Avast locked this about 30 seconds before the notification about the email's arrival. I inspected the email, and most of the links were from email2.gog.com. All the links were unique, so it's not desperate to get me to use one particular link, but it's still… 'phishy' enough to get caught on Avast's line.

But it's about email2.gog.com not 2mail@gog.com. First is a website, which doesn't have any of your company logotypes and looks generally very dodgy, the second one is an email address.

Definitely dodgy looking.

email2.gog.com is a site with a very naff looking login screen using generic business style stock imagery.

They have picked up on the current sale and nicked some styling and words.

Recommended for you
Discover the games that should fit your tastes perfectly

Explore GOG's Bestsellers
Check out what the fellow gamers have picked
BESTSELLERS

And that BESTSELLERS is what takes you to the dodgy login site.

Update: I think its a broken link in this one email. The sender address is valid and the email2.gog.com address is used in several other legit emails recently received from GOG about the sale.

Please look two posts above yours.


Edit: as for that "dodgy looking" website, it's just a login page for the marketing platform they're apparently using for the newsletter - https://app.getresponse.com/login

email2 is a subdomain of gog.com

The way domain hierarchy works is that the subdomain is listed (email2) first followed by a dot, then the main domain (gog.com) The wikipedia article on subdomains explains this further if you're interested. https://en.wikipedia.org/wiki/Subdomain

(Also for another example using that URL that I just linked there, en is a subdomain for the English language version of wikipedia.)

This means that in order for email2 to be dodgy, gog.com needs to be dodgy. This would be different if GOG was a web hosting service where customers got subdomains off the host's domain, but they're not.

Yeah, I think if it ends in gog.com, it's legit. Now, if it were email2.goq.com, you might have some problems.

Important distinction: not just "ends in gog.com ", but it's only reliable if it ends in " .gog.com " (dot gog dot com ) That dot over there makes a world of difference.

I just want to cover the case where a crook creates "weirdaddressgog.com" . This address is in no way affiliated with Gog. If however Gog were to create "weirdaddress.gog.com" (again, notice the dot) you can be sure that site is being hosted in Gog's servers, therefore it's legit. It is basically what Catventurer explained above.

While looking at the domain helps with websites, it is not that useful with e-mails. It is trivial to put whatever you want in the "From" field of an e-mail, no check of any kind is done on this front.

Ohh that's right, I forgot that the sender of an email can be forged very easily. My advice is only fully correct for whatever LINKS are present in the message.