All my businesses emails with links are going to recipient's spam! Help!
May 10, 2023 9:04 PM Subscribe
All of the sudden, a huge amount emails sent from all users at my small business are going to spam and not seen by our recipients, and it's absolutely crazy-making, as it means our proposals and invoices are not being seen. I've spent weeks on this with our IT consultants and have gotten nowhere so it's time to consult the green. Please help!
So just some background info here... I've had this domain and business for nearly 17 years. Nothing major has changed recently. All DKIM/SPF/DMARC stuff has always been set up and worked flawlessly. All of this is managed through Google Apps for Business. (or whatever it's called now).
We have a custom built quoting and invoicing system, and this generates websites for all our paperwork which gets sent as a link in an email.
Around four weeks ago all of my staff members reported that their clients were not receiving any of their paperwork and invoices were going unpaid and it was causing all sorts of chaos.
We immediately flagged this with our IT company and Google Reseller, and we started troubleshooting and we went pretty deep. All DNS stuff has been double-checked, all links and images are stripped out of signatures. I even went so far as to apply for a trademark on our logo so we can get a BIMI DNS record which is still processing. I got email headers and .eml files from our clients who found our notes in spam and sent it all off to be examined. The only thing they found was this coming up in in a few emails:
Our team discussed this issue together and we discovered that when we sent similar emails through one of your workspace accounts, business accounts flagged them as spam and sent them to the Junk Email folder. By analyzing the email header, we observed that one of the spam filtering sections was as follows:
X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506478)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
In this specific line, various abbreviations and codes indicate the email's filtering status:
ucf, jmr, and auth: These abbreviations represent different filtering mechanisms, with "0" indicating that the filter did not classify the email as spam for each respective mechanism.
dest:J: This indicates that the destination folder for this email is "Junk" (J), meaning the email has been classified as junk or spam.
OFR:SpamFilterAuthJ: This indicates the email was processed by the "SpamFilterAuthJ" filtering mechanism.
ENG: This is a list of filtering engine versions used to process the email.
RF:JunkEmail: This indicates that the email was classified as "Junk Email" based on the filtering rules applied.
Since the initial abbreviations were 0, it means the email was not classified as spam for any of the 3 filters. But for the spam filtering engine, it seems to be processing the mail to junk. To go through more, we tried to look into more details but microsoft doesn't provide a lot of info and a lot of other users are facing the problem since a long time:
(followed by a screenshot in 2020 of someone who had a similar issue).
We've sort of hit a dead and it's still happening and driving me absolutely crazy as this is mission critical stuff we're sending out and I have staff now resorting to using their personal email accounts.
While we haven't identified an obvious pattern yet, it does look like emails that contain links to our quoting system (or to anything, even things like calendly) seem to be tripping the Spam alarm.
Where do I go from here? Are there any specialists in this area I can engage? Has anyone else had this happen? How can I troubleshoot and get to the bottom of it so we can get our emails working as normal? Even willing to move away from Google if that's needed (though not sure how I would live without Superhuman...) Just feeling a bit desperate!
Thank you!
So just some background info here... I've had this domain and business for nearly 17 years. Nothing major has changed recently. All DKIM/SPF/DMARC stuff has always been set up and worked flawlessly. All of this is managed through Google Apps for Business. (or whatever it's called now).
We have a custom built quoting and invoicing system, and this generates websites for all our paperwork which gets sent as a link in an email.
Around four weeks ago all of my staff members reported that their clients were not receiving any of their paperwork and invoices were going unpaid and it was causing all sorts of chaos.
We immediately flagged this with our IT company and Google Reseller, and we started troubleshooting and we went pretty deep. All DNS stuff has been double-checked, all links and images are stripped out of signatures. I even went so far as to apply for a trademark on our logo so we can get a BIMI DNS record which is still processing. I got email headers and .eml files from our clients who found our notes in spam and sent it all off to be examined. The only thing they found was this coming up in in a few emails:
Our team discussed this issue together and we discovered that when we sent similar emails through one of your workspace accounts, business accounts flagged them as spam and sent them to the Junk Email folder. By analyzing the email header, we observed that one of the spam filtering sections was as follows:
X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506478)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
In this specific line, various abbreviations and codes indicate the email's filtering status:
ucf, jmr, and auth: These abbreviations represent different filtering mechanisms, with "0" indicating that the filter did not classify the email as spam for each respective mechanism.
dest:J: This indicates that the destination folder for this email is "Junk" (J), meaning the email has been classified as junk or spam.
OFR:SpamFilterAuthJ: This indicates the email was processed by the "SpamFilterAuthJ" filtering mechanism.
ENG: This is a list of filtering engine versions used to process the email.
RF:JunkEmail: This indicates that the email was classified as "Junk Email" based on the filtering rules applied.
