Do free email services click links in emails to check for spam?

Summary

Email providers, including free services like Gmail, Yahoo, and Outlook, employ various methods to scan emails for spam and malicious content. This includes analyzing and often clicking the links within emails to assess their safety and destination. While consumer domains might do this less frequently than business email services, it's a common practice to evaluate sender reputation, URL reputation and content to protect users. These scans are part of a broader spam filtering process, which might also involve techniques beyond simple link clicking, such as executing Javascript and observing the results. Microsoft actively clicks all links, while other providers might leverage external services or analyze links without clicking. Not all clicks are from humans, and the frequency of these scans correlates with sender reputation.

Key findings

  • Link Analysis: Email providers scan links within emails to assess their safety and destination, with Office 365 showing higher rates of spam filter clicks.
  • Sender Reputation: Sender reputation significantly influences the intensity and frequency of link scanning.
  • Sophisticated Techniques: Email providers employ sophisticated methods beyond simple click tracking, including Javascript execution and dynamic content analysis.
  • URL Reputation: Reputation systems use URL reputation to score incoming mail, even without direct clicking.
  • Microsoft's Active Scanning: Microsoft actively clicks all links, rotating between different ESPs.
  • Automated Systems: Automated systems are used by providers like Google (Gmail) and are part of Cisco's security products

Key considerations

  • Varying Frequency: The extent to which links are clicked varies, from sampling to clicking almost every link, depending on factors like sender reputation.
  • Non-Human Clicks: Not all link clicks originate from real users; many are from automated scanning systems.
  • External Link Analysis: Consumer email providers might use external services for link analysis.
  • Advanced Threat Detection: Link analysis is evolving to include loading pages, executing JavaScript, and observing dynamic content.
  • Sandboxing: Microsoft utilizes sandboxing to proactively detonate potentially malicious links

What email marketers say
11Marketer opinions

Email providers, including free services like Gmail, Yahoo, and Outlook, employ various methods to scan emails for spam and malicious content. This often includes analyzing and sometimes clicking the links within emails to assess their safety and destination. While consumer domains might do this less frequently than business email services, it's a common practice to evaluate sender reputation and content to protect users. These scans are part of a broader spam filtering process, which might also involve techniques beyond simple link clicking.

Key opinions

  • Link Analysis: Email providers scan links within emails to assess their safety and destination.
  • Varying Frequency: Consumer domains may scan links less frequently than business email services.
  • Sender Reputation: Sender reputation is a critical factor in determining whether links are scanned and how emails are filtered.
  • Broader Spam Filtering: Link analysis is one part of a broader spam filtering process that includes analyzing content and sender reputation.
  • Office 365 Scanning: Spam filter clicks can significantly exceed real clicks at Office 365.
  • External Services: Consumer providers may use other services to follow links, not just their own.

Key considerations

  • Not Always Human: Not every click on a link in your emails is from a real person; many are from automated systems.
  • Microsoft's Link Clicking: Microsoft has been actively clicking all links for almost a year, rotating between different ESPs.
  • Hit Rate Variation: The frequency of link clicking varies, from sampling to clicking every link, and correlates with sender reputation.
  • URL Reputation: URL reputation is used by providers when scoring incoming mail.
  • Beyond Click Tracking: Some ISPs are actively loading pages, executing Javascript, and observing what happens.
Marketer view

Email marketer from Litmus shares that email testing platforms can simulate how different email clients render and scan emails. This can include checking if links are properly formatted and lead to the intended destination, mimicking the behavior of spam filters.

August 2024 - Litmus
Marketer view

Email marketer from Sendinblue shares that mailbox providers use spam filters, which may include click tracking, to ensure a safe email experience. They evaluate the sender's reputation and the content of the email, sometimes clicking links to verify their safety.

April 2023 - Sendinblue
Marketer view

Marketer from Email Geeks mentions that for consumer providers you might not necessarily see the actual provider following those links, but other services. Also consumer providers don’t necessarily have to push all emails through those filers, they might decide to reject or spam filter your emails without the need to follow the links based on other signals and data sources. He also adds to not assume that every “click” you see is an actual human being.

October 2024 - Email Geeks
Marketer view

Email marketer from Reddit shares that major email providers like Gmail and Outlook often use automated systems to click links in emails as part of their spam filtering process. This helps them identify potentially malicious websites.

December 2022 - Reddit
Marketer view

Email marketer from StackExchange explains that various email services and security programs automatically scan URLs in emails to identify potential threats. They might open the URLs to check their content and see if they lead to phishing sites or malware.

February 2023 - StackExchange
Marketer view

Email marketer from MailerLite responds that some email clients and security software scan emails to detect spam and malware. This process might involve clicking links to see where they lead and if the content is safe. However, these clicks aren't from real subscribers.

April 2021 - MailerLite
Marketer view

Marketer from Email Geeks shares that pretty much all ISPs do click links. Depending on many factors these could range from sampling a cluster of messages to clicking almost every link in every message. The hit-rate correlates with sender reputation to some extent and to not expect those clicks to originate from their networks.

