Gmail is flagging non-HTTPS links in email for spam

This bit of information is not included in Google’s mail delivery tips, but if you send any email, you should know about it: Gmail is flagging insecure links for spam.

I discovered the issue working with a client whose emails sent through G Suite (Gmail for business, which lets you use your website domain for your email address, i.e. emailme@davidgreenwald.com) were landing in spam, as were their received emails.

After going through email best practices, like setting up SPF, DKIM and DMARC records, and checking the domain's reputation and whether it appeared on any email blacklists, I found that the problems persisted. That left the emails themselves: there had to be something in the email content that was triggering Gmail's spam algorithms.

And there was. I did a quick A/B test by having my client’s team email me with and without their email signatures. The signature emails landed in spam—the non-signature emails went through. We went to G Suite customer support, who told my client that Google is indeed filtering for insecure links—HTTP instead of encrypted HTTPS. So if your signature is linking to http://twitter.com or http://rawkblog.com instead of their encrypted versions, https://twitter.com or https://rawkblog.com, it’s time to update your signature links.

A Google Cloud support agent confirmed to me on Wednesday that “it’s part of the Google security,” but wouldn’t comment further.

Google tends to keep their algorithm choices quiet, so this isn’t surprising. Regardless, linking directly to HTTPS sites is an important move for the modern web anyway to protect user privacy and safety. If it’s been a while since you wrote out your email signature, or any other links you send regularly, it’s time to update them to HTTPS.
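A quick way to audit a signature (or any outgoing message) for the plain HTTP links described above, as an added example that is not part of the original post: it parses a raw message with the standard library, collects anchor and image targets from the HTML part plus bare URLs from the text part, and reports every `http://` link. The sample message below is constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Matches a bare http:// URL in text; trailing punctuation is stripped below.
HTTP_URL = re.compile(r"\bhttp://[^\s<>\"')]+", re.IGNORECASE)

class _LinkCollector(HTMLParser):
    # Collect href/src targets of anchors and images in an HTML part.
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "img"):
            self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def insecure_links(raw_message):
    """Return the sorted, de-duplicated http:// URLs found in all text parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            found.update(u for u in collector.urls if u.lower().startswith("http://"))
        found.update(u.rstrip(".,;:!?") for u in HTTP_URL.findall(body))
    return sorted(found)

# Constructed sample: a signature with one HTTPS link and two plain HTTP links.
SAMPLE = """\
From: emailme@example.com
Content-Type: multipart/alternative; boundary="sig"

--sig
Content-Type: text/plain; charset="utf-8"

David | Blog: https://rawkblog.com | Twitter: http://twitter.com/rawkblog.
--sig
Content-Type: text/html; charset="utf-8"

<p>David | <a href="https://rawkblog.com">Blog</a> |
<a href="http://twitter.com/rawkblog">Twitter</a>
<img src="http://rawkblog.com/sig.png" alt="logo"></p>
--sig--
"""
```

Calling `insecure_links(SAMPLE)` returns the two HTTP URLs; a signature logo loaded over plain HTTP counts as an insecure link just as an anchor does.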

It seems unlikely that little old me is the first to discover this but I haven’t seen any other write-ups: please reach out to me on Twitter if you’ve seen any further documentation.