Skip to main content

Architecture overview

Email Tracker uses a client-server architecture where the Chrome extension injects tracking pixels and the Node.js server records open events.

Component responsibilities

Chrome extension

The extension has three main parts: Content script (extension/src/content/gmailCompose.js:161-315)
  • Detects Gmail compose dialogs using MutationObserver
  • Extracts recipient and sender email from compose UI
  • Requests tracking data from background worker
  • Injects 1x1 transparent pixel into message body
  • Renders inbox badges showing open counts
  • Scans thread images for sender suppression
Background service worker (extension/src/background/serviceWorker.js)
  • Generates stable user_id (stored in chrome.storage)
  • Creates unique email_id (UUID) for each message
  • Encodes tracking token with email metadata
  • Fetches dashboard data and caches results
  • Sends POST /mark-suppress-next signals
Popup UI (extension/src/popup/*)
  • Configuration interface for tracker URL and dashboard token
  • Debug view showing recent tracked emails
  • Quick links to dashboard

Node.js server

The server is an Express application with the following structure: Main application (server/src/index.ts:1-24) 
import express from "express";
import { initDb } from "./db/sqlite.js";
import { dashboardRouter } from "./routes/dashboard.js";
import { trackRouter } from "./routes/track.js";

const app = express();
const port = Number(process.env.PORT ?? 8080);

app.set("trust proxy", true);
app.use(express.json({ limit: "16kb" }));
initDb();

app.get("/health", (_req, res) => {
  res.json({ ok: true });
});

app.use(dashboardRouter);
app.use(trackRouter);

app.listen(port, () => {
  console.log(`Tracker server listening on :${port}`);
});
Tracking routes (server/src/routes/track.ts)
  • GET /t/:token.gif - Serves transparent pixel and records open
  • POST /mark-suppress-next - Receives sender suppression signals
  • GET /metrics/gmail-proxy-latency - Returns latency statistics
  • GET /metrics/suppress-signals - Debug endpoint for suppression events
Dashboard routes (server/src/routes/dashboard.ts)
  • GET /dashboard - Serves dashboard HTML UI
  • GET /dashboard/api/emails - Returns tracked emails with open counts
  • GET /dashboard/api/open-events - Returns detailed open event history
  • All dashboard APIs require X-Tracker-Token header matching DASHBOARD_TOKEN

SQLite database

The database uses two main tables: tracked_emails (server/src/db/schema.sql:3-11) 
CREATE TABLE IF NOT EXISTS tracked_emails (
  email_id TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
  recipient TEXT NOT NULL,
  sender_email TEXT,
  sent_at TEXT NOT NULL,
  open_count INTEGER NOT NULL DEFAULT 0,
  created_at TEXT NOT NULL DEFAULT (datetime('now'))
);
open_events (server/src/db/schema.sql:13-31) 
CREATE TABLE IF NOT EXISTS open_events (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  email_id TEXT NOT NULL,
  user_id TEXT NOT NULL,
  recipient TEXT NOT NULL,
  opened_at TEXT NOT NULL DEFAULT (datetime('now')),
  ip_address TEXT,
  user_agent TEXT,
  geo_country TEXT,
  geo_region TEXT,
  geo_city TEXT,
  latitude REAL,
  longitude REAL,
  device_type TEXT NOT NULL DEFAULT 'other',
  is_duplicate INTEGER NOT NULL DEFAULT 0,
  is_sender_suppressed INTEGER NOT NULL DEFAULT 0,
  suppression_reason TEXT,
  FOREIGN KEY (email_id) REFERENCES tracked_emails(email_id)
);
Open events are always recorded, even if marked as duplicate or sender-suppressed. The open_count only increments for non-duplicate, non-suppressed opens.

End-to-end lifecycle

Here’s the complete flow from installation to analytics:

1. Install and configure

  • Operator installs dependencies and builds workspaces: 
    npm install
npm --workspace=shared run build
npm --workspace=server run build
  • Operator starts server with environment variables: 
    PORT=8090 DASHBOARD_TOKEN=secret npm --workspace=server run start
  • Operator loads extension in Chrome and configures popup with tracker URL and token

2. Sender composes and sends

  • Gmail content script detects compose dialogs using document.querySelectorAll('div[role="dialog"]')
  • On send intent (click, keyboard shortcut), content script extracts recipient and sender
  • Content script sends message to background worker: 
    const response = await chrome.runtime.sendMessage({
  type: "tracker:getComposeTrackingData",
  recipient,
  senderEmail
});
  • Background worker generates token and returns pixel URL
  • Content script injects hidden pixel (extension/src/content/gmailCompose.js:280-286): 
    const img = document.createElement("img");
img.src = response.pixelUrl;  // https://your-domain/t/token.gif
img.width = 1;
img.height = 1;
img.alt = "";
img.style.cssText = "width:1px;height:1px;opacity:0;display:block;border:0;";
body.appendChild(img);

3. Message arrives in recipient mailbox

  • Recipient’s email client renders the HTML message
  • When pixel URL is in viewport (or pre-fetched), client makes GET /t/token.gif request
  • Some clients (Gmail, Outlook) use image proxy servers that pre-fetch images

