Meaning of 365 Mail Security's "SFS" Header Field

Copper Contributor

I've seen quite a few threads in various forums with this question.

I'm trying to troubleshoot a message that was quarantined. The provided information doesn't contain any justification for the spam verdict. There is one field that might have an answer, however I can't find any official documentation on it. That's the SFS field.

This page: 

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/message-headers-eop-mdo...

contains definitions for all of the header fields *except* the SFS field. The SFS field contains nothing but a long list of numerical codes. I'm inclined to think that these codes represent the reasons a message was marked spam. 

I saw a request for a list of definitions for the SFS codes in GitHub that was marked "resolved," "merged," and then deleted. That's concerning because the ticket it was merged into had a link to the document, but did not contain the requested information after all. I'm going to just assume it was an oversight on the part of tech working on the documentation:

https://webcache.googleusercontent.com/search?q=cache:bMqVZtmJ-eUJ:https://github.com/MicrosoftDocs/...

Any chance we can get some information on the SFS field in order to properly troubleshoot quarantined messages? It seems pretty important, and really strange that the info is so hard to find.

2 Replies
I'm going to move on at this point because we disabled/bypassed the Exchange Online filter and sold the client on a better spam filtering option, but it's really suspicious that this "SFS" thing is so clandestine. I can't think of how it benefits Microsoft to hide the info, but hey guys, you do you.

@BochulainCV 


I believe you are correct and the message was quarantined because it matched spam rules. Deep in the Exchange Online documentation, regarding message tracing, the SFS field is mentioned. The SFS field is an entry from the Spam Filter Agent (S:SFA). 

SFS=[a] This denotes that spam rules were matched.
SFS=[b]

It looks like you worked around the issue and moved on. If you are curious, here is the documentation about quarantined emails, retention, policies, etc. The Spam Confidence Level (SCL) is discussed here and can be adjusted to reduce false positives.

Best of luck!
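As an added example for the troubleshooting step the original poster describes (reading the `X-Forefront-Antispam-Report` header and isolating the SFS codes alongside the documented SCL/SFV/CAT fields), here is a small parser. It is not code from this thread or from Microsoft. The header line and every rule ID inside `SFS:(...)` are constructed for illustration and do not correspond to any real Exchange Online rule; the code only extracts the codes so they can be logged or compared across quarantined messages, it does not claim to know what they mean. The SCL band labels follow Microsoft's published SCL table (-1 bypassed, 0-1 not spam, 5-6 spam, 7-9 high confidence spam).

```python
import re
from typing import Dict, List, Optional

# Constructed sample header for illustration only. The IP, hostnames and the
# numeric rule IDs in SFS are made up and match no real EOP rule.
SAMPLE_HEADER = (
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:6;"
    "SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;"
    "SFS:(1000001)(1000002)(1000003);DIR:INB"
)

HEADER_NAME = "X-Forefront-Antispam-Report:"


def parse_forefront_report(header: str) -> Dict[str, str]:
    """Split an X-Forefront-Antispam-Report value into a NAME -> VALUE map.

    The value is a ';'-separated list of NAME:VALUE pairs. Empty values such
    as 'SRV:' are kept as '' so a caller can tell 'present but empty' from
    'absent'. Fields without a ':' are ignored rather than raising.
    """
    if header.startswith(HEADER_NAME):
        header = header[len(HEADER_NAME):]
    fields: Dict[str, str] = {}
    for item in header.strip().split(";"):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sfs_codes(fields: Dict[str, str]) -> List[str]:
    """Return the numeric codes in SFS:(a)(b)(c) as a list of strings.

    Kept as strings on purpose: the codes are opaque identifiers, not numbers
    you would do arithmetic on.
    """
    return re.findall(r"\((\d+)\)", fields.get("SFS", ""))


def scl_band(scl: Optional[int]) -> str:
    """Map an SCL value to the band Microsoft documents for EOP."""
    if scl is None:
        return "missing"
    if scl == -1:
        return "bypassed (safe sender/recipient, transport rule or skipped)"
    if 0 <= scl <= 1:
        return "not spam"
    if 5 <= scl <= 6:
        return "spam"
    if 7 <= scl <= 9:
        return "high confidence spam"
    return "value not used by EOP"


def summarize_verdict(header: str) -> Dict[str, object]:
    """Pull the verdict-relevant fields out of one header for triage."""
    fields = parse_forefront_report(header)
    scl: Optional[int] = None
    if re.fullmatch(r"-?\d+", fields.get("SCL", "")):
        scl = int(fields["SCL"])
    return {
        "scl": scl,
        "scl_band": scl_band(scl),
        "sfv": fields.get("SFV"),   # e.g. SPM = marked spam by content filter
        "cat": fields.get("CAT"),   # e.g. SPM, HSPM, PHSH, NONE
        "sfs": sfs_codes(fields),   # opaque rule IDs; meanings undocumented
    }


if __name__ == "__main__":
    verdict = summarize_verdict(SAMPLE_HEADER)
    print(f"SCL {verdict['scl']} ({verdict['scl_band']}), SFV={verdict['sfv']}, "
          f"CAT={verdict['cat']}")
    print("SFS rule IDs:", ", ".join(verdict["sfs"]) or "(none)")
```

In practice you would feed this the header copied from the quarantined message's header view (or from the Message Header Analyzer output) and keep the SFS list per message; when several false positives share the same codes, that set is the best evidence you have to attach to a support case, even though the codes themselves are not documented.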