Klaviyo says $12,000 in email revenue last month. GA4 shows email at $3,200. Direct traffic shows $9,800. The $9,800 is not people typing your URL from memory—it’s email revenue hiding in a broken attribution bucket. A server-side tracking implementation for a Danish WooCommerce store reduced direct traffic by 67.9% in February 2026 (Stape), with Paid Search attribution jumping 56.8% and total reported revenue increasing 37.5%. None of those channels gained new customers. They were always working. GA4 just couldn’t see them.

What “Direct” Actually Means in GA4#

GA4 processes traffic sources using a hierarchy: ad click data first, then UTM parameters, then HTTP referrer, then nothing. When GA4 finds nothing—no UTM, no referrer, no ad click signal—it labels the session Direct. Direct is the fallback, not a channel (Google Analytics Documentation, 2025). It means GA4 failed to identify the source, not that a human typed your URL.

If your direct traffic exceeds 30%, it almost certainly contains misattributed conversions from channels you’re actively paying for. The OWOX direct traffic guide puts this plainly: above 30%, the excess is likely broken tracking, not brand recognition. For most WooCommerce stores running Klaviyo, Facebook Ads, and Instagram—that’s a $3,000–$15,000 monthly misattribution problem sitting inside a channel that requires no ad spend to explain.

Even Google’s own analytics site isn’t immune: 45.53% of its visits classified as direct traffic in May 2025 (Cometly, 2025). Dark traffic is architectural, not a configuration failure you can fully eliminate. But for WooCommerce stores, the gap between 45% and 15% direct traffic is almost entirely recoverable.

The WooCommerce-Specific Dark Traffic Sources Nobody Mentions#

Generic direct traffic guides focus on HTTPS migration and missing GTM tags. That’s not your problem. WooCommerce stores have four dark traffic sources that standard guides ignore entirely:

Klaviyo Email Links

Klaviyo email links opened in the Gmail mobile app, Apple Mail app, or any native mobile email client frequently strip the HTTP referrer before your browser processes the click. If those links don’t carry UTM parameters, GA4 sees an untagged session from an unknown source and labels it Direct. This includes your welcome series, abandoned cart flows, post-purchase sequences, and—critically—your order confirmation emails.

Order confirmation emails are particularly damaging. Every customer gets one. Many click through to check their order status or browse related products. If that link isn’t UTM-tagged, every single click enters your GA4 as Direct—from a confirmed buyer, on a commercial intent visit, completely invisible to your email channel attribution.

Product URLs Shared via WhatsApp and Messaging Apps

Links shared through WhatsApp, iMessage, Telegram, Facebook Messenger, and similar platforms do not pass HTTP referrers to the destination browser. When your product URL circulates in a family WhatsApp group or gets forwarded between friends, every click arrives in GA4 as Direct traffic—regardless of the original post or ad that sparked the share.

QR codes from physical marketing face the same problem. Market stalls, product packaging inserts, event flyers—any QR code pointing to an untagged URL sends every scan into your direct bucket permanently.

Klaviyo Automated Flow UTM Stripping

Klaviyo’s automated flows—win-back sequences, browse abandonment, VIP triggers—can strip UTM parameters when emails are forwarded or opened in environments that modify link previews. The original recipient tagged correctly; the forwarded version arrives without attribution. In long-running flows, this accumulates into meaningful revenue invisible to email analytics.

You may be interested in: Your Tracking Broke Three Days Ago and Nobody Told You

How Safari ITP Turns Your Marketing Into Direct Traffic#

Safari’s Intelligent Tracking Prevention (ITP) expires first-party browser cookies after 7 days—dropping to just 24 hours for visitors arriving from paid ad clicks (Apple WebKit, 2025). This creates a structural attribution problem for WooCommerce stores selling products with longer consideration cycles.

A customer finds your store via a Facebook Ad on March 1st. They browse, add to cart, close the browser. They return via a Klaviyo email on March 10th—nine days later, well within a normal purchase consideration window. Safari has deleted the original session cookie. GA4 sees a new Direct visitor completing a purchase. Your Facebook campaign gets zero credit. Your email campaign gets zero credit. Direct gets the conversion.

Any customer taking longer than 7 days to complete a purchase will appear as new Direct traffic in GA4 on Safari—regardless of what brought them to your store originally. Safari holds roughly 19–20% of global browser market share. For WooCommerce stores selling to Apple-heavy demographics, this alone can account for 10–15 percentage points of inflated direct traffic.

GA4’s data-driven attribution model requires a minimum of 400 monthly conversions to function (Google Analytics Help, 2025). When enough conversions hide in the Direct bucket and your channel-attributed counts fall below this threshold, GA4 silently reverts to last-click attribution. You stop getting the sophisticated model and start seeing the bluntest possible measurement—with no notification that the switch happened.

