Google’s Gmail Upgrade—Why You Need A New Email Address In 2025

Republished on December 24 as the threats to Google’s other key messaging platform—RCS— are highlighted with the same challenges as Gmail, opening the market for Elon Musk’s Xmail or something just as disruptive.

Your inbox is under attack. The FBI has issued yet another warning ahead of the holidays, highlighting an alarming surge in email and website threats, just as multiple cyber reports claim this is the most dangerous holiday season yet. Even though Google “blocks more than 99.9% of spam, phishing and malware in Gmail,” it’s not enough. But now change is on the way. And for Gmail’s 2.5 billion users, 2025 looks like being the year your email address should finally change.

“With more than 2.5 billion users,” Gmail, the world’s largest email provider, is now deploying “ground-breaking AI models [to] significantly strengthen Gmail cyber-defenses, including a new LLM trained on phishing, malware and spam.” But as McAfee has just warned, that AI revolution works both ways. “As AI continues to mature and become increasingly accessible, cybercriminals are using it to create scams that are more convincing, personalized, and harder to detect.”

ForbesNew iPhone, Android Warning—Do Not Install These AppsBy Zak Doffman

Email remains an appallingly basic technology. Despite all its advances, the core architecture remains the same. Anyone can access anyone else’s inbox with just an email address. Those addresses are basically given away for free—harvested, leaked, stored, searchable. This month, Mailmodo says, “spam messages [will] account for more than 46.8% of email traffic.”This is why enterprises are looking for new solutions—Teams, Slack, even instant messaging platforms. because even with all the advances and the “outside sender” and “untrusted sender” warnings, too many emails get through.

The answer is to restore some semblance of address security and not give away real email addresses like confetti—a situation made worse given email address are often a primary user credential alongside passwords to log into sites and services. Apple has tried to address this with Hide My Email, “to keep your personal email address private… you can generate unique, random email addresses that forward to your personal email account, so you don’t have to share your real email address when filling out forms or signing up for newsletters on the web, or when sending email.”

And as I reported in November, Google is developing something similar for Gmail. Discovered by Android Authority in an Android APK teardown, “Shielded Email consists of a system to create single-use or limited-use email aliases that will forward messages along to your primary account.”

This is a major step forwards and you should make use of this when it arrives—as should Apple users now. Just look at one warning issued to marketeers when Hide My Email was released: “Now users can create a limitless number of fake addresses they don’t even check, dramatically reducing engagement. And, worse still, they can easily deactivate them without affecting their primary email, meaning marketing databases could be full of ‘dead’ addresses. This is important because a low deliverability rate can affect sender reputation, meaning your carefully crafted campaign ends up in spam.”

While Google assures that “by spotting patterns and responding rapidly, [its Gmail] LLM alone blocks 20% more spam than before and reviews 1,000 times more user-reported spam daily,” the threat will get worse again in 2025. McAfee says that “AI is giving cybercriminals the ability to easily create more personalized and convincing emails and messages that look like they’re from trusted sources, such as banks, employers, or even family members. They can craft these scams quickly and with precision, making them more difficult to detect and increasing their success rate. As AI tools become more accessible, these types of attacks are expected to grow in sophistication and frequency.”

Email must change—and not just by improving central screening technologies. We need a radically different approach to include the following:

1. On-device AI to flag spam and malicious email that has made it through central screening to inboxes. Too many emails still make it though, even though the actual email address and the presentational “sender” address don’t match, with the latter a clear impersonation. How is it possible in 2024 that my inbox contains emails from ‘Apple Support’ or ‘X verification,’ when the senders have random email addresses such as ‘sayio[at]hosai.co.jp’.
2. A better opt-in, known sender solution—mimicking secure messaging. Even the differentiation of trusted and unknown senders is too basic. There needs to be better deployment of AI or an easy-button for user to opt into a trusted discussion and advocate for a sender.
3. Rather than upping the ante centrally, email security needs to do a better front-end (device-side) job. This is where safe browsing and malware defenses are now heading, making use of new device AI processing. Email needs a complete rethink to do the same.

