Too many important messages are going into my Outlook Junk Email folder, and I can’t figure out why.
Seriously, I don’t know how to explain it. Several of my clients have mentioned that more messages lately are being incorrectly flagged as spam, and the mistakes seem obvious when I look at my own Junk Email folder. But there are only scattered complaints online when I search for trends. I don’t see any changes from Microsoft in the last year or two that would account for it.
I don’t have any answers. If you’re not checking your junk mail folder occasionally, I’d suggest you scan it every so often, just in case.
Microsoft’s definition of junk email: “Junk email is spam, which are unsolicited and universally unwanted messages (when identified correctly).”
For many years, the default Office 365 spam filter was almost completely reliable. It would capture junk but pass through virtually all legitimate messages. Sure, much of what was passed through was advertising and crud, but the important thing was, we could safely ignore the junk mail folder.
Something has gone wrong.
This is a screenshot of messages in my junk mail folder from the last week.
Those messages have one thing in common: Not one of them is junk mail. None of them are “unsolicited and universally unwanted.”
- The first one is a receipt from Apple for a monthly payment. It’s a receipt from one of the largest companies in the world. What is it doing in junk mail?
- Some of the messages are advertising from companies I’ve done business with. There’s a newsletter from Relix that I subscribed to. There’s an alert that Sonora Resort – a place we went on vacation – won’t open this season.
- On Wednesday, it’s one of my own articles sent by the company that I use for mass mailings – Mad Mimi, owned by GoDaddy. I’ve whitelisted my incoming articles dozens of times, and they still go to junk.
- There’s an alert about a client’s server from the company that handles my remote management software. Solarwinds is one of the largest companies in the world for IT monitoring and support.
- There’s a notification of a security breach at Burning Shed, a UK music vendor that I’ve done business with, notifying me that I have to go change my password.
It’s worth mentioning that I’ve never blacklisted any of these companies (marked them as junk), and no rules are sending them to junk.
Microsoft’s spam filtering service, Exchange Online Protection (EOP), has been continuously in place with constant tweaking, but no major overhauls, for fifteen years. Microsoft checks IP addresses of senders and drops messages that are unambiguously from bad guys. (An extraordinary number of malicious messages never reach you. You’d be appalled.) Phishing messages with malicious URLs are quarantined, but the bad guys change the URLs so quickly that obviously some get through.
As you’d expect, spam filtering is complex. Large enterprises can configure EOP in endless ways. Theoretically, small businesses can tweak and create whitelists and fritter away time and money working on the details, but it’s complicated – I would have a difficult time coming up to speed, and setting up a spam policy for a single company is different than doing it for each of the dozens of companies that depend on me.
And that misses the point. For many years, it just worked. Microsoft’s documentation for Office 365 says, “By default, spam filtering is tuned to protect you without needing any additional configuration.” Now I’m losing confidence in it, and that’s frustrating.
Let’s look at some details.
First, if you’re an Outlook user, there is a drop-down on the ribbon under Junk for Junk E-mail Options. It will be set to “No Automatic Filtering.” Do not change that setting!
The Options screen is a legacy from an additional level of spam screening that Microsoft abandoned four years ago. It has nothing whatsoever to do with the junk mail filtering done by Microsoft servers before the mail gets to you.
Here’s a portion of the header of the message in my junk mail folder about the Equifax class action settlement.
SPF is a DNS record set up by the senders of messages to help prevent spammers from spoofing real domains. You can see in the above header that there is a good SPF record for equifaxbreachsettlement.com.
Microsoft uses a variety of techniques to assign a Spam Confidence Level (SCL) to each message. You’ll see the SCL in the above message is 6, which is in the zone that sends it to junk mail. The assignment of an SCL is the part that is going wrong for Microsoft. There is no transparency that I’m aware of to explain why Microsoft assigns a particular SCL.
The Equifax email was almost certainly sent to a large number of people, but Microsoft handles bulk mail separately. You can see that the BCL (Bulk Complaint Level) is set to zero, which means that’s not the reason it was sent to junk.
It’s very strange. If Microsoft has some glaring defect in its spam filtering, I would expect to find discussions and complaints all over the web – but I did a lot of Google questing and I can’t find that kind of uproar. Yet I can’t overlook all the messages in Junk Email that just shouldn’t be there.
