Examine message headers and spam confidence levels
Exchange uses several anti-spam technologies to minimize incoming spam messages. Exchange scans incoming messages and stores the results in the anti-spam message headers that are part of every SMTP message. It also saves the Spam Confidence Level (SCL) in one of the message headers. The SCL indicates the likelihood that the message is spam.
Anti-spam message headers
When an inbound email message is scanned, the X-Forefront-Antispam-Report header is inserted into the message. The fields in this header can help provide administrators with information about the message and about how it was processed, and it contains entries such as the SCL for the message.
The fields in the X-Microsoft-Antispam header also provide information about bulk mail. Exchange Online Protection also inserts email authentication results for each message it processes in the Authentication-Results header.
You can view the headers in a message by using any text editor, such as Notepad, or by using the Message Header Analyzer in the Microsoft Remote Connectivity Analyzer.
Note
Text editors such as Notepad only display the raw header. However, the Message Header Analyzer analyzes the raw data and displays it in a more user-friendly format.
The X-Forefront-Antispam-Report message header can contain the following entries:
Field | Description |
---|---|
ARC | The ARC protocol has the following fields: |
CAT: | The category of protection policy, applied to the message: An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. |
CIP:[IP address] | The connecting IP address. You can use this IP address in the IP allowlist or the IP blocklist. |
CTRY | The source country/region as determined by the connecting IP address, which may not be the same as the originating sending IP address. |
H:[helostring] | The HELO or EHLO string of the connecting email server. |
IPV:CAL | The message skipped spam filtering because the source IP address was in the IP allowlist. |
IPV:NLI | The IP address wasn't found on any IP reputation list. |
LANG | The language in which the message was written, as specified by the country code (for example, ru_RU for Russian). |
PTR:[ReverseDNS] | The PTR record (also known as the reverse DNS lookup) of the source IP address. |
SCL | The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. |
SFTY | The message was identified as phishing and will also be marked with one of the following values: |
SFV:BLK | Filtering was skipped and the message was blocked because it was sent from an address in a user's Blocked Senders list. |
SFV:NSPM | Spam filtering marked the message as non-spam and the message was sent to the intended recipients. |
SFV:SFE | Filtering was skipped and the message was allowed because it was sent from an address in a user's Safe Senders list. |
SFV:SKA | The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy. |
SFV:SKB | The message was marked as spam because it matched a sender in the blocked senders list or blocked domains list in an anti-spam policy. |
SFV:SKI | Similar to SFV:SKN, the message skipped spam filtering for another reason (for example, an intra-organizational email within a tenant). |
SFV:SKN | The message was marked as non-spam prior to being processed by spam filtering. For example, the message was marked as SCL -1 or Bypass spam filtering by a mail flow rule. |
SFV:SKQ | The message was released from the quarantine and was sent to the intended recipients. |
SFV:SKS | The message was marked as spam prior to being processed by spam filtering. For example, the message was marked as SCL 5 to 9 by a mail flow rule. |
SFV:SPM | The message was marked as spam by spam filtering. |
SRV:BULK | The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold. When the MarkAsSpamBulkMail parameter is On (it's on by default), a bulk email message is marked as spam (SCL 6). |
X-CustomSpam: [ASFOption] | The message matched an Advanced Spam Filter (ASF) setting. |
The X-Microsoft-Antispam message header contains the following useful field:
- Bulk Complaint Level (BCL). The BCL indicates the likelihood that a message is bulk email. A BCL of 0 indicates the message isn't from a bulk sender, while a BCL of 9 indicates the message is from a bulk sender who has generated many complaints.
Note
The remaining fields in the X-Microsoft-Antispam message header are used exclusively by the Microsoft anti-spam team for diagnostic purposes.
Spam confidence levels (SCL)
As incoming messages go through spam filtering, they're assigned a spam score in the X-Forefront-Antispam-Report header. This score maps to an SCL, as recorded in the X-header.
SCL | Definition | Default action |
---|---|---|
-1 | The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP allowlist. | Deliver the message to the recipients' inbox. |
0, 1 | Spam filtering determined the message wasn't spam. | Deliver the message to the recipients' inbox. |
5, 6 | Spam filtering marked the message as Spam | Deliver the message to the recipients' Junk Email folder. |
8, 9 | Spam filtering marked the message as High confidence spam | Deliver the message to the recipients' Junk Email folder. |
Note
SCL levels 2, 3, 4, and 7 aren't used by spam filtering.
You can use spam filtering policies to specify what happens with high confidence spam. For example, the message can be deleted rather than being sent to junk mail. You can also set SCL conditions in transport rules.
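The following added example (not part of the original page or of any Microsoft tooling) parses the two headers described above from a raw message and reports the SCL, the BCL, the default action from the SCL table, and any field showing that spam filtering was skipped, which helps when reviewing what allowlist entries let through. It assumes the fields are written as `KEY:value` pairs separated by semicolons; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string

# SCL -> default action, copied from the SCL table on this page.
SCL_ACTIONS = {-1: "inbox (skipped spam filtering)", 0: "inbox", 1: "inbox",
               5: "junk (spam)", 6: "junk (spam)",
               8: "junk (high confidence spam)", 9: "junk (high confidence spam)"}
# Field values from the table above that mean filtering was skipped and the message allowed.
BYPASS = {("SFV", "SFE"), ("SFV", "SKA"), ("SFV", "SKI"), ("SFV", "SKN"), ("IPV", "CAL")}

def parse_fields(value):
    """Split a 'KEY:value;KEY:value;' header body into a dict (separator is an assumption)."""
    fields = {}
    for part in "".join(value.splitlines()).split(";"):  # undo header folding first
        key, sep, val = part.strip().partition(":")      # first ':' only, so an IPv6 CIP survives
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def to_int(text):
    """Return text as an int, or None when the field is missing or malformed."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None

def triage(raw_message):
    """Summarise the anti-spam verdict recorded in a raw message's headers."""
    msg = message_from_string(raw_message)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report", ""))
    bulk = parse_fields(msg.get("X-Microsoft-Antispam", ""))
    scl = to_int(report.get("SCL"))
    return {
        "cip": report.get("CIP"),
        "scl": scl,
        "bcl": to_int(bulk.get("BCL")),
        "action": SCL_ACTIONS.get(scl, "unknown (SCL missing or unused value)"),
        "bypassed_by": sorted(f"{k}:{v}" for k, v in BYPASS if report.get(k) == v),
    }

# Constructed sample headers (documentation IP range and example domains).
SAMPLE = (
    "X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:-1;\n"
    " IPV:NLI;SFV:SKA;H:mail.example.net;PTR:mail.example.net;\n"
    "X-Microsoft-Antispam: BCL:7;\n"
    "Subject: Quarterly offer\n\nbody\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the sample, the message reached the Inbox with SCL -1 because of an allowed-sender entry (SFV:SKA) even though its BCL is 7, which is the kind of combination worth checking against the anti-spam policy's allow lists.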
Further reading. For more information, see Anti-spam message headers and Spam confidence level (SCL) in EOP.