Over the past several weeks, I’ve been noticing a pattern: legitimate corporate emails from well-known companies are getting blocked. Not going to spam. Blocked. The culprit in most cases? Spamhaus ZEN. And the common thread is Google.
Here’s what’s happening, why it’s getting worse, and what your organization should do about it.
The Core Problem: Shared IP Contamination
Google Workspace routes outbound mail through a pool of shared IP addresses, both IPv4 and IPv6 addresses. When even a small fraction of the millions of users on those IPs send spam or get their accounts compromised and used for spam, the IP gets flagged by Spamhaus ZEN.
Because Google’s IP ranges are enormous and heavily used, a single listing can affect completely legitimate companies that happen to be sharing that outbound IP at the time. Your authentication is clean. Your domain is clean. But the IP you’re sending from isn’t and that’s enough to get blocked.
Yes, Google Mixes Free Gmail and Paid Corporate Accounts
This is the part that surprises most people: Google does not fully segregate free Gmail from Google Workspace (paid corporate) accounts at the IP level. Both have historically shared the same or overlapping outbound IP ranges.
Google has made some effort to improve this. Workspace accounts do get routed through dedicated IP pools to some degree, and larger enterprise customers can pay for dedicated sending IPs. But the default configuration for most small and mid-size businesses on standard Workspace plans puts them in a shared pool that is not completely isolated from consumer Gmail traffic.
That means a spam campaign run from a pool of free Gmail accounts can taint IPs that your corporate Workspace users are also sending from. You have zero control over this.
Why It’s Getting Worse Right Now
Several things converged in late 2025 and into 2026:
- Google tightened authentication enforcement in November 2025, outright rejecting emails that don’t meet DMARC/SPF/DKIM standards rather than just sending them to spam. This pushed more senders to route through Google’s infrastructure in compliant ways, increasing load on the shared IP pools.
- There has been a sustained wave of Google Workspace account compromises being used for bulk spam campaigns. These taint shared IPs faster than Google can delist them.
- Spamhaus ZEN listings have real collateral damage potential. It lists IPs, not domains or accounts. Perfect SPF, DKIM, and DMARC records won’t save you if the IP itself is on any IP reputation blocklist.
What To Do About It
Authentication compliance is necessary but not sufficient. If you’re on shared Google infrastructure, your deliverability is partially dependent on the behavior of millions of other users you have no control over.
On the receiving side:
- Allowlist Google’s published IP ranges for known corporate senders as a short-term fix. (Warning: this will increase SPAM to your inboxes)
- Set up regular blocklist monitoring so you catch listings before they cause problems. (Warning: The Google IP space is too large so this will fail)
On the sending side:
- Move to a dedicated sending IP via Google Workspace (available on higher-tier plans) to fully isolate your sending reputation.
- Or route outbound email through a dedicated mail gateway (Mimecast, Proofpoint, etc.) that sits in front of Google and manages its own IP reputation independently.
- Ensure your DMARC policy is enforced (p=reject), not just monitoring. Many organizations have DMARC records in place but are still running in reporting mode.
The Bigger Picture
Organizations relying entirely on Google’s default shared sending infrastructure for business-critical email have a deliverability risk they probably don’t know about. Email security posture includes more than authentication records. It includes reputation monitoring, sender isolation, and an understanding of the infrastructure your mail is actually traversing.
Ignoring this problem and expecting the receiving side to deal with whitelisting is a whack-a-mole game. Your outbound IP addresses change constantly. Asking the recipient to poke holes in their shields just because your IT team can’t configure email properly isn’t the answer. Don’t blame the recipient domain or tell them their inbound rules are too strict. Contact your IT department and have them fix their email issues.
If your team has been seeing unexplained bounces or blocks lately, this is likely why. Happy to discuss further in the comments.