Since the initial abbreviations were 0, it means the email was not classified as spam for any of the 3 filters. But for the spam filtering engine, it seems to be processing the mail to junk. To go through more, we tried to look into more details but microsoft doesn't provide a lot of info and a lot of other users are facing the problem since a long time:
(followed by a screenshot in 2020 of someone who had a similar issue).
We've sort of hit a dead and it's still happening and driving me absolutely crazy as this is mission critical stuff we're sending out and I have staff now resorting to using their personal email accounts.
While we haven't identified an obvious pattern yet, it does look like emails that contain links to our quoting system (or to anything, even things like calendly) seem to be tripping the Spam alarm.
Where do I go from here? Are there any specialists in this area I can engage? Has anyone else had this happen? How can I troubleshoot and get to the bottom of it so we can get our emails working as normal? Even willing to move away from Google if that's needed (though not sure how I would live without Superhuman...) Just feeling a bit desperate!
Thank you!
I don't know enough about the current email filtration systems, and I've not been an IT professional for way too many years to be current on the latest methods. But I know this kind of issue has been around for more than 20 years (i.e. yahoo used to be terrible for it). I know the larger players are pushing more and more independent email hosts to move to their paid platform (so you don't get your emails blocked by their servers as often). However, as you say you're already sending your emails via the Google mail servers (with the paid addition to use your own domain), so that shouldn't apply.
Based on your description, if your auto-created website link that's included in your emails has a long alpha-numeric string after your domain name (to link to the custom invoice, etc.), then that's perhaps similar to one of the semi-common methods used by spammers in plain text emails, to confirm an email address is active (as each link is unique to that email address), so they can spam it more as soon as the link is loaded.
So maybe, in terms of content pattern matching junk mail for real business email, that may be what's flagging it?
Similarly, if you're sending out lots of very similar but only subtly different messages each day to the same main servers, that could be getting flagged by the pattern matching of spam too.
I think you indicate that if you don't include the web link (but all other details remain the same), it doesn't get filtered? And if the same email content (with all the links) is sent from a personal and non-your-business-domain-email, that also gets through the junk filters?
Could the content of your unique weblink, be converted to a .pdf attachment instead? Would that flag up less? (I appreciate your custom finance software however is unlikely to be cheap or easy to recode).
Further, is there perhaps now also an out of date link on your website to another website, of which that other site has now been blacklisted by web-crawlers (because spammers have taken over that other domain).. so now your own domain URL is getting down-rated, which has perhaps triggered the extra filtering on your web-links a month ago if your main URL doesn't have the same high standing it used to?
posted by many-things at 12:10 AM on May 11, 2023
Based on your description, if your auto-created website link that's included in your emails has a long alpha-numeric string after your domain name (to link to the custom invoice, etc.), then that's perhaps similar to one of the semi-common methods used by spammers in plain text emails, to confirm an email address is active (as each link is unique to that email address), so they can spam it more as soon as the link is loaded.
So maybe, in terms of content pattern matching junk mail for real business email, that may be what's flagging it?
Similarly, if you're sending out lots of very similar but only subtly different messages each day to the same main servers, that could be getting flagged by the pattern matching of spam too.
I think you indicate that if you don't include the web link (but all other details remain the same), it doesn't get filtered? And if the same email content (with all the links) is sent from a personal and non-your-business-domain-email, that also gets through the junk filters?
Could the content of your unique weblink, be converted to a .pdf attachment instead? Would that flag up less? (I appreciate your custom finance software however is unlikely to be cheap or easy to recode).
Further, is there perhaps now also an out of date link on your website to another website, of which that other site has now been blacklisted by web-crawlers (because spammers have taken over that other domain).. so now your own domain URL is getting down-rated, which has perhaps triggered the extra filtering on your web-links a month ago if your main URL doesn't have the same high standing it used to?
posted by many-things at 12:10 AM on May 11, 2023
We have a custom built quoting and invoicing system, and this generates websites for all our paperwork which gets sent as a link in an email.
Do you have a trusted client or two for whom you could test providing a link to the paperwork in a Google drive folder ? I.e. remove all links to your generated sites from the otherwise unchanged mails and see if they get through.
This might flag up the problem as originating from some change in classification of the paperwork sites, rather than the email setup itself. Have those sites been audited for security, domain reputation etc etc ?
posted by protorp at 2:46 AM on May 11, 2023
Do you have a trusted client or two for whom you could test providing a link to the paperwork in a Google drive folder ? I.e. remove all links to your generated sites from the otherwise unchanged mails and see if they get through.
