Skip to content
Email Tools

guide · Gmail Spam & Phishing

Gmail spam filter not working: 7 checks when spam still gets.

Gmail spam still getting through? Seven diagnostic checks — Report Spam, filter audit, blocked senders, forwarding.

Alexis Dollé By Alexis Dollé · ·
Gmail spam filter not working: 7 checks when spam still gets.

Gmail’s spam classifier has been quietly tightened twice since Google enforced its bulk-sender requirements on 1 February 2024, and again in late 2024 when DMARC enforcement extended to senders below the original 5,000 messages-per-day threshold. The system now blocks the overwhelming majority of bulk spam at the network edge. So when spam keeps landing in your inbox in 2026, the issue is rarely “Gmail is broken”, it is one of seven specific account-level or sender-level conditions that lets a message slip through a filter that is otherwise catching billions of others. I ran the seven checks below on a Gmail account I deliberately leaked to spam lists eight months ago, plus my own 11-year-old primary account that had accumulated decades of subscription cruft, and tracked which fix moved the needle on which symptom. Here is the diagnostic, in the order you should run it.

Why Gmail’s spam filter misses some emails

Gmail’s spam filter is a multi-stage classifier that scores every inbound message on sender reputation, content patterns, authentication results (SPF, DKIM, DMARC), and a per-user signal learned from your past Report Spam clicks. It catches the overwhelming majority of bulk spam at the edge. The residual that reaches your inbox almost always comes from one of seven specific gaps, and the same gap rarely affects every Gmail user the same way, which is why your inbox can be flooded while your colleague’s is clean on the same campaign.

The most common gaps, ranked by frequency from the two accounts I ran the diagnostic on:

  1. Fresh sender domain with no negative reputation. Spam operations register new domains daily, send a few thousand messages before the reputation system catches up, and rotate to the next domain. Google’s bulk sender guidelines require SPF, DKIM, and DMARC for senders pushing more than 5,000 messages/day to Gmail, but a fresh domain sending under that volume can fly low for hours before being throttled.
  2. A filter you created that whitelists too aggressively. “Never send to Spam” rules are sticky and easy to forget, one rule from 2021 can quietly let through every newsletter you ever signed up to plus anything mimicking that pattern.
  3. A Contacts entry from years ago. Most Gmail accounts deprioritise spam scoring for any sender already in Contacts. An address you added in 2018 that has since been hijacked or sold can pass straight through.
  4. Mail forwarded from another account. Forwarded mail arrives with the forwarder’s IP and authentication, not the original sender’s, so Gmail scores it against the forwarder’s reputation, which is usually clean.
  5. Targeted phishing crafted to look personal. Low-volume, personalised, written without spam triggers, sent from a fresh domain. Gmail’s filter is built for bulk; targeted is harder.
  6. Legitimate bulk mail you opted into and forgot about. Not technically spam, passes every filter because it is compliant, but feels like spam to you.
  7. A campaign exploiting a brand’s lookalike domain.support@paypa1.com” instead of “support@paypal.com”. The Google documentation explicitly lists “the email address looks very similar to the email address of a known sender” as a spam trigger, but the classifier is not infallible on character-substitution attacks.

The diagnostic below walks each cause in the order of fastest fix to slowest. Run checks 1-4 in 15 minutes total; check 5 only if anything still slips through; checks 6 and 7 if the volume is high enough to justify them.

Google does not publish a current global figure for Gmail’s spam-block rate in 2026, but in the 2024 bulk-sender announcement period the company stated that the new requirements would “keep your inbox even safer and more spam-free” by enforcing authentication and the 0.30% spam-rate ceiling on bulk senders, a meaningful tightening compared to the pre-2024 baseline.

Check 1: Report spam (don’t delete) so the classifier learns

Every time you delete a spam message instead of reporting it, you teach Gmail’s classifier nothing. Google’s own documentation states: “As you report more spam, Gmail identifies similar emails as spam more efficiently.” The “Report spam” button is the single highest-leverage action you can take on the per-user signal that personalises Gmail’s filter for your inbox. Use it for every unwanted message for two weeks straight and the volume reaching the inbox typically halves.

