How to investigate "spam" messages delivered to Junk Mail


  1. View a message in the Junk Mail folder using Outlook and check the message info in the header area.

“This message was marked as spam using the Outlook Junk E-mail filter” indicates that Outlook identified the message as spam. Check your settings under Home > Delete > Junk > Junk E-mail options…

“This message was marked as spam using a junk filter other than the Outlook Junk E-mail filter” or no spam marking information indicates that something other than Outlook identified the message as spam. The most common causes here are:

  1. The server-based junk mail filter “Exchange Online Protection” (EOP) 
  2. An Outlook rule that moved the message to Junk Mail after it had been delivered

  1. Cut-and-paste the message headers into the Message Header Analyzer
  2. Examine the X-Forefront-Antispam-Report header:
    | Parameter | Meaning |
    |-----------|---------|
    | SCL | Records the final decision on whether something was spam or not |
    | SFV | Records the decision based on message content filters |
    | CAT | Records the categorisation decision, which can identify other types of undesirable message |
    | IPV | Not useful as filtering based on external sender address is done elsewhere in our system |
  3. Examine the X-Microsoft-Antispam-Mailbox-Delivery header:
    | Parameter | Meaning |
    |-----------|---------|
    | dest:J | Server-side decision to deliver to Junk Mail |
    | dest:I | Server-side decision to deliver to INBOX |
    | dest:C | Server-side decision to deliver to user-specified (custom) folder |
    | OFR:CustomRules | Outlook rule determined delivery of this message |
    | OFR:SpamFilterAuthJ | Exchange determined delivery of this message, possibly using mailbox spam rules |


Ignore IP filtering results or SPF failures in the Authentication-Results and related headers. Sender-IP filtering is done elsewhere in our system, and the headers you see are not based on the actual sender.

In Outlook, check Home > Rules > Manage rules. Check message rules in both the Outlook desktop application and Outlook on the Web to ensure you have checked all rules.

Details of the MS headers are available at Anti-spam message headers - Office 365 | Microsoft Docs
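The two header checks described above can be scripted when several messages need reviewing. The following Python sketch is an added example, not part of the original guidance; the sample headers are constructed, and the function names `parse_fields` and `triage` are illustrative.

```python
from email import message_from_string

# Constructed sample headers (not from a real message). Both Microsoft
# headers use a "key:value;" layout and may be folded across lines.
SAMPLE = """\
From: Example Sender <sender@example.com>
To: user@example.org
Subject: Constructed test message
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;CAT:SPM;DIR:INB;
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:J;
 OFR:SpamFilterAuthJ;

body
"""

# Meanings taken from the two tables above; other values are reported as-is.
DEST = {"J": "Junk Mail", "I": "INBOX", "C": "user-specified (custom) folder"}
OFR = {"CustomRules": "Outlook rule",
       "SpamFilterAuthJ": "Exchange, possibly using mailbox spam rules"}

def parse_fields(value):
    """Split 'key:value;key:value;' into a dict; tolerates folding and None."""
    fields = {}
    for part in (value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key] = val.strip()
    return fields

def triage(raw_headers):
    """Summarise the spam verdict and who decided the delivery folder."""
    msg = message_from_string(raw_headers)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report"))
    delivery = parse_fields(msg.get("X-Microsoft-Antispam-Mailbox-Delivery"))
    dest, ofr = delivery.get("dest"), delivery.get("OFR")
    if not delivery:
        decided_by = "unknown: no mailbox delivery header present"
    elif ofr is None:
        decided_by = "no OFR value recorded"
    else:
        decided_by = OFR.get(ofr, "value not in the table above: " + ofr)
    return {"SCL": report.get("SCL"), "SFV": report.get("SFV"),
            "CAT": report.get("CAT"),
            "delivered_to": DEST.get(dest, dest), "decided_by": decided_by}

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

A result of `decided_by: Outlook rule` points to the rules check in Outlook, while an Exchange decision points to the server-side filter.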

When checking any message delivery it is important to note the different sender addresses used. These are recorded in message headers, are all optional and include:

| Header | Usage |
|--------|-------|
| From | Displayed from address, normally included in DKIM message verification |
| Sender | Address of the message sender, differs from From if someone is sending on behalf of someone else using delegated access |
| Envelope-sender | Information supplied by the transmitting server when a message is passed from one server to another for delivery and is used for SPF checks. The final MTA often adds this to the Return-path header indicating where any delivery failure should be sent to |

Differences in the sender address domains can adversely affect message reputation. Links in the message body to other domains (not in the sender addresses) can have the same effect. This makes it more likely that a message will be classified as spam/junk.

X-NTG-DKIM-verify and X-TM-Authentication-Results indicate the outcome of SPF and DKIM verification on the message by TrendMicro EMS. A failure here indicates that the sender address could not be validated or failed validation, providing an indication that the message was not really sent by the stated sender or that the sender’s mail configuration is incomplete or incorrect.