Check your junk mail. And let me know if I’m missing something obvious.
EOP uses a variety of technologies to detect spam emails, including:
Bayesian filtering: EOP uses Bayesian filtering to calculate the probability that an email is spam based on the content of the email.
Wordlist filtering: EOP can refer to wordlists to identify emails that contain certain words or phrases that are typical of spam.
Reputation check: EOP checks the sender’s IP address to determine if the IP address is known for sending spam or phishing emails.
Heuristic analysis: EOP performs heuristic analysis to try to detect patterns that are typical of spam emails.
EOP uses these technologies in combination to calculate a Spam Confidence Level (SCL) rating for each incoming email. SCL is a value from 0 to 9, with a higher value indicating that an email is more likely to be spam. An SCL of 0 means that an email is considered non-spam. An SCL of 9 means that an email is considered spam. An SCL between 5 and 9 means that the email is considered spam and will be filtered. While an SCL between 4 to 1 means that the email is considered uncertain and won’t be automatically deleted, there are options to filter it manually.
Hi all
We migrated few weeks back to MS Exchange and i have to same issue.
Any news how to solve this wrong spam classification?
I’m to a point where I’m actually considering legal action as O365 is basically the only service marking our outgoing emails as spam but the majority of our customers are using the service so nearly all of legitimate emails we send out are going to spam for no good reason. We have hired several consulting firms to make sure our DKIM, SPF and all other related records and practices are perfect. Really unacceptable.
We are having the same issues – even more noticeable now that GoDaddy full server migration was done last week. Most of our emails go to JUNK FOLDER and even worse our emails to our contacts are going to their spam – many commenting – no they had not received – they check spam and there it is
– 2 days ago they shut our 2 email accounts down – had to get them unblocked by GoDaddy – THIS was their reason: “Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance.”
This is UNACCEPTABLE – needs to be a class action law suite filled – this is harming our business and interfering with commerce not to mention defamation of character.
Microsoft and GoDaddy are both well aware of this – and yet choose to do nothing to resolve it – and they could – they just don’t because clearly there is an agenda on their part.
We will migrate away from GoDaddy after 17 years – 23 years of business and 80 GB of emails to move – not a fun task – but has to be done. Will go back to POP or MAP – looking at a place called NAMECHEAP.com – PRIVATE EMAIL – their name sounds funky but thinking PRIVATE is what is need – anything is better than Microsoft and GoDaddy destroying our business.
Our contacts and clients past and new are 6-7 figure deals
* BACK THE F#!* OFF MICROSOFT. (and GoDaddy)
We will decide what is JUNK and what isn’t – thank you !!! and stop flagging our outgoing as spam.
Stop prying into our business !
We use MAC MAIL and have NO interest in Microsoft – never did – and this is why – they operate in deceptive ways – will have no part of it.
and would NEVER give Microsoft access to our actual contacts – fine with Mac installed business products.
Very p#ss*d off business owners here and partners aren’t happy either.
I’ve had similar issues with Hotmail refusing to talk to my mailserver (SPF/DKIM/DMARC all set correctly) Complaining to Hotmail first crerates a response that mitigation is denied, then an angry follow up email helps getting mitigation implemented but after a few months the same issue and the same chain of events occurs.
There has been 0 instances of spam complaints from my static IP.
I wonder if we should sue Microsoft for blocking legitimate emails and putting other emails in Junk boxes while the emails are legitimate. I can’t get past the feeling they do it on purpose to push everyone to using O365 product exclusively.
I might be able to offer some insight to at least one potential cause:
One of our mails was classified as spam for no obvious reason, even though not blacklisted, SPF/DKIM/DMARQ etc. is all configured properly.
Working with the recieving party we then found this (changed sensitive infos/IP of course):
—————————————–
(8) Test: Domain Impersonation
HEADER:
From
VALUE:
CompanyName
ANALYSIS:
– Mail From: >
– Mail Domain: senderdomain.com>
–> resolves to:
–> reverse-DNS resolves to:
(sender’s domain: senderdomain.com)
– First Hop: senderdomain.com (1.2.3.4)
–> resolves to: 1.2.3.4
–> reverse-DNS resolves to: server7.otherdomain.com
(first hop’s domain: otherdomain.com)
– WARNING! Potential Domain Impersonation!
