Analysis: Is Gmail Flagging Legitimate Mail?

Posted by Matt Moorehead on

Back in February, Gmail announced a new security update that has big implications for marketers, particularly those who are not authenticating their email properly.

If a Gmail user receives a message that can’t be authenticated with either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), the sender’s profile photo or avatar will be replaced with a red question mark:

[Image: screenshot of the red question mark shown in place of the sender's avatar in Gmail]

The majority of people—97 percent according to Intel—cannot identify a sophisticated phishing message, no matter how “well educated” about email fraud they may be.

Why mailbox providers flag unauthenticated emails

By flagging unauthenticated emails as suspicious, Google is doing the heavy lifting for its users, removing the guesswork of identifying malicious emails and improving the user experience of its product. Other mailbox providers are following suit, including Microsoft, which inserts a red safety tip bar at the top of both known phishing messages and potentially legitimate messages that have failed authentication.

The problem? Many of the world’s top companies are not implementing adequate email authentication, putting their legitimate programs at risk of being flagged as malicious.

Are top brands actually getting flagged?

When Google made this update in February, Return Path offered to audit an exclusive group of marketing senders to understand whether or not their legitimate messages were getting flagged for Gmail users. If they were, we provided a plan on how to fix it. We audited a total of 152 domains across 80 global brands.

Here’s what we found:

NOTE: These figures are NOT weighted by volume; they are simply an average of all domains on equal footing.

[Image: chart of the audit results]

Some of the senders we audited were best-in-class. They are protecting their domains from phishing attacks and their legitimate emails are not getting flagged as suspicious by mailbox providers like Google.

However, the authentication averages across all of the domains we audited reveal some issues. More than 20 percent of analyzed domains are failing either SPF or DKIM, leaving companies and customers vulnerable to malicious attacks and putting legitimate mail at serious risk. And nearly 5% of legitimate email (4.7%) was flagged by Google as suspicious with a red question mark due to lack of authentication.
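A sender can run the same kind of check on its own mail by reading the Authentication-Results header that receivers stamp on delivered messages. The sketch below is an added example, not Return Path's audit tooling: the header samples are constructed, the function names are hypothetical, and it assumes a message is at risk of the flag when neither SPF nor DKIM reports a pass.

```python
import re
from collections import defaultdict

# Constructed sample: (sending domain, Authentication-Results header value) per message.
SAMPLE = [
    ("a.example", "mx.example.net; dkim=pass header.i=@a.example; spf=pass smtp.mailfrom=a.example"),
    ("a.example", "mx.example.net; dkim=pass header.i=@a.example; spf=pass smtp.mailfrom=a.example"),
    ("b.example", "mx.example.net; dkim=fail header.i=@b.example; spf=pass smtp.mailfrom=b.example"),
    ("b.example", "mx.example.net; dkim=pass header.i=@b.example; spf=pass smtp.mailfrom=b.example"),
    ("c.example", "mx.example.net; dkim=none; spf=softfail smtp.mailfrom=c.example"),
    # Two DKIM signatures on one message: one passing signature is enough.
    ("c.example", "mx.example.net; dkim=fail header.i=@esp.example; dkim=pass header.i=@c.example; spf=fail smtp.mailfrom=c.example"),
    ("d.example", "mx.example.net; dkim=pass header.i=@d.example; spf=pass smtp.mailfrom=d.example"),
]

# Each result appears as "; method=result" after the receiver's identifier.
METHOD_RE = re.compile(r";\s*(spf|dkim)=([a-z]+)", re.IGNORECASE)

def auth_passes(header):
    """Return which of SPF/DKIM has at least one 'pass' result in the header."""
    passed = {"spf": False, "dkim": False}
    for method, result in METHOD_RE.findall(header):
        if result.lower() == "pass":
            passed[method.lower()] = True
    return passed

def audit(messages):
    """Per-domain counts of SPF failures, DKIM failures and fully unauthenticated mail."""
    stats = defaultdict(lambda: {"total": 0, "spf_fail": 0, "dkim_fail": 0, "unauth": 0})
    for domain, header in messages:
        ok, d = auth_passes(header), stats[domain]
        d["total"] += 1
        d["spf_fail"] += not ok["spf"]
        d["dkim_fail"] += not ok["dkim"]
        d["unauth"] += not (ok["spf"] or ok["dkim"])  # assumed flag condition: neither passes
    return dict(stats)

def summarize(stats):
    """Averages with every domain on equal footing (not weighted by volume)."""
    n = len(stats)
    failing = sum(1 for d in stats.values() if d["spf_fail"] or d["dkim_fail"])
    flagged = sum(d["unauth"] / d["total"] for d in stats.values()) / n
    return {"domains": n,
            "pct_domains_failing_spf_or_dkim": 100 * failing / n,
            "avg_pct_mail_unauthenticated": 100 * flagged}

if __name__ == "__main__":
    print(summarize(audit(SAMPLE)))
```

On this sample one of seven messages is unauthenticated (about 14 percent by volume), but the equal-footing average across the four domains is 12.5 percent, which is why the weighting matters when reading such figures.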


The consequences of lost trust

If users don’t trust your email, whether because of a phishing attack or a false flag by Google, they are less likely to engage with your brand. And poor engagement can destroy the ROI of your email marketing program.

As subscriber sentiment declines, so will inbox placement rates, and with reduced deliverability comes reduced revenue.

Implementing DMARC is hands down the best way to keep good email in and bad email out of your customer and employee inboxes. Ready to get started? Download our step-by-step guide.



About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.
