For as long as most of us can remember, spam emails have been easy to spot. Mangled grammar. Broken layouts. Images that refused to load. A general aesthetic that screamed "do not trust me" from every pixel. You did not need a cybersecurity degree. You just needed eyes.

That era is ending.

Ernie Smith, who writes the excellent newsletter Tedium, recently documented something I have been noticing myself: spam emails are getting a design upgrade. The layouts are cleaner. The colours are consistent. The typography is intentional. And crucially, these emails now hold together even when images are turned off, which is exactly what happens in your spam folder.

The reason is straightforward, and if you have been following the AI space, you have probably already guessed it. Scammers are vibe coding their spam.

The Bar Has Never Been Lower

Vibe coding, the practice of describing what you want in plain language and letting AI build it for you, has been one of the most exciting developments in the AI adoption story. I have written about it in the context of Markdown and structured workflows. The potential for founders, operators, and non-technical builders is enormous.

But the same capability that lets a startup founder prototype an app in an afternoon also lets a scammer produce a polished phishing email in minutes. No HTML knowledge required. No design skills. Just a prompt.

This is not theoretical. Guardio Labs published research last year on what they call "VibeScamming," demonstrating how platforms designed for rapid app development can be manipulated to generate complete phishing campaigns, from convincing login pages to credential harvesting infrastructure, with almost no technical skill required. Their benchmark tested several AI platforms and found that some offered virtually no resistance to being used this way.

[Image: side-by-side comparison of a traditional ugly spam email and a modern, professionally designed AI-generated spam email. Caption: The difference between old-school spam and its AI-assisted successor. The new versions use clean gradients, consistent spacing, and professional typography that make them far harder to dismiss at a glance.]

Anthropic, the company behind Claude, published its own threat intelligence report in August 2025 documenting cases where individuals with no meaningful coding ability were building and selling commercial-grade ransomware for up to $1,200 per package. The report made clear that these actors were entirely dependent on AI to produce functional malware, something that would have been impossible for them without it.

The uncomfortable truth for those of us who advocate for AI adoption is that the same democratisation we celebrate is also democratising fraud.

Why the Old Rules No Longer Work

For two decades, we trained ourselves to spot spam using visual cues. Poor formatting. Mismatched fonts. Broken image placeholders. Random capitalisation. These were reliable signals.

AI-generated emails eliminate nearly all of them. The layouts are responsive. The copy is grammatically correct. The design language follows modern conventions: clean gradients, rounded cards, generous white space, and the occasional emoji used as a section divider. Smith describes this as a "Claudecore" aesthetic, and once you know what to look for, you start seeing it everywhere.

This matters because the visual literacy we developed over years of dodging spam is now working against us. When a scam email looks as polished as a legitimate SaaS onboarding sequence, our instinct to trust professional presentation becomes a vulnerability.

So we need new rules.

How to Actually Spot AI-Generated Spam

The good news is that while the surface layer has improved, the underlying infrastructure of spam remains sloppy. Scammers may have upgraded their design tools, but they are still cutting corners on the technical fundamentals. Here is where to look.

Check the sender's domain, not the display name

This is the most basic step, and most people still do not do it. A display name can say anything. "Microsoft Security Team." "Apple Support." "Your Bank." The actual sending address is what matters. Expand the "From" field in your email client and look at the full address.

What you are looking for: domains that do not match the organisation claiming to send the email. Bare hosting subdomains like Firebase, Netlify, Vercel, or random alphanumeric strings are a significant red flag. Smith noted in his article that a batch of spam he received was trivially easy to filter because it all came from a bare Firebase domain.

[Image: annotated screenshot of an email header showing the difference between the display name and the actual sender address. Caption: The display name says one thing. The actual sending address tells the real story. Always expand the "From" field before trusting an email.]

Look up the MX records

This is more technical, but it is one of the most powerful tools available to anyone with an internet connection. MX records, short for Mail Exchange records, are DNS entries that specify which mail servers handle email for a particular domain. They are publicly accessible, and you can check them for free using tools like MXToolbox.

Here is how to use this in practice. If you receive an email claiming to be from your bank, copy the sender's domain and look up its MX records. A legitimate financial institution will have MX records pointing to established enterprise email infrastructure. If the records point to a bulk email service, a freshly registered domain, or something you have never heard of, that discrepancy tells you everything you need to know.

Inspect SPF, DKIM, and DMARC results

These three acronyms represent the authentication protocols that verify whether an email sender is actually authorised to send on behalf of a given domain. They work together as a chain of verification.