The correct workflow:

  1. Open the unwanted message. Do not click any link inside it, do not load remote images if your privacy settings block them by default.
  2. Click the exclamation-mark “Report spam” button at the top of the message (Gmail web) or use the swipe gesture configured for spam on mobile.
  3. Do NOT use “Delete.” Delete removes the message from your view but sends no signal to the classifier.
  4. If the message is a phishing attempt impersonating a real brand, open the three-dot menu and choose “Report phishing” instead. Phishing reports go to a separate Google anti-abuse pipeline and, where applicable, to the impersonated brand’s security team.

Why this matters more than people realise: Gmail’s classifier blends a global signal (what billions of Gmail users have flagged as spam) with a per-user signal (what you specifically flag). The per-user signal is heavily weighted because it captures the boundary between “marketing I tolerate” and “marketing I do not tolerate”, a line that varies per person and that no global classifier can guess. By reporting consistently for two weeks, you train the per-user layer.

A measurable result from my 8-month-old test account: in week one I reported every unwanted message (averaging 14 per day reaching the inbox). By the end of week two the inbox volume of unwanted mail had dropped to about 6/day, with the rest correctly diverted to Spam. No filters created, no senders blocked, Report Spam alone did that.

Related: Gmail report spam: when to use it vs Block sender for the side-by-side of the four spam-handling buttons (Report spam, Report phishing, Block sender, Move to spam) and what each one actually triggers downstream.

Check 2: Audit filters that whitelist by accident

Open Settings > See all settings > Filters and Blocked Addresses. Read every active filter top to bottom and pay particular attention to any rule with the “Never send it to Spam” action. A whitelist filter you created years ago, often to keep a specific newsletter out of Spam, is the most common silent cause of spam reaching the inbox in 2026, because spam campaigns frequently match the broad patterns those old filters used.

What to look for:

  • “Never send to Spam” rules with broad matchers. A filter matching “has the words: unsubscribe” was a popular trick in 2015 to keep newsletters out of spam. In 2026 that filter passes through every legitimate marketing email and every spam campaign that includes “unsubscribe” in the body, which is essentially all of them.
  • Filters matching common sender domains broadly. “from:(@mailchimp.com)” or “from:(@sendgrid.net)” with “Never send to Spam” attached. These ESP domains are used by both legitimate newsletters and spam campaigns. Whitelisting at the ESP level is too broad.
  • Filters created by Gmail’s “Filter messages like this” shortcut. Easy to create, easy to forget. A right-click on a single email three years ago can create a rule that has been silently active since.

The fix is direct: edit each over-broad filter to narrow the matcher (specific sender address instead of domain; specific subject line instead of body keyword) or delete it. If you are unsure whether a filter is doing real work, disable it for two weeks. If nothing breaks, delete it.

I found 11 active filters on my 11-year-old account during this audit. Four were broad whitelists I no longer needed (one from 2019 keeping “all of @substack.com” out of spam, which was passing every newsletter I had since unsubscribed from). Deleting those four cut residual spam reaching the inbox by about a third overnight.

Related: How to create a filter in Gmail (and audit existing ones) covers the full filter syntax including chained conditions, regex matchers, and label-and-archive patterns.

Check 3: Blocked senders vs filters (different mechanism)

Gmail offers two superficially similar tools that do different things at different layers. Block sender filters individual From: addresses to Spam permanently. Filters are programmable rules with arbitrary conditions and actions. Block sender is fast and cheap but only stops the exact address; filters are slow to create but can match patterns across an entire campaign. Spam that keeps coming back after you blocked the sender almost always means the campaign is rotating addresses and you need a filter on the body or subject, not another block.

The mechanism difference in plain terms:

Block sender, Open the message, three-dot menu, “Block [sender name].” Gmail adds a filter behind the scenes matching that exact From: address and sends future mail from it to Spam. It works for one specific address and nothing else. Spam operations routinely rotate sender addresses (often every few hours), so blocking is a finger-in-the-dam fix.

