Outlook on the web: Received two identical mail messages - one classified as spam, the other not


Hey Community!

 

Today I have sent myself two mail messages with the same content from my personal mail account (ProtonMail with a custom domain and activated functions SPF, DKIM & DMARC) to my @outlook.de address. The configuration of SPF & DMARC looks like this:

 

SPF:

v=spf1 include:_spf.protonmail.ch mx ~all

 

DMARC:

v=DMARC1; p=quarantine; rua=mailto:xxx@xxx.xxx; pct=100; aspf=s; adkim=s

 

The first one landed in the junk folder. The second (around 4 minutes later) in the inbox. I'm now trying to find out why this is so but have some difficulty in correctly interpreting some of the header data when investigating it. At least I have noticed some things that are likely to be relevant information. I used the comparison feature of Notepad++ for this:

 

  1. All mail authentication techniques (SPF, DKIM & DMARC) were transmitted and recognized correctly.
  2. The mail message classified as junk by Outlook on the web is missing the entries "X-MS-Exchange-ATPSafeLinks-Stat" and "X-MS-Exchange-ATPSafeLinks-BitVector".
  3. Right after the entry "X-Microsoft-Antispam-Mailbox-Delivery" the expression "OFR:SpamFilterAuthJ" exists in the junk mail header but is missing in the other mail.
  4. Both messages were sent as "text only" mails - however, the entries in the header are different.

 

Left: Header data of the non-filtered mail / Right: Header data of the mail classified as junk

 

1. [Screenshot: 4.png]

2. [Screenshot: 1.png]

3. [Screenshot: 2.png]

4. [Screenshot: 3.png]

 

My first impression: Especially the first two points look suspicious. Why were the entries "X-MS-Exchange-ATPSafeLinks-Stat" and "X-MS-Exchange-ATPSafeLinks-BitVector" deleted or not transferred?

 

I am thankful for any feedback.

 

Greetings from Germany,

 

fommio

0 Replies
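
The header comparison described in the post can be scripted instead of diffed by eye; the following is an added example, not part of the original post. The two sample messages are constructed: only the header names and the `OFR:SpamFilterAuthJ` token come from the post, while the `key:value;` layout of the delivery header, the `dest` values and the `example.org` domain are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers (not the poster's real data).
AUTH = ("Authentication-Results: spf=pass smtp.mailfrom=example.org; "
        "dkim=pass header.d=example.org; dmarc=pass header.from=example.org\n")
INBOX_MSG = (AUTH +
    "X-MS-Exchange-ATPSafeLinks-Stat: 0\n"
    "X-MS-Exchange-ATPSafeLinks-BitVector: 0\n"
    "X-Microsoft-Antispam-Mailbox-Delivery: auth:1;dest:I;\n"
    "Subject: test\n\nbody\n")
JUNK_MSG = (AUTH +
    "X-Microsoft-Antispam-Mailbox-Delivery: auth:1;dest:J;OFR:SpamFilterAuthJ;\n"
    "Subject: test\n\nbody\n")

DELIVERY = "X-Microsoft-Antispam-Mailbox-Delivery"

def auth_verdicts(msg):
    """Extract spf/dkim/dmarc results from every Authentication-Results header."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))

def delivery_fields(msg):
    """Split the delivery header into {key: value}; assumes 'key:value;' pairs."""
    raw = " ".join(msg.get(DELIVERY, "").split())  # undo header folding
    fields = {}
    for part in raw.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key] = value
    return fields

def compare(a_text, b_text):
    """Report header names unique to each message and differing delivery fields."""
    a, b = message_from_string(a_text), message_from_string(b_text)
    names_a = {k.lower() for k in a.keys()}
    names_b = {k.lower() for k in b.keys()}
    fa, fb = delivery_fields(a), delivery_fields(b)
    diff = {k: (fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
    return {"only_in_a": sorted(names_a - names_b),
            "only_in_b": sorted(names_b - names_a),
            "auth": (auth_verdicts(a), auth_verdicts(b)),
            "delivery_diff": diff}

if __name__ == "__main__":
    for key, value in compare(INBOX_MSG, JUNK_MSG).items():
        print(key, "=>", value)
```
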