Summary
Microsoft's high link scanning rates in emails are a multi-faceted issue stemming primarily from their commitment to protecting users from phishing, malware, and other malicious content. This protective measure is influenced by a combination of factors related to the sender, the content of the email, and the recipient's security policies. Key among these are the sender's reputation (influenced by factors like IP age, consistency of sending patterns, and authentication practices), the content of the email (particularly the presence of suspicious links, spam-triggering keywords, or newly created domains), and the recipient organization's security configurations (which may involve aggressive scanning of all external links). Microsoft uses automated systems like Safe Links and Advanced Threat Protection (ATP) to analyze links in real-time, often leading to high scanning rates, especially for new senders or those with inconsistent sending patterns. While Microsoft aims to provide robust security, its scanning practices can sometimes seem excessive or even uncontrolled.
Key findings
- Primary Goal: Security: Microsoft's high scanning rates are primarily driven by the need to protect users from phishing, malware, and other malicious content.
- Sender Reputation Matters: Sender reputation is a significant factor. Poor reputation leads to increased scrutiny, while a good reputation can potentially reduce scanning frequency over time.
- Content is Key: Email content plays a critical role. Suspicious links, spam-triggering keywords, and new domains can all trigger increased scanning.
- Recipient Policies Influence Scanning: The security policies of the recipient organization can significantly impact scanning rates. Some organizations implement aggressive scanning for all external links as a preventative measure.
- Automated Systems at Work: Microsoft employs automated systems like Safe Links and ATP to analyze links in real-time, contributing to the high scanning rates.
- New Senders Face Increased Scrutiny: New senders and IPs typically face higher scanning rates as Microsoft assesses their trustworthiness.
Key considerations
- Improve Sender Reputation: Focus on improving and maintaining a good sender reputation by using consistent sending patterns, authenticating emails properly (SPF, DKIM, DMARC), and warming up new IPs slowly.
- Review Email Content: Carefully review email content to avoid the use of suspicious links, spam-triggering keywords, or links to newly created domains.
- Check Authentication Settings: Ensure that SPF, DKIM, and DMARC records are correctly configured to help establish trust with Microsoft's email filters.
- Consider Recipient Policies: Be aware that the recipient's organization's security policies can significantly impact scanning rates, even if the sender has a good reputation and clean content.
- Contact Microsoft Support: If excessive scanning persists despite following best practices, consider opening a postmaster ticket with Microsoft to investigate potential issues.
- Analyze Customer Activity: Explore whether specific customer activities or sending patterns may be inadvertently triggering increased scanning by Microsoft.
What email marketers say
10 marketer opinions
Microsoft scans links in emails at high rates to protect users from phishing and malware. This behavior is influenced by factors such as sender reputation, the age of the sending IP, email content, recipient security policies, and the presence of suspicious links or keywords. Senders with poor reputations, new IPs, or content triggering spam filters often experience increased scanning. Recipient organizations may also have aggressive scanning policies in place.
Key opinions
- Security: Microsoft's primary goal is to protect users from phishing and malware.
- Sender Reputation: Poor sender reputation triggers more aggressive scanning.
- Email Content: Suspicious links or keywords in content increase scanning frequency.
- Recipient Policies: Recipient organizations may have aggressive scanning policies.
- New Senders: New senders or IPs often face higher scrutiny.
Key considerations
- Sender Reputation: Monitor and improve sender reputation to reduce scanning frequency.
- Email Content: Ensure email content is clean and free of spam triggers.
- IP Warm-up: Warm up new IPs slowly to establish a positive sending history.
- Authentication: Properly configure SPF, DKIM, and DMARC records for authentication.
- Postmaster Tools: Contact Microsoft Postmaster support to resolve excessive scanning issues.
- Monitor Blocklists: Regularly check domain and IP addresses on blocklists.
Marketer view
Email marketer from Snov.io shares that Microsoft scans links to protect users from phishing and malware, especially when the sender is new or the content seems suspicious. They recommend warming up new IPs slowly and monitoring sender reputation.
2 Sep 2022 - Snov.io
Marketer view
Email marketer from Reddit explains that Microsoft sometimes aggressively scans links, particularly for new senders or when a significant volume of emails are sent to a domain quickly. This is a defense mechanism against potential threats, and it may decrease as sender reputation improves.