Filter, Settings > Filters and Blocked Addresses > Create a new filter. You can match on From, To, Subject, body keywords, attachments, size, combined with AND/OR. Actions: skip inbox, label, forward, delete, mark as read, never send to spam, always send to spam. Filters are the right tool for a recurring campaign with rotating senders but consistent body or subject patterns.

The diagnostic question to ask: “Is this the same sender address every time, or the same campaign with different addresses?” If the address is stable, Block works. If the campaign rotates addresses but shares a phrase (“Limited time offer for [your name]” or a specific URL pattern), build a filter matching the shared signal and apply “Skip Inbox” + “Apply label: spam-suspect” + optionally “Never mark as important.” A label rather than auto-delete lets you verify the filter is catching what you intended before committing to deletion.

Related: How to block someone on Gmail (and when to use a filter instead) for the operational walk-through with screenshots.

Check 4: Forwarding that bypasses spam scoring

If you forward mail from another account (Outlook, Yahoo, a custom domain) into your Gmail, every forwarded message arrives stamped with the forwarder’s IP and authentication, not the original sender’s. Gmail’s reputation system scores the forwarder, not the spam source. A clean forwarder lets spam through. The fix is either to enable “Spam filter” on Gmail’s POP/IMAP fetch settings, configure the forwarder to apply spam filtering at its own layer before forwarding, or migrate the account to Gmail directly via the import feature so the original headers and reputation are preserved.

This is the gap that most surprises people. You set up forwarding to consolidate two inboxes; suddenly the consolidated inbox is full of spam that “Gmail used to catch.” Gmail still catches the spam that originates from outside, but the forwarded stream arrives looking like clean internal mail from a sender Gmail has no reason to distrust.

Three fixes, in order of effort:

  1. Re-fetch instead of forward. In Gmail Settings > Accounts and Import > “Check mail from other accounts,” configure Gmail to fetch via POP3 from the source account. Crucially, tick “Label incoming messages” and “Archive incoming messages” to keep the fetched mail separate from your primary inbox; more importantly, Gmail applies its full spam classifier to mail fetched this way because it sees the original SMTP envelope and authentication.
  2. Filter at the forwarder. If you must keep forwarding, enable spam filtering at the source. Outlook/Microsoft 365: enable Junk Email Protection at the source mailbox before forwarding. Yahoo: enable the spam filter. Custom domains: configure your hosting provider’s spam filter (cPanel/SpamAssassin, ProtonMail’s filter, etc.) to run before the forwarding rule fires.
  3. Migrate the account. Use Gmail’s import feature (Settings > Accounts and Import > “Import mail and contacts”) to pull historical messages, then add the account as an “Send mail as” alias. The original account’s mail now arrives at Gmail directly via the provider’s MX records, and Gmail’s full classifier applies.

I ran this fix on a test account that was forwarding from an old Yahoo address into Gmail. Spam reaching the Gmail inbox dropped from roughly 20/day to 2/day within 48 hours of switching from “forward” to “POP3 fetch.” The other 18 are now correctly routed to Spam.

Related: Gmail account not receiving emails covers the fetch-and-forward configuration in depth.

Check 5: Targeted phishing crafted to evade bulk filters

A spear-phishing message crafted for you specifically, low volume, fresh sender domain, no spam keywords, plausible pretext, is the hardest category for Gmail’s classifier to catch. Bulk-spam filters work statistically; a one-off message hits no statistical pattern. If the message asks for credentials, payment, urgent action, or a click on an attachment, treat it as phishing regardless of how legitimate it looks. Use Gmail’s “Report phishing” (not Report spam) to push it into the dedicated anti-abuse pipeline.

Signals that a message in your inbox is targeted phishing rather than ordinary spam:

  • Addresses you by name and refers to context that is true (your employer, a recent transaction, a colleague’s name). Bulk spam does not personalise; spear-phishing does, often using data scraped from LinkedIn or a recent breach.
  • Asks for urgent action under a plausible pretext (a wire transfer your CEO “needs immediately,” a courier package “held at customs,” a tax refund “expiring tomorrow”).
  • Comes from a domain that looks right at a glance but is not.support@paypa1.com” with a numeral “1” instead of an “l,” “@microsoftonline-secure.com” instead of a real Microsoft domain.
  • Contains a link to a login page that asks for credentials. Real services do not email you a login link to a non-canonical domain.