4. Server processes pixel request

Token decoding (server/src/routes/track.ts:99) 
const payload = decodeTrackingToken(token);
const ipAddress = getRequestIp(req);
const userAgent = req.get("user-agent") || null;
const emailId = payload.email_id;
Suppression check (server/src/routes/track.ts:106-120) 
const pendingSuppression = suppressionMap.get(emailId);
const wasSuppressedBySignal = Boolean(pendingSuppression);

if (pendingSuppression) {
  suppressionMap.delete(emailId);  // consume-once semantics
  pushSuppressionDebugEvent({
    event: "suppression_consumed",
    email_id: emailId,
    at_ms: nowMs,
    delta_ms: nowMs - pendingSuppression.createdAtMs
  });
}
Open event recording (server/src/routes/track.ts:153-160) 
const result = recordOpenEvent({
  payload,
  ipAddress,
  userAgent,
  openedAtIso,
  forceSenderSuppressed: wasSuppressedBySignal,
  suppressionReason: wasSuppressedBySignal ? "mark_suppress_next" : null
});
Deduplication logic (src/services/openRecorder.ts)
  • Queries open_events for recent opens with same email_id, ip_address, and user_agent
  • If found within DEDUP_WINDOW_MS (default 30 seconds), marks as duplicate
  • Duplicate events don’t increment tracked_emails.open_count
  • All events are stored in open_events table with flags
Response (server/src/routes/track.ts:171-177) 
res.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
res.setHeader("Content-Type", "image/gif");
res.status(200).send(TRANSPARENT_PIXEL_GIF);

5. Dashboard and extension read analytics

  • Dashboard UI polls GET /dashboard/api/emails with X-Tracker-Token header
  • Extension background worker fetches inbox badge data every 10 seconds
  • Content script renders badges in Gmail inbox rows
  • Badge click opens dashboard with pre-filtered view for that email

Unique suppression model

Email Tracker uses identity-based, event-driven suppression to prevent counting sender self-opens.

Why identity-based?

Gmail is a single-page application where folder names and UI state are unreliable:
  • Sent folder vs Inbox detection is brittle with SPAs
  • URL patterns change frequently
  • Tab and thread navigation uses history API
Instead, we compare the sender email (from token) with the currently logged-in Gmail account.

How suppression works

Step 1: Content script scans images (extension/src/content/gmailCompose.js:519-570) 
function scanAndMarkSuppressNext() {
  const currentEmail = getCurrentLoggedInEmail();
  const images = document.querySelectorAll("img[src]");
  
  images.forEach((imgNode) => {
    const token = extractTokenFromTrackingSrc(imgNode.src);
    const payload = decodeTrackingPayloadFromToken(token);
    
    // Identity-based suppression: sender viewing own message
    if (payload.senderEmail !== currentEmail) {
      return;  // Different user, don't suppress
    }
    
    // Send suppression signal to server
    chrome.runtime.sendMessage({
      type: "tracker:markSuppressNext",
      emailId: payload.emailId
    });
  });
}
Step 2: Extension sends suppression signal
  • Background worker receives message from content script
  • Makes POST /mark-suppress-next request to server with email_id
  • Server stores entry in in-memory map with timestamp
Step 3: Server receives suppression signal (server/src/routes/track.ts:36-47) 
trackRouter.post("/mark-suppress-next", (req, res) => {
  const emailId = String(req.body?.email_id || "").trim();
  const nowMs = Date.now();
  
  suppressionMap.set(emailId, { createdAtMs: nowMs });
  
  res.json({ ok: true, email_id: emailId, recorded_at_ms: nowMs });
});
Step 4: Pixel request consumes suppression (server/src/routes/track.ts:106-120) 
const pendingSuppression = suppressionMap.get(emailId);

if (pendingSuppression) {
  suppressionMap.delete(emailId);  // consume-once
  const deltaMs = nowMs - pendingSuppression.createdAtMs;
  // Event is recorded with is_sender_suppressed=1
}

Key characteristics

Consume-once semantics
  • Each suppression signal is consumed by the first pixel hit
  • Subsequent opens (e.g., recipient opens) are counted normally
  • Prevents over-suppression from multiple Gmail tabs
TTL as fallback only (SUPPRESSION_TTL_MS = 10_000)
  • Entries expire after 10 seconds if not consumed
  • This is cleanup logic, not core suppression behavior
  • Normal flow: signal → pixel → consume (< 1 second)
Gmail Image Proxy latency tracking
  • Gmail pre-fetches images through proxy servers
  • Server detects proxy requests by User-Agent and IP prefix
  • Measures time delta between signal and proxy hit
  • Stores latency samples for metrics endpoint
The median latency between suppression signal and Gmail Image Proxy hit is typically 200-500ms.

Configuration options

Server environment variables
VariableDefaultDescription
PORT8080Server listen port
DASHBOARD_TOKEN(required)Authentication token for dashboard API
DB_PATHserver/data/tracker.dbSQLite database file path
DEDUP_WINDOW_MS30000Deduplication time window (30 seconds)
Extension settings (configured in popup)
  • Tracker Base URL - Your server URL (e.g., https://tracker.example.com)
  • Dashboard Token - Must match server’s DASHBOARD_TOKEN

Data flow summary

┌─────────────┐
│   Extension │ Generates token, injects pixel
└──────┬──────┘


┌─────────────┐
│ Recipient   │ Email client loads pixel
│ Email Client│
└──────┬──────┘
       │ GET /t/token.gif

┌─────────────┐
│   Server    │ Decode, dedupe, check suppression
│  (Express)  │
└──────┬──────┘


┌─────────────┐
│   SQLite    │ Store open_events, increment open_count
└──────┬──────┘


┌─────────────┐
│  Dashboard  │ Query emails and events via API
│     UI      │
└─────────────┘

Next steps

Quickstart guide

Set up the tracker locally and send your first tracked email

API reference

Explore all endpoints and authentication methods