Forum Discussion

BochulainCV's avatar
BochulainCV
Copper Contributor
Jan 18, 2024

Meaning of 365 Mail Security's "SFS" Header Field

I've seen quite a few threads in various forums with this question. I'm trying to troubleshoot a message that was quarantined. The provided information doesn't contain any justification for the spam...
Exchange Online Protection
security
BochulainCV's avatar
BochulainCV
Copper Contributor
Jan 30, 2024
I'm going to move on at this point because we disabled/bypassed the Exchange Online filter and sold the client on a better spam filtering option, but it's really suspicious that this "SFS" thing is so clandestine. I can't think of how it benefits Microsoft to hide the info, but hey guys, you do you.
logphil3's avatar
logphil3
Copper Contributor
Jan 30, 2024

BochulainCV 

 

I believe you are correct and the message was quarantined because it matched spam rules. Deep in the Exchange Online documentation, regarding https://learn.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/run-a-message-trace-and-view-results, the SFS field is mentioned. The SFS field is an entry from the Spam Filter Agent (S:SFA). 

SFS=[a] This denotes that spam rules were matched.
SFS=[b]

It looks like you worked around the issue and moved on. If you are curious, here is the https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide about quarantined emails, retention, policies, etc.  The Spam Confidence Level (SCL) are discussed https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about?view=o365-worldwide  and can be adjusted to reduce false positives.

Best of luck!

Resources