Why is Microsoft Defender marking my one-to-one emails as spam with a high SCL score when authentication is correct and there are no blacklist issues?
Michael Ko
Co-founder & CEO, Suped
Published 16 Jul 2025
Updated 17 Aug 2025
9 min read
It can be incredibly frustrating to discover that your one-to-one emails are consistently landing in spam or junk folders, especially when all the foundational email authentication protocols, such as SPF, DKIM, and DMARC, are correctly configured. What's more, a quick check reveals your sending domain and IP addresses are not listed on any major public blocklists (or blacklists), and other major mailbox providers like Gmail and Yahoo are delivering your messages without issue. Yet, Microsoft Defender for Office 365 consistently assigns a high Spam Confidence Level (SCL) score, often an SCL 9, sending your important communications straight to quarantine. This behavior can be puzzling because it suggests a deeper, less obvious problem.
The challenge with Microsoft's filtering is its sophisticated, multi-layered approach. It extends far beyond basic authentication checks and public blocklists. Even when you've done everything right on the technical side, other factors can influence how your emails are perceived. It's a common scenario that even direct inquiries with Microsoft's support team may not yield immediate, clear answers, making the troubleshooting process feel like navigating a black box. Understanding these nuances is key to resolving junk mail placement. For more on SCL and BCL ratings, refer to our guide on what are Microsoft SCL and BCL ratings.
While passing SPF, DKIM, and DMARC is fundamental for email deliverability, these protocols only verify the sender's identity, not the content or intent of the message. Microsoft Defender employs a sophisticated array of filters that analyze various characteristics beyond simple authentication. This includes evaluating the sender's internal reputation with Microsoft, the content of the email, and even historical sending patterns. Even if your IP address or domain is not on a public blacklist or blocklist, Microsoft maintains its own internal reputation systems that can flag domains or IPs based on aggregated data points.
A high SCL score, such as SCL 9, indicates that Microsoft Defender has a very strong conviction that the message is spam. This level of confidence typically means the message will be quarantined or moved directly to the junk folder, bypassing the recipient's inbox entirely. This conviction often stems from a combination of factors, not just one. For instance, an email can pass authentication but still contain elements that Microsoft's filters associate with spam, such as certain keywords, suspicious links, or unusual formatting. It's not uncommon for Microsoft's filtering layer to assign a high SCL score even with correct authentication.
Even for one-to-one communications, every aspect of the email is scrutinized. This includes the subject line, the body content, any embedded URLs, and the overall sending pattern. For example, if your one-to-one emails share certain characteristics with known spam campaigns, even accidentally, they might be flagged. This could be anything from overly generic subject lines to links that redirect through domains Microsoft deems suspicious, even if they aren't publicly blocklisted. If you're experiencing issues with authenticated emails going to junk in Microsoft Outlook, we have a dedicated guide on this topic.
Microsoft Defender also considers the recipient's personal settings. If a recipient has previously marked emails from your domain or similar senders as junk, or if your domain is on their personal blocked senders list, this can significantly contribute to a high SCL. Similarly, an organization's internal anti-spam policies, configured by administrators, can be very aggressive. These policies can override standard deliverability signals, causing even perfectly legitimate one-to-one emails to be classified as high-confidence spam. You can learn more about configuring anti-spam policies for cloud mailboxes on Microsoft's official documentation.
Unpacking content and behavioral factors
Beyond the technical authentication, Microsoft Defender delves deep into the content and behavioral aspects of emails. This means that even if your SPF, DKIM, and DMARC records are flawless, issues within the email's content or the sending behavior can trigger a high SCL score. This is particularly true for one-to-one communications, where subtle cues can disproportionately impact the spam filtering outcome.
Content analysis involves scrutinizing the email's subject line, body text, links, and attachments for characteristics commonly found in spam or phishing attempts. This isn't just about obvious spam keywords; it includes less apparent factors like unusual font sizes, excessive use of images, or even hidden text. Even legitimate emails can sometimes inadvertently mimic these patterns. Similarly, the reputation of any URLs within your email, even if they're not overtly malicious, can play a role. If a linked domain has a poor reputation, it can affect your email's SCL, even if your own sending domain is pristine.
The sender's reputation, as perceived by Microsoft, extends beyond public blocklists. It includes factors like complaint rates, user engagement (e.g., how often recipients open or reply to your emails), and whether your emails are frequently moved to the junk folder by recipients. Even if your domain is generally reputable, a sudden increase in complaints or low engagement from a specific segment of Microsoft users can negatively impact your internal reputation score, leading to higher SCL values. This can be particularly frustrating for one-to-one senders who aren't engaging in bulk sending, as their individual interactions carry significant weight.
Technical checks
SPF authentication: Verifies authorized sending servers for your domain.
DKIM signatures: Ensures email integrity and sender authenticity.
DMARC policy: Instructs mailbox providers on how to handle authentication failures.
Public blocklists: Checks if your IP or domain is listed for spamming activities.
Behavioral & content signals
Content analysis: Suspicious keywords, abnormal formatting, high image-to-text ratio.
URL reputation: Trustworthiness of embedded links, even if not explicitly malicious.
Sender reputation (internal): Feedback loops, complaint rates, engagement from recipients.
Recipient-specific settings: Personal blocked lists, safelists, or organizational policies.
Deep-diving into the investigation
When you encounter a persistent high SCL score, a methodical troubleshooting approach is essential. Since basic authentication and public blacklist checks have come up clean, the focus shifts to more granular details of your email and the receiving environment.
