True, but HSBC thinks you read the email, because somebody fetched the tracking pixel, right? The irony is that HSBC and others who use this kind of thing probably aren't in the least interested in when or how many times you open the email. Whoever came up with this idea (probably) really did think it was (just) a pretty good way of figuring out if they have your correct email.
They do work for the inferred purpose here though, assuming Gmail only downloads them when the email is successfully delivered to the mailbox (and thus the address is valid).
IIRC, google limits their opening of remote images if they're unique per email or from less reputable sources.
They also send you an email back saying your email wasn't delivered after a few days or hours, so there's little benefit in using the tracking pixel to determine if an address exists.
Don't know if they fetch images from emails sent to non-existent addresses, but I would if I were to design such a system.
I mean, they still work in some way. If you use tracking pixels to see if an email was read, I agree with you that this break the functionality. But if you just want to see if the email exists, then the fact that google fetches them (and triggers the parametric URL) still tells you something
So, why use a tracking pixel for that? Just send an email. e.g.
$ head -n 100 /dev/random | md5sum
a6cc1b7c09ccb122cb066c89e16b3140 -
And that yields an instantaneous error message https://i.imgur.com/twHhIU3.png that reads "Address not found. Your message to a6cc1b7c09ccb122cb066c89e16b3140@gmail.com was not delivered because the address could not be found".
