Why are my emails triggering Gmail phishing warnings and how can I fix it?

Summary

Emails trigger Gmail phishing warnings due to a combination of factors including compromised accounts, poor sender reputation, lack of email authentication (SPF, DKIM, DMARC), suspicious email content and link structure, use of URL shorteners, and mismatched hostnames in links. Gmail's machine learning identifies these issues. Solutions involve securing accounts, monitoring and improving sender reputation, implementing proper authentication, creating transparent and trustworthy content, using direct URLs, avoiding deceptive coding, managing sending volume, and providing clear sender information. User engagement is crucial for inbox placement.

Key findings

  • Bad Hosts/Compromised Machines: Linking to bad hosts or compromised machines, or to pages that request PII in a suspicious manner, triggers warnings.
  • Machine Learning: Gmail uses machine learning to identify phishing emails.
  • Suspicious Content: Suspicious email content (scare tactics, urgent language), and deceptive coding contribute to phishing flags.
  • URL Shorteners: Using URL shorteners masks link destinations and raises suspicion.
  • Mismatched Hostnames: Mismatched hostnames in links (different display text and URL) are a negative signal.
  • Compromised Accounts: Compromised email accounts lead to deliverability problems and phishing warnings.
  • Sender Reputation: Poor sender reputation (domain and IP) contributes to phishing flags.
  • Email Authentication: Lack of proper email authentication (SPF, DKIM, DMARC) makes verification difficult.
  • Sending Volume: Excessive sending volume can trigger phishing detections.
  • Email Testing: Email testing tools and seed list testing platforms let you check a message for common spam triggers before sending.
  • Click Tracking: Click and open tracking rewrite URLs, which lowers trust; disabling them can reduce the likelihood of emails landing in spam or being flagged as phishing.
  • User Engagement: User engagement with emails is critical for Gmail deliverability; testing accounts are not representative.

Key considerations

  • Secure Accounts: Identify and remediate any compromised accounts on your sending infrastructure.
  • Improve Reputation: Monitor and improve your sender reputation (domain and IP) using tools like Google Postmaster Tools.
  • Implement Authentication: Set up SPF, DKIM, and DMARC records to authenticate your emails.
  • Create Trustworthy Content: Avoid scare tactics, urgent language, deceptive coding, and suspicious PII requests.
  • Use Direct URLs: Use direct URLs instead of URL shorteners and ensure linked content is safe.
  • Match Hostnames: Ensure display text and underlying URLs of links match to avoid suspicion.
  • Manage Sending Volume: Adjust your sending volume to resemble more natural, personal email patterns.
  • Clear Sender Information: Provide clear and complete sender information in all emails.
  • Test Emails: Use testing tools to check for common spam triggers before sending emails.
  • User Engagement: Prioritise user engagement by sending valuable and relevant content.
  • Disable Click Tracking: Consider disabling click tracking or open tracking to minimise trust issues associated with URL rewriting.

What email marketers say
10 marketer opinions

Emails can trigger Gmail phishing warnings due to various factors related to sender reputation, authentication, content, and link structure. Poor domain or IP reputation, lack of proper email authentication (SPF, DKIM, DMARC), deceptive content, and suspicious links are common causes. Additionally, sending volume, incomplete sender information, and incorrect DKIM setup can contribute to the issue. Maintaining a good sender reputation, ensuring proper authentication, avoiding deceptive practices, and providing clear sender information are key to resolving these warnings.

Key opinions

  • Authentication: Proper email authentication (SPF, DKIM, DMARC) is crucial to verify sender legitimacy and prevent spoofing.
  • Content: Deceptive content, scare tactics, and urgent language can trigger phishing warnings.
  • Sender Reputation: Maintaining a good sender reputation (IP and domain) is essential to avoid being blacklisted.
  • Links: Suspicious links, including shortened URLs and mismatched display text, can lead to phishing flags.
  • Sending Volume: High sending volume, especially if not resembling personal email patterns, can trigger warnings.
  • Sender Info: Providing clear and complete sender information is crucial for building trust.
  • Domain/URL reputation: Sending domain or URL in the content might be associated with bad behavior.
  • Email Testing: Email testing tools and seed list testing platforms let you check a message for common spam triggers before sending.
  • Click Tracking: Click and open tracking rewrite URLs, which lowers trust; disabling them can reduce the likelihood of emails landing in spam or being flagged as phishing.

Key considerations

  • Implement Authentication: Set up SPF, DKIM, and DMARC records to authenticate your sending domain and verify your emails.
  • Review Content: Avoid using scare tactics, urgent language, or deceptive coding in your email content.
  • Monitor Reputation: Regularly monitor your sender reputation using tools like Google Postmaster Tools and address any issues promptly.
  • Use Direct URLs: Use full, direct URLs instead of URL shorteners and ensure the linked content is trustworthy.
  • Adjust Sending Volume: Gradually increase your sending volume and avoid sending too many emails at once, especially when starting with a new IP or domain.
  • Provide Clear Information: Ensure your "From" name and email address are easily recognizable, and include a physical address in your email footer.
  • Test Your Emails: Use email testing tools and seed list testing platforms to test the mail and check for common spam triggers.
  • Disable Click Tracking: Consider disabling click tracking or open tracking to minimise trust issues associated with URL rewriting.

Marketer view

Email marketer from Reddit explains that one reason for phishing flags could be the use of URL shorteners. These can mask the true destination of a link, which raises suspicion. Using the full, direct URL is better, and ensuring the linked content is trustworthy is essential.

December 2024 - Reddit
Marketer view

Email marketer from Stack Overflow advises checking that your DKIM (DomainKeys Identified Mail) setup is correct. Incorrect DKIM records can cause authentication failures, leading to phishing flags. Use online DKIM validators to verify your record.

December 2021 - Stack Overflow
Marketer view

Email marketer from Gmass responds that even with perfect authentication, sending too many emails at once can trigger warnings. Gmail is more forgiving to emails that are sent more like personal emails rather than bulk emails. Ensure your sending volume is reasonable and gradually increase it.

August 2022 - Gmass
Marketer view

Email marketer from Email Geeks suspects that a sending domain or URL in the content might be associated with bad behavior. He also notes that deceptive coding, such as hiding content using HTML and CSS, can trigger phishing warnings.

January 2024 - Email Geeks
Marketer view

Email marketer from Litmus explains that maintaining a good sender reputation is crucial. This includes ensuring your IP address and domain are not blacklisted. Monitor your sender reputation using tools like Google Postmaster Tools and promptly address any issues you find.

June 2024 - Litmus
Marketer view

Email marketer from SuperOffice shares that providing clear and complete sender information is essential. Ensure your "From" name and email address are easily recognizable, and include a physical address in your email footer to comply with CAN-SPAM regulations.

April 2024 - SuperOffice
Marketer view

Email marketer from Email Marketing Forum explains that using reputable email testing tools and seed list testing platforms can help you to test the mail and check for common spam triggers before sending to the entire email list.

March 2024 - Email Marketing Forum
Marketer view

Email marketer from Email on Acid shares that the content of your email can trigger phishing warnings. Avoid using scare tactics, urgent language, or anything that pressures the recipient into immediate action. Make sure your email is clear, concise, and professional.

August 2024 - Email on Acid
Marketer view

Email marketer from Sendgrid shares that disabling click tracking and open tracking will affect the likelihood of emails going into spam/phishing as URL rewriting affects the trust.

May 2022 - Sendgrid
Marketer view

Email marketer from Mailjet shares that proper email authentication (SPF, DKIM, DMARC) is crucial. Phishing emails often lack these authentications, so implementing them can significantly reduce the likelihood of your emails being flagged. They advise verifying your sending domain and setting up these protocols correctly.

June 2024 - Mailjet

What the experts say
8 expert opinions

Emails trigger Gmail phishing warnings due to factors like linking to bad hosts or compromised machines, suspicious requests for personal information, content and link structure issues, using bare hostnames in links, compromised accounts, and poor domain/IP reputation. Proper authentication (SPF, DKIM, DMARC) and user engagement are critical for deliverability. Fixing compromised accounts and improving domain reputation are also essential.

Key opinions

  • Bad Hosts/Compromised Machines: Linking to bad hosts or compromised machines is a major cause of phishing warnings.
  • Suspicious PII Requests: Linking to pages requesting Personally Identifiable Information (PII) in a suspicious manner triggers warnings.
  • Link Structure: Poor content and link structure contribute to phishing warnings.
  • Bare Hostnames: Using bare hostnames in links (display text differing from the actual URL) is a significant negative signal.
  • User Engagement: User engagement with emails is critical for Gmail deliverability; testing accounts are not representative.
  • Compromised Accounts: Compromised accounts lead to deliverability problems and phishing warnings.
  • Domain/IP Reputation: Poor domain and IP reputation results in phishing warnings and deliverability issues.
  • Authentication: Proper authentication (SPF, DKIM, DMARC) is essential to verify sender legitimacy.

Key considerations

  • Review Linked Hosts: Ensure links point to reputable and secure hosts.
  • Avoid Suspicious Requests: Do not link to pages that suspiciously request personal information.
  • Correct Link Structure: Ensure proper content and link structure, avoiding deceptive practices.
  • Avoid Bare Hostnames: Avoid using bare hostnames in links; ensure display text matches the URL destination.
  • Focus on Engagement: Prioritize user engagement by sending valuable and relevant content.
  • Secure Accounts: Identify and remediate any compromised accounts on your sending infrastructure.
  • Monitor Reputation: Regularly monitor your domain and IP reputation using tools like Google Postmaster Tools.
  • Implement Authentication: Implement SPF, DKIM, and DMARC to authenticate your sending domain.

Expert view

Expert from Email Geeks explains that linking to bad hosts or compromised machines are major causes of phishing warnings in Gmail. Also, linking to a page requesting PII in a suspicious manner can trigger warnings.

October 2023 - Email Geeks
Expert view

Expert from Email Geeks suggests that email content and link structure, especially linking to bad hosts, are likely causes for phishing warnings. He emphasizes the importance of alt tags and the need to put them back.

December 2024 - Email Geeks
Expert view

Expert from Email Geeks emphasizes the importance of user engagement for Gmail deliverability. If subscribers actively engage with emails, they are more likely to land in the inbox. Testing accounts are not representative of a real audience.

May 2021 - Email Geeks
Expert view

Expert from Word to the Wise explains that compromised accounts are a common cause of deliverability problems and phishing warnings. She recommends identifying and remediating any compromised accounts on your sending infrastructure as a crucial step.

November 2022 - Word to the Wise
Expert view

Expert from Word to the Wise discusses the importance of proper authentication (SPF, DKIM, DMARC) to prevent phishing attacks. He mentions that without proper authentication, email providers cannot verify the sender's legitimacy, leading to phishing warnings and other security measures.

July 2021 - Word to the Wise
Expert view

Expert from Spam Resource emphasizes the importance of monitoring your domain reputation and IP reputation. They share that a poor domain or IP reputation can lead to phishing warnings and other deliverability issues. Regularly check your reputation with tools like Google Postmaster Tools and Microsoft SNDS.

March 2022 - Spam Resource
Expert view

Expert from Email Geeks elaborates on the bare hostname issue, explaining that if the visible text of a link is different from the actual URL (e.g., groups.google.com displayed but linking to ct.sendgrid.net), it's a significant negative signal and should be avoided.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks states that using hostnames in the display text of a link while pointing to a different hostname in the `href` attribute will generate phishing warnings. She recommends avoiding this practice.

November 2024 - Email Geeks
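The two Email Geeks posts above describe the same signal: link text that reads as a hostname while the `href` goes somewhere else. The following pre-send check is an added example (not code from the page or from any of the quoted sources) that scans an HTML body for exactly that mismatch; the sample HTML is constructed here and reuses the groups.google.com / ct.sendgrid.net pair the post mentions, and the "looks like a hostname" regex is a heuristic of this example, not Gmail's rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text that reads as a hostname or URL, e.g. "example.com" or "https://example.com/x"
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, None outside links
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_mismatches(html):
    """Return [(shown_host, actual_host)] for links whose visible hostname differs from the href host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = HOSTLIKE.match(text)
        if not match:
            continue  # ordinary words as link text carry no hostname to compare
        shown = match.group(1).lower()
        actual = (urlparse(href).hostname or "").lower()
        if shown != actual:
            findings.append((shown, actual))
    return findings


# Constructed sample: a tracking-wrapped link showing a hostname, an honest link, and a plain-text link
SAMPLE_HTML = """
<p>Join the discussion at <a href="https://ct.sendgrid.net/ls/click?upn=abc">groups.google.com</a>.</p>
<p>Docs: <a href="https://example.com/docs">https://example.com/docs</a></p>
<p><a href="https://ct.sendgrid.net/ls/click?upn=def">Read the announcement</a></p>
"""

if __name__ == "__main__":
    for shown, actual in hostname_mismatches(SAMPLE_HTML):
        print(f"mismatch: link text shows {shown!r} but href goes to {actual!r}")
```

Only the first sample link is reported: its text names one host while the tracking redirect points at another, which is the pattern the posts say to avoid; a tracked link with ordinary words as its text is not flagged.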

What the documentation says
5 technical articles

Emails trigger Gmail phishing warnings due to various factors identified by machine learning, including suspicious links, requests for personal information, and deceptive content. Implementing proper email authentication (SPF, DKIM, DMARC) is crucial for verifying sender legitimacy and preventing spoofing. Services like Microsoft Safe Links rewrite URLs to check for malicious sites. To prevent triggering warnings, ensure clear and legitimate links, avoid asking for sensitive data, maintain transparent communication, and set up accurate SPF records and strict DMARC policies.

Key findings

  • Machine Learning: Gmail uses machine learning to identify phishing emails.
  • Suspicious Elements: Suspicious links, requests for personal information, and deceptive content trigger phishing warnings.
  • SPF Records: SPF records verify the sending mail server's authorization to send emails on behalf of your domain.
  • DMARC Policy: DMARC allows setting a policy for handling emails that fail SPF and DKIM checks.
  • DKIM: DKIM verifies the domain name identity and message integrity using cryptographic signatures.
  • Safe Links: Safe Links rewrites URLs to check for malicious sites before the user accesses them.

Key considerations

  • Ensure Clear Links: Use clear and legitimate links in your emails.
  • Avoid Sensitive Data Requests: Avoid asking for sensitive personal information in emails.
  • Maintain Transparency: Maintain transparent and clear communication in your emails.
  • Set Up SPF: Ensure your SPF record accurately lists all legitimate sending sources.
  • Implement DMARC: Implement a strict DMARC policy to prevent email spoofing.
  • Ensure DKIM: Implement DKIM so receivers can verify your domain identity and message integrity.
  • URL Redirects: Avoid creating URL redirects as this can also trigger warnings.

Technical article

Documentation from DMARC.org describes that DMARC (Domain-based Message Authentication, Reporting & Conformance) allows you to set a policy for how receiving mail servers should handle emails that fail SPF and DKIM checks. Implementing a strict DMARC policy (e.g., reject) helps prevent email spoofing and protects your domain's reputation.

July 2023 - DMARC.org
Technical article

Documentation from IETF describes that DKIM (DomainKeys Identified Mail) is used to verify the domain name identity of an email sender and the integrity of the message. It provides a cryptographic signature that can be validated by the recipient's mail server, helping to prevent email spoofing and phishing attacks.

December 2023 - IETF
Technical article

Documentation from Microsoft explains that Safe Links rewrites URLs in inbound email messages to point to Microsoft. When a user clicks a link in a message, the URL is rewritten and goes through Microsoft Defender for Office 365, checking against a list of malicious sites. If a link is deemed malicious, the user is warned. It also advises not creating URL redirects as this can also trigger warnings.

October 2022 - Microsoft
Technical article

Documentation from RFC Editor details that SPF (Sender Policy Framework) records help verify that the sending mail server is authorized to send emails on behalf of your domain. Ensure your SPF record accurately lists all legitimate sending sources to prevent unauthorized spoofing and reduce the chance of being flagged as phishing.

July 2022 - RFC Editor
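The DMARC.org and RFC Editor articles above say what a sound record looks like (an SPF record that lists all legitimate sources and nothing more, a DMARC policy stricter than monitoring). This linter is an added example, not code from the page or from either organisation: it takes the TXT record strings as input so it runs offline (fetching them over DNS is left to the caller), and the sample records are constructed. The ten-lookup limit it enforces is the one RFC 7208 defines for SPF.

```python
# RFC 7208 caps SPF terms that cause DNS queries (include, a, mx, ptr, exists, redirect) at 10
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record):
    """Return the problems found in an SPF TXT record (empty list means it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    # Mechanism/modifier name without its qualifier (+ - ~ ?), argument or CIDR suffix
    names = [t.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("'+all' authorizes every host, so SPF proves nothing")
    elif last == "?all":
        problems.append("'?all' is neutral; use '-all' or '~all'")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("no terminal 'all' mechanism, unlisted senders get a neutral result")
    return problems


def lint_dmarc(record):
    """Return the problems found in a DMARC TXT record (empty list means it looks sound)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        problems.append("no rua= address, so you receive no aggregate reports")
    return problems


# Constructed sample records: a weak pair and a hardened pair
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, lint in (("SPF", WEAK_SPF, lint_spf), ("DMARC", WEAK_DMARC, lint_dmarc)):
        print(label, "->", lint(rec) or "ok")
```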
Technical article

Documentation from Google Support explains that Gmail uses machine learning to identify phishing emails. Several factors contribute to this, including suspicious links, requests for personal information, and deceptive content. To prevent triggering these warnings, ensure your emails have clear and legitimate links, avoid asking for sensitive data, and maintain transparent communication.

April 2021 - Google Support