Forum Discussion
Outgoing emails marked as SPAM and Phishing emails by O365 servers
- Apr 12, 2019
You might want to read the following article on the "health" tab in the office portal...
The issue seems quite strange. How did you know that MS Outbound servers are marking your emails as Spam? Secondly, I hope your domain is still able to send emails to other domains. If yes, could you share a message header so that I can analyze it?
- ALV_Work Apr 10, 2019 Copper Contributor
Hi Rnishat0786,
We have edited the default Outgoing Spam rule to copy messages flagged as spam to one of our internal email addresses. I have pasted the header from one such email (apparently we receive almost every outgoing email now) as requested. As you will notice, the Spam Confidence Level is set to 5 by Microsoft and the Phishing Level to 8 for this outgoing email from Office365. We do even have 2FA enabled for most users and never had any issue till yesterday.
Received: from AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:208:aa::49) by AM0PR0602MB3585.eurprd06.prod.outlook.com with
HTTPS via AM0PR06CA0072.EURPRD06.PROD.OUTLOOK.COM; Wed, 10 Apr 2019 17:13:40
+0000
Received: from VI1PR0601CA0005.eurprd06.prod.outlook.com
(2603:10a6:800:1e::15) by AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:209:e::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.19; Wed, 10 Apr
2019 17:13:39 +0000
Received: from VE1EUR01FT025.eop-EUR01.prod.protection.outlook.com
(2a01:111:f400:7e01::209) by VI1PR0601CA0005.outlook.office365.com
(2603:10a6:800:1e::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1792.14 via Frontend
Transport; Wed, 10 Apr 2019 17:13:39 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (52.101.129.90)
by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
Received: from DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
(10.152.4.56) by DB5EUR01TH003.eop-EUR01.prod.protection.outlook.com
(10.152.4.138) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Wed, 10 Apr
2019 17:10:53 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (52.101.131.59)
by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
Authentication-Results: spf=none (sender IP is )
smtp.mailfrom=anna.mandia@gmsuae.com;
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com (52.133.46.17) by
AM0PR0602MB3523.eurprd06.prod.outlook.com (52.133.49.30) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1792.14; Wed, 10 Apr 2019 17:10:45 +0000
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944]) by AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944%6]) with mapi id 15.20.1771.014; Wed, 10 Apr 2019
17:10:44 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Anna Mandia <anna.mandia@gmsuae.com>
To: Calum Berkley <calumberkley@aol.com>, "reservations@milansuites.com.sa"
<reservations@milansuites.com.sa>, "ayman@milansuites.com.sa"
<ayman@milansuites.com.sa>, IBIS Abu Dhabi Gate FO3 <H6949-FO3@accor.com>,
NOVOTEL Abu Dhabi Gate RE1 <H6948-RE1@accor.com>
CC: Paula Cercel <paula.cercel@gmsuae.com>, William Escondo
<william.escondo@gmsuae.com>, Amit Dagar <amit.dagar@gmsuae.com>
Subject: FW: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Topic: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Index: AQHU7g3sNf9KY9rzwEKdxrIlBbZyQaYySW2+gAAUiICAAtK0IA==
Date: Wed, 10 Apr 2019 17:10:44 +0000
Message-ID: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
References: <AM0PR0602MB35549FA31C962DC1097B472A9D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
<AM0PR0602MB3554B2DF88EFB2AD15FCC0699D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
<46AED3F05A1011E9B957005056BF25F3@focalscope.com>
In-Reply-To: <46AED3F05A1011E9B957005056BF25F3@focalscope.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: 5
X-MS-TNEF-Correlator: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: AM0PR0602MB3554.eurprd06.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [217.164.74.77]
X-MS-Exchange-Organization-Network-Message-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
X-MS-PublicTrafficType: Email
Return-Path: anna.mandia@gmsuae.com
X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2019 17:10:45.0518
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(49563074)(7193020);SRVR:AM0PR0602MB3523;BCL:0;PCL:8;RULEID:(3031054)(100001)(3032054)(3034054);SRVR:DB5EUR01TH003;
X-MS-TrafficTypeDiagnostic:
AM0PR0602MB3523:|AM0PR0602MB3523:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|AM6PR0602MB3589:
X-MS-Exchange-PUrlCount: 3
X-Microsoft-Antispam-PRVS: <AM0PR0602MB352364002DE092CC23D543D69D2E0@AM0PR0602MB3523.eurprd06.prod.outlook.com>
X-Forefront-PRVS: 00032065B2
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003)(39850400004)(396003)(346002)(366004)(376002)(199004)(189003)(9686003)(3846002)(236005)(52536014)(76176011)(4326008)(606006)(66066001)(25786009)(107886003)(102836004)(53546011)(6506007)(26005)(186003)(11346002)(476003)(71190400001)(66574012)(71200400001)(6116002)(790700001)(68736007)(486006)(44832011)(33656002)(5660300002)(5024004)(446003)(14444005)(97736004)(256004)(81156014)(81166006)(2201001)(54906003)(8936002)(8676002)(508600001)(14454004)(110136005)(7696005)(53946003)(2906002)(6306002)(2473003)(413944005)(99286004)(99936001)(316002)(229853002)(74316002)(7736002)(2501003)(105586002)(6436002)(733005)(106356001)(53936002)(55016002)(86362001)(54556002)(54896002)(59010400001);DIR:OUT;SFP:1501;SCL:5;SRVR:AM0PR0602MB3523;H:AM0PR0602MB3554.eurprd06.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
permitted sender hosts)
X-MS-Exchange-Organization-ExpirationInterval: 0:04:00:00.7865921
X-MS-Exchange-Organization-ExpirationIntervalReason: SpamEngine
X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3523
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Organization-ACSExecutionContext: 04/10/2019 17:10:53;04/10/2019
17:13:38;{"SubmissionInfo":{"SubmissionToken":"PFRva2VuIFRva2VuVHlwZT0iU3VibWlzc2lvblRva2VuIiBJZD0iYjAyN2FkZWYtYjM1Yi1lOTExLWIwNzYtOWNkYzcxNTBlYjYyIiBSb2xlPSJTdWJtaXR0ZXIiIEVuZHBvaW50PSJodHRwczovL0hFMVNFVTA0VFAxMDUuZW9wLXNldTA0LnByb2QucHJvdGVjdGlvbi5vdXRsb29rLmNvbS9zb25hcmFwaS8iIFNpZ25hdHVyZT0iRmg4aFlxVGszUkhDTDQ4S0NpK1haNEFWNlRBPSIgLz4","Identity":"9960c8bc-7008-4852-a218-286be1ec6672"}};SC;S;0;04/10/2019
17:13:24;0|0|0|1|;
X-EOPAttributedMessage: 0
X-OriginatorOrg: gmsuae.com
X-MS-Exchange-Organization-SafeAttachmentProcessing:
X-MS-Exchange-Transport-EndToEndLatency: 00:02:55.2749479
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1771.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(706158)(944506303)(944610083);
- Rnishat0786 Apr 10, 2019 Iron Contributor
I noticed in the Message Header -
Received-SPF None (protection.outlook.com: gmsuae.com does not designate permitted sender hosts)
So I would suggest checking if the sender domain is added in the allowed domain settings in Security and Compliance center.
1. Sign in to O365 Admin Portal
2. Navigate to Security & Compliance center > Threat management > Policy.
3. Find Anti-spam, open it. Expand Allow lists. Add the sender’s domain to the Allow domain setting.
- ALV_Work Apr 10, 2019 Copper Contributor
Hi Rnishat0786,
Thanks for the suggestion. We already have the domain added in the Allow list of Anti-Spam policy.
Could it be that the domain is showing as SPF not designated because it is still an internal email within Office365 servers?
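For readers working through the header posted in this thread, the following added example (not written by any of the posters) extracts the verdict fields the discussion refers to: the SCL, the per-server PCL values in X-Microsoft-Antispam, and the SPF result. The sample is a constructed excerpt that reuses values from the posted header with the long RULEID and SFS lists shortened; the function names are illustrative.

```python
from email import message_from_string
from email.policy import default

# Constructed excerpt: values taken from the header posted in the thread,
# with the RULEID and SFS lists shortened.
SAMPLE = """\
X-MS-Exchange-Organization-SCL: 5
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095);SRVR:AM0PR0602MB3523;BCL:0;PCL:8;RULEID:(3031054)(100001);SRVR:DB5EUR01TH003;
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003);DIR:OUT;SFP:1501;SCL:5;SRVR:AM0PR0602MB3523;H:AM0PR0602MB3554.eurprd06.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
 permitted sender hosts)

"""

def pairs(value):
    """Split 'K:V;K:V;' into (key, value) tuples, keeping empty values."""
    out = []
    for item in value.split(";"):
        key, sep, val = item.strip().partition(":")
        if sep:
            out.append((key, val))
    return out

def per_server(value):
    """X-Microsoft-Antispam repeats its fields once per stamping server;
    each group is closed by its SRVR entry."""
    groups, current = [], {}
    for key, val in pairs(value):
        current[key] = val
        if key == "SRVR":
            groups.append(current)
            current = {}
    return groups

def summarize(raw):
    """Return the filtering verdicts carried in a raw header block."""
    msg = message_from_string(raw, policy=default)  # unfolds wrapped lines
    report = dict(pairs(msg.get("X-Forefront-Antispam-Report", "")))
    groups = per_server(msg.get("X-Microsoft-Antispam", ""))
    worst = max(groups, key=lambda g: int(g.get("PCL", 0)), default={})
    return {
        "scl": int(msg.get("X-MS-Exchange-Organization-SCL", -1)),
        "sfv": report.get("SFV"),          # filter verdict, SPM in the sample
        "direction": report.get("DIR"),    # OUT for outbound mail
        "spf": report.get("SPF"),
        "received_spf": (msg.get("Received-SPF") or "").split(" ", 1)[0],
        "max_pcl": int(worst.get("PCL", 0)),
        "pcl_server": worst.get("SRVR"),   # server that stamped that PCL
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the PCL of 8 is attributed to DB5EUR01TH003 while the originating server AM0PR0602MB3523 stamped PCL 0, which shows which hop in the Received chain raised the phishing level.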