To prevent phishing messages from reaching your mailbox, Outlook.com and Outlook on the web verify that the sender is who they say they are and mark suspicious messages as junk email.
When a message is marked as a phishing scam, Outlook.com and Outlook on the web display a warning at the top of the page, but any links in the message can still be opened.
How can I identify a suspicious message in my inbox?
Outlook.com and Outlook on the web show indicators when the sender of a message either can't be identified or their identity is different from what you see in the From address.
How to manage which messages receive the unverified sender treatment
If you are an Office 365 customer you can manage this feature through the Security & Compliance Center.
In the Office 365 Security & Compliance Center, tenant admins can turn the feature on or off through Anti-spoofing protection under the Anti-Phish policy. It can also be managed through the Set-AntiPhishPolicy cmdlet. For more details, see Anti-phishing protection in Office 365 and Set-AntiPhishPolicy.
If an admin has identified a false positive and a sender should not be receiving the unverified sender treatment, the admin can take one of the following actions to add the sender to the Spoof Intelligence spoof allow list:
Add the domain pair through the Spoof Intelligence Insight. For more details, see Walkthrough: spoof intelligence insight.
Add the domain pair through the PhishFilterPolicy cmdlet. For more details, see Set-PhishFilterPolicy and Anti-spoofing protection in Office 365.
Additionally, we do not apply the unverified sender treatment to a message that was delivered to the inbox via an admin allow list, including Email Transport Rules (ETRs), the Safe Domain List (Anti-Spam Policy), or the Safe Sender List, or when a user has set the sender as a “Safe Sender” in their inbox.
You see a '?' in the sender image
When Outlook.com and Outlook on the web can't verify the identity of the sender using email authentication techniques, they display a '?' in the sender photo.
Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed.
Frequently asked questions
What criteria do Outlook.com and Outlook on the web use to add the '?' and the 'via' properties?
For the '?' in the sender image: Outlook.com requires that the message pass either SPF or DKIM authentication. For more details, see Set up SPF in Office 365 to help prevent spoofing and Use DKIM to validate outbound email sent from your custom domain in Office 365.
For the via tag: If the domain in the From address is different from the domain in the DKIM signature or the SMTP MAIL FROM, Outlook.com displays the domain in one of those two fields (preferring the DKIM signature).
How do I remove the '?'
For the '?' in the sender image: As a sender, you should authenticate your message with either SPF or DKIM.
For the via tag: As a sender, you should ensure that either the domain in the DKIM signature or the SMTP MAIL FROM is the same as, or is a subdomain of, the domain in the From address.
Do Outlook.com and Outlook on the web show this for every message that doesn’t pass authentication?
Not necessarily. Outlook.com and Outlook on the web may have other properties within the message to authenticate the sender.
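The '?' and via criteria described above can be checked against a message's own headers. The following is an added example, not Microsoft's code: a simplified model that assumes the receiving service's verdicts are in the topmost Authentication-Results header, and it ignores the other properties Outlook.com may use. The function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    """Lower-cased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def _field(results, name):
    """Value of one 'name=value' item in Authentication-Results, or None."""
    m = re.search(r"\b" + re.escape(name) + r"=([^\s;]+)", results)
    value = m.group(1).lower() if m else None
    return None if value in (None, "none") else value

def sender_indicators(raw_message):
    """Return (show_question_mark, via_domain) for one raw message."""
    msg = message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    # Assumption: only the topmost header, stamped by the receiving service,
    # is trusted; lower copies may have been supplied by the sender.
    results = re.sub(r"\([^)]*\)", " ", msg.get("Authentication-Results", ""))
    # '?' rule: the message must pass either SPF or DKIM.
    passed = "pass" in (_field(results, "spf"), _field(results, "dkim"))
    # via rule: DKIM signature domain is preferred, then SMTP MAIL FROM.
    candidates = [_domain(v) for v in
                  (_field(results, "header.d"), _field(results, "smtp.mailfrom"))
                  if v]
    # Aligned means equal to, or a subdomain of, the From domain.
    aligned = any(d == from_domain or d.endswith("." + from_domain)
                  for d in candidates)
    via = None if aligned or not candidates else candidates[0]
    return (not passed, via)

# Constructed sample messages (not taken from real mail).
ALIGNED = ("From: Contoso Billing <billing@contoso.com>\n"
           "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
           " smtp.mailfrom=bounces.contoso.com; dkim=pass (signature was\n"
           " verified) header.d=contoso.com;\n\nInvoice attached.\n")
THIRD_PARTY = ("From: alerts@contoso.com\n"
               "Authentication-Results: spf=pass smtp.mailfrom=mail.bulkmailer.example;\n"
               " dkim=pass header.d=bulkmailer.example;\n\nNewsletter.\n")
UNAUTHENTICATED = ("From: ceo@contoso.com\n"
                   "Authentication-Results: spf=fail smtp.mailfrom=contoso.com;\n"
                   " dkim=none (message not signed) header.d=none;\n\nUrgent.\n")

if __name__ == "__main__":
    for raw in (ALIGNED, THIRD_PARTY, UNAUTHENTICATED):
        print(sender_indicators(raw))
```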