Unverified Sender

Note

These updates are rolling out now, and might not be available for all users. This feature is supported for Enterprise Outlook.com and Enterprise Outlook Win32 desktop users. It is not currently available for consumer Office 365 users.

To prevent phishing messages from reaching your mailbox, Office 365 verifies that the senders are who they say they are and mark suspicious messages as junk email.

Important

When a message is marked as a phishing scam, Outlook displays a warning at the top of the page, but any links in the message can still be opened.

How can I identify a suspicious message in my inbox?

Outlook shows indicators when the sender of a message either can't be identified or their identity is different from what you see in the From address.

You see a '?' in the sender image

When Office 365 can't verify the identity of the sender using email authentication techniques, a '?' is displayed in the sender image.

Message did not pass verification

Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed.

How to manage which messages receive the unverified sender treatment 

If you are an Office 365 customer you can manage this feature through the Office 365 Security & Compliance Center.

Additionally, we don't apply the unverified sender treatment if the message was delivered to the Inbox via mail flow rules (also known as transport rules) or the Safe Domain List (anti-spam policies).

How to manage the 'via' tag 

If you are an Office 365 customer you can manage this feature through the Office 365 Security & Compliance center, the same way that you manage the unverified sender treatment. If you add the sender to the Spoof Intelligence spoof allow list, the 'via' treatment will not be applied.

Frequently asked questions

What criteria does Outlook.com and Outlook Win32 desktop use to add the '?' and the 'via' properties?

For the '?' in the sender image: Outlook.com requires that the message pass either SPF or DKIM authentication and receive either a dmarc pass, or a composite authentication pass from Office 365 Spoof Intelligence. For details, see Set up SPF in Office 365 to help prevent spoofing and Use DKIM to validate outbound email sent from your custom domain in Office 365.

For the via tag: If the domain in the From address is different from the domain in the DKIM signature or the SMTP MAIL FROM, Outlook.com displays the domain in one of those two fields (preferring the DKIM signature).

How do I remove the '?' without utilizing the Spoof Intelligence spoof allow list?

For the '?' in the sender image: As a sender, you should authenticate your message with either SPF or DKIM.

For the via tag: As a sender, you should ensure that either the domain in the DKIM signature or the SMTP MAIL FROM is the same as, or is a subdomain of, the domain in the From address.

Do Outlook.com and Outlook Win32 desktop show this for every message that doesn't pass authentication?

Not necessarily. Office 365 may have other properties within the message to authenticate the sender.

Help protect your Outlook.com email account

Deal with phishing or spoofing in Outlook.com

Filter junk email and spam in Outlook on the web