What is malware filtering?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Malware filtering is the process email gateways use to catch and block emails that contain harmful code. It's your inbox's malware scanner, checking attachments and links before they reach you.
How it works: when an email arrives with an attachment (Excel files, PDFs, ZIPs, executables), the gateway scans it against known malware signatures. If the file looks suspicious but doesn't match a known threat, many systems use sandboxing (also called detonation) to actually open the file in an isolated environment and watch what it does. Does it try to encrypt files like ransomware? Does it phone home to a command server? If yes, blocked.
Common file types that trigger extra scrutiny: .exe, .zip, .js, .vbs, .scr, macro-enabled Office files (.docm, .xlsm). Some gateways block these entirely. Others scan them. A few just warn the user and let them decide.
Here's what matters if you're a sender: malware filtering happens at the receiving end, not on your side. Gmail, Outlook, Yahoo, and corporate gateways like Barracuda all run their own malware filters. You don't configure this. But you do need to know it exists, because if you're sending attachments (invoices, reports, contracts) and those files get flagged, your emails won't arrive. Your recipients won't see an error. The email just disappears.
What senders should watch for: if you're attaching PDFs or Word docs and delivery suddenly tanks, check whether your files contain macros, embedded scripts, or links to sketchy domains. Even legitimate files can trip filters if they share patterns with known malware. And if your domain gets blocklisted because someone spoofed you to send malware, your authentication won't save you from being filtered.
One more thing: malware filtering is separate from authentication. SPF, DKIM, and DMARC prove you're the real sender, but they don't stop malware. A perfectly authenticated email can still carry ransomware. That's why gateways run both checks.
If you're sending attachments regularly and want to reduce the risk of getting filtered, stick to common file types (PDF without scripts, plain Word docs without macros), host files on your own domain instead of third-party file shares when possible, and avoid ZIP files unless your recipients are expecting them. And if you're worried your domain might be getting spoofed for malware campaigns, set up a strict DMARC policy to block fake emails before they even reach the malware filter.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.