When Elon Musk (again) teased that he may launch an Xmail platform to take on Gmail, the blending of email and messaging featured front and center. The sweet spot is the universal compatibility of email without the mess. When one X post suggested that cutdown approach, Musk responded: “That’s exactly what we are going to do.”

But that opt-in or trusted sender filter remains critical, as it’s that which opens inboxes to the world and sets email apart from closed messaging alternatives.

Gmail isn’t the only such challenge facing Google users. The other is RCS, which has been making continual headlines this month following an FBI warning for users to stop sending insecure RCS texts between Androids and iPhones. As Android Police asked on Monday, “did RCS messaging open up the spam floodgates?”

RCS is fast becoming a marketing sensation, just as with email the value is that you can access anyone with just their phone numbers. There’s no real universal marketing filter, and because this is a standard cellular protocol, no-one is really running the show, because it’s a collective. It then falls to the RCS compliant messaging apps to apply a front-end filter—just as with email—which should work but doesn’t—yet.

“Mobile spam has evolved alongside messaging technology, and RCS may have worsened things,” Android Police says, and while “email scams were cheaper, easier, and more effective than SMS scams in the past,” RCS has changed all that now. The answer, the report says, is that “RCS spam can’t be eliminated. We can only rely on good security and spam filtering.” Unfortunately, that’s just like email.

This is interesting because it provides a timely parallel to email, pitching the standard (SMS/RCS) with its spam and security challenges with newer (albeit not new) alternatives that take control of the end-to-end experience, and provide a simpler, more secure user experience.

And the scale of the RCS spam threat is huge—the risk being that it becomes just like email, making the underlying technology almost unusable as a daily messenger. Last month, Juniper Research reported a 50% year-on-year hike. “RCS business messaging traffic will reach 50 billion messages globally in 2025; Apple’s first full year of support for the technology. This represents a single-year growth from 33 billion in 2024.”

WhatsApp and other over-the-top messengers are not immune from spam, but it’s significantly less of a problem. And the platforms can easily police what’s sent out and by who, and the controls they provide users to filter this out. Moving from SMS/RCS to an over-the-top is exactly the kind of clean start you can attempt with a clean email address. But it’s much easier.

“RCS spam can’t be eliminated, Android Police says. “We can only rely on good security and spam filtering. Recent advancements in deciphering spam through AI have led to improvements, and there is potential for significant spam reduction in the near future. Fine-tuned large language models (LLM), along with natural language processing (NLP), are positioned to surpass current spam detection systems and will make their way to RCS messaging. There’s more to RCS chat than E2EE and spam filtering, so seeing how Google and the GSMA tackle this still-growing problem will be interesting.” Again, it’s just like the tinkering approach to spam on Gmail and the other leading platforms, rather than the fundamental rethink needed.

And so, when Musk teases the idea of a new platform that zeroes out the slow evolution to the mess we have today with something that can start with privacy and usability and simplicity in mind, it’s interesting. In reality we don ‘t need something this drastic, and the transition would be woefully complex.

ForbesForget Chrome—Google Starts Tracking All Your Devices In 8 WeeksBy Zak Doffman

In the meantime, take control. Yes, you need to use Hide My Email or Gmail’s new Shielded Email as soon as it’s available to create new addresses. But if you have an email address that has been around for years, then it has become a honey trap for spam and worse. It’s time for something new, a primary email address you will better protect through multiple throw-away, masked addresses, without giving that primary address away. You can slowly migrate from one account to the other, and in the meantime use folders, rules and forwarding to capture emails to your old address.

Using new email masking technologies is undermined if the primary address they link to has already been extensively harvested, sold and leaked. With 2025 just days away and threats surging, perhaps make email housekeeping one of your New Year resolutions and think about the risks associated with the addresses you’re using now.