– Mail’s domain should resolve to: senderdomain.com
– But instead first hop resolved to: otherdomain.com
This is the SpamAssassin report, which is fine:
—————————————–
(9) Test: SpamAssassin Spam Status
HEADER:
X-Spam-Status
VALUE:
No, score=-2.1 required=7.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham
autolearn_force=no
version=3.4.2
ANALYSIS:
– SpamAssassin spam report
– _result: Whether the message is Spam
– NO
– score: Total score for the message (negative if whitelisted)
– -2.1
– required: The score that would be required to be classed as spam
– 7.0
So it seems Microsoft / Office 365 classifies a message as “Spam” because of “Domain Impersonation!” if you are sending mails from a vHost on a server who has a different domain as rDNS.
I have no idea who comes up with this ….
I don’t understand this area deeply but it looks like you’ve described a method that the bad guys could use to forge the sender’s email address on malicious spam. Most of them are lazy and don’t take the trouble, so the email address displayed in a mail client doesn’t match the message. It is far more convincing when they use a technique like you describe for a message like this:
Subject: Confirmation of purchase
Sender: Norton Security (security@norton.com)
With a link to click on or an 800 number to call, of course.
It’s the same thing that causes newsletters handled by a mailing service to be classified as spam. My newsletters display a sender of bruceb@bruceb.com, but the actual sender is Mad Mimi (GoDaddy’s mailing list service) – and they’re almost always sent to spam.
It would be nice to see Microsoft’s spam filter be able to distinguish good from bad, but as a default, this is perhaps a feature instead of a bug . . .
That’s the Envelope-From which can be defined as random string, named after the fact that the sender on the back of a (snail mail) envelope can be anything and does not necessarily corelate with the real sender of the letter.
The rDNS/reverse DNS of an IP address just spits out a domain name associated with said IP address, like the DNS of example.com points to the webserver this domain is located on.
Thanks to vHosts/virtual Hosts a webserver can of course host multiple domains, so multiple domains can point to the same Server-IP. But the rDNS can of course only reply with a single Domain when queried (who is 1.2.3.4 ? It’s domain.com), since that’s the server name and the server would not know which domain one is looking for.
So in essence it means that a server that hosts multiple domains is automatically classified as “suspicious” because the rDNS will fail in any case, especially if you have a vHost on a server that isn’t even yours.
Our servers are named server1.domain.com, server2.domain.com etc. and the rDNS shows the server name. The domains we host do not correlate with the server name of course – so this means instant death on the O365 “Potential Domain Impersonation” … which is rediculous.
Helpful info! Thanks.
I am so pleased I found this – thanks !
Lots of valid emails, including those from within the organisation, are randomly thrown into junk.
Today one email, the second of 4 from the same person in the space of 1 hour, was junked.
So it’s a totally irrational system classically ignored by indifferent MS.
You have saved me many more hours of trying to pin down a cause – I’ll just accept the junk system is junk.
I, too, am glad to have found this message thread. While I would expect there could be a global increase in IT security due to the worldwide issues in Ukraine. I would have expected better control over the Junk settings – either as a user or as an admin.
I am an IT admin (volunteer) for a small non-profit, and our Junk folder has increased 200% over the past couple of months. I have all spam filters, SPF, etc., turned on, yet many of the emails sent to Junk are not Junk. Even a few emails sent by co-workers in the same domain are sent to the Junk folder.
While I appreciate 365 or whatever system wants to protect us…it takes tons of time keeping up on emails that belong on the naughty or nice list.
I would be appreciative if anyone here passed on any information relevant to making changes or corrections to the Junk folder.
We have been running into this problem for the last 6 Months. Microsoft appears to be working at blocking all NON Office 365 senders, probably on purpose to boost the overall market share of its use. Our fear at an IT level is we will eventually be required to subscribe to O365 or our email service will no longer work.
When we get bounces we tell Recipient to “Safe Sender” our domain and they then go through.
