BochulainCV
Jan 18, 2024 | Copper Contributor
Meaning of 365 Mail Security's "SFS" Header Field
I've seen quite a few threads in various forums with this question. I'm trying to troubleshoot a message that was quarantined. The provided information doesn't contain any justification for the spam...
BochulainCV
Jan 30, 2024 | Copper Contributor
I'm going to move on at this point because we disabled/bypassed the Exchange Online filter and sold the client on a better spam filtering option, but it's really suspicious that this "SFS" thing is so clandestine. I can't think of how it benefits Microsoft to hide the info, but hey guys, you do you.
logphil3
Jan 30, 2024 | Copper Contributor
I believe you are correct and the message was quarantined because it matched spam rules. Deep in the Exchange Online documentation, regarding message tracing, the SFS field is mentioned. The SFS field is an entry from the Spam Filter Agent (S:SFA).
SFS=[a] This denotes that spam rules were matched.
SFS=[b]
It looks like you worked around the issue and moved on. If you are curious, here is the documentation about quarantined emails, retention, policies, etc. The Spam Confidence Level (SCL) is discussed here and can be adjusted to reduce false positives.
Best of luck!