[See below in the “What we did” section for the latest updates.]
Over the last week, starting on July 28, 2021, we noticed an increase in the number of users reporting that their emails were going to the Spam folder. Many were users that were sending organic non-commercial email that was used to landing in the Inbox. On August 3, 2021, we discovered that our default system tracking domain, which is based on a domain from Amazon Web Services, had been compromised and its reputation lowered, which was causing the Spam issue.
On August 3, we sent this notice to all affected users, and we replaced the default system tracking domain with a different one.
However, we discovered on August 4, that the new system tracking domain we started using on August 3, had now been flagged by Google as a phishing domain.
As a result, if you sent with GMass, starting around 10 PM GMT on August 4, and you had either open tracking, click tracking, or an unsubscribe link present, you would might have gotten bouncebacks indicating a block that looked like this:
Your sending limits might be lower than normal
You might also notice that your sending limits have been throttled. If you’re used to sending more emails without an issue, and now you’re getting “You have reached a limit” bouncebacks. that is also a consequence of this issue. Google keeps track of messages sent on a rolling 24-hour basis, so the limit issue should go away in about 24 hours.
What we did
Once we noticed this, we again swapped out our system tracking domain for a different one and this went further and segregated the assignment of our system domains based on user profiles. Meaning free accounts are on one tracking domain while paid accounts are on another. There’s further segmentation between these two groups as well. That has fixed the issue for now.
Update on 8/5/21 17:15 GMT:
We are now checking all user URLs in campaigns against the Google Safe Browsing list via their API and disabling redirects for any matching URLs. We’ve always checked against the Spamhaus DBL and SUBRL lists but now we’re adding the Safe Browsing list as well.
Update on 8/11/21 05:36 GMT:
We’ve combed through gigabytes of data and found several malicious actors using GMass to send Google-login phishing emails. Those accounts have been terminated, the click-tracked redirects have been disabled, and we’ve notified Google through the Google Search Console. As of now, all of our shared tracking domains are clean and not causing any deliverability issues. It’s still a best practice to set up your own tracking domain though, just in case this happens in the future.
Update on 8/11/21 06:08 GMT:
Hitting Limits: If you’re still hitting Gmail’s limits earlier than you’re used to, you may need to wait about 24 hours since the last 69585 bounce before that issues goes away.
Non-commercial users: If you’re not sending commercial email, meaning you’re sending out things like event announcements, notifications to a membership group, or similar non-commercial content, we can put you on a separate tracking domain dedicated for users just like you. Ask our support team to do this for you.
For a frank explanation of what happened and why, see my tweet on the matter.
What you can do
Here is how you can take control of the matter and avoid this issue going forward.
- The simplest long term solution is to set up your own tracking domain. This will isolate you from our nearly 1-million other users. That means that if 1 of our 1 million users does something bad, it won’t affect you.
- If you don’t know HOW to set up your own tracking domain, but you have a domain and know how to access its settings, we can do the setup for you. Just fill out this form.
- Another solution, which will avoid this problem entirely, is to turn OFF open and click tracking, and don’t include an unsubscribe link. Each of these 3 features (open tracking, click tracking, unsubscribe link) forces the tracking domain to appear in your email, which is what can cause the above issues. If you don’t use any of these 3 features, then you’ll never have this kind of issue because the tracking domain won’t appear in your emails.
Frequently Asked Questions
Q: Ugh, why is this happening?
A: It’s an unfortunate consequence of being a popular email platform. We used a default domain to include in our users’ emails so that open tracking, click tracking, and the unsubscribe link work “out of the box” without any user setup required. The downside of that is that 1 bad actor can ruin it for everyone else. That’s likely what’s happening here.
Q: So why don’t you catch the bad actor?
A: We’re trying, but with the amount of email flow that goes through our system, it’s a difficult task. This has happened before though and we’ve always managed to nail down the cause, so I’m confident we will this time as well.
Q: I tested sending an email just with the regular Gmail Send button, and not using GMass, and I didn’t have this problem. So GMass is the problem?
A: Sort of. When you send with GMass, and you use any of the open tracking, click tracking, or unsubscribe features, we have to insert a domain into your emails to make those features work. It’s that domain that is getting flagged and causing these spam and blocking issues.
Q: I tested sending the same email with a different platform, a competitor of GMass’s, and the email went through fine. Why aren’t they having the same problem?
A: Out of all the tools that allow people to send campaigns directly through their Gmail/Google Workspace accounts, GMass is one of the top 3 highest volume tools. The higher volume email a tool sends, and the more people that use the tool, the more likely it is to run into a problem like this. Most Gmail-based sending tools don’t push nearly the volume of email we do. It’s a catch-22. Become a popular email platform and suffer this problem, or don’t become popular and never have this problem.
Q: So what can I do right now if I’m having this spam/blocking problem?
A: You can either a) turn off open/click tracking and don’t include an unsubscribe link, or b) set up your own tracking domain.
Q: I already filled out the form to have you set up my tracking domain for me but haven’t heard back. What’s the deal?
A: We’re working our way through all the setups. It takes about 15 minutes to set up each one, and when we offered to do this for our users a few days ago, we had hundreds of submissions. We’ll get to you soon!
Resources and more reading
Fill out the form to have us assist with tracking domain setup
A more detailed explanation of why tracking domains cause issues