Analysis: Is Gmail Flagging Legitimate Mail?

Back in February, Gmail announced a new security update that has big implications for marketers, particularly those who are not authenticating their email properly.

If a Gmail user receives a message that can’t be authenticated with either SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), the sender’s profile photo or avatar will be replaced with a red question mark:


The majority of people—97 percent according to Intel—cannot identify a sophisticated phishing message, no matter how “well educated” about email fraud they may be.

Why mailbox providers flag unauthenticated emails
By flagging unauthenticated emails as suspicious, Google is doing the heavy lifting for its users, removing the guesswork of identifying malicious emails and improving the user experience of their product. Other mailbox providers are following suit, including Microsoft, which inserts a red safety tip bar at the top of both known phishing messages and potentially legitimate messages that have failed authentication.

The problem? Many of the world’s top companies are not implementing adequate email authentication, putting their legitimate programs at risk of being flagged as malicious.

Are top brands actually getting flagged?
When Google made this update in February, Return Path offered to audit an exclusive group of marketing senders to understand whether or not their legitimate messages were getting flagged for Gmail users. If they were, we provided a plan on how to fix it. We audited a total of 152 domains across 80 global brands.  

Here’s what we found:

NOTE: These figures are NOT weighted by volume; they are a simple average of all domains on equal footing.


Some of the senders we audited were best-in-class. They are protecting their domains from phishing attacks and their legitimate emails are not getting flagged as suspicious by mailbox providers like Google.

However, the authentication averages across all of the domains we audited reveal some issues. More than 20 percent of analyzed domains are failing either SPF or DKIM, leaving companies and customers vulnerable to malicious attacks and putting legitimate mail at serious risk. And nearly 5 percent of legitimate email (4.7 percent) was flagged by Google as suspicious with a red question mark because it lacked authentication.


The consequences of lost trust

If users don’t trust your email, whether because of a phishing attack or a false flag by Google, they are less likely to engage with your brand. And poor engagement can destroy the ROI of your email marketing program.

As subscriber sentiment declines, so will inbox placement rates, and reduced deliverability means reduced revenue.

Implementing DMARC is hands down the best way to keep good email in and bad email out of your customer and employee inboxes. Ready to get started? Download our step-by-step guide.
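The two checks this post rests on, as an added example rather than anything from Return Path's audit tooling: the rule described above (a message that passes neither SPF nor DKIM gets the red question mark) applied to the Authentication-Results header that a receiving mailbox provider stamps on each message, and a reader for the p= policy in a DMARC TXT record. The header strings and the domain names are constructed samples, not real mail.

```python
"""Classify messages by the flagging rule the post describes, and read DMARC policy."""
import re

# Constructed Authentication-Results headers as a receiver would add them (sample data).
SAMPLE_HEADERS = {
    "newsletter-pass": "mx.example.test; dkim=pass header.i=@brand.example; "
                       "spf=pass smtp.mailfrom=bounce.brand.example; dmarc=pass",
    "spf-only":        "mx.example.test; spf=pass smtp.mailfrom=esp.example; dkim=none",
    "both-fail":       "mx.example.test; spf=fail smtp.mailfrom=brand.example; "
                       "dkim=fail header.i=@brand.example",
    "missing":         "mx.example.test; dmarc=none",
}

RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)")


def auth_results(header):
    """Return {'spf': result, 'dkim': result}; a method that is absent counts as 'none'."""
    found = {"spf": "none", "dkim": "none"}
    for method, result in RESULT_RE.findall(header.lower()):
        found[method] = result
    return found


def would_be_flagged(header):
    """True when neither SPF nor DKIM passed, the condition for the red question mark."""
    r = auth_results(header)
    return r["spf"] != "pass" and r["dkim"] != "pass"


def audit(headers):
    """Unweighted flag rate over a set of messages plus the names that would be flagged."""
    flagged = [name for name, h in headers.items() if would_be_flagged(h)]
    return len(flagged) / len(headers), flagged


def dmarc_policy(txt_record):
    """Return the p= policy ('none', 'quarantine', 'reject') from a DMARC TXT record,
    or None when the record is not a DMARC record at all."""
    tags = dict(tag.strip().split("=", 1) for tag in txt_record.split(";") if "=" in tag)
    if tags.get("v", "").strip().upper() != "DMARC1":
        return None
    return tags.get("p", "none").strip().lower()


if __name__ == "__main__":
    rate, names = audit(SAMPLE_HEADERS)
    print(f"{rate:.0%} of sample messages would be flagged: {names}")
    print("policy:", dmarc_policy("v=DMARC1; p=quarantine; rua=mailto:dmarc@brand.example"))
```

The audit function mirrors the post's unweighted, per-domain averaging; weighting by volume would require message counts the header alone does not carry.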
