Forum Discussion

greenwood-IT's avatar
greenwood-IT
Copper Contributor
Dec 06, 2021

Investigating "false positives" with inbound email being marked as spam (SFS codes)

Hi folks,

 

I have a 3rd party email server on a clean IP address that's having problems sending emails into large organisations run by the UK government - ie, the National Health Service (@nhs.net) and local schools (@xyz.hants.sch.uk). Emails to smaller public businesses using 365 seem to be arriving clean, while the government ones end up in spam.

 

The outbound server has a valid SPF, DKIM and DMARC policy. 365 Tech Support have found nothing wrong with the inbound emails, but they are unable to investigate the government email accounts 😞 Unfortunately trying to escalate via the government or accenture (their sub-contractor) has proven impossible as nobody knows the name of anyone or how to contact them!

 

The email headers of the spammed emails shows good SPF and DKIM, but goes on to state that Forefront-Antispam has marked it as SCL:5 with SFS codes; (6666004)(7636003)(83380400001)(6266002)(7596003)(2616005)(26005)(7116003)(336012)(86362001)(8676002)(6916009)(1096003)(356005)(1420700001)(5660300002)(15974865002)(53546011)(44736005)(36756003)(956004)(9326002)(166002) - clearly understanding these codes is key, but nobody knowns what they mean.

 

Has anyone got any suggestions? Email contents are relating to children's health and care, so important and clearly not spam.

 

Chat soon.

 

X-Forefront-Antispam-Report:
CIP:216.172.106.35;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail605a.mxthunder.net;PTR:mail605a.mxthunder.net;CAT:SPM;SFS:(6666004)(7636003)(83380400001)(6266002)(7596003)(2616005)(26005)(7116003)(336012)(86362001)(8676002)(6916009)(1096003)(356005)(1420700001)(5660300002)(15974865002)(53546011)(44736005)(36756003)(956004)(9326002)(166002);DIR:INB;
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506458)(944626604)(920097)(930097)(3100021);RF:JunkEmail;

 

  • ExpertInstitute's avatar
    ExpertInstitute
    Copper Contributor
    Our organization is also experiencing the same exact issues with legitimate / wanted emails that our clients are expecting. These emails are being quarantined / sent to spam, or even rejected in some cases, specifically by Microsoft 365 / Outlook receiving servers.

    We've been thoroughly testing and it appears to be specific to our domain and not related to our email sending platforms or IPs. This issue has been persisting across our entire organization for the last 6 weeks. Our DKIM / SPF records are all setup correctly. We're using Dmarcian, HetrixTools to monitor / confirm our DNS settings. And we've also had two email deliverability consultants check our domain settings and confirm that they believe this is an internal false flag on Microsoft's side.

    After speaking with numerous Microsoft support staff, we've finally made contact with an escalation team and have provided them with email samples of quarantined / rejected emails, which are all wanted by our clients. This issue is severely impacting our business, as our clients are unable to receive emails / work product for which they have already paid.

    I'm hoping that someone from Microsoft's Team can kindly escalate this issue and advise us on next steps to delist our domain from their internal blacklists.

Resources