Recently, a contractor was trying to change the "domain-level Safe Browsing flag" for a WP site associated with a Workspace domain. They misconfigured something, causing Google to temporarily downgrade the trust score for anything coming from the domain. This resulted in internal emails being mislabeled as spam. I was able to use an "Audit and Investigation" report on Gmail to identify the affected emails and was able to come up with a way to retrieve the SPAMmed emails. I thought that I'd post this for anyone else who might run into this.
Step 1 - Run the report. Here's a screenshot of the report I ran. Note that you can use after and before dates to limit the search.
Step 2 - Find the Message ID and the user account - "To (Envelope)". I used the user account without the domain.
gam user <userid> show messages query "rfc822msgid:<messageid>" countsonly includespamtrash
Step 4 - Move the individual email from SPAM to Inbox:
gam user <userid> modify messages query "rfc822msgid:<messageid>" addlabel "Inbox" removelabel "SPAM" max_to_modify 0 doit
Step 5 - Ensure that the email is set to UNREAD to ensure visibility:
gam user <userid> modify messages query "rfc822msgid:<messageid>" addlabel unread doit
I assume that these commands can be run with the CSV option.
I have not been able to find how to remove the "Red Box" SPAM notification inserted by Google. If anyone has any ideas, I'd love to hear them.
Hope this helps someone.
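An added example, not part of the original post: a Python sketch that turns an exported report into the Step 4 and Step 5 commands for many messages at once. It only restores mail where both sender and recipient are on your own domain, and it skips any Message ID containing characters that could break out of the quoted query. The CSV layout, the "From (Envelope)" column name, and the example.com addresses are assumptions; "Message ID" and "To (Envelope)" are the fields named in the post.

```python
import csv
import io
import re

# Constructed sample export; real column names in your report may differ (assumption).
SAMPLE_CSV = '''Message ID,From (Envelope),To (Envelope)
<abc123@mail.example.com>,alice@example.com,bob@example.com
<evil999@spam.test>,promo@spam.test,bob@example.com
<bad" removelabel "INBOX@example.com>,carol@example.com,dave@example.com
<def456@mail.example.com>,carol@example.com,dave@example.com
'''

# Conservative allow-lists: anything else is left for manual review.
SAFE_ID = re.compile(r"^[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+$")
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")

def build_commands(report_csv, domain):
    """Return (gam_commands, skipped_message_ids) for internal mail only."""
    commands, skipped = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        msgid = row["Message ID"].strip().strip("<>")
        sender = row["From (Envelope)"].strip().lower()
        rcpt = row["To (Envelope)"].strip().lower()
        # The post uses the user account without the domain.
        user, _, rcpt_domain = rcpt.partition("@")
        internal = sender.endswith("@" + domain) and rcpt_domain == domain
        if not (internal and SAFE_ID.match(msgid) and SAFE_USER.match(user)):
            skipped.append(row["Message ID"])  # external sender or unsafe value
            continue
        query = f'query "rfc822msgid:{msgid}"'
        # Step 4 from the post: move from SPAM to Inbox.
        commands.append(f'gam user {user} modify messages {query} '
                        'addlabel "Inbox" removelabel "SPAM" max_to_modify 0 doit')
        # Step 5 from the post: mark unread.
        commands.append(f'gam user {user} modify messages {query} '
                        'addlabel unread doit')
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = build_commands(SAMPLE_CSV, "example.com")
    print("\n".join(cmds))
    print("# skipped for manual review:", skipped)
```

Review the printed commands and the skipped list before running anything against live mailboxes.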