Analysis: Is Gmail Flagging Legitimate Mail?

Posted by Matt Moorehead 

Back in February, Gmail announced a new security update that has big implications for marketers, particularly those who are not authenticating their email properly.

If a Gmail user receives a message that can’t be authenticated with either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), the sender’s profile photo or avatar will be replaced with a red question mark:


The majority of people—97 percent according to Intel—cannot identify a sophisticated phishing message, no matter how “well educated” about email fraud they may be.

Why mailbox providers flag unauthenticated emails
By flagging unauthenticated emails as suspicious, Google is doing the heavy lifting for its users, removing the guesswork of identifying malicious emails and improving the user experience of its product. Other mailbox providers are following suit, including Microsoft, which inserts a red safety tip bar at the top of both known phishing messages and potentially legitimate messages that have failed authentication.

The problem? Many of the world’s top companies are not implementing adequate email authentication, putting their legitimate programs at risk of being flagged as malicious.

Are top brands actually getting flagged?
When Google made this update in February, Return Path offered to audit an exclusive group of marketing senders to understand whether or not their legitimate messages were getting flagged for Gmail users. If they were, we provided a plan on how to fix it. We audited a total of 152 domains across 80 global brands.  

Here’s what we found:

NOTE: These figures are not weighted by volume; they are a simple average across all domains, each counted equally.


Some of the senders we audited were best-in-class. They are protecting their domains from phishing attacks and their legitimate emails are not getting flagged as suspicious by mailbox providers like Google.

However, the authentication averages across all of the domains we audited reveal some issues. More than 20 percent of analyzed domains are failing either SPF or DKIM, leaving companies and customers vulnerable to malicious attacks and putting legitimate mail at serious risk. And nearly 5 percent of legitimate email (4.7 percent) was flagged by Google as suspicious with a red question mark because it lacked authentication.


The consequences of lost trust

If users don’t trust your email, whether because of a phishing attack or a false positive from Google, they are less likely to engage with your brand. And poor engagement can destroy the ROI of your email marketing program.

As subscriber sentiment declines, so will inbox placement rates, and reduced deliverability means reduced revenue.

Implementing DMARC is hands down the best way to keep good email in and bad email out of your customer and employee inboxes. Ready to get started? Download our step-by-step guide.
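The two checks this post relies on, Gmail's "no SPF pass and no DKIM pass" rule and the DMARC policy a domain publishes, can be reproduced from a message's Authentication-Results header and the domain's DMARC TXT record. The following is an added example, not Return Path's or Google's code; the authserv-id, domains, selectors and report address are constructed placeholders.

```python
import re

# Constructed Authentication-Results header bodies in the RFC 7601 layout.
# The authserv-id, domains and results are placeholders, not real data.
SAMPLE_HEADERS = {
    "both_pass": "mx.example.net; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example",
    "dkim_only": "mx.example.net; spf=fail smtp.mailfrom=esp.example; dkim=pass header.d=brand.example",
    "spf_only": "mx.example.net; spf=pass smtp.mailfrom=brand.example; dkim=none",
    "neither": "mx.example.net; spf=softfail smtp.mailfrom=brand.example; dkim=fail header.d=brand.example",
    "no_auth": "mx.example.net; none",
}

# Constructed DMARC TXT records as published at _dmarc.<domain>.
# p=none only monitors; p=reject tells receivers to refuse mail that fails DMARC.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@brand.example"
DMARC_ENFORCE = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@brand.example"

METHOD_RE = re.compile(r"(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header: str) -> dict:
    """Map each authentication method in an Authentication-Results body to its result."""
    results = {}
    for clause in header.split(";")[1:]:  # the first clause is the authserv-id
        m = METHOD_RE.match(clause.strip())
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def unauthenticated(header: str) -> bool:
    """The rule described in the post: flagged unless SPF or DKIM produced a pass."""
    r = parse_auth_results(header)
    return r.get("spf") != "pass" and r.get("dkim") != "pass"


def dmarc_policy(record: str) -> dict:
    """Parse a DMARC TXT record into its tags (v, p, sp, adkim, aspf, rua, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags
```

Running `unauthenticated` over a sample of a domain's received mail gives the share that would carry the red question mark, and `dmarc_policy(...)["p"]` shows whether the domain is only monitoring (none) or actually enforcing (quarantine or reject).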


About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.
