are email open rates unreliable?

Open rates overcount because tracking pixels are pre-fetched and blocked, not viewed. Since 2021, Apple's Mail Privacy Protection pre-loads the tracking pixel for every message on receipt, registering an “open” the recipient never made, per Apple's Mail Privacy Protection documentation. Corporate image proxies and plain-text clients pull the opposite way, suppressing real opens.

Replies are the reliable signal. A thread.replied event requires the recipient to actually respond, so it can't be faked by a pre-fetch or hidden by a proxy. Weight your outreach logic toward replies and clicks, and treat the open rate as a soft directional metric, not a count of human attention.

How do I test tracking webhooks locally?

Test locally by running the built-in receiver, which prints each event to your terminal so you can inspect the exact payload shape before deploying a handler. The nylas webhook server command starts a local endpoint; point a tunnel at it, send a tracked email to yourself, and watch the open and reply events land in real time.

# Start a local receiver, then send yourself a tracked test email
nylas webhook server --port 9000

Next steps

Email read receipts: API options compared — how open tracking differs from true read receipts
Webhook signature verification — server-side HMAC checks for every language
Email webhook events reference — every trigger type and its payload
Test email webhooks locally — tunnel events to your machine during development
Command reference — every flag, subcommand, and example
Apple Mail Privacy Protection — why pixel-based open tracking overcounts since 2021
Images in Gmail — Gmail proxies and caches images, which also distorts open counts