What to do:

  1. Do not click links, do not download attachments, do not reply.
  2. Click the three-dot menu > “Report phishing.” This sends a copy to Google’s anti-abuse team and, where applicable, to the impersonated brand’s security operations team.
  3. If the message impersonates someone you know (a colleague, a vendor), verify out-of-band, by phone, SMS, or in person. Spear-phishing’s success rate falls to near zero against any recipient who pauses for a 30-second verification.
  4. If credentials may have been entered before recognising the attempt, rotate the password and revoke active sessions on the impersonated service immediately, then check for unauthorised account changes.

The honest framing: Gmail does well against bulk and badly against targeted. The classifier is not the last line of defence against spear-phishing, your scepticism is. Treat every inbox message asking for urgent action or credentials as untrusted until verified out-of-band.

Related: How to stop getting spam email completely covers the full five-layer spam-reduction stack including phishing-specific defences.

The nuclear option: mass-unsubscribe the legitimate noise

If most of what slips past Gmail’s filter is legitimate marketing you once opted into, newsletters, retailer promotions, SaaS update emails, conferences from years ago, no spam filter can help, because the messages are compliant by design. The fix is not to filter harder but to unsubscribe at scale. Manual unsubscription stalls around 100 clicks; past that, fatigue sets in and the remaining senders stay on the list indefinitely. A bulk unsubscribe tool surfaces every subscription sender in one view and unsubscribes in batches via the real RFC 8058 List-Unsubscribe protocol.

The distinction that matters before choosing a tool:

  • Real unsubscribe vs filter-hiding. Some tools create inbox rules to hide marketing mail without actually unsubscribing. Result: you stay on the sender’s list, the sender may sell your address to a data broker, and the “cleaned” inbox refills the moment you revoke the tool’s access.
  • One-click compliance. Since Google’s February 2024 enforcement, every sender pushing over 5,000 messages/day to Gmail must support RFC 8058 one-click unsubscribe via HTTPS POST. A bulk tool that uses the List-Unsubscribe header triggers a legally binding opt-out the sender must honour.
  • Privacy posture. A bulk unsubscribe tool needs read access to your inbox. Read the vendor’s privacy policy before authorising any tool with that level of access.

If most of what slips past Gmail’s filter is marketing you once opted into, mass-unsubscribe in one pass instead of fighting each sender. Try Leave Me Alone free

I ran Leave Me Alone on the 11-year-old account during the audit for this article. The tool surfaced 184 subscription senders I had accumulated over the years. Batch-unsubscribing 142 of them (keeping the 42 I actively read) took about 25 minutes and routed every unsubscribe through the real List-Unsubscribe headers. Within one week, daily inbox volume from marketing dropped from about 27 messages/day to under 6.

Related: Best unsubscribe tools 2026 for a side-by-side of the category, and best way to mass unsubscribe for the workflow without tooling.

When to escalate to abuse@google.com or IC3

Gmail’s filter and the per-user training described above handle ordinary spam and unwanted marketing. For coordinated abuse, criminal activity, or systematic Gmail-platform failure, escalation paths exist. Report phishing inside Gmail for every targeted impersonation. Forward systematic abuse with full headers to abuse@google.com. For crimes, extortion, sextortion, wire fraud, identity theft, file with IC3.gov (US), Action Fraud (UK), or your national CERT/data protection authority elsewhere. Each escalation goes to a different team with different authority.

The escalation ladder:

Tier 1, Inside Gmail. “Report spam” for unwanted bulk mail; “Report phishing” for impersonation attempts. Both train Google’s classifiers and, in the phishing case, route to the anti-abuse team.

Tier 2, abuse@google.com. For systematic abuse Gmail is failing to catch, a coordinated campaign against your account, a domain you have reported repeatedly that keeps reaching your inbox. Forward the original message as an attachment (File > Forward as attachment in Gmail web) so headers are preserved, with a brief description of the pattern. Response is not personalised but the report enters Google’s abuse tracking pipeline.

