How to investigate "spam" messages delivered to Junk Mail


  1. View a message in the Junk Mail folder using Outlook and check the message info in the header area.

“This message was marked as spam using the Outlook Junk E-mail filter” indicates that Outlook identified the message as spam. Check your settings under Home > Delete > Junk > Junk E-mail options…

“This message was marked as spam using a junk filter other than the Outlook Junk E-mail filter” or no spam marking information indicates that something other than Outlook identified the message as spam. The most common causes here are:

       1. The server-based junk mail filter “Exchange Online Protection” (EOP)
       2. An Outlook rule that moved the message to Junk Mail after it had been delivered

  2. Cut-and-paste the message headers into the Message Header Analyzer
  3. Examine the X-Forefront-Antispam-Report header:

     | Parameter | Meaning |
     |---|---|
     | SCL | Records the final decision on whether something was spam or not |
     | SFV | Records the decision based on message content filters |
     | CAT | Records the categorisation decision, which can identify other types of undesirable message |
     | IPV | Not useful as filtering based on external sender address is done elsewhere in our system |

  4. Examine the X-Microsoft-Antispam-Mailbox-Delivery header:

     | Parameter | Meaning |
     |---|---|
     | dest:J | Server-side decision to deliver to Junk Mail |
     | dest:I | Server-side decision to deliver to INBOX |
     | dest:C | Server-side decision to deliver to user-specified (custom) folder |
     | OFR:CustomRules | Outlook rule determined delivery of this message |
     | OFR:SpamFilterAuthJ | Exchange determined delivery of this message, possibly using mailbox spam rules |
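
The header checks above can be scripted when several messages need reviewing. The following Python is an added example, not part of the original page: it parses the two Microsoft headers from a saved message and reports the fields listed in the tables. The function names `parse_fields` and `triage` are hypothetical, and the sample message is constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message (not real traffic); the first header is folded.
SAMPLE = """\
From: Newsletter <news@example.com>
To: user@example.org
Subject: Constructed sample
X-Forefront-Antispam-Report: CIP:192.0.2.10;SCL:5;IPV:NLI;
 SFV:SPM;CAT:SPM;DIR:INB;
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;dest:J;OFR:SpamFilterAuthJ;

body
"""

# Meanings as given in the tables above.
DEST = {"J": "Junk Mail", "I": "INBOX", "C": "user-specified (custom) folder"}
OFR = {
    "customrules": "Outlook rule determined delivery",
    "spamfilterauthj": "Exchange determined delivery, possibly using mailbox spam rules",
}

def parse_fields(value):
    """Split 'KEY:value;KEY:value;' into a dict, tolerating folds and empty values."""
    fields = {}
    for part in str(value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.strip().lower()] = val.strip()
    return fields

def triage(raw_message):
    """Summarise the server-side junk decision recorded in the two Microsoft headers."""
    msg = message_from_string(raw_message, policy=default)
    report = parse_fields(msg["X-Forefront-Antispam-Report"])
    delivery = parse_fields(msg["X-Microsoft-Antispam-Mailbox-Delivery"])
    dest, ofr = delivery.get("dest"), delivery.get("ofr")
    return {
        "scl": report.get("scl"),   # final spam decision
        "sfv": report.get("sfv"),   # content-filter decision
        "cat": report.get("cat"),   # categorisation decision
        # IPV is deliberately not reported: the page says it is not useful here.
        "destination": DEST.get(dest, dest),
        "decided_by": OFR.get((ofr or "").lower(), ofr),
    }

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name:12} {value}")
```

A message with neither header returns `None` for every field, which matches the case where no server-side marking information is present.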

Notes

Ignore IP filtering results or SPF failures in the Authentication-Results and related headers. Sender-IP filtering is done elsewhere in our system, and the headers you see are not based on the actual sender.

For Outlook rules check Home > Move > Rules > Message rules in Outlook. You will need to check message rules in Outlook desktop and Outlook web as some rules are only displayed / effective in one or the other.

Details of the MS headers are available at Anti-spam message headers - Office 365 | Microsoft Docs

When checking any message delivery it is important to note the different sender addresses used. These are recorded in message headers, are all optional and include:

| Header | Usage |
|---|---|
| From | Displayed from address, normally included in DKIM message verification |
| Sender | Address of the message sender; differs from From if someone is sending on behalf of someone else using delegated access |
| Envelope-sender | Supplied by the transmitting server when a message is passed from one server to another for delivery, and used for SPF checks. The final MTA often adds this to the Return-path header, indicating where any delivery failure should be sent |

Differences in the sender address domains can adversely affect message reputation. Links in the message body to other domains (not in the sender addresses) can have the same effect. This makes it more likely that a message will be classified as spam/junk.

X-NTG-DKIM-verify and X-TM-Authentication-Results indicate the outcome of SPF and DKIM verification on the message by TrendMicro HES. A failure here indicates that the sender address could not be validated or failed validation, providing an indication that the message is not bona fide or that the sender’s mail configuration is incomplete or incorrect.

Get support


Local IT support provides your first line of on-the-spot help


Common requests and fault reports can be logged using self-service


The Central IT Service Desk is available 24x7 on +44 1865 6 12345

If you do not have access to your Single Sign-On, you can use this form to contact the Service Desk