You’re optimizing your Klaviyo and you want to get rid of bot clicks. You want clean data, accurate attribution, and a list that’s free of junk profiles. So you tweak a few settings. Maybe you shorten your attribution window, or segment out blocks and Apple Privacy opens.
Smart, right?
Well, maybe not.
Depending on how your setup works, you might be excluding real customers across your campaigns. Even worse, you could be misattributing revenue in flows, while those same profiles still enter the automation. Either way, you’re getting an inconsistent picture of performance, and you may be losing out on real revenue.
In this blog, we’ll break down how inbox security systems can skew your email data, and what that means for your revenue attribution. We’ll also look at why some filters might be doing more harm than good.
So What are Bot Clicks, Really?
On most email platforms (like Klaviyo), a bot click is a link click that appears to come from a non-human interaction, like a script or automated process.
But not all “bot clicks” come from actual bots.
Some inbox providers, like Gmail or corporate email servers, use security filters that automatically click every link in incoming emails. This is a safety measure to scan for malicious content.
The problem is that email service providers (ESPs) can’t always tell the difference. If a security system clicks a link on behalf of a human user, Klaviyo still logs it as a bot click and flags the profile. That usually leads to removing the profile from the list.
So, even if that real customer opens, reads, and purchases later…you might never email them again. They’re on the bot list, and they won’t get future email marketing campaigns and email marketing flows.
When Bot Clicks Exclusion Goes Wrong: Real Revenue Horror Stories
We recently helped a store who had changed their attribution model from 3 to 5 days. They had also begun to exclude bot clicks, which they had not done before.
A couple of totally predictable things happened:
- Email-attributed revenue dropped. This is inevitable, because Klaviyo was now linking less revenue to emails.
- Engagement also dropped. Again, this was not surprising: at least some of the opens they had been getting were genuine bot clicks and machine opens.
But then we noticed something far more important: website sessions coming from Klaviyo also dropped.
After digging in, we found that the majority (yes, MAJORITY) of these profiles were real customers. They had been engaging and shopping with the brand before the change. But the bot clicks exclusion had cut them out of all email communication.
These exclusions were cutting valuable (human) subscribers out of the loop. These were profiles who had:
- Opened multiple emails
- Clicked multiple links (beyond the security auto-clicks)
- Completed purchases
They weren’t bot clicks. They were buyers.
Here’s an example of a profile that ended up on the exclusion list, even though there was a purchase history for the profile.
Okay, that looks like a pretty small order. Maybe the data clarity we got from excluding bot clicks was worth it?
Not quite. Here’s another example, but this time a loyal customer whose profile had triggered clickbot=true.
Imagine the impact of this kind of thing at scale. Excluding hundreds or even thousands of active profiles based on inaccurate bot identification could wreck your attribution model and flatten your revenue.
We even found a new customer who had converted via the welcome flow. After entering that flow, the system misidentified it as a bot click. This customer wouldn’t get any more future communication. And the brand would have cheated itself out of repurchase revenue.
Apple Privacy Opens: The Other Silent Revenue Killer
It’s not just bot clicks that brands need to worry about.
Apple’s Mail Privacy Protection (MPP) makes a complex picture even messier. It preloads email content on Apple devices, even if the recipient never opens the message.
That means:
- Opens appear as “machine activity”
- Klaviyo (and other ESPs) can’t always tell if the recipient actually read the mail
- Some marketers choose to exclude Apple Privacy opens from email flows and email campaigns
But again, this can be dangerous.
It’s possible for a recent customer to end up in the “machine opens” category. So, if you exclude Apple Privacy Opens from your sends, you could be excluding active customers and losing out on revenue.
Here’s an example of a one-time customer that the system thinks is a machine open, even though they have placed an order.
At the end of the day, it’s better to have slightly noisy data than to lose out on revenue opportunities.
One of our expert email marketing strategists, Liana Mouradian, puts it like this:
“Consistency is more important than precision. If your metrics stay stable over time, even with some inflation, you’ll still spot the trends that matter.”
So Should You Ever Exclude Bot Clicks?
Yes, but only strategically.
In some rare cases, filtering might be necessary:
- During a list bombing attack
- If you notice a surge of invalid or junk profiles
- If a deliverability consultant recommends it for list hygiene or domain health reasons
But even then, proceed with caution. Flagging a security filter as a bot is a blunt tool. Unless you’re pairing it with additional signals, like no site activity, no purchase behavior, or hard bounces, you could be throwing out valuable profiles.
How to Check if You’re Excluding Real Customers
Here’s what we recommend for every Klaviyo user:
1: Audit your bot clicks regularly
Go into your database and identify any profiles triggering the bot classification. Check if they:
- Have a purchase history
- Engaged with multiple emails
- Revisited your site
You can establish this by segmenting these profiles. For example, filter for profiles that met “clickbot=true in the last 30 days” AND have ever placed an order. Those are customers, so keep them.
For active subscribers, you can segment further by digging into engagement levels like “active on site,” and “viewed product”.
We recommend having these botclick+MPP segments in place, and monitoring them regularly.
2: Don’t panic over inflated open/click rates
It’s a trade-off. Yes, some metrics may appear inflated. But excluding too aggressively can cost you more than just some messy data.
- Use engagement and conversion data: Look beyond opens and clicks. Track sessions, add-to-carts, and purchases to get a fuller picture.
- Validate before excluding: If a profile is flagged but has a recent purchase or strong behavioral signals, reconsider excluding it.
- Adjust segmentation logic: For example, instead of excluding all Apply Privacy Opens, exclude only those with no other engagement for 90+ days.
Don’t Let “Clean Data” Kill Your Conversions
Email marketing is messy. Between bots, privacy tools, and engagement filters, it’s hard to know what’s real and what’s noise.
But we’ve learned that over-correcting is just as dangerous as under-analyzing. The best move is a balanced, evidence-based segmentation strategy that combines behavioral signals, clear exclusion logic, and ongoing monitoring.
If you’re not sure whether you’re excluding the right profiles (or the wrong ones), Hustler Marketing can help you audit your lists, segments, attribution settings and engagement filters to make sure you’re not ghosting your best customers.