How do mailbox providers identify phishing patterns?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably seen the warning Gmail puts on some emails: "This message looks dangerous." That's the output of several detection systems working together, mostly in milliseconds before the message even reaches your inbox.
The starting point is machine learning. Mailbox providers train models on billions of messages. Confirmed phishing and confirmed legitimate. These models learn to recognize linguistic patterns (urgency phrases like "Your account will be closed"), structural signals (no text content, just an image), sender behavior (newly registered domains, mismatched display names), and link characteristics (URL redirects, freshly registered domains). The models don't follow rigid rules; they weight hundreds of signals simultaneously.
User feedback feeds the system continuously. When you click "Report phishing" on a message, that signal goes into training data. Across millions of users seeing similar messages at once, campaigns get flagged in near real-time. This is why phishing campaigns often lose effectiveness within hours of a large send.
Authentication is one of the clearest signals. Emails that fail SPF, DKIM, or DMARC are scrutinized much more aggressively. A message claiming to come from paypal.com that has no DMARC record? Red flag. Combine that with a link to a freshly registered lookalike domain, and multiple filters light up at once.
For legitimate senders, the practical takeaway is that proper authentication and clean sending history is your best defense against being accidentally caught in these filters.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.