Here is a number that should change how you think about your email program: more than half of the clicks recorded in B2C email campaigns are not performed by humans. In B2B, the average is around 75% - and it is not unusual to see individual sending programs where NHI clicks exceed 90%. And in the past six months alone, the B2C rate has grown by ten percentage points.
These are not estimates based on a small sample. They come from Omnivery's Bot Detection API, which processes engagement data across high-volume sending programs using 20+ proprietary datasets developed over more than eight years. The scale of non-human interaction (NHI) in email is not a fringe problem affecting a few unlucky senders. It is the default state of email engagement data in 2026.
Non-human interactions are opens and clicks registered in your tracking system that were not performed by a human recipient. The term is specific to email - it is not the same as web bot traffic, and the detection methods are entirely different (more on that in a separate post). In email, NHI comes from three primary sources.
Security scanners at mail gateways. Enterprise email security platforms - Proofpoint, Mimecast, Barracuda, Microsoft Defender - routinely follow every link in every inbound message before the recipient sees it. The purpose is threat detection: if a URL resolves to a malicious site, the scanner can block or warn before a human clicks. The side effect is that your click tracking records an interaction that carries zero purchase intent, zero reading signal, and zero human behavior. It just looks like a click.
Apple Mail Privacy Protection. Since iOS 15 and macOS Monterey, Apple's mail client routes opens through Apple's proxy servers and pre-loads every tracking pixel - regardless of whether the recipient has opened or read the email. Ninety-nine percent of NHI opens come from Apple MPP. Crucially, because Apple publicly documents its proxy infrastructure, suppressing these automated opens is straightforward - any competent ESP should be handling this automatically. NHI opens are largely a solved problem. NHI clicks are not.
Botnets. Organized automated click campaigns target email specifically to commit ad fraud. Publishers and newsletter operators who monetize through ad networks are paid based on clicks and impressions. Botnets simulate that activity at scale - diverse IP addresses, realistic user agents, plausible click timing distributions - to generate fraudulent revenue. Without purpose-built detection, these clicks are indistinguishable from human traffic.
The gap between B2B (75% NHI) and B2C (50%+) comes down to how enterprise mail gateways handle volume.
In B2C, a security gateway receives enormous volumes of identical or near-identical messages - millions of copies of the same campaign arriving across its user base. At that scale, clustering is efficient: scan a representative sample, confirm the URLs are safe, apply the result across the batch. The gateway does not need to follow the link in every individual message when it has already seen the same link ten thousand times that hour.
In B2B, the volume dynamic is completely different. Even a large enterprise with 100,000 mailboxes receives relatively few copies of any given message - the clusters of similar messages are too small and too infrequent for sampling to be practical or safe. The cost of a false negative - a malicious link that slips through because it was not in the sample - is too high. So the gateway scans every message individually. Every link in every email gets followed. The result is that B2B senders see their click data contaminated at a higher rate, across virtually every recipient in their program.
This is why B2B marketing teams frequently notice click rates that feel implausibly high, or see clicks arrive in clusters within seconds of sending - before any human could plausibly have opened and read the email. The 75% average masks significant variance: programs targeting enterprise audiences with advanced email security deployments routinely see 90% or more of their recorded clicks coming from non-human sources.
Ten percentage points of growth in B2C NHI over six months is significant. There are two drivers.
First, the adoption of enterprise email security continues to expand. Platforms like Proofpoint and Microsoft Defender for Office 365 are becoming standard infrastructure even at mid-market organizations. More organizations using link-scanning gateways means more automated link following on inbound email.
Second, botnet activity targeting email is growing, specifically in the context of newsletter monetization and ad network payouts. As email newsletters have become a serious business - with paid subscriptions, sponsorships, and CPM advertising - the financial incentive to deploy automated click fraud has grown with them. The economics are straightforward: a botnet that generates fraudulent clicks on a newsletter receives real money through the ad network payout as long as it goes undetected.
Before going further, it is worth separating the two types of NHI, because they are not equally hard to solve.
NHI opens - primarily Apple MPP - are well-understood and largely manageable. Apple publishes its proxy IP ranges. Every serious ESP should be suppressing Apple MPP opens from engagement metrics automatically. If yours is not, that is the first thing to fix, and it is not technically complex.
NHI clicks are the hard problem. Security scanners, botnets, and inbox tracking tools do not announce themselves. They do not operate from documented, static IP ranges. They actively vary their behavior to blend in with legitimate traffic. The 50% B2C and 75% B2B figures cited above refer primarily to click data - the engagement signal that email marketers rely on for segmentation, deliverability decisions, A/B testing, and ad network payouts. This is where purpose-built detection matters.
The practical consequences depend on what you use engagement data for.
Segmentation and deliverability decisions. If you are suppressing low-engagement recipients based on opens and clicks, you are making those decisions on data that includes automated interactions. Recipients who appear inactive may have had their links scanned - and never actually saw the email. Recipients who appear highly engaged may have been scanned by security infrastructure, with no human action behind those signals.
A/B testing. Click rate comparisons between subject lines, content variations, or send time experiments are all distorted when a significant share of clicks comes from security scanners that fire regardless of human behavior. A variation that "wins" on click rate may have simply been sent to a slightly larger proportion of recipients using gateway scanning infrastructure.
Deliverability monitoring. Spam rates and complaint rates are calculated against total engagement volume. If NHI is inflating your click totals, your complaint rate - complaints divided by total engagement - appears lower than it actually is. You may have less of a safety margin than your metrics suggest.
Ad network payouts. If your revenue depends on clicks generating ad impressions or CPM payouts, botnet activity directly costs you money through fraudulent claims by platforms that do not reimburse for NHI. Beehiiv, a major newsletter platform, identified and quantified this exposure using Omnivery's Bot Detection API - and found it amounted to over $2 million per month.
Automations and triggered flows. This is the consequence that gets the least attention but may cause the most direct, immediate damage - and it operates in both directions.
The obvious direction: bot clicks trigger flows they should not. Modern email programs fire automations on click events: click a link → enter a nurture sequence. Click a product → receive a follow-up offer. Click an interest indicator → trigger a sales alert. Click a promotional link → receive a discount code. When a security scanner follows every link in an email, it triggers every click-based automation those links are connected to. The recipient's security gateway clicked the "interested in pricing" CTA - so your CRM marks them as a hot lead and your sales team follows up with someone who never expressed any interest. The gateway clicked the promotional link - so your automation sends a 20% discount to a recipient who never saw the original email.
The less obvious direction - and in many programs the more damaging one - is that bot clicks suppress flows that should have fired. Re-engagement and win-back automations are built on absence of engagement: if a subscriber has not clicked in 30 days, send a follow-up with a stronger incentive. If there has been no engagement in 90 days, trigger a sunset sequence. If the subscriber remains inactive after a win-back attempt, suppress them.
All of this logic breaks when a security scanner clicked something last week. The subscriber who has not actually read an email in three months appears engaged in your system - their gateway clicked a link, and your platform recorded it as a human interaction. The re-engagement flow never fires. The win-back offer never sends. The sunset sequence never runs. The subscriber stays in your active list, continues receiving emails they are not reading, and your list hygiene deteriorates silently while your metrics suggest everything is fine.
In a program where 75% of B2B clicks are non-human, a large portion of your "engaged" audience may be engaged only in the sense that their security infrastructure is doing its job. The dormant subscribers who should be receiving re-engagement offers - or being suppressed to protect deliverability - are invisible behind a wall of automated scanner activity. Filtering NHI is not just about preventing the wrong automations from firing. It is about allowing the right ones to fire at all.
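The effect described above can be reproduced on a small click log. The sketch below is an added example, not Omnivery's detection logic or code from this article: it flags clicks that land within seconds of the send or that sweep several links of one message at once, then recomputes who is due for the 30-day re-engagement flow. The thresholds, field layout and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (illustrative only, not taken from any vendor).
MIN_HUMAN_DELAY = timedelta(seconds=10)  # faster than this after send: treat as NHI
BURST_WINDOW = timedelta(seconds=5)      # several distinct links inside this window
BURST_LINKS = 3                          # ...counts as a scanner-style link sweep
INACTIVE_AFTER = timedelta(days=30)      # the 30-day re-engagement rule from the text

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample events: (recipient, message_id, sent_at, clicked_at, link)
CLICKS = [
    ("ana@corp.example", "m1", t("2026-03-20T09:00:00"), t("2026-03-20T09:00:02"), "/pricing"),
    ("ana@corp.example", "m1", t("2026-03-20T09:00:00"), t("2026-03-20T09:00:03"), "/blog"),
    ("ana@corp.example", "m1", t("2026-03-20T09:00:00"), t("2026-03-20T09:00:03"), "/unsubscribe"),
    ("ben@shop.example", "m1", t("2026-03-20T09:00:00"), t("2026-03-20T11:42:10"), "/pricing"),
    ("ana@corp.example", "m0", t("2026-01-05T09:00:00"), t("2026-01-05T13:15:00"), "/blog"),
]

def classify(clicks):
    """Return [(click, is_nhi)] using send-to-click delay and link-sweep heuristics."""
    groups = defaultdict(list)
    for c in clicks:
        groups[(c[0], c[1])].append(c)  # group by recipient and message
    out = []
    for group in groups.values():
        group.sort(key=lambda c: c[3])
        span = group[-1][3] - group[0][3]
        sweep = len({c[4] for c in group}) >= BURST_LINKS and span <= BURST_WINDOW
        for c in group:
            too_fast = c[3] - c[2] < MIN_HUMAN_DELAY
            out.append((c, sweep or too_fast))
    return out

def reengagement_due(clicks, now, filter_nhi):
    """Recipients whose last counted click is older than INACTIVE_AFTER."""
    last = {}
    for c, is_nhi in classify(clicks):
        if filter_nhi and is_nhi:
            last.setdefault(c[0], None)  # known recipient, no human click yet
            continue
        if last.get(c[0]) is None or c[3] > last[c[0]]:
            last[c[0]] = c[3]
    return sorted(r for r, ts in last.items() if ts is None or now - ts > INACTIVE_AFTER)
```

On the sample data, the unfiltered log shows nobody as inactive on 2026-03-25, while the filtered log puts ana@corp.example into the re-engagement flow. Timing heuristics like these only catch scanners that click immediately; traffic that varies its timing needs the IP and user-agent signals discussed below.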
The scale of NHI in email is alarming, but it is a solvable problem. The key is purpose-built detection at the event level - filtering out non-human interactions before they enter your engagement database, your segmentation logic, your A/B testing results, or your ad network reporting.
This requires data that most senders do not collect or process: the source IP address and user agent string of every click and open event, cross-referenced against continuously updated behavioral profiles of known bot infrastructure. The datasets that make this detection accurate - and accurate enough to be commercially meaningful - take years to build and require constant maintenance as bot infrastructure evolves.
The alternative - continuing to make decisions on contaminated data - has a cost that compounds. Every segmentation decision made on inflated click data is slightly wrong. Every A/B test result is slightly distorted. Every deliverability conclusion is slightly off. Over time, the accumulated effect of systematically incorrect decisions is material.
Fifty percent of your B2C clicks being non-human is not a quirk of your program. It is the industry baseline in 2026. The question is what you do with that information.
Omnivery's Bot Detection API identifies non-human interactions in email engagement data using 20+ proprietary datasets. For Omnivery customers using Omnivery's open and click tracking, bot detection is included automatically. Third-party ESP integrations are available subject to vetting.