What is phishing detection?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Phishing detection is how email providers (like Gmail, Outlook, or Yahoo) scan incoming messages for signs of fraud: fake login pages, spoofed sender addresses, malicious links, credential harvesting attempts. If a message looks like it's pretending to be your bank, your boss, or a trusted service to steal passwords or money, phishing filters try to catch it.

For legitimate senders, phishing detection matters because a false positive can land your perfectly honest email in spam. And if you get spoofed (someone forges your domain to send phishing emails), those complaints hurt your reputation even though you didn't send them.

Modern phishing filters look at several signals. URL reputation: Does the link match the sender's domain, or is it a shortened link pointing to a known phishing site? Sender authentication: Does this message pass SPF, DKIM, and DMARC, or is it forged? Content patterns: Does the email use urgent language ("Your account will be locked!"), unusual grammar, or requests for sensitive info? Behavioral anomalies: Is this sender suddenly emailing at 3 AM from a new IP address?

One common technique is time-of-click protection. When you click a link in an email, some providers route you through their own scanner first. If the destination URL turned malicious after the email was delivered (phishing sites change fast), the filter can block you from reaching it and show a warning instead.

What senders can control: Set up SPF, DKIM, and DMARC so mailbox providers know your emails are really from you. Use your own branded domain for links (not generic URL shorteners, which phishing campaigns love). Avoid phishing-style language ("Verify your account now or lose access!"). And monitor for domain spoofing so you can report impersonators fast.

If your legitimate emails are getting flagged as phishing, the most common causes are: missing or broken authentication records, links that redirect through multiple hops, sending from a shared IP with bad reputation, or content that accidentally mimics phishing patterns (urgent CTAs, login links in cold emails). Worth checking your authentication setup with our free SPF checker and making sure your DMARC policy is set to at least p=quarantine.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a phishing detection audit for your setup

I read this on the Email Almanac about phishing detection: "Phishing detection is how email providers scan incoming messages for fraud: fake login pages, spoofed senders, malicious links. For legitimate senders, it matters because a false positive can land your honest email in spam. And if you get spoofed, those complaints hurt your reputation even though you didn't send them." Help me apply this to MY specific situation. I need: 1. Phishing signals that might be triggering false positives in my emails (ranked by likelihood based on my setup) 2. Authentication gaps that could make my domain easier to spoof (specific records to check) 3. Content patterns in my emails that might look like phishing attempts (with safer alternatives) 4. Steps to monitor for domain spoofing and protect my reputation (tools and reporting process) --- My details (the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, HubSpot, custom SMTP - Sending domain(s): your domain(s) - Sending volume: e.g. 5,000/month or 500/day - Email type: newsletter, transactional, cold outreach, internal comms - Current authentication: SPF/DKIM/DMARC status if known - Links in emails: branded domain, URL shorteners, redirect through ESP - Recent issues: flagged as phishing, spoofing complaints, delivery drops

Edit the yellow boxes, then send to the AI of your choice.