March 2022 - Email Geeks
Marketer view

Email marketer from Email Marketing Forum mentions that it's common knowledge that email providers click links in emails to check for spam. This helps them to improve their spam filters and protect users from harmful content.

September 2024 - Email Marketing Forum
Marketer view

Email marketer from Gmass says that Google is constantly scanning emails in transit for spam and phishing purposes. While they haven't officially stated that they click every link, it's likely that they do some form of link analysis as part of their security measures.

July 2022 - Gmass
Marketer view

Marketer from Email Geeks shares that consumer domains do it a lot less often, if at all. Most campaigns don't seem to get significant numbers of scanning clicks from consumer domains. He recalls that he hasn't seen those clicks from Google Workspaces recently, but it's not unusual to see spam filter clicks exceed real clicks by 2-3x+ at Office 365, for example.

April 2023 - Email Geeks
Marketer view

Email marketer from Neil Patel Digital explains that email providers do scan emails for spam and malicious links. Some providers will open links to verify the destination and assess safety. This is part of their overall spam filtering process.

April 2021 - Neil Patel Digital

What the experts say
3Expert opinions

Email services, including free providers, actively analyze links in emails for spam detection. Microsoft has been clicking all links, rotating between ESPs. While providers may not always click links, they use URL reputation in their delivery decisions. Some ISPs are moving beyond simple click tracking, loading pages, executing JavaScript, and observing the results.

Key opinions

  • Microsoft's Link Clicking: Microsoft has been clicking all links for almost a year, rotating between different ESPs.
  • URL Reputation: Reputation systems use URL reputation in scoring incoming mail.
  • Advanced Tracking: Some ISPs are loading pages and executing JavaScript, going beyond simple click tracking.

Key considerations

  • URL Analysis: Even if links aren't clicked, their reputation is considered in delivery decisions.
  • Dynamic Analysis: ISPs may execute JavaScript to further analyze the linked content.
Expert view

Expert from Spamresource.com explains that reputation systems at large providers absolutely use URL reputation in scoring incoming mail. So they may not 'click' but they will absolutely analyze them as part of the delivery decision.

April 2021 - Spamresource.com
Expert view

Expert from Word to the Wise shares that they have seen many ISPs are now doing more than just simple click tracking. They are actively loading pages, executing javascript, and seeing what happens.

May 2021 - Word to the Wise
Expert view

Expert from Email Geeks says that Microsoft has been clicking all links for almost a year now but it seems to be rotating between different ESPs.

July 2022 - Email Geeks

What the documentation says
5Technical articles

Major email providers, like Google and Microsoft, employ automated systems to scan URLs in emails for phishing and malware protection. These systems analyze links, sometimes visiting the linked pages, to assess their content and security. Microsoft's Safe Links feature rewrites URLs for real-time checks. While Spamhaus doesn't directly click links, they maintain databases of spam sources to aid email providers in blocking spam.

Key findings

  • Automated Systems: Email providers use automated systems to check links.
  • Phishing and Malware Detection: The primary purpose of link scanning is to detect phishing and malware.
  • Google's Link Following: Gmail employs sophisticated methods, including link following, for threat detection.
  • Microsoft Safe Links: Microsoft Safe Links rewrites and checks URLs against malicious site lists.
  • Reputation Database: Spamhaus maintains databases of known spam sources.
  • Cisco Scanning: Cisco email security products analyze the reputation of the website and checking for malicious content.

Key considerations

  • Preemptive Detonation: Microsoft pre-emptively 'detonates' suspect links in a sandbox environment.
  • Content Assessment: Link analysis involves visiting the linked pages to assess their content and security.
  • Indirect Link Analysis: Spamhaus provides data that facilitates link analysis by email providers without directly clicking links themselves.
Technical article

Documentation from Cisco responds that their email security products scan URLs in emails to protect users from malware and phishing attacks. This includes analyzing the reputation of the website and checking for malicious content.

January 2023 - Cisco
Technical article

Documentation from Google explains that Gmail uses sophisticated methods, including link following, to detect phishing and malware. These automated systems analyze links to identify potentially harmful websites and protect users.

September 2024 - Google
Technical article

Documentation from RFC Editor details that some email providers employ automated systems that check links in emails as part of their spam and phishing detection mechanisms. This may involve visiting the linked pages to assess their content and security.

November 2022 - RFC-Editor.org
Technical article

Documentation from Spamhaus explains that they maintain databases of known spam sources. While they don't directly click links, they gather information about malicious URLs and use this data to help email providers block spam.

January 2025 - Spamhaus
Technical article

Documentation from Microsoft responds that their Safe Links feature in Office 365 scans URLs in email messages to protect against phishing and malware. This involves rewriting URLs and checking them against a list of known malicious sites when a user clicks on them. They also pre-emptively 'detonate' suspect links in a sandbox environment.

March 2023 - Microsoft