Summary: Learn how to use the antispam stamps that are applied to messages in Exchange 2016 to investigate suspected spam messages.
Antispam stamps in Exchange Server 2016 apply diagnostic metadata, or stamps, such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the antispam features that filter inbound messages from the Internet. You can use antispam stamps to see the results of antispam filtering on a message, and to diagnose spam-related problems. The antispam features and stamps are basically unchanged from Exchange Server 2010. There are four major Exchange antispam stamps:
The phishing confidence level (PCL) stamp
The Sender ID stamp
The spam confidence level (SCL) stamp
The antispam report stamp
The antispam stamps are added to messages as X-header fields in the message header. You can view antispam stamps on a message by using Outlook. For more information, see View antispam stamps in Outlook.
The phishing confidence level stamp
The PCL stamp indicates the likelihood that a message is a phishing message based on its content. The PCL stamp is applied when the message is processed by the Content Filter agent. For more information about content filtering, see Content filtering.
The PCL values are described in the following table.
|1 through 3
||The message content isn't likely to be phishing.
|4 through 8
||The message content is likely to be phishing.
The PCL value appears in the X-MS-Exchange-Organization-PCL: X-header, and the PCL verdict appears in the antispam report stamp as
PCL:PhishingLevel <Verdict>. Outlook uses the PCL stamp to block the content of suspicious messages.
The Sender ID stamp
The Sender ID stamp is based on the sender policy framework (SPF) that authorizes the use of domains in email. The Sender ID agent determines the Sender ID status for the message. These status values are described in the following table.
||Both the IP address and Purported Responsible Address (PRA) passed the Sender ID verification check.
||Published Sender ID data is explicitly inconclusive.
||The IP address for the PRA may be in the not permitted set.
||The IP Address is not permitted. No PRA is found in the incoming mail or the sending domain does not exist.
||No published SPF data exists in the sender's DNS.
||A temporary DNS failure occurred, such as an unavailable DNS server.
||The DNS record is invalid, such as an error in the record format.
The Sender ID stamp is displayed in the X-MS-Exchange-Organization-SenderIdResult: X-header, and also in the antispam report stamp as
SenderIDStatus <Status>. The SPF result is displayed in the Received-SPF header.
For more information, see the following topics:
The spam confidence level stamp
On November 1, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions will be left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
The SCL stamp displays the rating of the message based on its content. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message, and to assign an SCL rating to each message. The SCL values are described in the following table.
|0 through 9
||0 indicates an extremely low probability that the message is spam.
9 indicates an extremely high probability that the message is spam.
||The message bypassed antispam scanning (for example, the message was from an internal sender).
The SCL value appears in the X-MS-Exchange-Organization-SCL: X-header.
The actions that Exchange and Outlook take based on the SCL value depend on your SCL threshold settings. For more information, see Exchange spam confidence level (SCL) thresholds.
The antispam report stamp
The antispam report stamp is a summary of the antispam filter results that have been applied to the message. The Content Filter agent applies this stamp to the message in the X-MS-Exchange-Organization-Antispam-Report: X-header. The anti spam report uses the following syntax:
X-MS-Exchange-Organization-Antispam-Report: DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict <verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus <status>;TIME:<SendReceiveDelta>;MIME:MimeCompliance;OrigIP:<SourceIPAddress>
The antispam filter information that can appear in the antispam report stamp is described in the following table. Note that the antispam report stamp only contains results and conclusions from antispam filters that were applied to the message. so the antispam report stamp usually doesn't contain all of the possible stamps and values.
||The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.
||The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.
||The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.
||The custom weight (CW) stamp indicates that the message contains an unapproved word or phrase and that the SCL value, or weight, of that unapproved word or phrase was applied to the final SCL score:
• Unapproved phrases, or Block phrases, have maximum weight and change the SCL score to 9.
• Approved words or phrases, or Allow phrases, have minimum weight and change the SCL score to 0.
For more information about how to add approved and unapproved words or phrases to the Content Filtering agent, see Content filtering procedures.
||The presolved puzzle (PP) stamp indicates that if a sender's message contains a valid, solved computational postmark (based on Outlook E-mail Postmark validation functionality), it's unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating.
The Content Filter agent doesn't change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:
• An inbound message doesn't contain a computational postmark header.
• The computational postmark header isn't valid.
For more information about the postmark validation feature, see Content filtering.
||Indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.
||Indicates the IP address of the source messaging server.
||Indicates that the email message isn't MIME compliant.
||Indicates that the message contains a URL that's present in a phishing definition file.
||Indicates that the sender's IP address is on the IP Allow list. For more information about the IP Allow list, see IP Allow list.
||Indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the antispam filters.
||Indicates that the Content Filter agent doesn't process any content filtering for messages that are received from this sender. For more information, see Content filtering procedures.
||Indicates that one of the following conditions was met for all recipients listed in the message:
• The AntispamBypassedEnabled parameter on the recipient's mailbox is set to
• The message sender is in the recipient's Safe Senders List. For more information about the Safe Senders List, see Use the Exchange Management Shell to configure the safelist collection on a mailbox.
• The Content Filter agent doesn't process any content filtering for messages that are sent to this recipient. For more information about recipient exceptions, see Use the Exchange Management Shell to configure recipient and sender exceptions for content filtering.