You may be interested in: GA4 Says You Don’t Have Enough Data

How to Diagnose Your Dark Traffic#

In GA4, navigate to Reports → Acquisition → Traffic acquisition. Filter the Direct channel and segment by Landing page + query string. Look for landing pages that correspond to email campaign links, order status pages, or product pages that would typically arrive via specific campaigns. High conversion rates on direct-attributed landing pages that should only be reached via email are a strong signal that email revenue is misattributed.

Cross-reference your Klaviyo revenue dashboard against GA4’s email channel attribution for the same period. A gap larger than 20–25% points to dark traffic, not Klaviyo over-counting. Klaviyo’s revenue attribution uses click-based last-touch with a 5-day window—it’s actually stricter than GA4’s default. When Klaviyo shows significantly more email revenue than GA4, the difference is almost certainly sitting in your Direct bucket.

Fix One: UTM Audit Across Every Klaviyo Flow and Email#

Every link in every Klaviyo email needs a UTM parameter—not just campaign broadcasts. This means:

• All automated flows: Welcome, abandoned cart, post-purchase, browse abandonment, win-back, VIP, review request
• All transactional emails: Order confirmations, shipping notifications, delivery confirmations
• Social bio links: Instagram, TikTok, and Facebook profile links pointing to your store
• QR codes: Every QR code on physical materials needs a UTM-tagged destination URL

Klaviyo supports dynamic UTM tagging at the account level for campaign emails. For flows, UTM parameters must be added to individual message links or configured in Klaviyo’s flow settings. Klaviyo’s native UTM tagging applies to the click—it tags the link in the email. When that link is forwarded and stripped, the UTM travels with the URL in the query string, which survives forwarding in ways that HTTP referrers do not. This is why UTM tagging at the link level outperforms referrer-based tracking for email attribution.

Fix Two: Server-Side Session Persistence#

UTM tagging fixes attribution for emails that carry UTM parameters. It does not fix Safari ITP’s 7-day cookie deletion problem. A customer who arrives from a properly UTM-tagged Facebook Ad on March 1st and returns organically on March 10th still loses their original attribution on Safari—the browser deleted the session cookie before that return visit happened.

Server-side tracking addresses this by setting first-party cookies from your own subdomain rather than from the analytics platform’s domain. Safari ITP’s 7-day restriction applies to third-party cookies and to first-party cookies set via JavaScript on third-party subdomains. Cookies set server-side from your own subdomain receive the full browser cookie lifespan—typically one to two years. A customer returning 90 days later still carries their original attribution signal because it lives in a cookie your server set, not a cookie a third-party script set.

The Danish eyewear store in the Stape case study achieved a 67.9% reduction in direct traffic because server-side implementation simultaneously restored UTM attribution for Safari users (longer cookie persistence) and improved campaign signal capture across all browsers. Paid Search attribution increased 56.8% and Organic grew 36.1%—neither channel acquired new customers. Both were always sending those visits. GA4 was just classifying them as Direct.

Transmute Engine™ handles the server-side session persistence piece as part of its core tracking architecture. It’s a dedicated Node.js server that runs on your own subdomain (e.g., data.yourstore.com)—not a WordPress plugin. The inPIPE WordPress plugin captures events from WooCommerce hooks and sends them via API to your Transmute Engine server, which sets first-party cookies from your subdomain, enriches events with server-side data including UTM chain preservation, and routes them simultaneously to GA4, Facebook CAPI, BigQuery, and more. When a customer returns from a Klaviyo email three weeks later with an expired browser cookie, Transmute Engine matches them to their original session via the server-side first-party identifier—recapturing the attribution that GA4 would otherwise label Direct.

Key Takeaways#

• Direct traffic above 30% is a broken tracking signal, not brand recognition. For WooCommerce stores, it almost always contains misattributed email, social, and paid campaign revenue.
• Klaviyo email links opened in mobile apps strip HTTP referrers. UTM parameters on all links—including transactional emails—are non-negotiable, not optional.
• Safari ITP expires cookies after 7 days (24 hours for paid ad visitors), making any returning purchaser beyond that window appear as new Direct traffic regardless of original source.
• GA4’s data-driven attribution requires 400+ monthly conversions. Misattributed Direct conversions push stores below this threshold, triggering a silent downgrade to last-click with no notification.
• Server-side tracking with first-party cookie persistence solves the Safari ITP problem by setting cookies from your subdomain rather than from blocked third-party scripts. One implementation cut direct traffic by 67.9% for a WordPress store (Stape, Feb 2026).

Your marketing channels are doing more work than GA4 is crediting them for. See how Transmute Engine fixes the attribution gap for WooCommerce.