I could write an entire Article based upon Microsoft using Cyber Insurance as another Arrow in their quiver to dominate the email market. If you have not purchased Cyber Insurance you will see that the applications were written by Microsoft! You almost need MFA and Office 365 mail to purchase a policy nowadays!
It’s happening to my users too. Our whitelist of domains keeps growing, a practice that is discouraged by MS. I’ve also had newsletters delivered normally to some users, and sent to Junk Email for others. I’ve done what Adam has done: added the Junk Email folder to my Favorites so I can monitor it.
So it’s not just me! I have Outlook365 on the desktop for half a dozen IMAP email addresses and one 365 Exchange account. All put whitelisted email into SPAM at least once a week, but one address is noticeably worse and puts an average of 60 legitimate emails a week into junk despite nearly all either having the email addresses or domains whitelisted.
Even emails from contacts go into spam.
It’s so bad I’ve had to add that spam folder to my Favourites so I can see it filling up.
A microsoft verification of my account was identified as junk by microsoft.
The snake is eating it’s own tail.
Very funny in a darkly comedic way.
(laughing) I’ve had that happen too!
Have a look at these tools:
https://www.ivasoft.com/runjunkrules.shtml
and
https://www.ivasoft.com/fromjunktoinboxflow.shtml
O365 sucks more that anything has ever sucked before. Our clients (only the ones using O365) don’t get our invoices and blame us for that, but our IP is clean, we pass SPF, DKIM, DMARC, everything, and all our non-O365 clients get our emails without issues.
All I can do is advise people not to use O365. Problem solved.
I live in Portugal. I just applied for a certificate of Covid vaccination. Microsoft put the message with the Certificate attached in Junk Mail.
I have been having this precise same issue! A client of mine changed hosting, and from then on all emails sent to office 365 clients go straight to spam! Even though all checks pass! Even gmail and hotmail accept it!
I got the exact same problem. We pass every test (SPF, DKIM, etc) everybody get’s our emails but nobody with O365.
We have had a problem for a while now trying to deliver to any customer whose email service provider is Microsoft Office – i.e. *.mail.protection.outlook.com
Originally, our email was hosted with GoDaddy and so (despite having our own dedicated IP) would have to go through GDs own email relay.
Some emails were just disappearing without trace, no warnings, errors, nothing. Eventually we established that GDs relay server was sending our emails from one of two IP addresses – seemingly randomly switching between the two. One ending in .202 and one in .196
All emails that went out using the IP address ending in .202 were fine. If it used .196 then emails to Microsoft addresses would vanish but the emails to, e.g. Gmail, would get through perfectly fine.
Microsoft support insisted that there was nothing wrong with the .196 IP address from their point of view and GD just ghosted us in the end.
So, in the complete absence of any support, we switched our mail hosting to Hostinger and have a fixed IP with them. SPF, DKIM, DMARC etc. are all set up and working properly. Our IP address is not on any blacklists and we are monitoring that through MX Toolbox.
And now everything is working fine…. except when sending to any customer whose email service provider is Microsoft Office – i.e. *.mail.protection.outlook.com
Those emails are now going into their Junk folder every time. Even for customers who have been with us for years and sent and received emails with no problems. Them marking our emails as not junk doesn’t stop the next one from us going into the junk folder.
Even when we are replying to an email they have sent to us…. straight into junk.
Microsoft support just says that there appears to be nothing wrong with our IP address from their point of view and recommends we sign up with their Smart Network Data Services (SNDS) and also the Junk Email Reporting Program (JMRP).
The trouble is, that we are already signed up to the SNDS and it lists our IP address as ‘normal’ but does not show us any data – apparently we would need to send around 100 emails a day to Microsoft addresses to have any data to view.
The JMRP reports zero instances of our emails being marked as spam by Microsoft users.
So we are no further down the line. My bosses are… concerned. And I’ve spent far too much time trying to figure out what the hell is going on.
Sorry I don’t offer any answers – will update if I get any further.
Wow. Just . . . wow. I can only imagine how much work it has been to get to this point – and how frustrating. You’re a long way down the rabbit hole. Good luck!
Thanks Bruce! The only upside has been that I have learnt a lot about SPF, DKIM etc. over the last few months..!
