Why is Mimecast blocking emails containing Calendly links and other URLs?

Key findings

• URL reputation: Calendly links can be blocked due to a negative URL reputation, which stems from their extensive use in unsolicited cold outreach. This is similar to how other commonly abused URL shorteners or linking services might get blocklisted.
• Aggressive filtering: Mimecast employs aggressive spam and security filters, sometimes integrating with services like SpamCop, which can lead to legitimate emails being flagged if they contain elements associated with known spam patterns. This is part of their broader approach to email filtering based on URL reputation.
• Content analysis: Beyond the Calendly link itself, Mimecast's systems (and other security gateways) analyze the entire message for spam signatures, which could include suspicious HTML structures, tracking pixels, or other third-party hosted content. For example, some reports indicate that legitimate tools' domains, like urlquery.net, are used for suspicious elements.
• Bounce message context: A generic bounce message like 554 Email rejected due to security policies indicates a broader content-based or policy-based rejection, not necessarily specific to the URL. It suggests an anti-virus or spam score threshold was exceeded, as detailed in Mimecast's official SMTP error codes documentation.
• Hidden tracking: The use of burner URLs (e.g., Herokuapp.com redirects) or specific tracking pixels (like aptracking1.com) can be perceived as deceptive behavior by Mimecast, leading to blocking. This is because these elements are often associated with spamware or cold outreach platforms, as highlighted by reports on hackers bypassing security controls with trusted domains.

Key considerations

• Link wrapping: Using an email service provider's (ESP) click-tracking link or a custom redirect can often mitigate blocking issues, as it masks the direct Calendly URL. This is a common strategy to avoid issues where click tracking links from your ESP are blocked.
• HTML structure: Examine the email's HTML structure for anomalies, such as excessive blank spaces or invalid tags, which can trigger spam filters. Poorly constructed HTML can negatively impact deliverability.
• Identify all links: Thoroughly review all URLs within the email, including those for images (e.g., logos in signatures), tracking pixels, and social media links. Some of these may be hosted on domains (like googleusercontent.com) that, if compromised or abused, could lead to content flagging.
• Sender behavior: Consider if the sender's email behavior (e.g., using Apollo for cold outreach) might be contributing to a poor sender reputation, irrespective of Calendly. Mimecast can block based on overall sender reputation and observed spam patterns.

Key opinions

• Calendly's spam reputation: Many marketers are aware that Calendly has faced issues with being associated with spam, particularly in cold email campaigns.
• Custom redirects as a workaround: A common strategy is to use a custom redirect domain or a personal URL shortener (a mini bitly) to wrap Calendly links, which helps in bypassing some filters.
• ESP tracking links: Using an Email Service Provider's (ESP) built-in click-tracking links (which often use the ESP's domain) can also help to mask the original Calendly URL, improving delivery to some extent. However, third-party links can still face rejection if the ESP's tracking domain itself has a poor reputation.
• B2B deliverability concerns: Marketers in the B2B space are particularly concerned about Mimecast, as it's a prevalent security gateway in corporate environments. Their aggressive filtering directly impacts B2B email campaigns.

Key considerations

• Calendly's domain limitations: While Calendly offers custom domains, it's typically part of their higher-tier enterprise plans, making it inaccessible for many smaller businesses or individual marketers.
• Mimecast's responsiveness: Some marketers find Mimecast unresponsive or unwilling to adjust their aggressive filtering even when legitimate emails are blocked. Their primary focus remains on security, even if it means over-filtering.
• Testing strategies: When facing blocks, marketers should test email deliverability by sending messages with and without Calendly links, and with or without third-party tracking software, to isolate the true cause. Understanding how to run an email deliverability test is crucial.
• Contextual blocking: The issue is often not Calendly alone, but its combination with other elements, such as specific spamware or content that triggers Mimecast's heuristic filters. This is part of a broader challenge, where routine emails with third-party content get spam blocked.

