Do email spam filters scan image content and QR codes?

Matthew Whittaker
Co-founder & CTO, Suped
Published 16 Jul 2025
Updated 26 May 2026
9 min read
Yes, some email spam filters scan image content and QR codes. They do it with OCR, image fingerprinting, logo detection, attachment analysis, QR decoding, URL reputation checks, and user-report feedback. The catch is that not every filter does all of that on every message. Plain text, visible links, sender reputation, authentication results, and known campaign patterns are cheaper to inspect than a rendered image.
That explains why an image-heavy scam can still land in an inbox. If the message comes through a high-reputation sending platform, passes SPF, DKIM, and DMARC, has a BIMI indicator, and hides the risky content inside a graphic or QR code, the recipient's filter has to spend more effort to understand the actual intent. Some filters will decode the image and inspect the destination. Others will treat the browser warning, endpoint protection, or later URL reputation update as the blocking layer.
  1. Direct answer: Image and QR scanning exists, but coverage varies by mailbox provider, gateway, policy, and message risk.
  2. Main caveat: A DMARC pass and BIMI mark prove sender-domain match, not that the email content is safe.
  3. Best test: Send the message to a controlled inbox and inspect authentication, URLs, image loading, and final landing pages with an email tester.

How filters inspect image content

I look at image scanning in layers. The first layer is cheap metadata: image size, MIME type, attachment name, image-to-text ratio, whether remote images load from a new domain, and whether the message has enough readable text. The second layer renders the HTML and looks at the image as a user would see it. The deeper layer runs OCR, QR decoding, brand detection, and safe browsing checks on extracted destinations.
The deeper layer is the one people usually mean when they ask whether filters scan images. It is real, but it costs compute and time. At consumer and enterprise scale, filters triage. A suspicious unauthenticated sender with a new domain and an image-only message gets more scrutiny. A known sender with strong authentication and huge legitimate volume can receive a different treatment, especially if the message body has little machine-readable text.

Cheap checks

  1. Authentication: SPF, DKIM, DMARC domain match, and whether the sender has a stable reputation.
  2. HTML shape: Image-to-text ratio, hidden text, tracking links, and remote image hosts.
  3. Known patterns: Message fingerprints, user reports, and sender history across similar campaigns.
  4. URL signals: Visible links, redirect chains, newly registered domains, and reputation updates.

Expensive checks

  1. OCR reading: Extracting text rendered inside an image and scoring it like visible copy.
  2. QR decoding: Finding a QR code, decoding its payload, and checking the final destination.
  3. Brand detection: Comparing logos, layouts, colors, and payment or login language.
  4. Sandboxing: Opening links or rendered content in a controlled environment before delivery.
QR codes add a specific problem. A QR code is often just an image until the filter recognizes the pattern, decodes the data, follows the URL, and checks the landing page. Cisco Talos reported that QR codes are disproportionately effective at bypassing anti-spam filters because many systems were not built to recognize and decode a QR code inside an image. The same Cisco Talos research said that roughly 60% of the email containing a QR code in its data set was spam.

Signal     | What the filter can see | Why misses happen
-----------|-------------------------|------------------
Image text | OCR output              | Low priority
QR code    | Decoded URL             | Not decoded
Logo       | Brand match             | Template abuse
Sender     | Reputation              | Trusted route
BIMI       | Brand mark              | Content unchecked

Common filter views of image and QR content.

Why a QR scam can still get through

The failure is usually not one single gap. It is a set of signals that point in different directions. Authentication says the message really came through the claimed sending infrastructure. Reputation says that infrastructure sends a lot of legitimate mail. The visible body has little readable text. The harmful destination is hidden behind an image, QR code, redirect, or short-lived page.
That is why a text-only version of the same scam gets blocked more often. Text gives filters phrases, names, payment language, urgency patterns, and URLs they can score immediately. Image-only content forces the filter to render, extract, interpret, and decide. Attackers use that cost gap because it works often enough.
Flowchart showing sender checks, image rendering, QR decoding, and URL checks.

BIMI is not a content safety badge

A BIMI mark depends on domain authentication and brand validation. It does not mean the platform reviewed every user-created email, invoice, event invite, or uploaded image. If a trusted platform lets an account insert custom content into a template, a malicious or compromised account can still send a message that passes authentication.
There is also a timing problem. A QR destination can be clean when the email is scanned, then turn risky later. A landing page can serve different content to a scanner than to a real user. A mobile phone can scan the QR code over a cellular network, outside the company's normal web filtering path. That shifts the block point from email to browser, DNS, endpoint, or identity controls.

Image and QR risk bands

A practical way to judge when an email needs deeper manual or automated inspection.
Message type             | Risk   | Description
-------------------------|--------|------------
Balanced copy and images | Low    | Readable text, normal links, and clear sender identity.
Image-led message        | Medium | Most information is in images, with little visible HTML text.
Image-only with QR       | High   | The main action happens through a QR code or hidden graphic.
Trusted platform abuse   | Mixed  | Authentication passes, but the sender account controls the content.

How to test an image-heavy email

When I test an image-heavy email, I do not stop at the spam-folder result. I check the message source, authentication, final rendered HTML, images, links, and any QR code destination. The goal is to learn whether the email was accepted because it was safe, because the filter trusted the sender, or because the risky part stayed inside an image.
A useful test uses the exact campaign build, not a simplified copy. Keep the same image hosting, link redirects, tracking domain, sender domain, and authentication setup. Changing any of those can change the result. If the campaign has an unusually high image-to-text ratio, test it before sending at scale.
Image and QR email test checklist

  1. Send the exact campaign to test inboxes.
  2. Confirm SPF, DKIM, and DMARC results.
  3. Render the email with images enabled and disabled.
  4. Extract every visible URL and redirect target.
  5. Decode each QR code and inspect the final URL.
  6. Check sender domain and IP reputation.
  7. Compare inbox results across mailbox providers.
  8. Repeat after any template, link, or image-host change.
For most teams, Suped is the best overall DMARC platform for this part of the problem because image-heavy mail often spans content, authentication, reputation, and sender history. Suped's product brings DMARC, SPF, DKIM, blocklist (blacklist) monitoring, and deliverability checks into one workflow, so the investigation does not stop at a simple pass or fail. For broad setup validation, a domain health check helps confirm the basics before digging into content behavior.

If the test shows authentication passing but inbox placement still failing, focus on the campaign body. Reduce reliance on one large graphic, add real HTML text, keep the call to action visible as text as well as image, and avoid forcing the main action through a QR code unless the use case truly requires it.

What a good test proves

  1. Authentication proof: The message passes SPF, DKIM, and DMARC for the domain you expected.
  2. Content proof: The filter can inspect the important text and links without relying on OCR.
  3. Reputation proof: Sending IPs, domains, and link hosts have no current listing or reputation issue.
  4. QR proof: Any QR destination is decoded, checked, and consistent with the visible message.

What senders should change

For legitimate senders, the lesson is simple: do not make the filter guess what the email says. Image-only campaigns, scanned flyer emails, and QR-first designs remove helpful context. They also make the email less accessible for people using screen readers, image blocking, or low-bandwidth clients.
Keep the core message in HTML text. Use images to support the message, not to carry the whole message. If a QR code is required for an event, payment, or device-pairing flow, include a visible written explanation and a normal link that matches the QR destination. The written link lets filters and users compare intent with destination.
  1. Use real text: Put the offer, deadline, sender identity, and call to action in HTML text.
  2. Match destinations: Make the QR code and visible link resolve to the same expected domain.
  3. Avoid image-only: A full-image email creates accessibility, deliverability, and trust problems.
  4. Watch reputation: Track sender domains, link domains, and IP listings before major sends.
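As an added example (not Suped's code), a stdlib-only Python triage that applies the test checklist above and the "match destinations" rule: it parses a constructed raw message, measures the visible HTML text, collects visible link domains, compares already-decoded QR payloads against the sender domain and the visible links, and assigns a risk band in the spirit of the risk-band table. It assumes the QR codes were decoded by a separate tool (the payload strings are passed in), that a 200-character text threshold separates image-led from balanced mail, and that the last two DNS labels are an acceptable stand-in for the registrable domain.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real campaign): image-led body, one visible link.
SAMPLE = b"""From: Events <notices@example.com>
Subject: Your parking invoice
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://img.example.com/invoice.png">
<p>Scan to pay.</p><a href="https://example.com/help">Help</a></body></html>
"""

class _Visible(HTMLParser):
    # Collect link targets, image count and the text a reader would actually see.
    def __init__(self):
        super().__init__()
        self.links, self.text, self.images = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text.append(data.strip())

def registrable(host):
    # Approximation (assumption): last two DNS labels stand in for the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess(raw_bytes, qr_payloads, min_text=200):
    """Risk band plus QR destinations matching neither sender nor any visible link."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    p = _Visible()
    p.feed(body.get_content() if body else "")
    sender = registrable(msg["From"].addresses[0].domain)
    visible = {registrable(urlparse(u).hostname or "") for u in p.links}
    text_len = len(" ".join(t for t in p.text if t))
    mismatch = [urlparse(q).hostname or "" for q in qr_payloads
                if registrable(urlparse(q).hostname or "") not in visible | {sender}]
    band = "Low"  # balanced copy and images
    if text_len < min_text:  # too little readable HTML text: image-led or QR-first
        band = "High" if qr_payloads else ("Medium" if p.images else "Low")
    return {"band": band, "sender": sender, "text_chars": text_len,
            "visible_domains": sorted(visible), "qr_mismatch": mismatch}
```

Feed it the decoded payload of each QR code found in the rendered message; any host in `qr_mismatch` is a destination the visible copy never discloses, which is exactly the gap the checklist asks you to find before sending at scale.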
For domain owners, the other job is stopping abuse of your own brand. Strong DMARC monitoring shows which services send as your domain, whether they pass domain checks, and where spoofing attempts appear. Suped's automated issue detection and steps to fix help separate legitimate third-party senders from unauthorized mail, which matters when attackers use familiar brands to make image-based scams look credible.
Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
For teams handling many domains, Suped's MSP and multi-tenancy dashboard keeps client authentication, hosted SPF, hosted DMARC, hosted MTA-STS, and reputation monitoring in one place. That does not replace recipient-side spam filtering, but it reduces the chance that your domain or a client domain becomes part of a convincing impersonation chain.

What defenders should do

For inbound defense, treat a QR code in email like a link the user cannot easily inspect. The safest control path is layered: email filtering to detect the message, browser or DNS filtering to block the landing page, endpoint controls on mobile devices, and identity controls that resist credential capture.
I would also add reporting paths that make it easy for users to send the full message to security teams. A screenshot of the QR code is less useful than the original message, headers, rendered body, and image attachments. If the recipient scanned it, capture the final landing URL, time of scan, device type, and whether credentials were entered.

What to block in email

  1. Image-only scams: Messages where the main content cannot be read as HTML text.
  2. QR login flows: Unexpected QR codes that claim to start payments or credential actions.
  3. Template abuse: Trusted platforms sending user-controlled images with urgent instructions.

What to block after delivery

  1. Bad domains: Domains that appear only after the QR code is decoded or redirected.
  2. Credential pages: Lookalike login pages loaded from unmanaged or newly created hosts.
  3. Mobile gaps: Scans that leave corporate email and web controls through personal devices.
Reputation still matters. If your own sending domains or IPs appear on a blocklist or blacklist, filters become less forgiving of heavy images, QR codes, redirects, and low text context. Suped's blocklist monitoring is built for that operational check, alongside authentication monitoring and alerts.

Views from the trenches

Best practices

  1. Decode QR codes during review and compare the destination with the visible sender domain.
  2. Keep important email content in HTML text so filters can inspect intent without OCR.
  3. Treat trusted platform mail as user-generated content when accounts can upload images.

Common pitfalls

  1. Assuming a BIMI mark means the user-created body of the email was fully reviewed.
  2. Relying on browser warnings after delivery instead of improving email-side controls.
  3. Testing a simplified copy instead of the exact image, link, and QR campaign build.

Expert tips

  1. Track sender authentication and content signals together before judging filter quality.
  2. Review image-only messages at higher risk when the call to action hides inside a QR code.
  3. Capture the original message and decoded QR destination when investigating a report.

Marketer from Email Geeks says image scanning varies by provider, so a pass in one mailbox does not prove the image was fully inspected.
2024-08-26 - Email Geeks
Marketer from Email Geeks says trusted platforms can be abused when user-controlled images are inserted into otherwise legitimate templates.
2024-08-26 - Email Geeks

The practical answer

Email spam filters do scan image content and QR codes, but the result depends on risk scoring, available compute, product policy, and timing. A filter that checks one message with OCR and QR decoding will still skip deeper work on another message if the sender looks trusted or the content appears low risk.
For senders, the fix is to make legitimate email easy to inspect: real HTML text, clear visible links, matching QR destinations, strong authentication, and reputation monitoring. For defenders, treat QR codes as links hidden in images and keep controls active beyond the inbox. Suped fits the domain-owner side of that work by showing authentication, reputation, hosted SPF, hosted DMARC, hosted MTA-STS, SPF flattening, alerts, and actionable fixes in one place.