4 Aug 2022 - Reddit
What the experts say
3 expert opinions
Microsoft's high link scanning rates are attributed to various factors aimed at blocking malicious content and protecting users. These factors include sender reputation, the age of the sending IP, the email's content (particularly triggers for spam filters), and recipient company security policies. Specific customer behaviors and inconsistent sending patterns can also lead to increased scanning. The process is expensive, leading to bracketed rules around when scanning occurs.
Key opinions
- Malicious Content: Microsoft scans aggressively to block malicious content and protect users from threats.
- Sender Reputation: Sender reputation and IP age influence scanning rates; new or inconsistent senders face higher scrutiny.
- Content Analysis: Email content, particularly spam triggers, increases scanning intensity.
- Customer Behavior: Specific customer behaviors may cause Microsoft to increase scanning for particular senders.
- Recipient Policies: Recipient company security policies affect scanning intensity.
Key considerations
- Improve Reputation: Work to improve sender reputation through consistent sending patterns and authenticated email practices.
- Content Review: Review email content to avoid triggers that cause spam filters to flag emails, leading to increased scanning.
- Customer Analysis: Analyze specific customer activity that may be contributing to increased scanning.
- Monitor Security Settings: Understand recipient security settings, if possible, to adapt sending strategies.
Expert view
Expert from Email Geeks suggests exploring if specific customers are doing things that are causing Microsoft to increase scanning. Adds that scanning is expensive, so there tend to be bracketed rules around when it happens and offers to chat about what those might be.
9 Aug 2022 - Email Geeks
Expert view
Expert from Word to the Wise explains that several factors can influence Microsoft's link scanning, including sender reputation, the age of the sending IP, and the content of the email. New senders or those with inconsistent sending patterns may experience higher scanning rates. Also, content that triggers spam filters will cause more scanning.
7 Jan 2022 - Word to the Wise
What the documentation says
5 technical articles
Microsoft's high link scanning rates are primarily due to security measures like Safe Links in Microsoft Defender for Office 365 and Advanced Threat Protection (ATP). This scanning aims to protect users from malicious URLs and is triggered by factors such as perceived sender risk, the reputation of linked domains, organizational security policies, and poor sender reputation. Additionally, broader trends toward enhanced security protocols are contributing to increased scanning.
Key findings
- Safe Links: Safe Links in Microsoft Defender provides URL scanning and rewriting for inbound emails.
- ATP: Microsoft's ATP feature scans links to protect users from malicious URLs.
- Risk Factors: Scanning rates depend on sender risk, linked domain reputation, and organizational policies.
- Sender Reputation: Poor sender reputation leads to more aggressive scanning.
- Enhanced Security: Increased scanning reflects broader efforts to enhance email security.
Key considerations
- Monitor Reputation: Regularly monitor sender reputation and take steps to improve it.
- Review Security Policies: Understand recipient organization's security policies to align sending practices.
- Assess Linked Domains: Ensure the reputation of linked domains is good to avoid triggering security filters.
- Implement Security Best Practices: Implement email security best practices to minimize perceived sender risk.
- Evaluate Security Configuration: Evaluate if the organizational security configurations are triggering high scanning rates.
Technical article
Documentation from Google shares that an increase in scanning may be due to enhanced security protocols. Microsoft, like Google, are tightening security protocols to protect users.
26 Aug 2021 - Google
Technical article
Documentation from Cisco explains that Microsoft's Advanced Threat Protection (ATP) Safe Links feature scans links in emails to protect users from malicious URLs. Higher scanning rates can indicate a heightened security posture or the detection of potentially risky content within the emails.
29 Sep 2021 - Cisco
Are there specific pixel width or SL line character limits that cause Microsoft to mark emails as spam?
Can AMP code in emails cause increased spam placement in Outlook and Hotmail, even if they don't render AMP?
How can I identify and handle bot clicks and opens, particularly from Microsoft/Outlook domains, in email marketing campaigns?
How can I improve email deliverability with Microsoft and avoid spam filters?
How can I prevent Microsoft Defender from triggering unwanted one-click unsubscribes?
How do I get my emails out of spam for Hotmail and Outlook?
