While signing up, I noticed that the signup "GRC Public Forums - Account confirmation required" email is marked as a possible phishing attempt by ProtonMail, which links to the following page: https://protonmail.com/blog/prevent-phishing-attacks/
The structure of the email HTML seems fairly innocuous, and is fairly simple (standard email clutter of odd whitespace, table formatting, and inline CSS aside):
So I doubt the HTML itself is the issue. However, when I looked at the export from ProtonMail, I could not see a plain-text multipart section, and the HTML segment appeared to be base64 encoded entirely. If true, this could be what is tripping some filters; I have heard of spammers relying on HTML to mask the nature of their email, so I wonder if there are filters that see the use of HTML-only emails and/or base64 as attempted obfuscation. The multipart structure I see, is
Root:
A caveat: If I understand correctly, ProtonMail encrypts the contents of emails stored at-rest, so there is a chance that the lack of plain-text and base64 encoding could be the effects of ProtonMail's system, which only interoperates with its webmail, apps, and bridge program, not with email clients directly. If someone else could confirm what the raw email content looks like for them, I would be curious if you can this same multipart structure, or if you can see something else which might be
A privacy warning: If you are not sure what to look for in raw email data and share it here, please be careful about posting full email headers, these can sometimes contain your home/work IP address or your email address in multiple places; if you want to keep either of those private please look over the headers carefully.
The structure of the email HTML seems fairly innocuous, and is fairly simple (standard email clutter of odd whitespace, table formatting, and inline CSS aside):
table > table
tr > td
a - GRC Forums title
tr > td
p - in order to complete...
p - confirm button
tr > td
div - Visit GRC Public Forums
So I doubt the HTML itself is the issue. However, when I looked at the export from ProtonMail, I could not see a plain-text multipart section, and the HTML segment appeared to be base64 encoded entirely. If true, this could be what is tripping some filters; I have heard of spammers relying on HTML to mask the nature of their email, so I wonder if there are filters that see the use of HTML-only emails and/or base64 as attempted obfuscation. The multipart structure I see, is
Root:
Content-Type: multipart/mixed
Content-Type: mulipart/related
Content-Type: text/html
& Content-Transfer-Encoding: base64
A caveat: If I understand correctly, ProtonMail encrypts the contents of emails stored at-rest, so there is a chance that the lack of plain-text and base64 encoding could be the effects of ProtonMail's system, which only interoperates with its webmail, apps, and bridge program, not with email clients directly. If someone else could confirm what the raw email content looks like for them, I would be curious if you can this same multipart structure, or if you can see something else which might be
A privacy warning: If you are not sure what to look for in raw email data and share it here, please be careful about posting full email headers, these can sometimes contain your home/work IP address or your email address in multiple places; if you want to keep either of those private please look over the headers carefully.