Aspects of the disclosure relate to identifying and processing suspicious emails. In some embodiments, a computing device may receive an email associated with an email domain. Subsequently, the computing device may determine a registration date of the email domain. The computing device may then compare the determined registration date to a first threshold date. Thereafter, responsive to determining that the determined registration date is before the first threshold date, the computing device may transmit the email to a recipient address identified in the email. Responsive to determining that the determined registration date is at or after the first threshold date, the computing device may execute a security risk assessment model. The computing device may then determine, based on the security risk assessment model, a security risk level of the email domain. The computing device may filter, based on the security risk level of the email domain, the email.