Investigating "false positives" with inbound email being marked as spam (SFS codes)


Hi folks,

 

I have a 3rd party email server on a clean IP address that's having problems sending emails into large organisations run by the UK government - i.e., the National Health Service (@nhs.net) and local schools (@xyz.hants.sch.uk). Emails to smaller public businesses using 365 seem to be arriving clean, while the government ones end up in spam.

 

The outbound server has a valid SPF, DKIM and DMARC policy. 365 Tech Support have found nothing wrong with the inbound emails, but they are unable to investigate the government email accounts :( Unfortunately, trying to escalate via the government or Accenture (their sub-contractor) has proven impossible as nobody knows the name of anyone or how to contact them!

 

The email headers of the spammed emails show good SPF and DKIM, but go on to state that Forefront-Antispam has marked it as SCL:5 with SFS codes: (6666004)(7636003)(83380400001)(6266002)(7596003)(2616005)(26005)(7116003)(336012)(86362001)(8676002)(6916009)(1096003)(356005)(1420700001)(5660300002)(15974865002)(53546011)(44736005)(36756003)(956004)(9326002)(166002) - clearly understanding these codes is key, but nobody knows what they mean.

 

Has anyone got any suggestions? Email contents are relating to children's health and care, so important and clearly not spam.

 

Chat soon.

 

X-Forefront-Antispam-Report:
CIP:216.172.106.35;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail605a.mxthunder.net;PTR:mail605a.mxthunder.net;CAT:SPM;SFS:(6666004)(7636003)(83380400001)(6266002)(7596003)(2616005)(26005)(7116003)(336012)(86362001)(8676002)(6916009)(1096003)(356005)(1420700001)(5660300002)(15974865002)(53546011)(44736005)(36756003)(956004)(9326002)(166002);DIR:INB;
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506458)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
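
A way to read the X-Forefront-Antispam-Report header quoted in the post above, as an added example that is not part of the original post or of any Microsoft tooling. The function names `parse_report` and `summarize` are hypothetical; the field meanings in the lookup tables are the ones given in Microsoft's public anti-spam message header documentation, and the SFS IDs are only split out, not interpreted.

```python
import re

# Header value from the post above; the SFS list is cut to three codes for brevity.
SAMPLE = (
    "CIP:216.172.106.35;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:mail605a.mxthunder.net;PTR:mail605a.mxthunder.net;CAT:SPM;"
    "SFS:(6666004)(7636003)(83380400001);DIR:INB;"
)

# Documented meanings for a subset of values; anything else is reported raw.
SCL = {-1: "filtering skipped", 0: "not spam", 1: "not spam",
       5: "spam", 6: "spam", 9: "high confidence spam"}
SFV = {"SPM": "marked as spam by spam filtering",
       "NSPM": "marked as not spam by spam filtering"}
IPV = {"NLI": "IP not found on any IP reputation list",
       "CAL": "IP is in the IP Allow List, filtering skipped"}


def parse_report(value):
    """Split 'KEY:value;KEY:value;' into a dict, tolerating folded header lines."""
    fields = {}
    for part in re.sub(r"[\r\n]+[ \t]*", "", value).split(";"):
        key, sep, val = part.strip().partition(":")  # first ':' only (IPv6 CIP)
        if sep:
            fields[key.upper()] = val.strip()
    # SFS is a run of parenthesised numeric IDs; split them, do not interpret them.
    fields["SFS"] = re.findall(r"\((\d+)\)", fields.get("SFS", ""))
    return fields


def summarize(value):
    """Return the documented verdict fields in readable form."""
    f = parse_report(value)
    scl = int(f["SCL"]) if re.fullmatch(r"-?\d+", f.get("SCL", "")) else None
    return {
        "source_ip": f.get("CIP"),
        "scl": scl,
        "scl_meaning": SCL.get(scl, "not listed here"),
        "filter_verdict": SFV.get(f.get("SFV"), f.get("SFV")),
        "ip_reputation": IPV.get(f.get("IPV"), f.get("IPV")),
        "sfs_ids": f["SFS"],
    }


if __name__ == "__main__":
    for name, val in summarize(SAMPLE).items():
        print(f"{name:15} {val}")
```

For the header above this reports the sending IP as not found on any IP reputation list, while spam filtering marked the message as spam at SCL 5.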

 

1 Reply
Our organization is also experiencing the same exact issues with legitimate / wanted emails that our clients are expecting. These emails are being quarantined / sent to spam, or even rejected in some cases, specifically by Microsoft 365 / Outlook receiving servers.

We've been thoroughly testing and it appears to be specific to our domain and not related to our email sending platforms or IPs. This issue has been persisting across our entire organization for the last 6 weeks. Our DKIM / SPF records are all set up correctly. We're using Dmarcian and HetrixTools to monitor / confirm our DNS settings. And we've also had two email deliverability consultants check our domain settings and confirm that they believe this is an internal false flag on Microsoft's side.

After speaking with numerous Microsoft support staff, we've finally made contact with an escalation team and have provided them with email samples of quarantined / rejected emails, which are all wanted by our clients. This issue is severely impacting our business, as our clients are unable to receive emails / work product for which they have already paid.

I'm hoping that someone from Microsoft's Team can kindly escalate this issue and advise us on next steps to delist our domain from their internal blacklists.