What is phishing detection?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Phishing detection is how email providers (like Gmail, Outlook, or Yahoo) scan incoming messages for signs of fraud: fake login pages, spoofed sender addresses, malicious links, credential harvesting attempts. If a message looks like it's pretending to be your bank, your boss, or a trusted service to steal passwords or money, phishing filters try to catch it.
For legitimate senders, phishing detection matters because a false positive can land your perfectly honest email in spam. And if you get spoofed (someone forges your domain to send phishing emails), those complaints hurt your reputation even though you didn't send them.
Modern phishing filters look at several signals. URL reputation: Does the link match the sender's domain, or is it a shortened link pointing to a known phishing site? Sender authentication: Does this message pass SPF, DKIM, and DMARC, or is it forged? Content patterns: Does the email use urgent language ("Your account will be locked!"), unusual grammar, or requests for sensitive info? Behavioral anomalies: Is this sender suddenly emailing at 3 AM from a new IP address?
One common technique is time-of-click protection. When you click a link in an email, some providers route you through their own scanner first. If the destination URL turned malicious after the email was delivered (phishing sites change fast), the filter can block you from reaching it and show a warning instead.
What senders can control: Set up SPF, DKIM, and DMARC so mailbox providers know your emails are really from you. Use your own branded domain for links (not generic URL shorteners, which phishing campaigns love). Avoid phishing-style language ("Verify your account now or lose access!"). And monitor for domain spoofing so you can report impersonators fast.
If your legitimate emails are getting flagged as phishing, the most common causes are: missing or broken authentication records, links that redirect through multiple hops, sending from a shared IP with bad reputation, or content that accidentally mimics phishing patterns (urgent CTAs, login links in cold emails). Worth checking your authentication setup with our free SPF checker and making sure your DMARC policy is set to at least p=quarantine.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.