What are “safe link” rewriting systems (Microsoft ATP, Gmail Safe Browsing)?

Safe link systems protect email users by scanning URLs at the time of click rather than (or in addition to) at delivery time.

• Microsoft Defender for Office 365 (ATP Safe Links):
• Rewrites URLs in incoming email to route through Microsoft's scanning infrastructure
• When users click, Microsoft scans the destination in real-time
• Blocks access to malicious sites discovered after email delivery
• Links appear as long Microsoft URLs when hovered
• Gmail Safe Browsing:
• Checks URLs against Google's Safe Browsing database
• Warns users before clicking suspicious links
• Less aggressive rewriting than Microsoft but provides warnings
• Impact on senders:
• Your tracking URLs get wrapped again, creating double-redirect chains
• Click tracking may see Microsoft or Google IPs instead of user IPs
• Link scanning can trigger multiple server-side "clicks" as systems prefetch URLs
• Delivery delays possible if scanning takes time
• Adaptation:
• Expect some click inflation from automated scanning
• Don't worry about the rewrites; they protect your recipients
• Ensure your landing pages work well when crawled
• Keep your destinations clean so they pass scanning

These are additional harbor inspections. Your cargo passes through more checkpoints, but legitimate shipments clear without issue.