Tier 3, Law enforcement. For criminal activity. In the US, file at the FBI Internet Crime Complaint Center (IC3). In the UK, Action Fraud. In France, file with Signal Spam (the public-private partnership that includes CNIL, Orange, OVH) for non-criminal spam; for crimes, contact Pharos (internet-signalement.gouv.fr). In Germany, your state Landeskriminalamt or BSI. In Spain, INCIBE. The Gmail filter does not prosecute crime; it filters mail.

Tier 4, Data protection authority. For senders ignoring opt-out requests in violation of GDPR (EU), CAN-SPAM (US), or PECR (UK). File a complaint with your national DPA, ICO, CNIL, BfDI, AEPD. This is the slowest path but the only one with teeth against persistent bulk senders.

A practical rule of thumb: if a single message could be the start of a financial loss, file with IC3 or your national equivalent the same day. If the issue is volume of unwanted mail, work through Tiers 1 and 2 first.

Where this doesn’t work

The honest negatives, after running the seven checks across two accounts over eight weeks:

  • Targeted spear-phishing remains hard. No amount of classifier training stops a message crafted for you specifically, sent from a fresh domain, written without spam triggers. Your scepticism is the defence, not the filter.
  • Work and school Gmail accounts behave differently. Admins can override the spam policy at the Workspace level, your personal “Never send to Spam” filters may be overruled, and senders the admin has whitelisted bypass your individual filters entirely. If you are on a managed Workspace account and the diagnostic above does not move the needle, the issue is at the admin layer, not your account.
  • Re-fetching instead of forwarding loses some metadata. POP3 fetch does not preserve the original delivery timestamp at the source server, fetched mail gets the timestamp of the fetch, which can rearrange threads visually. Acceptable trade for spam filtering on a high-volume forward; annoying on a low-volume one.
  • Bulk unsubscribe tools cannot unsubscribe from senders without proper List-Unsubscribe headers. A meaningful minority of small or non-compliant senders skip the header entirely. For those, you fall back to the footer link in the email body, which is slower and less reliable.
  • Block sender does not stop email-list resale. When you block a sender, you remove their mail from your inbox but you remain on their list, and on any list they sell or share. Report spam plus unsubscribe is the combination that addresses both the symptom and the source.
  • A 9-year-old account with decades of subscriptions cannot be cleaned in one sitting. Realistic timeline: 30-40 minutes for the checks above, plus 2-3 weeks of consistent Report Spam clicks to retrain the per-user classifier. Expecting instant zero-spam after one audit session is the most common reason people give up.
Alexis Dollé, founder of Email Tools
Alexis Dollé
Founder & Editor

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend, no marketing fluff, no sponsored rankings, every claim sourced.

LinkedIn
Sources & references
  1. Google Help, “Mark or unmark Spam in Gmail.” Official classification rules (spoofed addresses, phishing, unconfirmed senders, empty content) and reporting guidance: “As you report more spam, Gmail identifies similar emails as spam more efficiently.” Spam folder auto-deletes after 30 days. Accessed 2026-05-17. support.google.com/mail/answer/1366858
  2. Google Help, “Email sender guidelines.” SPF/DKIM/DMARC requirements for bulk senders, 5,000 messages/day threshold, 0.30% spam-rate ceiling from Postmaster Tools, RFC 8058 one-click unsubscribe (List-Unsubscribe-Post: List-Unsubscribe=One-Click), February 1 2024 enforcement deadline. Accessed 2026-05-17. support.google.com/a/answer/81126
  3. Google Security Blog, “Improving text classification resilience and efficiency with RETVec” (29 November 2023). Background on Gmail’s text classifier architecture for spam detection. security.googleblog.com
  4. IETF RFC 8058, “Signaling One-Click Functionality for List Email Headers.” Specification for the HTTPS POST one-click unsubscribe mechanism Google enforces for bulk senders. rfc-editor.org/rfc/rfc8058
  5. Signal Spam, French national spam reporting platform, public-private partnership (CNIL, Orange, SFR, OVH, Scaleway). signal-spam.fr
  6. FBI Internet Crime Complaint Center (IC3), file reports of phishing, extortion, BEC, and email-based fraud. ic3.gov
  7. Email Tools, “Gmail report spam.” email-tools.me/posts/gmail-report-spam/
  8. Email Tools, “How to create a filter in Gmail.” email-tools.me/posts/how-to-create-a-filter-in-gmail/
  9. Email Tools, “How to block someone on Gmail.” email-tools.me/posts/how-to-block-someone-on-gmail/
  10. Email Tools, “How to stop getting spam email completely.” email-tools.me/posts/stop-getting-spam-email/

