How do unencoded URLs impact email deliverability and spam filtering?

Key findings

• Strict parsing: Unlike browsers, mailbox providers and spam filters may not automatically 'fix' unencoded URLs, treating them as malformed or suspicious.
• Spamware indicator: Historically, poorly constructed URLs were a common sign of spam or malicious content, leading filters to be more sensitive to them.
• SQL injection risk: Unencoded characters, especially keywords like 'update', 'delete', or 'select' in query parameters, can be misinterpreted as attempts at SQL injection or other nefarious activities, triggering security filters.
• Desktop client issues: Some older or stricter desktop email clients (like Outlook) are particularly sensitive to malformed URLs and may flag them as scams or spam, even if MBPs do not.
• Redirect and tracking impact: Even if the initial tracking URL is valid, if the final redirect URL is not properly encoded, it can lead to landing page errors, diminishing the user experience and potentially impacting engagement metrics.

Key considerations

• URL encoding: Always ensure all components of a URL, especially query parameters containing special characters (like spaces or parentheses), are properly URL encoded. This includes data passed through ESP tracking links.
• Naming conventions: Adopt naming schemes for UTM parameters or internal campaign identifiers that avoid spaces and special characters. Using hyphens or underscores can prevent encoding issues. For more on how links affect deliverability, consider our guide on HTTP tracking links.
• ESP responsibility: Work with your Email Service Provider (ESP) to ensure their click-tracking and redirect mechanisms properly encode any dynamic parameters they append to your URLs. This is crucial for maintaining proper deliverability, especially when considering tracking URL subdomain alignment.
• Testing: Thoroughly test email links across various email clients and devices to catch any encoding or rendering issues before sending to your entire list. For broader insights, see Do Links Hurt Email Deliverability?.

Key opinions

• Browser forgiveness: Browsers are generally good at correcting malformed URLs, which can mask underlying encoding problems until a spam filter or specific email client encounters them.
• ESP parameter issues: Many marketers find their email service provider's (ESP) click-tracking or redirect URLs are not properly encoding appended UTM or campaign parameters, especially those with spaces or parentheses.
• Landing page errors: The primary indicator of a problem often surfaces as a landing page error, where the recipient's website doesn't correctly process the unencoded parameters.
• Perceived security risk: Unencoded URLs, particularly those containing common database commands, can mistakenly be perceived by web application firewalls or other security measures as SQL injection attempts.
• Information leakage: Marketers are concerned that unencoded campaign or segment names in URLs could expose internal marketing information to subscribers.

Key considerations

• Proactive testing: Routinely check email links to ensure they render and redirect correctly across various email clients and web browsers before deployment. This is part of a broader email deliverability testing strategy.
• Naming consistency: Implement strict internal guidelines for naming email campaigns and UTM parameters to avoid problematic characters. This can also prevent specific spam words from appearing unencoded.
• ESP liaison: Communicate encoding requirements with your ESP to ensure their system handles all appended parameters correctly, reducing the risk of email deliverability issues and being flagged by a blacklist.
• URL shorteners: While useful, be aware that URL shorteners can introduce their own deliverability considerations, as some can be associated with malicious activity. For further insights, Klaviyo offers advice on Email deliverability best practices related to email design.

Key opinions

• Spamware heuristics: Poorly formatted URLs were a classic sign of spamware, leading many spam filters to still use such characteristics as a strong indicator for blocking.
• Strict parsing by MBPs: Mailbox providers are much less forgiving than browsers. If a link won't load correctly because the URL is bad and their checking code doesn't fix it, it could be seen as an intentional attempt to bypass filters or lead to a non-existent page.
• SQL injection similarity: Unencoded characters or phrases that resemble SQL statements (e.g., 'update', 'delete') within URL parameters can trigger security rules designed to prevent SQL injection attacks.
• User click safety: There is a significant concern about what malicious actors can do once they convince a user to click a URL they control, or inject data into a legitimate service's URL, making strict URL validation crucial.
• Desktop client quirks: Certain desktop email clients, notoriously Outlook, are known for their unusual handling of URLs, often quick to flag unencoded or strange links as scam or spam.

Key considerations

• Strict adherence to RFCs: For optimal deliverability, URLs must strictly adhere to RFC specifications regarding encoding. Any deviation increases the risk of filtering. See our article on what RFC 5322 says vs. what actually works.
• Preventing security flags: Proactive URL encoding helps prevent emails from being flagged for potential SQL injection or other web-based vulnerabilities, which can severely impact sender reputation and lead to blacklisting (or blocklisting).
• Consistent URL structure: Standardize URL structures and parameter naming to avoid characters that require encoding. This simplifies parsing for email systems and reduces the chance of misinterpretation.
• Impact on engagement: Even if an email lands in the inbox, a broken or suspicious-looking link will deter clicks and harm overall engagement. Monitoring engagement is key to understanding how links affect deliverability.

Key findings

• RFC compliance: RFC 3986, the Uniform Resource Identifier (URI) Generic Syntax, specifies that certain characters (like spaces) must be percent-encoded when used in URIs to avoid ambiguity.
• Security vulnerability: Unencoded characters, especially those used in scripting or SQL, can be interpreted as code injection attempts by web application firewalls and email security gateways.
• Interoperability issues: Disregarding URL encoding standards can lead to links breaking or behaving inconsistently across different email clients, operating systems, and network configurations.
• Spam score contribution: Many spam filtering engines (e.g., SpamAssassin) assign penalty scores for non-standard URL formatting, including the presence of unencoded spaces or problematic characters.
• Malicious content association: Unusual or malformed URLs are a common characteristic of phishing attempts and malware distribution, leading security systems to treat them with high suspicion.

Key considerations

• Automated encoding: Ensure your email sending platform or custom application automatically applies proper URL encoding to all dynamic parameters and entire URLs. This is a critical technical solution for boosting email deliverability rates.
• URL canonicalization: Maintain consistent and canonical forms of your URLs in emails. Avoid variations that could be subject to misinterpretation or incomplete encoding.
• Compliance with major providers: Review guidelines from major mailbox providers (Google, Yahoo, Microsoft) regarding link formatting. Many have specific recommendations to prevent filtering. You can find out more about Outlook's new sender requirements.
• Use of HTTPS/SSL: While not directly related to encoding, always using HTTPS for links ensures secure data transmission and builds trust, indirectly reinforcing positive sender reputation and potentially assisting with how links are viewed by filters. Consult our resource on using HTTPS/SSL for email links.