Which email security solutions commonly follow links?

Many leading corporate email security solutions proactively follow links, including Barracuda , Microsoft Safe Links (Microsoft 365 Defender), Proofpoint , and Mimecast . Some older systems like Symantec and Cisco Secure Email Gateway also have this capability.

Why do corporate email filters click links?

They do this to enhance security by detecting malicious content, such as phishing sites or malware, before the email reaches the recipient. By visiting the links in a sandboxed environment, they can analyze the true nature of the URL and prevent users from accidentally clicking harmful links.

How can I tell if a filter is clicking my links?

One common sign is inflated click-through rates in your email analytics, especially if these clicks occur almost immediately after sending or from unusual geographic locations. Many filters also rewrite URLs, so if your links are changed to include the filter's domain, that indicates scanning.

Does link following affect my email deliverability metrics?

Yes, it can. While it doesn't always prevent delivery, automated clicks can skew your engagement metrics, making it harder to assess true human interaction. If a link is deemed malicious, even by mistake, it could lead to your email being quarantined or your domain being added to a blacklist (or blocklist).

What can I do to minimize the impact of filters clicking links?

To minimize impact, ensure strong email authentication (SPF, DKIM, DMARC), maintain a clean email list, and monitor your email deliverability beyond just opens and clicks. Focus on metrics like conversions and replies for a clearer picture of engagement.

Which corporate filter appliances or software follow links in emails? - Technical - Email deliverability - Knowledge base

Email is the lifeblood of modern business, but it's also a primary vector for cyber threats. To combat sophisticated phishing attacks, malware, and spam, corporate email security solutions have evolved significantly. One key, often surprising, aspect of these advanced filters is their practice of proactively following (or clicking) links embedded within emails before they ever reach an employee’s inbox. This behavior is a crucial defense mechanism, but it also carries implications for email senders and their deliverability metrics.

Understanding which corporate filter appliances and software perform this link-following and why is essential for anyone involved in email marketing, sales, or IT security. It helps us navigate the complexities of email deliverability and understand why our analytics might sometimes show inflated click-through rates.

Major corporate email filters that follow links

Many leading corporate email security solutions incorporate advanced link analysis capabilities into their filtering processes. This means that when an email arrives, its links aren't just scanned for suspicious domains or keywords; they are actually accessed by the filter's automated systems in a controlled environment to observe their behavior.

Among the most common solutions known for this proactive link following is Barracuda. It is often cited as one of the more aggressive email security gateways in its approach. Additionally, Microsoft's email security offerings, particularly Safe Links within Microsoft 365 Defender, frequently engage in this behavior, often rewriting URLs to protect users upon clicking.

Other major players include Mimecast and Proofpoint, both of which are prominent in the corporate space and routinely rewrite and scan URLs. Even legacy solutions like Symantec and Cisco Secure Email Gateway can be configured to perform this level of link inspection.

Filter Provider	Known Link Following Capabilities	URL Rewriting
Barracuda	Highly aggressive, scans all links in a sandbox environment.	Yes, often rewrites URLs for real-time analysis upon user click.
Microsoft (Safe Links)	Proactively scans links in emails and Office documents based on admin settings.	Yes, wraps original URLs with Safe Links for verification.
Proofpoint	Advanced URL defense, sandboxing links to detect threats.	Yes, often modifies URLs to route through their protection service.
Mimecast	Performs URL protection and real-time link analysis.	Yes, rewrites URLs to ensure they pass through security checks.
Cisco (Secure Email Gateway)	Capable of link inspection, often based on threat intelligence and policy.	Can be configured for URL rewriting and reputation checks.

Why email security filters proactively click links

The primary reason these corporate email filters proactively click links is to enhance security. This method is a crucial defense against phishing, malware, and other email-borne threats. By visiting links in a controlled, isolated environment (often called a sandbox), the security solution can analyze the link’s true destination and behavior without exposing the end-user to potential harm.

For instance, a phishing email might contain a seemingly legitimate link that, when clicked, redirects to a malicious site or triggers a malware download. By pre-scanning, the filter can identify these malicious redirects or downloads and block the email or rewrite the link to a safe warning page before it ever reaches an employee. This proactive approach aims to catch threats that might evade simpler keyword or reputation-based scanning.

While effective, this process is resource-intensive. Therefore, many filters employ thresholds, only performing deep link inspection on emails that are already considered suspicious, based on factors like sender reputation, content analysis, or authentication results. This explains why not every link in every email might be clicked, but potentially dangerous ones are. For more information, you can read about how email security software clicks hyperlinks.

