Issue:
When sending emails to Gmail domains, customers may encounter rejection errors with the following message:
552 5.7.0 This message was blocked because its content presents a potential security issue. Please visit https://support.google.com/mail/?p=BlockedMessage to review our message content and attachment content guidelines.
Regardless of whether the emails contain attachments or not, this error is received by Twilio SendGrid from the recipient domain. It's important to understand that, from Twilio SendGrid's perspective, we serve as an SMTP relaying service, and we can only deliver the email as received. We do not add attachments to emails unless they are provided by the customer's integration. Furthermore, it is beyond Twilio SendGrid's control or knowledge how recipient domain servers handle incoming emails.
Root cause:
When a customer utilises Cloudflare to protect a server that generates the email's body, Cloudflare may insert a server '<script>' tag into the HTML as part of their JavaScript bot detection mechanism. This '<script>' tag appears to trigger Gmail's blocking of email delivery. While this script hasn't caused significant issues until recently, it's evident that the recipient domain server (Google) has recently begun blocking emails containing the '<script>' tags.
The unique aspect of this issue is related to Cloudflare's behavior. Specifically, Cloudflare does not insert the '<script>' tag when we view the email's body in a browser. This peculiarity makes troubleshooting this issue a bit more complex.
Workaround:
As of now, the responsibility for finding a permanent solution lies with Cloudflare and the recipient domain. However, Twilio SendGrid can offer a workaround: Disabling the JavaScript bot detection will remove the '<script>' tag from the email body and allows successful email delivery.
Here are Cloudflare's official documentations on bot detection and disabling JavaScript:
https://developers.cloudflare.com/bots/reference/javascript-detections/
https://community.cloudflare.com/t/why-does-cloudflare-insert-javascript-and-what-does-it-do/262478
Note - Although making this change is known to fix the issue from a deliverability stance, it is essential that you work with your respective teams to know if the recommended change has other unprecedented impact.