Report why the mails were moved to the Junk


In Exchange online some mails are moved to the Junk folder. Can I get a report why the mails were moved to the Junk folder?
I don't like to create large whitelists.

 

Thanks for your help

Stefan

9 Replies

Hi @Stefan Kießig 

 

The message headers on the emails themselves should be able to provide some information on why the email was sent to spam.

 

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-header...

 

 

@Stefan Kießig 

Also you can use https://mha.azurewebsites.net/ to analyze the header and see what's going on.

 

@farismalaeb 

Thanks for the link.
What does the process for working with junk emails look like? After the introduction of Exchange Online, the number of false positives in junk emails is going up.
I can create whitelists and the email/domain bypasses the spam check. But I don't think this is a good idea.

@Stefan Kießig 

Creating a whitelist is not a proper solution, as later on, if this mailbox is infected and starts sending you spam, this spam will go inside your org.

I would recommend reviewing your organization's SCL level.

Use the command Get-OrganizationConfig | select *scl* and check what the number is. The higher the number, the more likely it is that emails are marked as SPAM.

Did you review Protection.microsoft.com?

Review the policy Get-HostedContentFilterPolicy

Also you need to understand that no matter your configuration, you will still have false positives, as sometimes it's not your problem but rather the sender's problem, such as:

- senders are embedding VBS in the email (they don't know)

- the sender has a bad email server configuration (no SPF ...)

- the sender's email has an IFRAME

Try the Report Message Add-in

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/enable-the-report-messag...

 

@farismalaeb 

These are the PowerShell results.

 

PS C:\Users\123456> Get-HostedContentFilterPolicy

Name    SpamAction HighConfidenceSpamAction IsDefault
----    ---------- ------------------------ ---------
Default MoveToJmf  MoveToJmf                True


PS C:\Users\123456> Get-OrganizationConfig | select *scl*

SCLJunkThreshold
----------------
4

 

I could learn a lot from you. Can you recommend me a good book about Exchange online?
Thanks a lot

 

@Stefan Kießig 

Go to Protection.microsoft.com and create a new policy that fits your organization's needs; it seems that you are still using the basic one.

Also, if you can dump one of the email headers from the junk folder here, we might be able to help you find out why the emails are marked as junk. Usually it is due to an increase in the SCL rate, which can be caused by the message content.

An SCL level set to 4 is the default one and seems to be fine.

For the learning, I am just like you: I have a lot to struggle with, googling and reading, usually the Microsoft site. Even though their documentation is a bit boring, it's fine.

 

First I need to read to build a good/better policy.

 

Here is an email header

 

Summary

Subject: Newsletter Oktober 2020

Message Id: <5e4f2c81f89ede179062bbb51.2605fd13e6.20201004092327.22f27f5817.4259941e@mail94.suw111.mcdlv.net>

Creation time: Sun,  4 Oct 2020 09:23:33 +0000

From: Frank Geisler <FGE@sqlpass.de>

Reply to: Frank Geisler <FGE@sqlpass.de>

To: <stefan.kiessig@lll.de>

 

Received

Hop: 1

From: localhost (localhost [127.0.0.1])

By: mail94.suw111.mcdlv.net (Mailchimp)

With: ESMTP

Id: 4C3yvz6n3Cz1wBFnH

For: <stefan.kiessig@lll.de>

Date: 10/4/2020 11:23:43 AM

 

Hop: 2

From: mail94.suw111.mcdlv.net (198.2.185.94)

By: AM5EUR03FT016.mail.protection.outlook.com (10.152.16.142)

With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Id: 15.20.3433.34

Via: Frontend Transport

Date: 10/4/2020 11:23:46 AM

Delay: 3 seconds

Percent: 50

 

Hop: 3

From: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com (2603:10a6:206:14:cafe::d5)

By: AM5PR0301CA0022.outlook.office365.com (2603:10a6:206:14::35)

With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Id: 15.20.3433.36

Via: Frontend Transport

Date: 10/4/2020 11:23:47 AM

Delay: 1 second

Percent: 16.666666666666668

 

Hop: 4

From: AM5PR0301CA0022.eurprd03.prod.outlook.com (2603:10a6:206:14::35)

By: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)

With: Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Id: 15.20.3433.36

Date: 10/4/2020 11:23:47 AM

Delay: 0 seconds

 

Hop: 5

From: AM6PR08MB4198.eurprd08.prod.outlook.com (2603:10a6:20b:a7::32)

By: DBBPR08MB4726.eurprd08.prod.outlook.com

With: HTTPS

Date: 10/4/2020 11:23:49 AM

Delay: 2 seconds

Percent: 33.333333333333336

 

ForefrontAntiSpamReport

Country/Region: US

Language: de

Spam Confidence Level: 5

Spam Filtering Verdict: SPM

IP Filter Verdict: NLI

HELO/EHLO String: mail94.suw111.mcdlv.net

PTR Record: mail94.suw111.mcdlv.net

Connecting IP Address: 198.2.185.94

Protection Policy Category: SPOOF

Spam rules: (4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002)

Source header: CIP:198.2.185.94;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail94.suw111.mcdlv.net;PTR:mail94.suw111.mcdlv.net;CAT:SPOOF;SFS:(4636009)(6666004)(42882007)(7636003)(8676002)(33964004)(7596003)(16799955002)(3450700001)(356005)(5660300002)(7116003)(166002)(15974865002)(83080400001)(9686003)(336012)(76236003)(66574015)(58800400005)(6916009)(19810500001)(16670700002)(26005)(1096003)(83170400001)(7126003)(966005)(83380400001)(70420200002);DIR:INB;

Unknown fields: DIR:INB;

 

AntiSpamReport

Bulk Complaint Level: 0

Source header: BCL:0;

 

Other

Authentication-Results: spf=pass (sender IP is 198.2.185.94) smtp.mailfrom=mail94.suw111.mcdlv.net; lll.de; dkim=pass (signature was verified) header.d=mailchimpapp.net;lll.de; dmarc=none action=none header.from=sqlpass.de;compauth=fail reason=001

Received-SPF: Pass (protection.outlook.com: domain of mail94.suw111.mcdlv.net designates 198.2.185.94 as permitted sender) receiver=protection.outlook.com; client-ip=198.2.185.94; helo=mail94.suw111.mcdlv.net;

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k2; t=1601803423; i=fge=3Dsqlpass.de@mailchimpapp.net; bh=VKtPPqjYq1qddhiT8Pi1rKG2XPmSvzjO2t68d6jJYJw=; h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe: Content-Type:MIME-Version; b=HCm7cw3/meDiLrkthtktvYduDaDbjClPRW2+d/eNaFdjDCqdi1gDkjSymab7xZLp+ QDQENWgA/aCsONFYmOPM+9Wx9O33ZZwY2rlZGjvmVYZUzXOy53o1Kiw32jfNHOMT1e x3sZyQx/grV9olj0EoHBBZKcjR8vJKYdvrCBqF8jN2WyK1OFzH+4XrqmTxCyOS3eAT juoY8SItrg7Y3bxjRTX12R/36u5vmmC51ggssrLQYYoidGAnZW7HCI24weCYm8SCkV uN8tNoeG1u5iUbECoqY0sEi1sesWx+s03DkQhIymUUvKRwoy96vYkya8B3Anf7X/u3 qhtODQuszpOnQ==

X-Mailer: MailChimp Mailer - **CID22f27f58172605fd13e6**

X-Campaign: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817

X-campaignid: mailchimp5e4f2c81f89ede179062bbb51.22f27f5817

X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=5e4f2c81f89ede179062bbb51&id=22f27f5817&e=2605fd13e6

X-MC-User: 5e4f2c81f89ede179062bbb51

Feedback-ID: 41713949:41713949.2063253:us10:mc

List-ID: 5e4f2c81f89ede179062bbb51mc list <5e4f2c81f89ede179062bbb51.309913.list-id.mcsv.net>

X-Accounttype: pd

List-Unsubscribe: <https://sqlpass.us10.list-manage.com/unsubscribe?u=5e4f2c81f89ede179062bbb51&id=9c25e1e776&e=2605fd1...>, <mailto:unsubscribe-mc.us10_5e4f2c81f89ede179062bbb51.22f27f5817-2605fd13e6@mailin.mcsv.net?subject=unsubscribe>

List-Unsubscribe-Post: List-Unsubscribe=One-Click

Content-Type: multipart/alternative; boundary="_----------=_MCPart_876561490"

MIME-Version: 1.0

Return-Path: bounce-mc.us10_41713949.2063253-2605fd13e6@mail94.suw111.mcdlv.net

X-MS-Exchange-Organization-ExpirationStartTime: 04 Oct 2020 09:23:46.9199 (UTC)

X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit

X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000

X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit

X-MS-Exchange-Organization-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2:0

X-MS-Exchange-Organization-MessageDirectionality: Incoming

X-Matching-Connectors: 132462770269308931;(c6818461-f3df-4f51-3041-08d5a06fda1b);()

X-MS-PublicTrafficType: Email

X-MS-Exchange-Organization-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Office365-Filtering-Correlation-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

X-MS-TrafficTypeDiagnostic: AM6PR08MB4198:

X-MS-Exchange-AtpMessageProperties: SA

X-MS-Oob-TLC-OOBClassifiers: OLM:327;

X-MS-Exchange-Organization-SCL: 5

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2020 09:23:46.6903 (UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 5fe4b9d7-915b-4a26-1b30-08d868473253

X-MS-Exchange-CrossTenant-Id: d1794c7e-c5bd-4cb5-97d8-a24c2d32e2e2

X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4198

X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.3220394

X-MS-Exchange-Processed-By-BccFoldering: 15.20.3433.042

X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:1;auth:0;dest:J;ENG:(20160513016)(750128)(520011016)(944506458)(944626604);


 

 

@farismalaeb 

What is your process?

Do the colleagues send you the emails and you analyze the headers? Or is there a better way?

@Stefan Kießig 

What I see in this email header is that the SCL is set to 5 in this message and your setting is 4, causing this message to be spam. The reason behind this is the antispam itself and how it categorizes this message; it seems that this message is from a mailing list, and I guess the score of this email will be increased.

A useful link on how to check the report can be found here.

Check this link:

https://docs.microsoft.com/en-us/exchange/monitoring/use-mail-protection-reports

I would highly recommend going through the Security and Compliance Center and creating a new policy which fits your organization's needs.

 

Hope this helps

-------------------------------

If you find this answer helpful, Please don't forget to click best response and hit the like sign :)
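To put the two pieces of this thread together (the MHA header dump Stefan posted and the "SCL 5 versus threshold 4" reading in the last reply), here is an added example that is not code from the thread, from Microsoft or from the MHA tool. It parses the X-Forefront-Antispam-Report value (the "Source header" line in the dump) and the Authentication-Results header, checks whether the DKIM and SPF domains align with the From domain, and produces a plain list of reasons for the Junk verdict. The sample values are copied from the thread's header dump (the SFS rule list is shortened); the SCL threshold of 4 is the one shown by Get-OrganizationConfig in the thread; the field meanings are taken from Microsoft's anti-spam message header documentation linked earlier in the thread, and the alignment logic is this example's own reading of the compauth result, not a Microsoft API.

```python
"""Explain from its headers why Exchange Online moved a message to Junk.

Added example: parses X-Forefront-Antispam-Report and Authentication-Results
and compares the SCL with the tenant's SCLJunkThreshold.
"""
import re

# Constructed sample values, copied from the header dump in the thread.
# The SFS rule list is shortened to two rule IDs; rule IDs are not interpreted.
SAMPLE_REPORT = (
    "CIP:198.2.185.94;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:mail94.suw111.mcdlv.net;PTR:mail94.suw111.mcdlv.net;CAT:SPOOF;"
    "SFS:(4636009)(6666004);DIR:INB;"
)
SAMPLE_AUTH = (
    "spf=pass (sender IP is 198.2.185.94) smtp.mailfrom=mail94.suw111.mcdlv.net; "
    "lll.de; dkim=pass (signature was verified) header.d=mailchimpapp.net;lll.de; "
    "dmarc=none action=none header.from=sqlpass.de;compauth=fail reason=001"
)
SCL_JUNK_THRESHOLD = 4  # value of SCLJunkThreshold shown in the thread

# Documented meanings (Microsoft anti-spam message header reference); only
# the values needed for this message are listed.
SFV_MEANING = {
    "SPM": "marked as spam by the content filter (SpamAction of the policy applies)",
    "NSPM": "marked as not spam",
    "BLK": "sender is on a user's blocked senders list",
    "SKA": "filtering skipped, sender is on an allow list",
    "SKN": "marked as non-spam before content filtering (e.g. by a mail flow rule)",
}
CAT_MEANING = {
    "SPOOF": "spoof: the From domain is not tied to the sending infrastructure",
    "BULK": "bulk mail (see the BCL value)",
    "PHSH": "phishing",
    "HSPM": "high confidence spam",
    "NONE": "no category",
}
COMPAUTH_REASON = {
    "000": "explicit authentication failed (e.g. DMARC quarantine/reject)",
    "001": "implicit authentication failed: no alignment and no enforcing DMARC policy",
}


def parse_report(value: str) -> dict:
    """Split 'KEY:VAL;KEY:VAL;' into a dict; splitting on the first ':' keeps IPv6 CIPs intact."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if ":" not in part:
            continue
        key, _, val = part.partition(":")
        fields[key] = val
    return fields


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc/compauth results and the domains they were evaluated for."""
    results = {}
    for method in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{method}=(\w+)", value)
        if m:
            results[method] = m.group(1)
    for prop in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(re.escape(prop) + r"=([^;\s]+)", value)
        if m:
            results[prop] = m.group(1)
    m = re.search(r"\breason=(\d+)", value)
    if m:
        results["reason"] = m.group(1)
    return results


def alignment(auth: dict) -> dict:
    """DMARC-style relaxed alignment: domain equals From domain or is a subdomain of it."""
    from_dom = auth.get("header.from", "").lower()

    def aligned(dom):
        dom = (dom or "").lower()
        return bool(from_dom) and (dom == from_dom or dom.endswith("." + from_dom))

    return {
        "dkim_aligned": aligned(auth.get("header.d")),
        "spf_aligned": aligned(auth.get("smtp.mailfrom")),
    }


def explain_junk(report_header: str, auth_header: str,
                 junk_threshold: int = SCL_JUNK_THRESHOLD) -> dict:
    """Return the verdict signals a helpdesk would quote back to the user."""
    rep = parse_report(report_header)
    auth = parse_auth_results(auth_header)
    scl = int(rep.get("SCL", "0"))
    reasons = []
    sfv, cat = rep.get("SFV"), rep.get("CAT")
    if sfv in SFV_MEANING:
        reasons.append(f"SFV:{sfv} -> {SFV_MEANING[sfv]}")
    if cat in CAT_MEANING:
        reasons.append(f"CAT:{cat} -> {CAT_MEANING[cat]}")
    if scl > junk_threshold:
        reasons.append(f"SCL {scl} is above the junk threshold {junk_threshold}")
    al = alignment(auth)
    if auth.get("compauth") == "fail":
        why = COMPAUTH_REASON.get(auth.get("reason", ""), "unknown reason code")
        reasons.append(f"compauth=fail reason={auth.get('reason')} -> {why}")
        if not al["dkim_aligned"]:
            reasons.append(f"DKIM d={auth.get('header.d')} does not align with From {auth.get('header.from')}")
        if not al["spf_aligned"]:
            reasons.append(f"SPF domain {auth.get('smtp.mailfrom')} does not align with From {auth.get('header.from')}")
        if auth.get("dmarc") == "none":
            reasons.append(f"dmarc=none: {auth.get('header.from')} publishes no DMARC policy")
    return {"junk": scl > junk_threshold or sfv == "SPM", "scl": scl,
            "reasons": reasons, "alignment": al}


if __name__ == "__main__":
    for line in explain_junk(SAMPLE_REPORT, SAMPLE_AUTH)["reasons"]:
        print("-", line)
```

For the message in the thread the output lists SFV:SPM, CAT:SPOOF, SCL 5 above the threshold of 4, and a compauth failure because neither the DKIM signing domain (mailchimpapp.net) nor the SPF domain (mail94.suw111.mcdlv.net) aligns with the From domain (sqlpass.de), which publishes no DMARC record. That matches the reply above: the fix is on the sender's side (a DKIM key under the From domain or an aligned return path), not a recipient whitelist.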