[Email DLP] Best Practices When Emails Are Marked as Spam or Quarantined by the Recipient Mail Server

Question

I am using Email DLP, but sometimes emails are marked as spam or quarantined by the recipient mail server. Is there a way to avoid this?

Answer

It is difficult to completely avoid the security policies and individual judgment logic of the recipient side.
When sending via Email DLP, there is a tendency to be more affected by changes in the relay route and filtering.

However, by optimizing sender domain authentication and ensuring you are recognized as a "trusted sender," you can minimize the rate of being flagged.

Specific countermeasures are as follows.
Be sure to read the following Notes before implementing these measures.

• Full implementation of sender domain authentication (Required)
• Domain reputation management
• Content optimization
• Maintaining a healthy distribution list (list cleaning)

Notes

Technical measures on the sender side are only the minimum requirements to gain trust, and whether the recipient can receive the email depends on the recipient's local rules.
Sender-side measures can minimize the probability of being marked as spam, but due to the following reasons, there is no setting that guarantees 100% inbox delivery.
For important communications, consider confirming via alternative routes or asking the recipient to add you to their "allowed senders list" as part of your operations.

1. Recipient-specific whitelists / blacklists: Even if sender domain authentication is properly configured, if the recipient has previously reported your emails as spam or has individually blocked your address, the email will not be delivered.
2. Organization-specific security strength: Government agencies, financial institutions, and large enterprises may have much stricter filtering than typical mail servers.
   Example: Quarantining emails just because they contain external URLs, or blocking all domains except specific ones.
3. Dynamic judgment by AI and machine learning: Modern filters (such as Microsoft 365 Defender and Google Workspace) change their criteria in real time based on past receiving patterns.
   Phenomena such as "it was delivered yesterday but not today" may be due to these real-time policy changes.
4. Quarantine operations: Whether emails judged as "suspected spam" by the server are sent to a quarantine folder instead of being rejected is determined by the recipient system administrator's policy.

Full implementation of sender domain authentication (Required)

In modern email delivery, these are not just "best practices" but "mandatory requirements."
Especially since sender guidelines for Google and Yahoo! have become stricter, HENNGE strongly recommends configuring sender domain authentication.

Email DLP provides a feature to check the status of sender domain authentication, so please make use of it.
[Email DLP] Checking and correcting DMARC application status

For instructions on configuring each sender domain authentication in Email DLP, please refer to the following Help Center articles.

• SPF (Sender Policy Framework): Register the IP address of the sending server in DNS to declare, "Emails from this server are legitimate."
  • [Email DLP] How to add an SPF record
• DKIM (DomainKeys Identified Mail): Adds a digital signature to the email to prove that its contents have not been tampered with in transit.
  • [Email DLP] General Settings - DKIM configuration
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): Specifies how to handle emails (quarantine or reject) if SPF/DKIM fails.
  • [Email DLP] Publishing a DMARC record
  • Strengthening DMARC policy

Domain reputation management

If your domain has a poor "reputation," emails sent from that domain may be automatically blocked.

• Reverse DNS (PTR record) configuration: Set up so that the domain name can be correctly resolved from the IP address.
• Blacklist checks: Regularly check that your IP is not listed on major blacklists.
• Utilize tools such as Google Postmaster Tools: Google Postmaster Tools allows you to visualize how emails to Google are evaluated and the spam rate.
  • Reference: https://support.google.com/a/topic/6259779?hl=en-us&ref_topic=7279058&sjid=4264608159939963139-NC (external link)

Content optimization

Filters detect "suspicious behavior" using machine learning.
Therefore, by avoiding the following types of content, it is assumed that your emails will be less likely to be marked as spam.

• Shortened URLs: Since spammers often use shortened URLs to hide the destination, they may be flagged as suspicious.
• Multipart HTML and text structure: HTML emails without a plain text version are more likely to be marked as spam.
• Inappropriate keywords: Avoid using extreme promotional phrases such as "100% guaranteed" or "earn money now," and excessive symbols (!!!).
• Image-only emails: If text is embedded as an image, filters cannot read the content and may consider it a risk.

Maintaining a healthy distribution list (list cleaning)

If you continue to send to non-existent addresses, you are more likely to be regarded as a "poorly managed sender."
When using mass distribution such as direct mail, regularly review the addresses listed in your recipient list.

• Immediately remove bounced (undeliverable) emails: Never send to addresses that have resulted in errors.
• Strict opt-in: Only send emails to recipients who have given prior consent.
  Sending to recipients without permission may result in "spam reports" and critically damage your domain's reputation.