Key opinions

• Bitly blocking scenario: Experts view Calendly link blocking as analogous to the challenges faced by services like Bitly, where legitimate tools become associated with spam due to abuse by bad actors. This leads to blanket blacklisting of the domain, or at least a higher spam score.
• Calendly's stance on spam: Some experts have direct confirmation from Calendly that they acknowledge a significant portion of their users engage in B2B spam, and unfortunately, they support it as a use case. This severely damages their domain reputation.
• Mimecast's aggressive filters: Mimecast is known for its aggressive filtering, which often includes using public blocklists (or blacklists) like SpamCop. This means that if Calendly or associated domains are on such a list, emails will be blocked. This is a common issue faced by many senders, as Mimecast is a prominent email security gateway.
• Beyond Calendly: The problem is often not solely the Calendly link, but other suspicious elements within the email. This could include malformed HTML, hidden tracking pixels (e.g., from aptracking1.com), or the use of burner URLs (like those from herokuapp.com) designed to hide connections to spamware. These elements contribute to a high spam score or trigger anti-virus signatures.

Key considerations

• Bounce message analysis: The exact bounce message, including any codes and links, is crucial for diagnosing the issue. A generic 554 Email rejected due to security policies often points to content-based filtering (like virus scans or spam scores) rather than a direct URL block. This is different from how Mimecast handles anti-spoofing policies.
• Inbound and outbound filtering: Mimecast applies its filters to both inbound and outbound emails. Therefore, a client's own Mimecast configuration could be blocking their outgoing mail containing suspicious elements, even if the recipient's Mimecast isn't the primary blocker. This impacts an organization's domain reputation.
• Comprehensive testing: To pinpoint the exact cause, senders should conduct tests varying the elements within the email. This includes sending messages with and without Calendly links, and with or without specific spamware/tracking services (e.g., Apollo) to determine which component is triggering the Mimecast blocklist (or blacklist).
• Dynamic signatures: Mimecast's filtering relies on dynamically updated spam signatures. It's plausible that specific tracking elements (like apollo_tracker) could become recognized spam signatures or even lead to entire domains being blocklisted if they are consistently associated with unwanted mail. This highlights the ever-evolving nature of email deliverability issues, where solutions for why your emails go to spam change frequently.

Key findings

• SMTP error codes: Mimecast's official documentation for SMTP error codes (e.g., 554) indicates that rejections can be due to a 'signature,' which refers to a virus or a spam score exceeding a maximum threshold. This implies content-based analysis, not just URL reputation.
• Spam score: The spam score, though not visible in the Mimecast Administration Console, plays a critical role in determining if an email is blocked. This score is a cumulative measure of various factors, including suspicious URLs, content, and sender reputation. This highlights why a Calendly link, combined with other factors, could tip the scale.
• Customer configuration: Mimecast allows individual customers to configure their own blocking policies at both domain and mailbox levels. This means a block could be due to a specific recipient's aggressive custom rules rather than a global Mimecast policy, influencing why emails get quarantined.
• Sender feedback: Mimecast provides a Sender Feedback form for non-customers to request a review of rejected emails. This mechanism allows senders to appeal blocks, suggesting that Mimecast's system can differentiate between legitimate and spam messages over time if provided with sufficient data.
• URL reputation scanning: Security gateways actively scan URLs within emails for reputation and potential threats. If a URL, even from a legitimate service like Calendly, has a history of being used in malicious or unsolicited campaigns, it will contribute negatively to the email's overall threat score. This is similar to how Microsoft scans links at a high rate.

Key considerations

• Holistic scanning: Security solutions employ a layered approach, scanning not just URLs but also attachments, message headers, and the overall content for malicious signatures and suspicious patterns. A Calendly link might be one data point among many that contribute to a high spam score.
• Deceptive URLs: Documentation often highlights the detection of URLs designed to hide their true destination, such as those that redirect multiple times or point to domains with a poor reputation. This is a common tactic in phishing and spam, and even legitimate links can be flagged if they are part of a complex redirect chain.
• Content reputation: Beyond URL reputation, the reputation of other content elements (e.g., images hosted on free services, or specific tracking pixels) can contribute to an email's overall spam score. Malformed HTML, or elements that suggest an attempt to obscure content, can also raise red flags.
• Policy adjustments: Recipients who are Mimecast customers can often adjust their internal configurations to permit specific addresses or domains, or to relax certain security policies. This direct communication with the recipient's IT department is often the most effective way to resolve persistent blocking issues.