
What are “safe link” rewriting systems (Microsoft ATP, Gmail Safe Browsing)?

Safe link systems protect email users by scanning URLs at the time of click rather than (or in addition to) at delivery time.

Microsoft Defender for Office 365 (ATP Safe Links):

Rewrites URLs in incoming email to route through Microsoft's scanning infrastructure

When users click, Microsoft scans the destination in real time

Blocks access to malicious sites discovered after email delivery

Links appear as long Microsoft URLs when hovered

Gmail Safe Browsing:

Checks URLs against Google's Safe Browsing database

Warns users before clicking suspicious links

Less aggressive rewriting than Microsoft but provides warnings

Impact on senders:

Your tracking URLs get wrapped again, creating double-redirect chains

Click tracking may see Microsoft or Google IPs instead of user IPs

Link scanning can trigger multiple server-side "clicks" as systems prefetch URLs

Delivery delays are possible if scanning takes time
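
To see the double-redirect chain for yourself, the following added example (not part of the original page, and not Microsoft's code) peels Safe Links wrappers off a rewritten link and returns each hop. It assumes the wrapper host ends in safelinks.protection.outlook.com and carries the original link in the url query parameter; the sample link, click.example.com and the depth limit are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Wrapper host suffix; the regional prefix (nam02, eur01, ...) varies.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_DEPTH = 5  # assumption: give up after a few nested wrappers

# Constructed sample: a sender tracking URL wrapped once by Safe Links.
SAMPLE = (
    "https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fclick.example.com%2Ft%3Fid%3D123%26u%3Dabc"
    "&data=05%7C01%7Cconstructed&sdata=constructed&reserved=0"
)


def is_safelinks(url):
    """True only when the host itself sits under the Safe Links domain."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL
        return False
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url):
    """Return the chain [wrapped, ..., original] by peeling each wrapper."""
    chain = [url]
    for _ in range(MAX_DEPTH):
        current = chain[-1]
        if not is_safelinks(current):
            break
        # parse_qs percent-decodes the embedded link for us.
        inner = parse_qs(urlsplit(current).query).get("url", [])
        if len(inner) != 1:
            break  # missing or ambiguous target: do not guess
        target = inner[0]
        if urlsplit(target).scheme not in ("http", "https"):
            break  # only follow web links
        chain.append(target)
    return chain


def original_destination(url):
    """Last hop of the chain: the link as the sender wrote it."""
    return unwrap_safelinks(url)[-1]


if __name__ == "__main__":
    for hop in unwrap_safelinks(SAMPLE):
        print(hop)
```

The last hop is the sender's own tracking URL, which still redirects once more to the landing page; that second redirect is the sender's and is not followed here.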

Adaptation:

Expect some click inflation from automated scanning

Don't worry about the rewrites; they protect your recipients

Ensure your landing pages work well when crawled

Keep your destinations clean so they pass scanning

These are additional harbor inspections. Your cargo passes through more checkpoints, but legitimate shipments clear without issue.