What is malware filtering?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Malware filtering is the process email gateways use to catch and block emails that contain harmful code. It's your inbox's malware scanner, checking attachments and links before they reach you.

How it works: when an email arrives with an attachment (Excel files, PDFs, ZIPs, executables), the gateway scans it against known malware signatures. If the file looks suspicious but doesn't match a known threat, many systems use sandboxing (also called detonation) to actually open the file in an isolated environment and watch what it does. Does it try to encrypt files like ransomware? Does it phone home to a command server? If yes, blocked.

Common file types that trigger extra scrutiny: .exe, .zip, .js, .vbs, .scr, macro-enabled Office files (.docm, .xlsm). Some gateways block these entirely. Others scan them. A few just warn the user and let them decide.

Here's what matters if you're a sender: malware filtering happens at the receiving end, not on your side. Gmail, Outlook, Yahoo, and corporate gateways like Barracuda all run their own malware filters. You don't configure this. But you do need to know it exists, because if you're sending attachments (invoices, reports, contracts) and those files get flagged, your emails won't arrive. Your recipients won't see an error. The email just disappears.

What senders should watch for: if you're attaching PDFs or Word docs and delivery suddenly tanks, check whether your files contain macros, embedded scripts, or links to sketchy domains. Even legitimate files can trip filters if they share patterns with known malware. And if your domain gets blocklisted because someone spoofed you to send malware, your authentication won't save you from being filtered.

One more thing: malware filtering is separate from authentication. SPF, DKIM, and DMARC prove you're the real sender, but they don't stop malware. A perfectly authenticated email can still carry ransomware. That's why gateways run both checks.

If you're sending attachments regularly and want to reduce the risk of getting filtered, stick to common file types (PDF without scripts, plain Word docs without macros), host files on your own domain instead of third-party file shares when possible, and avoid ZIP files unless your recipients are expecting them. And if you're worried your domain might be getting spoofed for malware campaigns, set up a strict DMARC policy to block fake emails before they even reach the malware filter.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get specific advice for your setup

I read this on the Email Almanac about "How email malware filtering works": "Malware filtering is the process email gateways use to catch and block emails that contain harmful code. When an email arrives with an attachment, the gateway scans it against known malware signatures. If the file looks suspicious but doesn't match a known threat, many systems use sandboxing (also called detonation) to actually open the file in an isolated environment and watch what it does." Help me understand how this applies to MY specific situation. I need: 1. Whether my file attachments might trigger malware filters 2. What file types are safest to send 3. How to check if my domain is being spoofed for malware campaigns 4. Whether authentication alone protects me from malware filtering issues --- My details (fill in what applies): - Email platform/ESP: e.g. Mailchimp, SendGrid, Gmail, Outlook - Types of attachments I send: e.g. PDFs, Excel files, Word docs, ZIPs - How often I send attachments: daily, weekly, rarely - Recent issues: describe any sudden delivery drops or blocks - Authentication setup: SPF/DKIM/DMARC status if known

Edit the yellow boxes, then send to the AI of your choice.