Microsoft Clarity Adds Robots.txt Violation Tracking: What to Do About It

Clarity's Bot Analytics now shows exactly which AI crawlers ignore your robots.txt, free, from server-side CDN logs. What the report shows, why compliance visibility matters now, and the response checklist.

RankControl7 min read
Microsoft Clarity Adds Robots.txt Violation Tracking: What to Do About It

For years, the robots.txt question founders could answer was "which bots did we allow?" The question they couldn't answer was the one that mattered: "which bots actually listened?" On June 23, Microsoft quietly shipped an answer, for free, inside a tool a lot of SaaS teams already run.

Clarity's Bot Analytics dashboard now surfaces robots.txt violations: which bots ignored your directives and what content they went after. In an era where your AI visibility depends on welcoming the right crawlers while the wrong ones impersonate them, that's the missing audit layer.

Key Takeaways

  • Microsoft Clarity's Bot Analytics now reports robots.txt violations: violation share of total bot requests, trends over time, targeted paths, and compliant vs non-compliant volumes per bot.
  • It works from server-side CDN logs, sidestepping the obvious problem that bots don't run your JavaScript tag; you'll need to connect Cloudflare, Fastly, CloudFront, Azure Front Door, or Akamai first.
  • The context is ugly: documented stealth crawling by Perplexity, Bytespider ignoring disallow rules at ~10% of AI bot traffic, and Cloudflare finding roughly a third of "GPTBot" traffic is spoofed impostors.
  • The right response is rarely "block everything": verify identity first, keep the compliant retrieval crawlers that feed your AI visibility, and WAF-block the fakes.
  • Cloudflare's September 15 default-blocking deadline makes this quarter the time to make deliberate crawler decisions instead of inheriting someone else's defaults.

What Shipped

The announcement came from the Clarity team on June 23, with the kind of plain-spoken framing you rarely get from analytics vendors:

𝗡𝗘𝗪: Clarity's Bot Analytics dashboard now surfaces robots.txt violations. 🤖 You can now see exactly which bots are ignoring your crawl rules and what content they're trying to access. → Violations as a % of total bot requests → Violation trends over time → Filter by https://t.co/LBDGbGIiRP

Microsoft Clarity@msftClarityJun 23, 2026

Their summary, preserved in paraphrase: you can now see exactly which bots are ignoring your crawl rules and what content they're trying to access, so you know which bots are playing by the rules and which ones aren't. The Violations card lives under Bot Analytics in the AI Visibility section and reports four things: violations as a percentage of total bot requests, a violation trendline, the specific paths being hit against your directives, and a side-by-side of compliant versus non-compliant request volume. Filters cover operator, bot name, and activity type, with the named roster spanning GPTBot and ChatGPT-User, the ClaudeBot family, Gemini, Copilot, and PerplexityBot.

The clever part is how it sees any of this. Bots don't execute your analytics JavaScript, so tag-based tools are structurally blind to them. Clarity instead ingests server-side logs from a connected CDN and checks each request against your robots.txt at read time. Which also explains the setup catch: nothing appears until a project admin connects a supported CDN (Cloudflare, Fastly, Amazon CloudFront, Azure Front Door, or Akamai) in project settings. WordPress sites get it wired automatically through the current Clarity plugin.

One thing I should've mentioned earlier: this is the fourth AI-visibility feature Clarity has shipped since mid-May, after the AI citations report, the expanded bot dashboard, and topic insights. Microsoft is methodically turning a free heatmap tool into the default instrumentation layer for AI-era traffic, and at the price of zero, it's working.

Why Compliance Visibility Suddenly Matters

A robots.txt file has always been a request, never a lock. What changed is the volume and the audacity of the parties ignoring it.

The rap sheet, documented rather than rumored: Cloudflare caught Perplexity stealth-crawling sites that had blocked it, using disguised browser user agents and IPs outside its published ranges. ByteDance's Bytespider routinely ignores disallow directives and has grown to roughly a tenth of all AI bot traffic. And Cloudflare's 2026 verification data found that about a third of traffic identifying as GPTBot was spoofed scraping infrastructure wearing OpenAI's name. Meanwhile AI crawling has become the majority of crawler traffic: 52% of crawler requests are now AI-related, up from 22% a year earlier.

Fair warning though: the violation percentages you'll see in Clarity need interpretation before outrage. A "GPTBot violation" is frequently not OpenAI misbehaving; it's an impostor borrowing the user agent, which is precisely why the verification step below matters more than the dashboard's red numbers.

The broader ecosystem is moving from measurement to enforcement on a schedule. Cloudflare declared July 1 its "Content Independence Day", splitting crawlers into search, agent, and training categories, and from September 15 new domains get training and agent crawlers blocked by default. Deliberate or not, your crawler policy is about to be set. Better it be set by you.

RANKCONTROL

AI search traffic grew 835% this year. Is your content ready?

RankControl generates 15+ content types optimized for ChatGPT, Claude, and Perplexity. Published on your domain, matched to your brand.

The AEO Tension: You Want (Some of) These Bots

Here's the thing that separates this blog's take from the "block all AI bots" reflex: for a SaaS company competing on AI visibility, compliant crawlers are the distribution channel. OAI-SearchBot fetching your comparison page is how you end up cited in a ChatGPT answer. Blocking retrieval crawlers to punish training scrapers is burning the storefront to stop shoplifting, a distinction we mapped bot-by-bot in our llms.txt and robots.txt checklist.

