How to prevent real email from being marked as spam in Office 365
Is your real email getting marked as spam in Office 365? Do this.
Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect your organization against spam and malware. If you have mailboxes in Office 365, they are automatically protected by EOP since it is part of the service.
EOP attempts to filter out spam, keeping your Inbox clear of content that users don't want to see. But sometimes, EOP filters out things that you do want to see. When a message is incorrectly marked as spam by the spam filter, it's called a false positive.
If you get a false positive, you should report the message to Microsoft by using the Report Message add-in. Additionally, you can forward the message as an attachment to email@example.com.
**Important** If you do not forward the messages as attachments, then the headers will be missing and we will be unable to improve the junk mail filtering in Office 365.
Determine the reason why the message was marked as spam
Many issues with spam in Office 365 can be resolved by viewing the e-mail message headers and determining what went wrong. You will need to look for a header named X-Forefront-Antispam-Report. You can learn more about anti-spam message headers.
In the header, look for the following headings and values.
- **SFV:SPM** Indicates that the message was marked as spam because of the EOP spam filters.
- **SFV:BLK** Indicates that the message was marked as spam because the sending address is on the recipient's Blocked Senders List.
- **SFV:SKS** Indicates that the message was marked as spam prior to the content filter. This could include a transport rule marking the message as spam. Run a message trace to see if a transport rule triggered which may have set a high spam confidence level (SCL).
- **SFV:SKB** Indicates that the message was marked as spam because it matched a block list in the spam filter policy.
- **SFV:BULK** Indicates that the Bulk Complaint Level (BCL) value located in the X-Microsoft-Antispam header is above the Bulk threshold that has been set for the content filter. Bulk email is email which users may have signed up for, but may still be undesirable. In the message header find the BCL (Bulk Confidence Level) property in the X-Microsoft-Antispam header. If the BCL value is less than the threshold set in the Spam Filter, you may want to adjust the threshold to instead mark these types of bulk messages as spam. Different users have different tolerances and preferences for how bulk email is handled. You can create different policies or rules for different user preferences.
- **CAT:SPOOF** or **CAT:PHISH** Indicates that the message appears to be spoofed, meaning that the message source cannot be validated and could be suspicious. If valid, the sender will need to make sure that they have proper SPF and DKIM configuration. Check the Authentication-Results header for more information. Although it may be difficult to get all senders to use proper email authentication methods, bypassing these checks can be extremely dangerous and is the top cause of compromises.
- The presence of this header indicates that the message was marked as spam because one of the advanced spam options is enabled in your spam filter. Unless you need these features, we recommend that you use the default settings.
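A small triage script for the header values listed above, added here as an illustration (it is not Microsoft's code). The sample message is constructed, and the `bulk_threshold` default of 7 is an assumption; use the threshold from your own spam filter policy.

```python
from email import message_from_string
from email.policy import default

# SFV verdicts and their meanings as listed on this page.
SFV_REASONS = {
    "SPM": "marked as spam by the EOP spam filters",
    "BLK": "sender is on the recipient's Blocked Senders list",
    "SKS": "marked as spam before the content filter (check transport rules)",
    "SKB": "matched a block list in the spam filter policy",
    "BULK": "BCL is above the bulk threshold of the content filter",
    "SKN": "allowed (IP Allow or ETR Allow)",
    "NSPM": "non-spam",
}

def parse_fields(value):
    """Split 'KEY:value;KEY:value' header text into a dict with upper-case keys."""
    fields = {}
    for part in (value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def triage(raw_message, bulk_threshold=7):
    """Return (fields, findings) for one raw message; threshold is an assumed default."""
    msg = message_from_string(raw_message, policy=default)  # unfolds long headers
    report = parse_fields(msg["X-Forefront-Antispam-Report"])
    antispam = parse_fields(msg["X-Microsoft-Antispam"])
    findings = []
    sfv = report.get("SFV")
    if sfv:
        findings.append(f"SFV:{sfv} - {SFV_REASONS.get(sfv, 'not described on this page')}")
    if report.get("CAT") in ("SPOOF", "PHISH"):
        findings.append(f"CAT:{report['CAT']} - check SPF/DKIM in Authentication-Results")
    bcl = antispam.get("BCL")
    if bcl and bcl.isdigit():
        side = "above" if int(bcl) > bulk_threshold else "not above"
        findings.append(f"BCL:{bcl} is {side} the threshold {bulk_threshold}")
    return {**antispam, **report}, findings

# Constructed sample headers (not from a real mailbox); the first header is folded.
SAMPLE = (
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SFV:BULK;\r\n"
    " SCL:6;CAT:NONE;\r\n"
    "X-Microsoft-Antispam: BCL:8;\r\n"
    "\r\n"
)
if __name__ == "__main__":
    print(*triage(SAMPLE)[1], sep="\n")
```

Pass the full message source (headers included) to `triage`; a message without either header returns an empty result, which usually means it was not forwarded as an attachment.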
Solutions to additional causes of too much spam
In order to work effectively, Exchange Online Protection (EOP) requires that administrators complete a few tasks. If you are not the administrator for your Office 365 tenant and you are getting too much spam, then you may want to work with your administrator on these tasks. Otherwise, you can skip to the user section.
- **Point your DNS records to Office 365** In order for EOP to provide protection, your mail exchanger (MX) DNS record(s) for all domains must be pointed to Office 365, and only to Office 365. If your MX does not point to Office 365, then EOP will not provide spam filtering for your users. In the situation where you wish to use another service or appliance to provide spam filtering for your domain, you should consider disabling the spam protection in EOP. You can do this by creating a transport rule that sets the SCL value to -1. If you later decide to use EOP, make sure to remove this transport rule.
- **Turn on the report message add-in for users** We strongly recommend that you enable the report message add-in for your users. As an administrator, you may also be able to view the feedback your users are sending and use any patterns to adjust any settings that may be causing problems.
- **Create a safe sender list** Users can add addresses from senders that they trust to their safe sender list in Outlook or Outlook on the Web. To get started in Outlook on the Web, choose Settings > Options > Block or allow. The following diagram shows an example of adding something to a safe sender list.
EOP will honor your users' Safe Senders and Recipients, but not Safe Domains. This is true regardless of whether the domain is added through Outlook on the Web, or added in Outlook and synchronized using Directory Sync.
- **Disable SmartScreen filtering in Outlook** If you are using an older Outlook desktop client, you should disable the SmartScreen filtering functionality, which has been discontinued. If enabled, it can cause false positives. This should not be required if running an updated desktop Outlook client.
Troubleshooting: A message ends up in the Junk folder even though EOP marked the message as non-spam
If your users have the option in Outlook enabled for "Safe Lists Only: Only mail from people or domains on your Safe Senders list or Safe Recipients List will be delivered to your Inbox", then all email will go to the junk folder for a sender unless the sender is on the recipient's Safe Sender list. This will happen regardless of whether EOP marks a message as non-spam, or if you have set up a rule in EOP to mark a message as non-spam.
You can disable the Safe Lists Only option for your Outlook users by following the instructions in Outlook: Policy setting to disable the Junk E-mail UI and filtering mechanism.
If you view the message in Outlook on the Web, there will be a yellow safety tip that indicates that the message is in the Junk folder because the sender is not on the recipient's Safe Senders list.
If you look at the header of a message, it may include the stamp SFV:SKN (IP Allow or ETR Allow) or SFV:NSPM (non-spam), but the message is still placed in the user's junk folder. There is nothing in the message header that indicates that the user has "Safe Lists Only" enabled. This happens because the "Safe Lists Only" option set by users in Outlook overrides the EOP setting.
To verify why a message from a safe sender is marked as non-spam in the message header, but still ends up in the user's Junk folder
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Run the following command to view the user's junk email configuration settings:
Get-MailboxJunkEmailConfiguration firstname.lastname@example.org | fl TrustedListsOnly,ContactsTrusted,TrustedSendersAndDomains
- If TrustedListsOnly is set to True, the Safe Lists Only setting is enabled.
- If ContactsTrusted is set to True, the user trusts both Contacts and Safe Senders.
- TrustedSendersAndDomains lists the contents of the user's Safe Senders list.
EOP-only customers: use directory synchronization
If you're an EOP-only customer, that is, you subscribe to the EOP service for use with your on-premises (Exchange) email server, you should sync user settings with the service by using directory synchronization. Doing this ensures that your safe senders lists are respected by EOP. For more information, see "Use directory synchronization to manage mail users" in Manage Mail Users in EOP.