What file types are risky to send as attachments?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: you send a perfectly crafted email with a .zip attachment, and it never arrives. No bounce, no error. It just quietly disappears into a security filter. That's what happens when you attach the wrong file type.

Security gateways and spam filters scan every attachment before it reaches an inbox. Anything that looks like it could execute code or hide malware gets blocked, often silently. Here's what triggers that reaction.

Executables and scripts get blocked outright. Files like .exe, .com, .bat, .cmd, and .msi are Windows executables. Filters won't let them through, full stop. The same goes for .app and .dmg on macOS, and .sh or .bin on Linux. Script files (.js, .vbs, .ps1, .py) land in the same bucket because they're common vectors for phishing attacks.

Office files with macros are a red flag too. Standard .docx, .xlsx, and .pptx files are generally fine. The macro-enabled versions (.docm, .xlsm, .pptm) are not. Macros can run code when someone opens the file, which is exactly what security filters are trained to distrust.

Archives are trickier than most people expect. A plain .zip file might pass through, but a .zip containing an .exe won't. Password-protected archives (.zip, .rar, .7z) are especially suspicious because the scanner can't look inside them. Nested archives (an archive inside an archive) raise the same alarm.

A few others worth knowing about: .iso and .img (disk images) are increasingly blocked because they became a popular way to smuggle executables past filters. .hta (HTML applications) and .scr (screensavers) are almost universally blocked.

So if If you need to share any of these file types, the right move is to host them in cloud storage (Google Drive, Dropbox, or similar) and link to the hosted file in your email. Your recipient clicks through and downloads intentionally. That's safer for them and far less likely to get flagged for you.

File types that travel well: PDFs, standard Office docs without macros (.docx, .xlsx, .pptx), images (.jpg, .png, .gif), and plain text files (.txt, .csv). Even these should be used sparingly in marketing email, since large or unexpected attachments can still trigger spam filters regardless of file type.

Not sure why your emails are getting filtered? Our Email Header Analyzer can help you spot what's going wrong.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my file sharing approach

I need to share files with my email subscribers or customers. Based on my situation below, tell me which file types are safe to attach, which I should host and link to instead, and whether my current approach is likely to get blocked by security filters.

Edit the yellow boxes, then send to the AI of your choice.