This might flag up the problem as originating from some change in classification of the paperwork sites, rather than the email setup itself. Have those sites been audited for security, domain reputation etc etc ?
posted by protorp at 2:46 AM on May 11, 2023
Something similar happened to me a couple of years ago. I panic-moved my email hosting to a new 3rd party provider (away from the website host) and the problem was fixed as soon as DNS finished resolving.
posted by missmobtown at 7:03 AM on May 11, 2023
posted by missmobtown at 7:03 AM on May 11, 2023
Does your domain have an SPF line in the DNS, and does it include the server that the emails are coming from? If you have a custom server sending the emails, it may be doing outgoing emails on itself rather than your normal email server.
Another thing to consider is whether you're hosting hosting a website with a "contact us" form that may be being abused by spammers, sending emails through your website? Google is one that will go "we're getting a lot of spam from your server so we're treating everything as junk" if your SMTP server is spitting out a lot of bad emails.
posted by AzraelBrown at 7:06 AM on May 11, 2023
Another thing to consider is whether you're hosting hosting a website with a "contact us" form that may be being abused by spammers, sending emails through your website? Google is one that will go "we're getting a lot of spam from your server so we're treating everything as junk" if your SMTP server is spitting out a lot of bad emails.
posted by AzraelBrown at 7:06 AM on May 11, 2023
You can turn on DMARC reports for your domain if you haven't already. This may give you some additional information that could help. (Warning: they can be spammy.)
Google Workspace's information on how to do this may be found here. Make sure the
I would also follow these instructions for DMARC troubleshooting if you haven't... I'm sure your consultants have run through similar but it's probably worth doing yourself.
posted by kdar at 8:00 AM on May 11, 2023
Google Workspace's information on how to do this may be found here. Make sure the
rua=mailto:postmaster@metafilter.com part of the DMARC record is turned on.I would also follow these instructions for DMARC troubleshooting if you haven't... I'm sure your consultants have run through similar but it's probably worth doing yourself.
posted by kdar at 8:00 AM on May 11, 2023
If you send an identical email, including link, from a work email account, with the same "From" address, does that work? i.e. is the problem with "all emails with links like this sent from our domain" or "all emails sent from our invoicing system"?
posted by fabius at 9:39 AM on May 11, 2023
posted by fabius at 9:39 AM on May 11, 2023
Are the recipients reporting the junk mail problem all work at the same company or many companies? If they are many companies, do they share the same email hosting or email security vendor (e.g. Google, Office 365, Proofpoint, etc.)?
If the problem exists with seemingly one vendor's email security software this might be a new ruleset that is uniformly impacting you across your customers. Email bad actors are always changing tactics so email security vendors are constantly changing to keep up and sometimes there is negative consequences to the changes.
Are you friendly enough with any of your recipients that you can ask them to report this to their IT i.e. "this important legitimate business email is being reported as Junk Mail. Why is that happening and what can be done to correct it?" This will probably only work if you have a customer large enough to have an email IT person sufficiently dedicated to searching admin consoles and raising tickets to their vendors. Realistically, until you find out why your recipient system is flagging the message, you can't make a judgement on if you can realistically change your behavior to mitigate the negative reaction.
posted by mmascolino at 9:54 AM on May 11, 2023 [1 favorite]
If the problem exists with seemingly one vendor's email security software this might be a new ruleset that is uniformly impacting you across your customers. Email bad actors are always changing tactics so email security vendors are constantly changing to keep up and sometimes there is negative consequences to the changes.
Are you friendly enough with any of your recipients that you can ask them to report this to their IT i.e. "this important legitimate business email is being reported as Junk Mail. Why is that happening and what can be done to correct it?" This will probably only work if you have a customer large enough to have an email IT person sufficiently dedicated to searching admin consoles and raising tickets to their vendors. Realistically, until you find out why your recipient system is flagging the message, you can't make a judgement on if you can realistically change your behavior to mitigate the negative reaction.
posted by mmascolino at 9:54 AM on May 11, 2023 [1 favorite]
A possible work-around: convert your links to plaintext and teach your clients to click-click select, right click goto link.
posted by at at 7:33 PM on May 11, 2023
posted by at at 7:33 PM on May 11, 2023
A possible work-around: convert your links to plaintext and teach your clients to click-click select, right click goto link.
All modern mail clients will turn a plaintext URL into a clickable link.
But I'd be surprised if there was a spam filter that applies rules based on links in HTML emails, but ignores URLs in plaintext-only emails.
posted by fabius at 5:25 AM on May 12, 2023
All modern mail clients will turn a plaintext URL into a clickable link.
But I'd be surprised if there was a spam filter that applies rules based on links in HTML emails, but ignores URLs in plaintext-only emails.
posted by fabius at 5:25 AM on May 12, 2023
« Older Mosquitoes in the Bedroom: Prevention and Cure | How can I make this frequency sweep sound? Newer »
This thread is closed to new comments.
Might not be able to help, but I can look. - gible
posted by gible at 11:19 PM on May 10, 2023 [2 favorites]