I am sooooo glad I stumbled upon this thread! I was beginning to think I did something to cause this. So first, a collectiveTHANK YOU.
Now to the issue at hand. As a general comment, I, like most of the rest of you, have been experiencing this problem for the past several weeks:
1. I first contacted MS mobile Outlook support group about this issue. They had me check my email on Outlook.com to see if the issue is duplicated there. It is. They then washed their hands of it, telling me the problem is therefore related to my account(!), and the Outlook.com support group would have to deal with it. I then went to the Office.com support site, where I repeated what my problem was, and that it was imperative they get me the solution immediately. I still have not received a response.
2. But the declaration by the mobile Outlook group led me to check to see whether my using outlook.com, mobile Outlook, or Outlook (365) Windows 10 desktop made any difference. It did not.
3. But at least we now know there appears to be consistency across these platforms. From a troubleshooting point of view, that’s big. E.g.,it at least tells us sync is working OK.
4. NOTHING is accomplished by selecting emails in the Junk folder and choosing the Not Junk option. By that, I mean I can assign any email Not Junk status, and it’s as if I didn’t do anything, as email from these same email addresses may well end up in the Junk folder again, regardless what devise (and consequently, what flavor of Outlook) I use.
5. One person in this thread mentioned using a trial version of McAfee, and wondering if it could be having an impact. This set off alarms in my head. Could an app be causing this?! Especially one (like McAfee) that can be set up to check email for viruses, etc? I too have McAfee on board, and I’m wondering if perhaps some update to that app could have triggered this problem on Outlook?? (or any other app in the same field – Avast, AVG, Norton, et al). I don’t have an answer to this question, as that kind of digging is way over my pay grade. But the possibility sure is intriguing to me.
Finally, thanks to everyone who is actively trying to solve this mystery.
And a closing word for Microsoft, if you’re listening: What kind of bullshit is this?!? We pay a pretty high premium that partly goes to your Outlook.com support group fo resolve problems JUST LIKE THIS. So “ENCOURAGE” THEM TO DO THEIR JOBS!! NO ONE in this thread or the billion others I’ve read related to this problem should have to be spending one minute trying to resolve this. People can lose their their jobs over stuff like this, Microsoft!RESOLVE THIS NOW!!
I’ve had less of a problem with this in the last few months. But FWIW some Office 365 users ran into a bug a few days ago that had perfectly good inbox mail diverted to Junk Mail. I didn’t run into it with my clients so I don’t know how many people or how long it lasted. Just another day with MS. Microsoft Office 365 issue routes inbound email directly to junk
I am having this problem now in 2021. The only solution I found was to turn off the spam/junk filter and just send all mail to my inbox. The strange thing is, I do not receive spam and 365 marked important mail as spam.
Hi …I’m also having a junk mail problem, I have always had 30/40 junk emails a day most of them were junk however some important emails for example from my employer always end up in my junk mail folder ..now I’m getting the opposite .. maybe 2or3 a day is all I’m getting sounds good but I’m worried that I’m losing important emails
I am having same issue for last month or 2. Not sure of the problem or solution, but emails from my contacts for many years are going into “junk mail” ?????
I have the same problem since month now and i’m in contact with the absolute useless Microsoft support.
We have an internal Postfix which is sending to our big customers which are using Exchange Online. Our emails goes directly to SPAM. I have make a lot of tests.
Every Spam check with SPF and so on is pass and correct. The Spam header for
X-MS-Exchange-Organization-PCL: 2
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-Organization-SCL: 0
are ok. No one on the Microsoft site can tell me whats the problem. That a big problem when you send offers to your customers which go to SPAM.
So at the moment it’s absolute bullshit. I have made some tests. When i remove our domain from the mail content in some cases the email goes to inbox. When someone has some good ideas i’m open for some input.
Converting my first O365 tenancy so I’m doing a lot of reading. I came across your post.
I’ve also read a lot of tech documents. I wondered if you checked the MarkAsSpamBulkMail flag on your policies. This is a powershell-only flag.
If the BCL is > threshold, the BCL is converted into an SCL of 6 which is what you are seeing. This is the default behaviour.
If you turn it off, the message is stamped with the BCL and no action is taken.
