Forum Discussion

Harald Bacik's avatar
Harald Bacik
Copper Contributor
Dec 08, 2017
Solved

External software sends email and is marked as outgoing SPAM

Hey everybody!   We use an external software to send emails. All these emails get marked as outgoing SPAM. How can I avoid this? We use SMTP Sending with TLS activated. And it only happen...
office 365
EDIT Support's avatar
EDIT Support
Brass Contributor
Dec 08, 2017

It shouldn't make any difference if you have configured an application to send using SMTP client submission (recommended option here - https://support.office.com/en-gb/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4)

 

Inspect the header of an email marked as SPAM, that might give you an idea. I assume you have SPF records configured correctly.

  • Nestori Syynimaa's avatar
    Nestori Syynimaa
    MVP
    Dec 08, 2017
    I agree, when using SMTP client submission, the external software connects to Office 365 and sends email as any other user.

    However, Harald mentioned that this only happens with a shared mailbox. When you're using a shared mailbox to send email, the user who sends the email needs a mailbox (i.e. license). But this shouldn't cause that either.

    So Harald: check the headers of your email as there has to be something wrong with the content.
    • Harald Bacik's avatar
      Harald Bacik
      Copper Contributor
      Dec 08, 2017

      Okay.

      I checked the header with an analyzer tool and this is the information:

       

       1. Entry (line 5):
            Original line: from ERWINROTHER-PC (91.112.208.185) by AM0PR0602MB3427.eurprd06.prod.outlook.com (2603:10a6:208:21::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.5; Thu, 7 Dec 2017 14:24:00 +0000
            Sender:        91.112.208.185
            Sender (IP):   2603:10a6:208:21::29
            Sender (from): ERWINROTHER-PC
            Received from: AM0PR0602MB3427.eurprd06.prod.outlook.com
            Received time: 07.12.2017 14:24:00 (UTC)
            Duration:      00:00:13
            Analysis:
              The sender host name is possible forged.
                The host name in "from" (ERWINROTHER-PC) does not match the client host name (91.112.208.185).
              The domain names does not match.
                The recipient domain of this entry (outlook.com) should be
                the sender domain of the next entry (154.175).
                This is often due to an IP address change, such as network address translation (NAT) of a private IP address to a public one.

         2. Entry (line 4):
            Original line: from EUR01-DB5-obe.outbound.protection.outlook.com (213.199.154.175) by HE1EUR02FT049.mail.protection.outlook.com (10.152.11.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.282.5 via Frontend Transport; Thu, 7 Dec 2017 14:24:13 +0000
            Sender:        213.199.154.175
            Sender (IP):   10.152.11.8
            Sender (from): EUR01-DB5-obe.outbound.protection.outlook.com
            Received from: HE1EUR02FT049.mail.protection.outlook.com
            Received time: 07.12.2017 14:24:13 (UTC)
            Duration:      00:00:00
            Analysis:
              The IP address of the sender is not a public IP address.
              The sender and/or the recipient seems to be from a non-public network.
              The sender host name is possible forged.
                The host name in "from" (EUR01-DB5-obe.outbound.protection.outlook.com) does not match the client host name (213.199.154.175).
              There are no host or domain names available for a comparison.

         3. Entry (line 3):
            Original line: from HE1EUR02FT049.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e05::203) by DB6PR07CA0190.outlook.office365.com (2603:10a6:6:42::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.323.4 via Frontend Transport; Thu, 7 Dec 2017 14:24:13 +0000
            Sender:        2a01:111:f400:7e05::203
            Sender (IP):   2603:10a6:6:42::20
            Sender (from): HE1EUR02FT049.eop-EUR02.prod.protection.outlook.com
            Received from: DB6PR07CA0190.outlook.office365.com
            Received time: 07.12.2017 14:24:13 (UTC)
            Duration:      00:00:01
            Analysis:
              The sender host name is possible forged.
                The host name in "from" (HE1EUR02FT049.eop-EUR02.prod.protection.outlook.com) does not match the client host name (2a01:111:f400:7e05::203).
              There are no host or domain names available for a comparison.

         4. Entry (line 2):
            Original line: from DB6PR07CA0190.eurprd07.prod.outlook.com (2603:10a6:6:42::20) by AM5PR0701MB2737.eurprd07.prod.outlook.com (2603:10a6:203:76::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.3; Thu, 7 Dec 2017 14:24:14 +0000
            Sender:        2603:10a6:6:42::20
            Sender (IP):   2603:10a6:203:76::11
            Sender (from): DB6PR07CA0190.eurprd07.prod.outlook.com
            Received from: AM5PR0701MB2737.eurprd07.prod.outlook.com
            Received time: 07.12.2017 14:24:14 (UTC)
            Duration:      00:00:00
            Analysis:
              The sender host name is possible forged.
                The host name in "from" (DB6PR07CA0190.eurprd07.prod.outlook.com) does not match the client host name (2603:10a6:6:42::20).
              The domain names does not match.
                The recipient domain of this entry (outlook.com) should be
                the sender domain of the next entry (93.139).
                This is often due to an IP address change, such as network address translation (NAT) of a private IP address to a public one.

         5. Entry (line 1):
            Original line: from AM5PR0701MB2737.eurprd07.prod.outlook.com (10.173.93.139) by VI1PR0701MB2750.eurprd07.prod.outlook.com (10.173.80.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.282.3 via Mailbox Transport; Thu, 7 Dec 2017 14:24:14 +0000
            Sender:        10.173.93.139
            Sender (IP):   10.173.80.150
            Sender (from): AM5PR0701MB2737.eurprd07.prod.outlook.com
            Received from: VI1PR0701MB2750.eurprd07.prod.outlook.com
            Received time: 07.12.2017 14:24:14 (UTC)
            Duration:      ---
            Analysis:
              This entry was added by the recipients mail server.
              The IP address of the sender is not a public IP address.
              The sender and/or the recipient seems to be from a non-public network.
              The sender host name is possible forged.
                The host name in "from" (AM5PR0701MB2737.eurprd07.prod.outlook.com) does not match the client host name (10.173.93.139).

       

  • Harald Bacik's avatar
    Harald Bacik
    Copper Contributor
    Dec 08, 2017

    SPF is set correct

     

    "v=spf1 include:spf.protection.outlook.com -all"

     

    As I can see ;)

    • Crimson Castellon's avatar
      Crimson Castellon
      Copper Contributor
      Dec 08, 2017
      Are you using SMTP client submission or SMTP Relay with IP-based connector? If it's the latter, may need to update your SPF with your 3rd party's public IP address.