SPF (Sender Policy Framework) checks whether the sending server's IP address is on the domain's approved list. DKIM (DomainKeys Identified Mail) uses a cryptographic signature to verify that the email has not been tampered with in transit and was authorised by the domain owner. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells the receiving server what to do if either check fails.

You can see the results of these checks in your email headers. In Gmail, click the three dots next to the reply button and select "Show original." Look for lines that say spf=pass, dkim=pass, and dmarc=pass. If any of these show fail, treat that email with extreme suspicion.

[Image: simplified diagram showing how SPF, DKIM, and DMARC work together to authenticate an email, with arrows showing the verification flow from sender to recipient. Caption: SPF verifies the sending server. DKIM verifies the message integrity. DMARC enforces the policy when either fails. Together, they form the backbone of email authentication.]

Most people have never looked at an email header in their life. But in a world where spam looks professional, this is where the real information lives.

Check how they address you

This one is simple but effective. Vibe-coded spam is generated at scale, typically from scraped or leaked email lists. These lists contain your email address but rarely your full name. So the email greets you with your email handle: "Hi john.smith85" or "Dear valued user."

Legitimate services that have your account data almost always address you by name. It is a small detail, but it is one of the most reliable tells that remains.

Hover before you click

The call-to-action button might say "Verify Your Account" or "Confirm Your Subscription." Before clicking, hover over it. On mobile, long-press the link. Look at the destination URL.

What you are checking for: shortened URLs, domains that do not match the supposed sender, random subdomains, or redirect chains. If the button in a "Microsoft" email points to anything other than a microsoft.com domain, you have your answer.

Use email aliases

This is a defensive strategy rather than a detection technique, but it is one of the most practical things you can do. Services like SimpleLogin, Firefox Relay, Apple's Hide My Email, and Proton Pass allow you to create unique email addresses for every service you sign up for.

The benefit is twofold. First, if spam hits a specific alias, you know exactly which service leaked or sold your data. Second, you can disable that alias without touching your primary inbox. It is a remarkably effective way to maintain control over your email exposure.

[Image: flowchart showing how email aliases work: a unique alias per service, spam traced to its source, and the alias disabled without affecting the primary email. Caption: Email aliases let you trace exactly where a data leak originated and shut down the compromised address without disrupting your primary inbox.]

Recognise the vibe-coded aesthetic

This is the newest signal, and it requires a slight shift in thinking. AI-generated email designs tend to share a recognisable look: clean gradients, rounded card layouts, generous white space, emoji used as visual markers, and a general feel that resembles a polished startup landing page.

None of these elements are bad on their own. Plenty of legitimate companies use similar design patterns. But when an unsolicited email from an organisation you have never interacted with arrives looking like a Y Combinator demo day pitch, that mismatch between the sender's credibility and the email's production quality should give you pause.

The Bigger Picture for AI Adoption

I write about this not to sound alarmist about AI, but because I think the AI adoption community has a responsibility to be honest about the full picture. The same tools that are enabling extraordinary productivity gains are also enabling a new class of low-skill, high-volume fraud.

Anthropic's threat intelligence report documented cases that go well beyond spam. North Korean operatives using AI to fraudulently secure and maintain remote engineering positions at Fortune 500 companies. Individuals with no coding ability building and selling ransomware. A single threat actor using AI agents to orchestrate attacks across 17 organisations. These are not hypothetical scenarios. They are documented incidents.

The response to this reality is not to retreat from AI or to pretend the problem does not exist. It is to ensure that our digital literacy evolves at the same pace as the tools themselves. For years, we could rely on visual cues to separate the trustworthy from the fraudulent. Now, we need to go deeper, into email headers, DNS records, and authentication protocols.

What You Can Do Today

If you take one thing from this article, let it be this: the surface appearance of an email is no longer a reliable indicator of its legitimacy. Here is a practical checklist you can apply immediately.

- Always expand the "From" field and check the actual sending domain.
- If the domain looks unfamiliar, look up its MX records at MXToolbox.
- In Gmail, check "Show original" for SPF, DKIM, and DMARC pass or fail results.
- Be suspicious of emails that address you by your email handle rather than your name.
- Hover over every link before clicking.
- Set up email aliases for new service sign-ups using SimpleLogin, Firefox Relay, or a similar tool.
- Learn to recognise the tell-tale "Claudecore" aesthetic of AI-generated email design.

The tools that make spam prettier do not make the people behind it smarter. The infrastructure is still sloppy. The From addresses are still fake. The authentication still fails. You just need to know where to look.

The best defence against AI-generated threats is not less AI. It is more literacy.


This article was inspired by Ernie Smith's excellent piece "They're Vibe-Coding Spam Now" on Tedium. If you enjoy well-written analysis of the internet's weirder corners, his newsletter is worth your time.