More info here.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide
Hmm. That’s interesting. I’ll check it out. Thanks!
Having the same problem here since roundabout a year. Before, everything just worked fine. Nowadays mails from customers, mails from collegues, invoices, simply everything is randomly shuffled into the junk mail folders of my users. This is extremely frustrating.
I was starting to suffer from imposter syndrome until I read this.
We are even seeing mail from Office 365 (specifically Office365Reports@microsoft.com) going into Junk Mail.
Yes I run a mailserver for a school and all sorts of e-mails are going into spam. A lot of internal mails from our young users are going there for apparently no reason; no spammy words at all.
Shouldn’t it auto whitelist senders that users have e-mailed? ASSP (an open source spam filter I used to use) had an option for this and I thought it worked great for reducing user complaints?
My articles are emailed by Mad Mimi, a mass mailing company owned by GoDaddy – one of the big ones, like Vertical Response and MailChimp.
I just sent tonight’s article to myself – “Rules for Computer and Online Safety.” The sender is brucebnews@bruceb.com – an alias for my mailbox, plus whatever is appended because it’s being sent by a subsidiary of GoDaddy, one of Microsoft’s primary Office 365 partners.
It didn’t even arrive in Junk Mail. It was quarantined. I had to go digging in the admin controls to release it. Are my Office 365 subscribers not going to get instructions about being safe because Microsoft disappears my article?
WTF, Microsoft? This is absurd!
I have a relatively new computer which came with a trial period of McAfee protection. I checked with a computer consultant to see if was necessary to continue the subscription when it ran out. it was his opinion that the computer had built in protection. I’m thinking that this problem of all emails going to spam might connected to the protection service.
Exchange 2019 Mac PBP latest OS 2020, Outlook latest using 365 subscription.
Junk mail no longer working automatically. Says not available for this account. OWA not helpful. Has anything happened at MS? I use Exchange filters for regular incoming like my family and local filters for shorter term incoming like our current construction sites.
For Office/Microsoft 365 accounts, the core decisions are all made on the Exchange Server. To change those, have the Microsoft 365 administrator go to https://protection.office.com/antispam and create a different filter or modify the default policy (or do it via Exchange Powershell for more advanced changes).
I think the simplest and most bang for the buck is to simply change the action for spam and bulk mail to either “Prepend subject line with text” (and then add something like “** Possible spam **”) or “Add X-header,” which allows them to be delivered with no real effort to build a new filter. This leaves “High confidence spam” and all phishing mail headed to the Junk Mail Folder.
Our Office filter is marking as junk, emails from our own domain. This is ridiculous.
i dont know what’s happining either
I straight up disabled it via PowerShell on my account. Fortunately, I’m a go I am a global admin for our tenant. Not everyone would have this option.
We did the same thing with several mailboxes for our users because this was getting out of hand. Even email addresses and domains that were explicitly whitelisted were sometimes marked as junk. We were constantly having to monitor the junk folder anyway, so it didn’t really make sense to keep it turned on. Now those messages end up in clutter, which makes more sense.
Very much with you on this. Something is very wrong with Microsoft spam filters. It’s as if they’ve given up and mark just about everything as spam, instead relying on you to decide what’s not by whitelisting.
Whitelisting emails or domains has become a must-do over the past 2 years, otherwise the majority of legitimate mail goes to junk. Trouble is, when a new client on-boards with 365, they won’t have all their contacts whitelisted so begins weeks of building a whitelist.
This is not acceptable – get raising it with Microsoft!
I’m having a lot of legitimate email ending up in my junk email. Much of it is from senders I have been receiving email from for years with no problem. Now, the last few months, much of it goes to junk mail for some inexplicable reason.
Same problem here – all our emails to Hotmail/Live etc are marked as Junk – even though our SPF, DKIM etc all checks out – we have to check each clients email and send from our own Hotmail account to get any mail through – most frustrating.
SPL seems to be set at 6.
MS just respond that they are not going to change anything! Our servers are not blacklisted and are dedicated IPs.
I am with you! I am seeing a ton of quarantined emails that passed spf and dkim. I have also seen some spoofing that shouldn’t have passed get through.
I enabled End User Notifications on quarantined spam. That’s about as much as I can do.