ChatGPT, Claude and Copilot Emails Going to Spam? The Permanent Fix for Outlook and Gmail

You request a password reset for ChatGPT. Nothing arrives. You wait, refresh, request another one. Still nothing. You assume the service is down — until you check your spam folder and find three reset codes, all expired. AI tool emails get aggressively filtered because they look like the phishing emails that pretend to be them. Allowlisting at the right layer fixes it permanently. Here's how to do it for Outlook, Gmail, and the tenant-wide setup if you're an IT admin.

Why AI tool emails end up in spam more than most

Three things conspire to flag legitimate AI service mail:

• The phishing wave. Fake "ChatGPT account expired" and "Claude billing problem" emails are some of the most common phishing campaigns running. Mail filters learn from the bad ones and get over-aggressive on the real ones.
• Sender domain churn. AI providers send transactional mail from a rotating set of subdomains (noreply.openai.com, account@openai.com, sometimes via SendGrid or Mailgun). New subdomains have no reputation history, so they start in the suspicious bucket.
• The "verification code" trigger. Phrases like "Your verification code is" or "Confirm your subscription" match heuristics for phishing — even when the email is genuine.

The fix is to give your mailbox a stable rule that says "always trust these senders," and apply it at the layer that the filter respects.

The official sender domains worth allowlisting

As of 2026, the senders to trust for the major AI tools:

• OpenAI / ChatGPT: openai.com, auth0.openai.com, tm.openai.com, account.openai.com.
• Anthropic / Claude: anthropic.com, mail.anthropic.com, occasionally relayed through postmarkapp.com.
• Microsoft Copilot: microsoft.com, account.microsoft.com, email.microsoftemail.com (transactional), billing.microsoft.com.
• Google Gemini: google.com, accounts.google.com, payments.google.com.
• Perplexity: perplexity.ai.

Allowlist the second-level domain (openai.com) rather than the full subdomain when possible — this catches the providers' routine sender rotation.

Fix 1: Outlook on the web (Outlook.com / Microsoft 365)

The most reliable layer is the Safe senders list in mailbox settings:

1. Open outlook.live.com (or outlook.office.com for work mailboxes).
2. Click the gear icon → View all Outlook settings.
3. Go to Mail → Junk email.
4. Under Safe senders and domains, click Add.
5. Type openai.com and press Enter. Repeat for anthropic.com, microsoft.com, etc.
6. Click Save.

Mail from those domains will skip the Junk folder for that mailbox.

Fix 2: Outlook desktop (Windows)

The desktop client has its own list, separate from the server-side one:

1. Open Outlook.
2. Click Home → Junk → Junk E-mail Options.
3. Switch to the Safe Senders tab.
4. Click Add, enter the AI provider domains one per line.
5. Check Also trust e-mail from my Contacts if you haven't already.
6. Click OK.

If you're on a Microsoft 365 mailbox, also set up the server-side list (Fix 1) — the desktop client only checks its own list for some scenarios.

Fix 3: Gmail

Gmail doesn't have a "safe senders" list per se. The equivalent is a filter that forces the message to skip the spam folder:

1. Open Gmail in a browser.
2. Click the gear icon → See all settings → Filters and Blocked Addresses.
3. Click Create a new filter.
4. In the From field, type *@openai.com or just openai.com. (For multiple, use OR: openai.com OR anthropic.com OR microsoft.com.)
5. Click Create filter.
6. Tick Never send it to Spam. Optionally also tick Always mark it as important.
7. Click Create filter.

This survives Gmail's machine learning re-flagging, which a simple "Not spam" button click does not.

Fix 4: Apple Mail / iCloud Mail

On iCloud:

1. Open icloud.com → Mail.
2. Click the gear icon → Rules.
3. Add a rule: if "From contains openai.com," move to Inbox (or "Then mark as: not junk").
4. Save.

On the Mail app itself, marking a sender's previous message as "Not Junk" trains the filter — but Apple's filter is more lenient than Outlook's, so this is usually enough.

Fix 5: The tenant-wide allowlist (for IT admins)

If you're an IT admin and dozens of users in your tenant are missing AI provider emails, fix it once at the Defender for Office 365 layer:

1. Sign in to security.microsoft.com.
2. Navigate to Email & collaboration → Policies & rules → Threat policies → Anti-spam policies.
3. Either edit the default policy or create a new one targeting specific users.
4. Under Allow & block list, add the AI provider domains as Allowed senders by domain.
5. Save and let the policy propagate (about 15 minutes).

The better and more robust approach: use the Tenant Allow/Block List directly (Policies & rules → Tenant Allow/Block Lists → Domains & addresses). Add each AI provider domain with a 90-day allow window. This is what Microsoft recommends over per-policy lists.

Do not use mail-flow rules ("transport rules") to bypass spam scanning for these domains — that breaks the safety stack and is a common audit finding. The Tenant Allow list is the supported way.

Fix 6: The AI tool is sending to the wrong address

Sometimes "I'm not getting the email" isn't a spam problem — the AI tool is sending to a different mailbox than you remember signing up with. Check this before you spend an hour configuring filters:

• On the AI provider's sign-in page, click Forgot password and look at the wording. Some providers say "we sent a reset link to j***@gmail.com" — that masked email tells you which inbox to actually check.
• Check all of your inboxes, including ones you haven't used in months.
• If the masked email doesn't look right, the account was registered to a different address than the one you're trying.

What to do with email you find that is phishing

Once you've allowlisted the real senders, you'll see more genuine email — but you'll still get phishing attempts that mimic them. Quick tells:

• The sender's display name says "ChatGPT" but the actual From address is something like support@chatgpt-billing-help.com. Hover over the sender name to see the real address.
• Urgent payment language ("Your account will be suspended in 24 hours").
• Links that don't go to openai.com / claude.ai / microsoft.com on hover.

Report these as phishing through your mail client's Report → Phishing button. That trains the filter without affecting your allowlist of the real domains.

Quick reference

• Outlook (web) — Settings → Junk email → Safe senders → add domain.
• Outlook (desktop) — Junk → Junk E-mail Options → Safe Senders.
• Gmail — Settings → Filters → new filter → "Never send to Spam."
• iCloud — Rules → new rule → if from contains domain → Inbox.
• Microsoft 365 tenant — Tenant Allow/Block List → Domains → add.

The right fix at the right layer takes 90 seconds and lasts indefinitely. The wrong fix — repeatedly clicking "Not spam" on each delivery — works for a week and then resets. Spend the 90 seconds now and stop missing verification codes for good.