Summary
Email security solutions actively analyze hyperlinks in emails using a variety of techniques to protect users and gather threat intelligence. This analysis includes following links to check the destination and content, URL detonation (visiting in a sandbox), scanning against blacklists, verifying website legitimacy, and assessing URL reputation. Some systems rewrite URLs for safe link handling, and advanced solutions emulate user clicks to observe website behavior. Dynamically generated URLs and click-tracking domains may receive increased scrutiny. Top solutions like Google Safe Browsing, Microsoft Defender Safe Links, Cisco Talos, Proofpoint URL Defense, and Barracuda Email Security Service employ these methods.
Key findings
- Active Link Analysis: Email security solutions actively analyze links in emails.
- Multiple Techniques: Analysis methods include URL detonation, blacklisting, reputation scoring, and behavioral analysis.
- Safe Link Handling: Some systems rewrite URLs for safer link management.
- Traffic Sampling: Some systems sample inbound traffic, leading to seemingly random clicks.
- Threat Intelligence: Security vendors gather threat intelligence by visiting and analyzing links.
Key considerations
- Dynamic URLs: Dynamically generated or serialized URLs may trigger more scrutiny.
- Click-Tracking Domains: Click-tracking domains may increase the likelihood of analysis.
- Impact on Metrics: Security software clicks can skew email engagement metrics.
- Safe Destinations: Ensuring links point to safe and reputable destinations is crucial.
What email marketers say
13 marketer opinions
Email security software solutions actively click hyperlinks in emails for a variety of reasons, primarily to assess the safety and legitimacy of the linked content. This involves techniques like URL detonation (visiting the link in a sandbox), scanning against blacklists, analyzing for malware, verifying website legitimacy, and evaluating URL reputation. Some solutions also emulate user clicks to observe website behavior. Using click-tracking domains may trigger more scrutiny from these systems, while direct URLs may be less likely to be flagged. These actions are taken both to protect users from phishing and malware, and to gather threat intelligence.
Key opinions
- Link Following: Email security platforms regularly follow links within emails to analyze their destinations.
- URL Analysis: Techniques like URL detonation, blacklisting, malware scanning, and website legitimacy verification are employed.
- Threat Intelligence: Security vendors actively visit links to gather threat intelligence and identify emerging threats.
- Click Emulation: Some advanced systems emulate user clicks to observe the behavior of the linked website.
- Pattern Sampling: Security software might sample inbound traffic, leading to seemingly random clicks.
Key considerations
- Dynamic URLs: Dynamically generated or serialized URLs can trigger more scrutiny due to varying link patterns.
- Click-Tracking Domains: Using click-tracking domains may increase the likelihood of analysis by security systems as the destination is hidden.
- Direct URLs: Avoiding click-tracking domains and using direct URLs might reduce scrutiny from security scanners.
- Impact on Analytics: Clicks from security software can skew email engagement metrics, especially website traffic data.
Marketer view
Marketer from Email Geeks answers yes, email security platforms regularly follow links.
30 Jul 2022 - Email Geeks
Marketer view
Email marketer from PhishingProtectionBlog.com shares that anti-phishing systems often crawl links in emails to detect and block phishing attacks.
16 Jan 2023 - PhishingProtectionBlog.com
What the experts say
2 expert opinions
Email security systems, especially those employing safe link handling techniques, often rewrite URLs and actively check the destination when a user clicks. Anti-spam systems also follow links to verify the destination and check for malicious content.
Key opinions
- Safe Link Handling: Systems that rewrite URLs for safe link handling will actively check the destination upon clicking.
- Anti-Spam Link Verification: Anti-spam systems may follow links to verify their destination and assess for malicious content.
Key considerations
- Impact on Click Metrics: Link rewriting and destination checking can affect click metrics and reporting in email campaigns.
- Safe Link Destinations: Ensuring links point to safe and reputable destinations is crucial to avoid being flagged by security systems.
Expert view
Expert from Word to the Wise shares that some systems, particularly those doing safe link handling, will rewrite URLs and check the destination when a user clicks.
29 Apr 2025 - Word to the Wise
Expert view
Expert from Spamresource.com explains that anti-spam systems may follow links in emails to verify the destination and check for malicious content. However, I wasn't able to find any direct answer about this topic on the specific page. But from the general content of this site I can assume the answer will be yes.
18 Apr 2023 - Spamresource.com
What the documentation says
5 technical articles
Leading email security solutions, including Google Safe Browsing, Microsoft Defender Safe Links, Cisco Talos, Proofpoint URL Defense, and Barracuda Email Security Service, actively analyze hyperlinks in emails. These systems often rewrite URLs, crawl websites, use sandboxing, and employ reputation scoring to identify and block malicious URLs, protecting users from phishing and malware.
Key findings
- Active Link Analysis: Email security solutions actively analyze links in emails to identify potential threats.
- URL Rewriting: Many systems rewrite URLs to monitor and control access to linked content.
- Real-time Scanning: Links are often scanned in real-time when a user clicks to verify their safety.
- Threat Blocking: Malicious URLs are blocked, and users are protected from phishing and malware.
- Sandboxing & Reputation: Sandboxing and reputation scoring are used to analyze and assess the risk associated with URLs.
Key considerations
- Impact on User Experience: URL rewriting and scanning can introduce latency and may affect the user experience.
- False Positives: Legitimate links may be blocked if incorrectly identified as malicious.
- Data Privacy: Analysis of links can raise concerns about data privacy and the monitoring of user activity.
Technical article
Documentation from Google explains Google Safe Browsing crawls websites to identify unsafe sites and adds them to blacklists. This includes analyzing links found in emails to protect users from phishing and malware.
25 Oct 2023 - Google
Technical article
Documentation from Microsoft shares that Microsoft Defender's Safe Links feature rewrites URLs in incoming email messages. When a user clicks a link, Safe Links verifies the URL before it's opened. If the URL is found to be malicious, a warning page is displayed.
9 Feb 2025 - Microsoft
How can you identify spammers?
What are common deliverability issues encountered when migrating to Klaviyo?
Which corporate filter appliances or software follow links in emails?
Are spam trigger word lists still relevant for email deliverability?
Do email spam filters scan image content and QR codes?
Can images in emails cause them to go to spam?
Do spam traps ever open or click on emails?
Can link security checkers cause false no-js reports in email analytics?
How are spammers getting content for their spam emails?
Are spam trigger word lists accurate and should I be concerned about them?
How do hyperlinks in the body of an email affect deliverability?
Do free email services click links in emails to check for spam?
