Outlook Security Headers

%3CLINGO-SUB%20id%3D%22lingo-sub-1007297%22%20slang%3D%22en-US%22%3EOutlook%20Security%20Headers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1007297%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20wondering%20how%20to%20tell%20if%20an%20IP%20address%20has%20been%20effectively%20whitelisted%20so%20it%20is%20not%20passed%20through%20any%20spam%20filtering.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEmails%20received%20via%20our%20outlook%20server%20are%20reported%20to%20have%20been%20receiving%20automated%20opens%20and%20clicks%20when%20sent%20for%20a%20specific%20IP%20(Which%20is%20also%20used%20by%20our%20company%20but%20is%20external%20marketing%20tool)%20and%20we%20are%20wondering%20if%20it%20is%20caused%20by%20a%20spam%20filter.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20read%20the%20header%20definitions%20in%20this%20doc%20-%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fanti-spam-message-headers%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fanti-spam-message-headers%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%20what%20is%20the%20difference%20between%20IPV%3ACAL%20vs%20SFV%3ASKN%3F%20I%20am%20getting%20the%20below%20results%3C%2FP%3E%3CP%3EIPV%3ANLI%3BCTRY%3AUS%3BEFV%3ANLI%3BSFV%3ASKN%3BSFS%3A%3BDIR%3AINB%3BSFP%3A%3BSCL%3A-1%3BSRVR%3ABY5PR19MB3587.%3CBR%20%2F%3E%3CBR%20%2F%3EDoes%20IPV%3ANLI%20mean%20that%20it%20is%20still%20getting%20scanned%20at%20some%20point%20event%20though%20I%20also%20get%20SFV%3ASKN%3F%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20help%20would%20be%20appreciated.%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1007297%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAdmin%20center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Administration%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1007622%22%20slang%3D%22en-US%22%3ERe%3A%20Outlook%20Security%20Headers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1007622%22%20slang%3D%22en-US%22%3E%3CP%3EThose%20refer%20to%20different%20policies%2Fdifferent%20scanning%20components.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIPV%20refers%20to%20the%20external%20IP%20reputation%20services%20(external%20spamlists)%2C%20in%20this%20case%20IPV%3ANLI%20means%20that%20the%20IP%20was%20not%20found%20in%20any%20of%20the%20external%20lists.%20IPV%3ACAL%20would%20mean%20that%20the%20address%20was%20allowed%20because%20you%20explicitly%20added%20it%20to%20a%20safe%20sender%20policy%20in%20the%20connection%20filter%2C%20regardless%20of%20the%20reputation%20from%20external%20sources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESFV%20refers%20to%20processing%20by%20the%20Content%20filters%20defined%20for%20your%20tenant.%20In%20this%20case%2C%20SFV%3ASKN%20means%20you%20have%20added%20an%20exception%20in%20your%20content%20filter.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20yes%2C%20IPV%3ANLI%20means%20it%20still%20gets%20scanned%20by%20all%20other%20components.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Hello,

 

I am wondering how to tell if an IP address has been effectively whitelisted so it is not passed through any spam filtering.

 

Emails received via our outlook server are reported to have been receiving automated opens and clicks when sent for a specific IP (Which is also used by our company but is external marketing tool) and we are wondering if it is caused by a spam filter.

 

I have read the header definitions in this doc -
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-header....

 

My question is what is the difference between IPV:CAL vs SFV:SKN? I am getting the below results

IPV:NLI;CTRY:US;EFV:NLI;SFV:SKN;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:BY5PR19MB3587.

Does IPV:NLI mean that it is still getting scanned at some point event though I also get SFV:SKN?

Any help would be appreciated.

Thank you

1 Reply
Highlighted

Those refer to different policies/different scanning components.

 

IPV refers to the external IP reputation services (external spamlists), in this case IPV:NLI means that the IP was not found in any of the external lists. IPV:CAL would mean that the address was allowed because you explicitly added it to a safe sender policy in the connection filter, regardless of the reputation from external sources.

 

SFV refers to processing by the Content filters defined for your tenant. In this case, SFV:SKN means you have added an exception in your content filter.

 

And yes, IPV:NLI means it still gets scanned by all other components.