One effective strategy is to perform iterative content testing. This involves sending emails with slight modifications to different test accounts within Microsoft 365. Try altering the subject line, removing your email signature, simplifying the body text, or even sending an email with just a single word. This process of dichotomy helps pinpoint if a specific element within your email's content is triggering the high SCL. Remember, even legitimate-looking external domains or URLs in your email can sometimes contribute to a higher spam score if their reputation isn't impeccable.
Analyzing the full email headers provides invaluable clues. Look for fields such as X-Forefront-Antispam-Report and X-Microsoft-Antispam. These headers contain detailed information about the filtering process, including the assigned SCL and BCL (Bulk Complaint Level) scores, as well as specific spam filter rules that were triggered. Sometimes, the problem might stem from subtle issues like Outlook junk mail placement even with proper authentication.
Example X-Forefront-Antispam-Report Header Snippettext
Microsoft 365's Message Trace feature in the Exchange admin center (EAC) is another powerful diagnostic tool. It can show you the path an email took, the filters it encountered, and the final delivery status, including why it was marked with a high SCL. While Microsoft's filters are complex and often referred to as a black box even by their own engineers, these tools can provide granular detail on the specific rule or pattern that triggered the high SCL. If you're encountering varying SCL scores for the same email to different Office 365 accounts, it might be due to a combination of factors, as discussed in our related article.
Another area to investigate is the broader context of your domain's email activity. Even if your current one-to-one sending is pristine, historical issues, or activities on subdomains, could be impacting your overall sender reputation with Microsoft. Sometimes, the problem lies not in the explicit content of the email, but in the perceived risk associated with the sending domain based on past events or other, less visible, sending streams associated with your domain.
Understanding SCL scores
The Spam Confidence Level (SCL) score is a crucial indicator in Microsoft Defender for Office 365. It's a numerical rating assigned to each email, predicting the likelihood of it being spam. A higher score means a greater chance of being marked as junk or quarantined. Understanding these scores is the first step in diagnosing deliverability issues.
SCL -1: Skipped spam filtering or determined to be legitimate (safe sender).
SCL 0, 1: Legitimate email, delivered to inbox.
SCL 5, 6: Likely spam, often delivered to the junk folder.
SCL 7, 8, 9: High confidence spam, typically quarantined or blocked. SCL 9 is the highest.
Navigating Microsoft's nuanced filtering
Resolving high SCL scores for one-to-one emails in Microsoft Defender can be a challenging endeavor, largely due to the opaque nature of Microsoft's advanced filtering algorithms. While traditional checks like SPF, DKIM, DMARC, and public blocklist status are essential, they often don't tell the whole story when it comes to Microsoft's sophisticated spam detection.
The core of the problem often lies in behavioral and content-based factors, including internal sender reputation, specific keywords or patterns in the email body, URL reputations, and even recipient-specific settings or organizational policies. These elements collectively contribute to the Spam Confidence Level assigned by Microsoft Defender, even for seemingly innocuous one-to-one messages.
To effectively combat this, a multi-faceted approach is required. This includes meticulous content testing, thorough analysis of email headers for granular insights, leveraging Microsoft 365's Message Trace for delivery details, and ensuring no other email activity on your domain or subdomains is inadvertently impacting your sender reputation. While direct answers from Microsoft can be elusive, persistence with these diagnostic steps often reveals the underlying cause and guides you toward a solution.
Views from the trenches
Best practices
Actively monitor your sender reputation, not just on public blocklists, but also through Microsoft's internal feedback loops and complaint rates.
Segment your email sending based on content type and recipient engagement. This can help isolate issues to specific campaigns or audiences.
Use clear, concise, and personalized subject lines to avoid triggering spam filters. Avoid all-caps or excessive punctuation.
Ensure your email content is well-formatted and uses standard HTML. Avoid overly complex or image-heavy layouts in one-to-one emails.
Common pitfalls
Over-relying on basic authentication (SPF, DKIM, DMARC) as the sole indicator of deliverability for Microsoft recipients.
Ignoring subtle content cues that might trigger spam filters, such as generic phrases or embedded links to less reputable domains.
Failing to check if recipients have added your address to their personal blocked sender lists, which can override other positive signals.
Not thoroughly investigating all sending activities on your domain, including subdomains, that could impact overall reputation.
Expert tips
Use Microsoft's Message Trace and Header Analyzer tools to gain deeper insights into why an email received a specific SCL score.
Implement iterative testing with slight content variations to pinpoint the exact element causing the high SCL score.
Regularly review your Microsoft anti-spam policies within the tenant to ensure they are not overly aggressive for legitimate one-to-one emails.
If using Google Workspace for sending, ensure your Google Workspace configuration is optimized for Microsoft deliverability.
Expert view
An expert from Email Geeks says that an SCL 9 score is a strong indication that the message is spam and will likely be quarantined. They suggest a deep dive into the sender's identity, business model, sending mechanics, address acquisition, and mail content to understand the root cause.
2024-12-04 - Email Geeks
Marketer view
A marketer from Email Geeks suggests trying different subject lines, changing the friendly from address, removing external domains from the message, and using a dichotomy approach to remove body content to test what might be triggering the filter.
Gmail and 
Yahoo are delivering your messages without issue. Yet, 
Microsoft Defender for Office 365 consistently assigns a high Spam Confidence Level (SCL) score, often an SCL 9, sending your important communications straight to quarantine. This behavior can be puzzling because it suggests a deeper, less obvious problem.