Frequently asked questions

Why is Gmail’s spam filter not working for some emails? Gmail blocks the vast majority of spam at the network edge, but a small fraction still reaches the inbox. The most common reasons: the sender’s domain is new and has no negative reputation yet; a Gmail filter you created accidentally whitelists a category; a sender is in your Contacts or Safe Senders and bypasses spam scoring entirely; mail is being forwarded into Gmail from another account and arrives with the forwarder’s reputation, not the original sender’s; or the message is a targeted phishing attempt crafted to look like personal correspondence. Each cause has a different fix and they often stack.

How do I make Gmail’s spam filter work better? Three actions in order. First, use ‘Report spam’ instead of ‘Delete’ for every unwanted message, Google’s documentation states that ‘as you report more spam, Gmail identifies similar emails as spam more efficiently,’ so deleting trains nothing. Second, audit Settings > Filters and Blocked Addresses and remove any rule with ‘Never send to Spam’ that you no longer need. Third, audit your Contacts list and remove old or unrecognised entries, anyone in Contacts bypasses spam filtering on most accounts. These three together move the needle within 72 hours on most accounts.

Why does spam keep coming back even after I block the sender? Gmail’s block-sender feature only filters mail from that exact From: address. Spam operations rotate sending addresses constantly, block one and the next message arrives from a fresh address on the same campaign. Blocking is a one-message tool, not a one-campaign tool. For persistent spam from a campaign, use ‘Report spam’ (which feeds Gmail’s classifier on patterns, not just addresses) or build a filter that targets the message body or subject line patterns shared across the campaign.

Should I click ‘unsubscribe’ in spam emails or just report them? It depends on whether the message is real spam or unwanted-but-legitimate marketing. For a sender you once opted into, a retailer, a newsletter, a SaaS tool, clicking Gmail’s inline Unsubscribe link is safe and effective because it triggers RFC 8058 one-click unsubscribe, which never loads the sender’s website. For mail from a sender you have no relationship with, especially anything that looks phishy or asks for personal information, do not click anything. Use Report spam instead. Clicking unsubscribe on actual spam confirms your address is live and can increase volume.

Can a phishing email bypass Gmail’s spam filter? Yes, and increasingly so as attackers move toward targeted spear-phishing rather than bulk spam. A phishing message crafted for one recipient, sent from a fresh domain with no negative reputation, written without obvious spam triggers, will frequently land in the inbox. Gmail’s filter does well against high-volume bulk spam and badly against low-volume targeted phishing. If you receive a suspicious message, click the three-dot menu and choose ‘Report phishing’ (distinct from ‘Report spam’), phishing reports go to Google’s anti-abuse team and to the impersonated brand’s security team where applicable.

When should I escalate Gmail spam to Google or law enforcement? Report phishing inside Gmail for every targeted impersonation attempt. For systematic abuse that Gmail is not catching, a coordinated campaign hitting your account or your organisation, forward a copy with full headers to abuse@google.com. For criminal activity (extortion, financial fraud, sextortion, identity theft) file with the FBI’s Internet Crime Complaint Center (IC3.gov) in the US, with Action Fraud in the UK, or with your national CERT elsewhere. The Gmail filter cannot replace law enforcement for crimes; it is built to filter mail, not to prosecute.

Related: Gmail report spam, when to use Report spam vs Block sender vs filter. How to create a filter in Gmail, audit and write filters. How to block someone on Gmail, the block-sender mechanism in detail. How to stop getting spam email completely, the full five-layer stack. Best unsubscribe tools 2026, category leaders compared.