DuckDuckGo Email Protection Review

This DuckDuckGo Email Protection review (beta version) will take you through all angles of the new addition to the DuckDuckGo family. I will review and show you how the Duck Email Protection performs from the perspective of the consumer and the marketing company.

"Does it work" Duck Email Protection Review
Picture of the author John Siciliano
Published June 2, 2023Updated September 2, 2021
Some of my content contains affiliate links – about

The DuckDuckGo Email Protection service is an absolute staple in the current environment. I'm very excited to have received my invite code and to create this DuckDuckGo Email Protection review.

In summary, the Email Protection service from DuckDuckGo is everything I'd hoped it to be and more. But there are issues.

My video goes over this review and has a live demo. You might be shocked! I was...

Read on to find out how this service performs for a consumer and what consequences this has for marketing companies.

Receiving the Invite Code

Duck Email Protection Invite Code
This is what the setup screen looks like.

Once I received the invite code, I was prompted to enter the Duck email address and the forward to address. Because I was an early adopter, I thought I could reserve "[email protected]," but someone beat me to it. I ended up snagging a three-letter email address, though, which was pretty neat - very easy to share with people and type into forms.

DuckDuckGo goes over their privacy policy in a super consumable format, and everything was what I'd expect from a privacy-focused company.

Let's start feeding these marketing companies my Duck email!

Receiving Email at the Duck Address

I had a hit list of companies I wanted to use my Duck email for, so I changed my email from my non-protected email to my protect Duck email.

The Duck email itself forwards emails to your existing email. So there is no Duck login, UI, inboxes, and things like that.

Duck strips email trackers out of the email then forwards the email to your regular email, all done in memory on their servers (memory is temporary storage, meaning nothing saves on their servers).

There is no noticeable delay in receiving emails.

Once the email arrives in your inbox, DuckDuckGo inserts a line at the top, letting you know how many trackers were removed, if any.

DuckDuckGo removed trackers from adobe and more
Duck shows you if trackers were removed.

I was surprised to see some companies do not have any trackers in their emails.

Privacy Report (Which Trackers were Removed)

The line inserted at the top of the email is clickable. It will say something like, "DuckDuckGo removed 1 tracker". Opening that link will render a client-side generated webpage with information on the trackers that were removed.

Duck Email Protection Report
Best Buy has a lot of trackers!

The key here is client-side. That means the webpage is generated on your computer. That fact is important because this web page displays the from address, the to address, and any trackers contained in the email. Because that's private information, DuckDuckGo opted to create a web page not generated from their servers.

The information comes from the link in the email. The link contains all the information necessary to populate the private pieces of the email, while the skeleton of the page comes from Duck's servers.

There is one piece I'm unsure about, though. The link from the email looks like this:

https://duckduckgo.com/email/privacy-report/{a bunch of "random" characters}

The "random characters" get decoded (they are Base64 encoded), which contains private information and is injected into the web page. What's unclear is if that assumption is true, then the URL might be logged on DuckDuckGo's servers as we are visiting the address. If so, that means there is a record on their servers of the from, to, and trackers removed. I could be wrong about this and likely am due to DuckDuckGo going through extensive lengths to protect privacy. I just don't have another explanation on how they could do it.

Marketing Company Perspective

This video clip goes over my demo of the marketing side of things.

What They Track

As a digital marketer, I'm aware of the ways emails are tracked.

Here are the primary two metrics:

  1. Opens
  2. Clicks

They are both the main KPIs in an email campaign. Each metric provides valuable insights into how well an email blast performs. Additional KPIs like revenue are made possible through the "clicks" functionality.

Open Trackers (Removed)

DuckDuckGo removes the "open" trackers. This is great as when you open an email with a tracker, your IP address, location, and time you opened it are sent to their server. The open tracker is made possible by putting a little script in the email the fires when the email is opened. It calls a URL with the previously mentioned info. DuckDckGo Email Protection removes these scripts.

Note: I tested this by sending an email from my marketing company, but Duck did not remove the open trackers. I suspect this was an issue due to the service still being in beta. Either way, it seemed not to carry out the basic task of the service. Additionally, I sent the email from Mailchimp, which is probably the most popular email marketing software, so there shouldn't be a reason for this not working.

The email said the trackers were removed.

Email protection report showing one tracker
It says it was removed, but...

The marketing campaign shows my interaction with the email was tracked.

Marketing campaign showing my clicks and opens were tracked
Seems like I was tracked after all! Opens should not be tracked, but clicks should be.

Click Trackers (Not Removed)

The clicks functionality is made possible by adding special URLs that redirect to the actual URLs. So if the email has a click here to view the latest products, the end URL it goes to says "myshop.com/product-1". But if that's the link displayed in the email, then click tracking isn't possible. It's made possible by adding a URL that redirects to the destination URL. So the URL might read "mailchimp.com/asdf" and when you click that, your information is tracked to Mailchimp (e.g., Joseph click X link at Y time).

Another way to track email clicks is to add query parameters to the URL that are dynamically changed based on the person who opens the email. So when an email blast goes out, the link will be slightly modified for each recipient with a unique ID to identify the person who opens it. For example, "myshop.com/product-1?recipient=1234". Then the system can correlate the ID to a user or an email campaign and understand open ratios.

DuckDuckGo Email Protection does not remove click trackers. This would require them to follow each of the URLs in an email, check for a redirect, then if there is a redirect to replace the link with the destination. I believe this is possible but would require more development and testing.

To remove the method that uses query parameters would be more difficult. If all query parameters were removed (i.e. everything after the question mark in a URL), then certain emails would break. Password reset emails typically rely on query parameters. What DuckDuckGo could do is remove the known parameters. For example, Google Analytics standards contain "?campaign=mycampaign" to track campaigns. These can be safely removed as they won't impact functionality, just tracking.

Awesome Service, Needs Work

All in all this service is only going to improve. As a member of the beta, I understand there are still kinks to work out. It seems the primary purpose of the service needs work, though. Even in the current state, it's worth it. I'd much rather give out my Duck email than my actual email - it adds a layer of separation between you and other companies.

Safeguard your info fella!

John Siciliano
WebsiteWebsite Creator
MagnetGrowth Marketer
BracketsDeveloper
Diamond on BlogContent Creator
I spend my time creating stuff online and documenting it to help others (and earn a living).