Office 365 junk mail filtering - finding too many diamonds in the rough

Too many important messages are going into my Outlook Junk Email folder, and I can’t figure out why.

Seriously, I don’t know how to explain it. Several of my clients have mentioned that more messages lately are being incorrectly flagged as spam, and the mistakes seem obvious when I look at my own Junk Email folder. But there are only scattered complaints online when I search for trends. I don’t see any changes from Microsoft in the last year or two that would account for it.

I don’t have any answers. If you’re not checking your junk mail folder occasionally, I’d suggest you scan it every so often, just in case.

Microsoft definition of junk mail - universally unwanted messages (when identified correctly)

Microsoft’s definition of junk email: “Junk email is spam, which are unsolicited and universally unwanted messages (when identified correctly).”

For many years, the default Office 365 spam filter was almost completely reliable. It would capture junk but pass through virtually all legitimate messages. Sure, much of what was passed through was advertising and crud, but the important thing was, we could safely ignore the junk mail folder.

Something has gone wrong.

This is a screenshot of messages in my junk mail folder from the last week.

Those messages have one thing in common: Not one of them is junk mail. None of them are “unsolicited and universally unwanted.”

  • The first one is a receipt from Apple for a monthly payment. It’s a receipt from one of the largest companies in the world. What is it doing in junk mail?
  • Some of the messages are advertising from companies I’ve done business with. There’s a newsletter from Relix that I subscribed to. There’s an alert that Sonora Resort – a place we went on vacation – won’t open this season.
  • On Wednesday, it’s one of my own articles sent by the company that I use for mass mailings – Mad Mimi, owned by GoDaddy. I’ve whitelisted my incoming articles dozens of times, and they still go to junk.
  • There’s an alert about a client’s server from the company that handles my remote management software. Solarwinds is one of the largest companies in the world for IT monitoring and support.
  • There’s a notification of a security breach at Burning Shed, a UK music vendor that I’ve done business with, notifying me that I have to go change my password.

It’s worth mentioning that I’ve never blacklisted any of these companies (marked them as junk), and no rules are sending them to junk.

Microsoft’s spam filtering service, Exchange Online Protection (EOP), has been continuously in place with constant tweaking, but no major overhauls, for fifteen years. Microsoft checks IP addresses of senders and drops messages that are unambiguously from bad guys. (An extraordinary number of malicious messages never reach you. You’d be appalled.) Phishing messages with malicious URLs are quarantined, but the bad guys change the URLs so quickly that obviously some get through.

As you’d expect, spam filtering is complex. Large enterprises can configure EOP in endless ways. Theoretically, small businesses can tweak and create whitelists and fritter away time and money working on the details, but it’s complicated – I would have a difficult time coming up to speed, and setting up a spam policy for a single company is different than doing it for each of the dozens of companies that depend on me.

And that misses the point. For many years, it just worked. Microsoft’s documentation for Office 365 says, “By default, spam filtering is tuned to protect you without needing any additional configuration.” Now I’m losing confidence in it, and that’s frustrating.

Let’s look at some details.

Outlook junk e-mail options - do not change this setting!

First, if you’re an Outlook user, there is a drop-down on the ribbon under Junk for Junk E-mail Options. It will be set to “No Automatic Filtering.” Do not change that setting!

The Options screen is a legacy from an additional level of spam screening that Microsoft abandoned four years ago. It has nothing whatsoever to do with the junk mail filtering done by Microsoft servers before the mail gets to you.

Here’s a portion of the header of the message in my junk mail folder about the Equifax class action settlement.

Internet header for message sent to Office 365 junk mail folder

SPF (Sender Policy Framework) is a DNS record published by a sending domain to help prevent spammers from spoofing real domains. You can see in the above header that there is a good SPF record for equifaxbreachsettlement.com.

Microsoft uses a variety of techniques to assign a Spam Confidence Level (SCL) to each message. You’ll see the SCL in the above message is 6, which is in the zone that sends it to junk mail. The assignment of an SCL is the part that is going wrong for Microsoft. There is no transparency that I’m aware of to explain why Microsoft assigns a particular SCL.

The Equifax email was almost certainly sent to a large number of people, but Microsoft handles bulk mail separately. You can see that the BCL (Bulk Complaint Level) is set to zero, which means that’s not the reason it was sent to junk.
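To run the same check on a message from your own Junk Email folder, the three values discussed above can be pulled out of the raw internet headers. This is an added example, not part of the original post: the header block is constructed to mirror the values described (good SPF result, SCL 6, BCL 0), and the SCL ranges and the bulk threshold of 7 are assumed to be Microsoft's documented defaults.

```python
import re
from email import message_from_string

# Constructed sample (not the header from the post). It mirrors the values the
# post describes: a good SPF result, SCL 6, BCL 0. IPs/hosts are placeholders.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.25)
 smtp.mailfrom=equifaxbreachsettlement.com; dkim=none (message not signed)
X-Forefront-Antispam-Report: CIP:192.0.2.25;CTRY:US;LANG:en;SCL:6;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;
X-Microsoft-Antispam: BCL:0;
Subject: Constructed sample

body
"""

def kv_fields(value):
    """Split an EOP 'KEY:value;KEY:value;' header (possibly folded) into a dict."""
    fields = {}
    for part in re.sub(r"\s+", "", value or "").split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.upper()] = val
    return fields

def to_int(text):
    try:
        return int(text)
    except (TypeError, ValueError):
        return None

def triage(raw_headers, bcl_threshold=7):
    """Report which verdict (content, bulk, SPF) explains a junk placement."""
    msg = message_from_string(raw_headers)
    scl = to_int(kv_fields(msg["X-Forefront-Antispam-Report"]).get("SCL"))
    bcl = to_int(kv_fields(msg["X-Microsoft-Antispam"]).get("BCL"))
    auth = msg["Authentication-Results"] or ""
    spf = re.search(r"\bspf=(\w+)", auth)
    sender = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    reasons = []
    if scl is not None and scl >= 5:  # assumed ranges: 5-6 spam, 7-9 high confidence
        reasons.append("SCL %d (%s)" % (scl, "spam" if scl <= 6 else "high-confidence spam"))
    if bcl is not None and bcl >= bcl_threshold:  # assumed default bulk threshold
        reasons.append("BCL %d (bulk)" % bcl)
    if spf and spf.group(1).lower() != "pass":
        reasons.append("SPF " + spf.group(1).lower())
    return {"scl": scl, "bcl": bcl, "spf": spf.group(1).lower() if spf else None,
            "mailfrom": sender.group(1) if sender else None, "reasons": reasons}
```

For the constructed sample, `triage(SAMPLE)` reports the SCL as the only reason, matching the situation described above: authentication and bulk scoring are clean, and the content verdict alone sends the message to junk.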

It’s very strange. If Microsoft has some glaring defect in its spam filtering, I would expect to find discussions and complaints all over the web – but I did a lot of Google questing and I can’t find that kind of uproar. Yet I can’t overlook all the messages in Junk Email that just shouldn’t be there.

Check your junk mail. And let me know if I’m missing something obvious.
