Outlook on the web: Received two identical mail messages - one classified as spam, the other not

fommio 21 Reputation points
2020-08-22T21:12:02.53+00:00

Hey Community!

Today I have sent myself two mail messages with the same content from my personal mail account (ProtonMail with a custom domain and activated functions SPF, DKIM & DMARC) to my outlook.de address. The configuration of SPF & DMARC looks like this:

Spf:
v=spf1 include:_spf.protonmail.ch mx

DMARC:
v=DMARC1; p=quarantine; rua=mailto:xxx@X .xxx; pct=100; aspf=s; adkim=s

The first one landed in the junk folder. The second (around 4 minutes later) in the inbox. I'm now trying to find out why this is so but have some difficulty in correctly interpreting some of the header data. At least I have noticed some things that are likely to be relevant information. I used the comparison feature of Notepad++ for this:

1. All mail authentication techniques (SPF, DKIM & DMARC) were transmitted and correctly recognized.
2. The mail message classified as junk by Outlook on the web is missing the entries "X-MS-Exchange-ATPSafeLinks-Stat" and "X-MS-Exchange-ATPSafeLinks-BitVector".
3. Right after the entry "X-Microsoft antispam mailbox delivery" the expression "OFR:SpamFilterAuthJ" exists in the junk mail header but missing in the other mail.
4. Both messages were sent as "text only" mails - however, the entries in the header are different.

Left: Header data of the non-filtered mail / Right: Header data of the mail classified as junk

1.
19577-4.png

2.
19578-1.png

3.
19695-2.png

4.
19675-3.png

My first impression: Especially the first two points looking suspicious. Why were the entries "X-MS-Exchange-ATPSafeLinks-Stat" and "X-MS-Exchange-ATPSafeLinks-BitVector" deleted or not transferred? Are these missing entries the reason why the first mail was marked as junk?

I am thankful for every feedback.

fommio

Outlook Management
Outlook Management
Outlook: A family of Microsoft email and calendar products.Management: The act or process of organizing, handling, directing or controlling something.
5,038 questions
0 comments
Accepted answer
  1. Andy David - MVP 144.2K Reputation points MVP
    2020-08-22T22:17:22.443+00:00

    Yes, they look good. The PCL means its not likely phishing.
    Here's the thing. Unless the message is on a block list or failed in some other obvious check, you wont know all the time why a message was marked as SPAM.
    It could be a simple as it was the first time a message was sent to your mailbox from that address and Microsoft marked it as SPAM until it learned it wasn't.

    My guess? The first message was a false positive and then it learned it was ok. I always recommend adding the specific sender to the safe sender list in your Outlook client.
    That is the sure way to ensure its not treated as SPAM.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 144.2K Reputation points MVP
    2020-08-22T21:24:57.06+00:00

    Hi @fommio !

    I think what you are seeing is actually pretty normal.

    Its either one of two things:

    1. A mistake by Office365/Outlook.com in marking the first email as junk ( false positive)
      or
    2. It learned that it wasn't junk and the made sure after that to deliver it. ( since you sent it twice)

    is the address you sent from added to your safe sender list? that would be the important thing to do.
    You could also report the first message as not junk.

    I see this happen all the time however. I think its just part of the never-ending anti-spam experience :)

    1 person found this answer helpful.
  2. Andy David - MVP 144.2K Reputation points MVP
    2020-08-22T22:36:10.697+00:00

    If you add to your safe sender list, it will only to your mailbox, yes.
    However, it will also train the Machine AI and help fine tune anti-spam analysis for everyone - at least that's the hope :)

    1 person found this answer helpful.
    0 comments
  3. JeffYang-MSFT 6,241 Reputation points Microsoft Vendor
    2020-08-24T10:06:45.637+00:00

    Agree with what Andy said above, from the perspective of Outlook, add senders to your safe sender list could help could help avoid some unnecessary troubles.

    1 person found this answer helpful.
    0 comments