What the violations report finally enables is policy by evidence. You can hold a generous allow-list for the crawlers that earn you citations, and know within a week if something claiming to be one of them is treating your directives as decoration. The SEO community's early read matches ours; the feature made the weekly news roundups with practitioners noting it'll become a standard part of technical audits:

r/seogrowth· u/Kseniia_Seranking· Jun 30, 2026

SEO News: Google June 2026 spam update rolls out in two days, Microsoft Clarity adds robots.txt violation tracking to Bot Analytics, Google Search Console AI performance reports expand beyond the UK

The SEO world is always full of surprises, so let's stay on top of the latest events with our news digests: Updates Google June 2026 spam update rolls out in two days The June 2026 spam update began on June 24 and completed June 26. Global,...

41 upvotes21 comments
Via Reddit

And the sharpest distribution of the news came through Aleyda Solis's SEOFOMO digest, which is how most of the SEO world found out:

🚨 A new Spam Update and More SEO & AI Search News [From #SEOFOMO, June 28, 2026] 👇 * Google released and completed the rollout of the June 2026 Spam Update * ​Microsoft Clarity Now Surfaces Robots.txt Violations in Bot Analytics * ​Google’s Mueller Explains How AI Search https://t.co/UGR2BX3LAE

Aleyda Solis 🕊️@aleydaJun 28, 2026

Built by the team that got cited in 48 hours.

Content generation, backlink building, AI visibility tracking, and lead capture. One platform, zero guesswork.

Show me the platformOne platform · 7 AI agents

The Response Checklist

Five steps, about an hour for the first pass:

  1. Connect your CDN in Clarity. Project settings, AI Visibility, pick your provider. No CDN connection, no data. (If you're on Cloudflare, this pairs with their own crawl-control panel.)
  2. Read a week of violations by operator. Sort by violation share, note which bots and which paths. Expect surprises; most teams have never seen this layer of their own traffic.
  3. Verify identity before judging behavior. The major vendors publish their crawler IP ranges (OpenAI's gptbot.json, Anthropic's and Perplexity's equivalents), and forward-confirmed reverse DNS separates the real crawler from the costume. A "ClaudeBot" arriving from a residential proxy is not Anthropic.
  4. Act by category. Verified retrieval crawlers behaving well: leave them alone, they're your AI visibility. Unverified impostors: block at the WAF; Cloudflare's managed AI-scraper rules and verified-bot checks handle most of it. Genuine training crawlers: a strategy decision, not a security one, and we've made the case that training-data inclusion is a long-term brand asset for most SaaS companies.
  5. Recheck monthly, and after every bot-policy change. One footnote from Google's John Mueller this month applies here: Cloudflare's new content-signals robots.txt directive currently has "no effects whatsoever" on any crawler, so treat directives as requests you audit, never controls you trust.

The pattern underneath this feature is the same one we keep landing on: access is the first gate of AI visibility, and it's now measurable end to end. Clarity tells you who's reading your site and whether they listened, while AI visibility tracking tells you whether the reading turned into citations. Pair both with a content engine that keeps the compliant crawlers fed with something worth quoting, and the whole chain from access to answer is under observation. The teams that lose this era won't be the ones who blocked the wrong bot once. They'll be the ones who never looked.

RANKCONTROL

See your first AI citation report in under 5 minutes.

No setup calls. No onboarding meetings. Connect your domain and see where AI mentions your brand right now.

Frequently Asked Questions

Inside the Bot Analytics dashboard, Clarity now reports violations as a percentage of total bot requests, violation trends over time, the specific paths bots accessed against your directives, and compliant versus non-compliant request volumes, filterable by operator and bot. It identifies major AI crawlers including GPTBot, ClaudeBot, PerplexityBot, Gemini, and Copilot.

It doesn't rely on the JavaScript tag. Clarity ingests server-side logs from a connected CDN (Cloudflare, Fastly, CloudFront, Azure Front Door, or Akamai) and checks each bot request against your robots.txt directives. That's why the feature requires connecting a CDN in project settings before data appears.

Documented cases exist. Cloudflare accused Perplexity of stealth crawling with disguised user agents in 2025, ByteDance's Bytespider routinely ignores disallow rules, and Cloudflare's 2026 data found roughly a third of traffic claiming to be GPTBot was spoofed infrastructure impersonating it. Robots.txt is advisory; measurement is how you find out who treats it that way.

Separate identity from behavior first. Verify a suspect crawler against the vendor's published IP ranges; most 'violations' by big names turn out to be impostors spoofing the user agent, which you should block at the WAF. Genuine retrieval crawlers are usually worth allowing if AI visibility matters to you, since blocking them removes you from AI answers.

No. Bing Webmaster Tools' AI Performance dashboard (February 2026) tracks how your content appears in Copilot and Bing's AI experiences. Clarity's robots.txt violation tracking (June 2026) monitors crawler compliance on your own site. They're complementary: one watches the answers, the other watches the access.

RANKCONTROL

Get mentioned by ChatGPT, Claude, and Perplexity

Content that ranks on Google and gets cited by AI search engines. Published on your domain. Leads captured automatically.

Related Articles

THE SIGNAL

Weekly insights on AI and Google search strategy. No fluff.

Join 500+ marketers getting the latest on AI citations, Google rankings, and lead generation strategy.

No spam. Unsubscribe anytime.