Do email spam filters scan image content and QR codes?
Matthew Whittaker
Co-founder & CTO, Suped
Published 16 Jul 2025
Updated 17 Aug 2025
The question of whether email spam filters can scan image content and QR codes is increasingly relevant, especially with the rise of sophisticated phishing attacks. Many senders, both legitimate and malicious, embed significant portions of their email content, or even the entire message, within images, sometimes incorporating QR codes. This tactic often aims to bypass traditional text-based filtering mechanisms.
Historically, conventional email filters struggled with visual content because they were primarily designed to analyze text, links, and attachments, not to follow a QR code to its destination and scan for malicious content. This limitation has led to a surge in 'quishing' (QR code phishing) attacks, where threat actors embed malicious URLs within images to evade detection.
The challenge with image-only emails
Even without QR codes, emails composed entirely or predominantly of images pose a challenge for spam filters. Filters aim to understand the content and intent of an email, and without sufficient text, this becomes difficult. If a filter cannot read the content, it may err on the side of caution and flag the email as suspicious, especially if the sender's reputation is not pristine. A high image-to-text ratio can be a red flag.
Cybercriminals have long leveraged this loophole by creating image spam, where the entire malicious message, including phishing links or harmful instructions, is embedded within an image. This bypasses basic keyword and URL scanning, allowing the nefarious content to reach the inbox. It also makes it harder to determine whether the images in an email are what causes it to go to spam.
While legitimate senders sometimes use image-heavy emails for aesthetic reasons, such as in marketing campaigns, doing so introduces a risk. The lack of readable text means that if the images fail to load, or if the recipient uses a text-only email client, the message's content is entirely lost. This usability issue, combined with the spam risk, often makes image-only emails bad for deliverability.
The importance of text
While email filters are constantly evolving, many still rely heavily on text analysis to determine an email's legitimacy. Always include a sufficient amount of plain text alongside your images. This helps filters understand your message and ensures accessibility for all recipients, improving your overall email deliverability.
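As an added example (not code from Suped or from any mailbox provider), the following Python check measures the image-to-text balance described above on an outgoing message before it is sent, using only the standard library. The `MIN_CHARS_PER_IMAGE` threshold, the function names and the sample messages are assumptions made for this illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

MIN_CHARS_PER_IMAGE = 100  # assumed threshold for illustration, not a published filter rule

class BodyStats(HTMLParser):
    """Counts visible text characters and <img> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.chars = self.images = self._hidden = 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):      # content here is never shown to the reader
            self._hidden += 1
        elif tag == "img":
            self.images += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
    def handle_data(self, data):
        if not self._hidden:
            self.chars += len("".join(data.split()))   # whitespace does not count as text

def lint_message(msg):
    """Return warnings for a message that a text-based filter could not read."""
    html = msg.get_body(preferencelist=("html",))
    plain = msg.get_body(preferencelist=("plain",))
    warnings, stats = [], BodyStats()
    if html is not None:
        stats.feed(html.get_content())
        stats.close()                       # flush any text buffered by the parser
    if plain is None or not plain.get_content().strip():
        warnings.append("no text/plain alternative")
    if stats.images and stats.chars < MIN_CHARS_PER_IMAGE * stats.images:
        warnings.append(f"image-heavy: {stats.chars} text chars for {stats.images} image(s)")
    return warnings

def build(html, plain=None):                # helper for the constructed samples below
    msg = EmailMessage()
    msg.set_content(plain or html, subtype="plain" if plain else "html")
    if plain:
        msg.add_alternative(html, subtype="html")
    return msg

IMAGE_ONLY = build('<a href="https://shop.example/sale"><img src="https://shop.example/hero.png"></a>')
BALANCED = build("<p>" + "Twenty percent off all garden tools until Sunday. " * 3
                 + '</p><img src="https://shop.example/hero.png">',
                 plain="Twenty percent off all garden tools until Sunday.")
```

`lint_message(IMAGE_ONLY)` returns both warnings, while `lint_message(BALANCED)` returns an empty list.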
QR codes and the rise of 'quishing'
The rise of QR codes in phishing, often called 'quishing,' is a significant concern. Attackers embed malicious URLs within QR code images, making them difficult for traditional email filters to detect. When a recipient scans the QR code, they are redirected to a phishing site that might harvest credentials or deliver malware. This method is effective because there are often no direct links or suspicious attachments to scan.
Traditional email filters are not designed to visually interpret images. Their primary function involves parsing text, identifying suspicious keywords, and scanning URLs embedded as clickable links. A QR code, appearing as a benign image, easily bypasses these checks. This shifts the threat from the email itself to the action taken by the recipient outside the email environment, making it harder for initial security layers to intercept.
The scale of this issue is substantial. According to recent cybersecurity findings, approximately 60% of emails containing QR codes are classified as spam or malicious. This high percentage underscores the effectiveness of quishing in evading many existing spam and blocklist detection systems, posing a significant challenge for email security.
How traditional filters struggle
Text-focused: Primarily scan text content, keywords, and headers for suspicious patterns, overlooking visual data.
URL blind spots: Cannot easily extract or analyze URLs embedded within image pixels, only direct text links.
Signature-based: Rely on known malicious signatures, which QR codes often evade due to their dynamic nature.
Modern detection methods
OCR and decoding: Utilize optical character recognition and QR code decoders to read content within images.
Dynamic analysis: Employ sandboxing to safely scan QR codes in isolated environments.
Behavioral patterns: Analyze sender behavior and historical data to identify suspicious campaigns.
How modern spam filters adapt
As cyber threats evolve, so do the defenses. Modern spam filters and email security solutions are increasingly incorporating advanced capabilities to scan image content and QR codes. Technologies such as Optical Character Recognition (OCR) are being deployed to read text embedded within images, allowing filters to analyze content that was once hidden from their view. Similarly, specialized QR code decoders can extract the URLs or other data encoded within these images.
Once the content or URL from an image or QR code is extracted, it can be subjected to the same rigorous checks as plain text or direct links. This includes scanning for known malicious patterns, checking against blocklists, and analyzing the destination for phishing indicators. Some advanced systems even use sandboxing environments to safely scan QR codes by visiting the embedded URL in a controlled setting.
However, implementing and running these advanced scanning capabilities is resource-intensive. Processing images and decoding QR codes demands significant computational power. Therefore, while the technology exists, not all email service providers or spam filters apply these deep-scan methods to every incoming email, especially those from senders with good reputations or high volume. This can sometimes allow sophisticated image-based or QR-code-based attacks to slip through.
Conceptual QR code scanning logic
// Pseudocode for QR code scanning in an email filter
FUNCTION scanEmailForQRCodes(email):
    SET email_status TO "clean"
    FOR EACH attachment IN email.attachments:
        IF attachment.type IS "image" OR attachment.type IS "pdf":
            EXTRACT images from attachment
            FOR EACH image IN extracted_images:
                IF image CONTAINS QR_CODE:
                    DECODE QR_CODE to get embedded_URL
                    ANALYZE embedded_URL for malicious content
                    IF embedded_URL IS malicious:
                        FLAG email as spam/malicious   // sets email_status
        ELSE IF attachment.type IS "html":
            EXTRACT inline_images from html_body
            FOR EACH image IN inline_images:
                IF image CONTAINS QR_CODE:
                    DECODE QR_CODE to get embedded_URL
                    ANALYZE embedded_URL for malicious content
                    IF embedded_URL IS malicious:
                        FLAG email as spam/malicious   // sets email_status
    RETURN email_status
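The flow above as runnable Python, added here as an example and not taken from any filter's implementation: it walks the MIME tree for image parts and `data:` URI images in HTML, then checks each decoded payload against a blocklist and two URL heuristics. `decode_qr` is a hypothetical hook where a real QR decoding library would be plugged in; the blocklist, sample bytes and URLs are constructed, and PDF extraction and sandboxed URL visits are left out.

```python
import base64, ipaddress, re
from contextlib import suppress
from email.message import EmailMessage
from urllib.parse import urlsplit

DATA_URI = re.compile(r'src=["\']data:image/[\w.+-]+;base64,([A-Za-z0-9+/=]+)', re.I)

def collect_images(msg):
    """Yield raw bytes of every image: MIME image parts plus data: URIs inside HTML parts."""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            yield part.get_payload(decode=True)
        elif part.get_content_type() == "text/html":
            for b64 in DATA_URI.findall(part.get_content()):
                yield base64.b64decode(b64)

def url_findings(payload, blocklist):
    """Reasons a decoded QR payload looks unsafe; non-web payloads are not analysed."""
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if url.scheme not in ("http", "https"):
        return []
    host, reasons = url.hostname or "", []
    if any(host == d or host.endswith("." + d) for d in blocklist):
        reasons.append("blocklisted domain")
    with suppress(ValueError):              # ip_address() raises unless host is an IP literal
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    if url.username is not None:            # user@host form can hide the real destination
        reasons.append("userinfo before host")
    return reasons

def scan_email(msg, decode_qr, blocklist):
    """decode_qr(image_bytes) -> list of strings; hypothetical hook for a real QR library."""
    findings = {p: r for image in collect_images(msg) for p in decode_qr(image)
                if (r := url_findings(p, blocklist))}
    return ("malicious" if findings else "clean"), findings

# Constructed sample: placeholder bytes stand in for QR images, a lookup table for the decoder.
SAMPLE_QR = {b"qr-attached": "https://login.phish.example/reset",
             b"qr-inline": "http://user@192.0.2.7/x"}
def fake_decoder(image):
    return [SAMPLE_QR[image]] if image in SAMPLE_QR else []
SAMPLE = EmailMessage()
SAMPLE.set_content("Scan the code to keep your mailbox active.")
SAMPLE.add_alternative(f'<img src="data:image/png;base64,{base64.b64encode(b"qr-inline").decode()}">', subtype="html")
SAMPLE.add_attachment(b"qr-attached", maintype="image", subtype="png", filename="code.png")
```

`scan_email(SAMPLE, fake_decoder, {"phish.example"})` reports the constructed message as malicious, with one finding for the blocklisted domain and two for the IP-literal URL.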
Best practices for senders
Even with the evolving sophistication of spam filters, legitimate senders should adopt best practices to maximize their email deliverability. Over-relying on images or QR codes, even for innocent purposes, can inadvertently trigger spam flags or blocklist entries, hindering your messages from reaching the inbox. Understanding whether images in emails trigger spam filters is key.
A balanced approach is always recommended. This means including sufficient plain text alongside your images. This not only provides context for spam filters but also improves the overall accessibility of your email for recipients, regardless of their email client or image loading settings. Remember that images in emails affect deliverability.
Furthermore, ensuring robust email authentication is critical. Properly configured DMARC, SPF, and DKIM records verify your sending domain's legitimacy, building trust with receiving servers. This foundational trust can influence how rigorously your email content, including images and QR codes, is scrutinized. Review our simple guide to DMARC, SPF, and DKIM for more information. Maintaining a positive email domain reputation is also paramount, as it's a primary factor in deliverability decisions.
Views from the trenches
Best practices
Always include plain text content alongside images to improve filter processing and accessibility.
Ensure all embedded QR codes link to verified and secure destinations.
Regularly monitor your domain's sending reputation and blocklist status.
Common pitfalls
Sending image-only emails without any accompanying text.
Using QR codes that link to unknown or suspicious domains.
Relying solely on platform reputation without managing content quality.
Expert tips
Leverage OCR and image scanning solutions to preprocess outgoing emails for hidden threats.
Educate your recipients about the dangers of unsolicited QR codes in emails.
Understand that legitimate sending platforms can sometimes be exploited by phishers.
Marketer view
A marketer from Email Geeks says: I received a scam email with almost all content as an image, and it even passed BIMI, making me question how filters handled it.
2024-08-26 - Email Geeks
Expert view
An expert from Email Geeks says: Some email filters do scan images, but the extent of their scanning capabilities varies widely.
2024-08-26 - Email Geeks
Securing your email against evolving threats
While basic spam filters historically struggled with image content and QR codes, often allowing 'quishing' attacks to bypass initial checks, advanced email security systems are continually improving. Modern filters are increasingly capable of employing OCR and QR code decoding to analyze hidden malicious content within images, helping to protect recipients.
For senders, ensuring deliverability in this evolving landscape requires a layered approach. This includes mindful content creation that balances images with readable text, rigorous email authentication, and consistent monitoring of your sender reputation. By adhering to these best practices, you can enhance your email security and improve deliverability, even as threats become more sophisticated.