Gmail flagging Auth0 Password Reset as suspicious

Hi.
I have tried two different SMTP services, including Google Workspace SMTP, and the results are the same. The test email runs fine. The password reset, however, always goes to spam and is marked dangerous.
I have set a custom domain, and it reflects the same domain that the email is sent from and that the password reset link points back to. My SPF and CNAME settings are all fine. I'm at a loss as to how to progress from here?

Hi @mike30,

Welcome to the Auth0 Community!

Have you looked through this FAQ?

Try using MX toolbox to see if your domain is on a blacklist.

Thanks Dan.

The fix was to customise the Auth0 password reset email template. For more information, read on.

Yes, I had read all of the FAQs I could find, both here and on Google's own help forums.
I did solve the problem, and I'll post the solution here.

Of note is that most solutions I found centred around having your SPF, DKIM and DMARC correct. So I kept looking for problems in this area, and while I got a pass mark of 95.5% for my email using https://www.mail-tester.com/, I was still being sent to SPAM as dangerous.

While making sure your header info is correct is a must to avoid the Gmail SPAM trigger, there are other, more subtle triggers. Google won't advise where your email is triggering (as it would give genuine hackers insights on how to beat their algorithms). So, by a painstaking process of trial and error, I finally figured it out.

Being in a semi test state preparing to go live, meant that we were doing just enough to get the system working and prove the process. So detail around “pretty” formatting of emails etc was taking a backseat…

Google suggests making sure your emails are clear of unnecessary CSS, reducing hidden fields, etc. My thought as I was working through the process was that "it's an Auth0 template, so it must be OK", and so we had left the password reset template alone.
After exhausting all other possibilities, I was led to the email itself, and that's when I had my "a-ha!" moment.

The password reset form has links, etc., and looking at the raw template, the logo was pointing to Auth0, not the domain that the email was coming from, and the logo alt text was still set to "put your logo here". So I guessed that Google's algorithm was seeing those things as "suspicious". I fixed those and then, for good measure, also gave the option to copy and paste the link into the browser, rather than just clicking "blindly" on the reset link. And voilà, the reset email arrived in the inbox, devoid of all suspicious markings.

Hope this helps other newbies.

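The three template problems Mike describes (an image hosted on a domain other than the sending domain, leftover placeholder alt text, and a reset link that can only be clicked, not copied) can be checked mechanically before a template ships. The script below is an added example, not Auth0's code and not the template from this thread; it assumes the sending domain is example.com and uses two constructed sample templates (the "before" one mimics the unedited state described above, with a made-up off-domain logo URL).

```python
"""Lint an HTML password-reset email template for common spam-filter triggers.

Added example; not Auth0's code. The checks mirror what the thread above found:
  1. images or links that point at a host other than the sending domain,
  2. placeholder or empty alt text on images,
  3. a reset link whose URL is not also present as plain text in the body,
  4. anchor text that looks like a URL but does not match the href (a classic
     phishing signal that mail filters score heavily).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Alt texts that mark a template nobody finished editing.
PLACEHOLDER_ALTS = {"put your logo here", "logo", ""}


class _RefCollector(HTMLParser):
    """Collect <img src/alt>, <a href>text</a> and all visible text."""

    def __init__(self):
        super().__init__()
        self.images = []      # list of (src, alt)
        self.links = []       # list of (href, anchor text)
        self.text = []        # every text node, in order
        self._in_a = None     # [href, text-so-far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(((a.get("src") or ""), (a.get("alt") or "").strip()))
        elif tag == "a":
            self._in_a = [a.get("href") or "", ""]

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a is not None:
            self.links.append((self._in_a[0], self._in_a[1].strip()))
            self._in_a = None

    def handle_data(self, data):
        self.text.append(data)
        if self._in_a is not None:
            self._in_a[1] += data


def same_site(url, sending_domain):
    """True if url's host is the sending domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    d = sending_domain.lower()
    return host == d or host.endswith("." + d)


def lint_template(html, sending_domain):
    """Return a list of human-readable findings; an empty list means clean."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = []

    for src, alt in p.images:
        if src.startswith(("http://", "https://")) and not same_site(src, sending_domain):
            findings.append(f"image hosted off-domain: {src}")
        if alt.lower() in PLACEHOLDER_ALTS:
            findings.append(f"placeholder or empty alt text on image: {src!r}")

    body_text = "".join(p.text)
    for href, text in p.links:
        if not href.startswith(("http://", "https://")):
            continue  # mailto:, relative paths, etc. are not scored here
        if not same_site(href, sending_domain):
            findings.append(f"link points off-domain: {href}")
        if text.startswith(("http://", "https://")) and \
                urlparse(text).hostname != urlparse(href).hostname:
            findings.append(f"link text {text!r} does not match href {href!r}")
        if href not in body_text:
            findings.append(f"reset link is not shown as plain text for copy/paste: {href}")
    return findings


# Constructed sample: the unedited state described in the thread. The logo URL is
# made up for illustration, not Auth0's real asset path.
BEFORE_TEMPLATE = """<html><body>
<img src="https://cdn.auth0.com/logo.png" alt="put your logo here">
<p>You have requested a password reset.</p>
<a href="https://example.com/lo/reset?ticket=abc123">Click here</a>
</body></html>"""

# Constructed sample: logo on the sending domain, real alt text, and the link
# repeated as plain text so it can be copied into a browser.
AFTER_TEMPLATE = """<html><body>
<img src="https://example.com/static/logo.png" alt="Example Corp">
<p>You have requested a password reset.</p>
<a href="https://example.com/lo/reset?ticket=abc123">https://example.com/lo/reset?ticket=abc123</a>
<p>If the link does not work, copy and paste this into your browser:
https://example.com/lo/reset?ticket=abc123</p>
</body></html>"""

if __name__ == "__main__":
    for name, tpl in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        print(name, lint_template(tpl, "example.com"))
```

Run it against your own exported template with your actual sending domain; a clean result does not guarantee inbox placement, but each finding it reports is something a mail filter can see without any header analysis at all.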

Hey Mike, thanks so much for posting a thorough update. I wouldn't have suspected the content to be the culprit, but it makes a lot of sense.

Thanks for posting a solution for our future users. Cheers.