The security advantage

Proactive link scanning offers a critical layer of defense, especially against polymorphic threats that change their malicious payload over time. It helps protect organizations from zero-day exploits and sophisticated phishing campaigns that might otherwise bypass initial filtering.

This approach is vital because even well-trained employees can fall victim to highly convincing phishing attempts. Automated link checks reduce the reliance on human vigilance, which is why organizations are increasingly adopting these technical measures instead of relying solely on user training. The National Cyber Security Centre (NCSC) in the UK emphasizes this shift.

How link following impacts email deliverability

While beneficial for security, the proactive clicking of links by corporate filters can significantly impact email deliverability and sender analytics. The most immediate effect is often an inflation of reported open and click-through rates. This happens because the filter’s automated system counts as a click, even if no human recipient actually interacted with the email.

Another common side effect is URL modification or rewriting. Many filters replace original links with their own tracking or proxy URLs. While this doesn't usually prevent the link from working, it can interfere with complex email tracking systems or cause issues with link shorteners and custom domains, potentially leading to deliverability problems.

Furthermore, if a link is flagged as suspicious, even erroneously, it can negatively impact your sender reputation, potentially leading to your emails being marked as spam or even triggering an email blacklist or blocklist entry.

Sender’s perspective

Skewed metrics: Automated clicks inflate open and click-through rates, making it difficult to gauge true engagement.
URL modification: Rewritten URLs can break tracking, custom domains, or lead to unexpected behavior.
False positives: Legitimate links might be flagged as suspicious, affecting sender reputation.

Recipient’s security perspective

Enhanced protection: Prevents users from accessing malicious websites or downloading malware.
Proactive defense: Identifies zero-day threats and sophisticated phishing attempts before they reach the user.
Reduced risk: Minimizes the human error factor in avoiding dangerous links.

Adapting to proactive link scanning

Given that proactive link scanning is a standard practice for many corporate email filters, it’s important to adapt your email strategy to ensure optimal deliverability and accurate performance measurement. The first step is to ensure your email authentication is impeccable. Robust SPF, DKIM, and DMARC records signal trustworthiness to filters, reducing the likelihood of deep inspection or suspicion.

Example DMARC record (monitoring policy)dns

v=DMARC1; p=none; rua=mailto:dmarc_reports@example.com; ruf=mailto:dmarc_forensics@example.com; sp=none; adkim=r; aspf=r;

Secondly, don't rely solely on open and click rates for engagement metrics, especially for B2B communications. Instead, focus on conversion rates, replies, and actual human interactions. Tools that provide deeper insights into subscriber activity, rather than just raw clicks, can offer a more accurate picture of engagement. We offer a free online email testing tool to help.

Finally, maintaining a clean and engaged email list is paramount. Regularly remove inactive subscribers and avoid sending to old or unverified addresses. A low bounce rate and high engagement from legitimate users signal good sender hygiene, which can reduce the scrutiny from aggressive spam blocklists (or blacklists) and improve your overall domain reputation.

Views from the trenches

Best practices

Implement robust email authentication protocols (SPF, DKIM, DMARC) to build sender trust.

Regularly clean your email lists to remove inactive or invalid addresses, improving list hygiene.

Focus on true engagement metrics beyond simple opens and clicks, like replies and conversions.

Common pitfalls

Relying solely on reported open and click rates, which can be inflated by automated filter activity.

Neglecting email authentication, leading to increased scrutiny and potential blocklisting.

Sending to unengaged or old lists, which can trigger spam traps and lower sender reputation.

Expert tips

Monitor DMARC reports to identify authentication issues and ensure proper alignment.

Test emails with common corporate filters to observe how they handle links and content.

Be aware that some filters, like Barracuda, can be more aggressive, especially after changes to sending infrastructure.

Marketer view

Marketer from Email Geeks says Barracuda is known for proactively clicking links, often aggressively.

December 16, 2021 - Email Geeks

Expert view

Expert from Email Geeks says Microsoft Safe Links also performs link following, depending on administrator settings.

December 16, 2021 - Email Geeks

Navigating the landscape of email security filters

The landscape of corporate email security is complex, with an increasing number of appliances and software solutions actively following links within emails. This proactive scanning, while a powerful defense against cyber threats, significantly impacts how email deliverability is perceived and measured. Understanding that services like Barracuda, Microsoft Safe Links, Proofpoint, and Mimecast engage in this behavior is key to navigating the modern email ecosystem.

For email senders, the focus must shift from simply hitting the inbox to ensuring actual engagement and maintaining robust sender reputation through proper authentication and list hygiene. By adapting your strategies to account for these sophisticated filtering practices, you can improve your email program’s effectiveness and accurately assess its true impact.