Why are emails being marked as junk or phishing in Outlook 365?

Key findings

• Increased junking: There has been a noticeable rise in legitimate emails being classified as junk by Outlook 365, particularly when they receive an SCL score of 5 or higher, which typically triggers automatic spam folder placement.
• New policy updates: Microsoft appears to have implemented new anti-spam policies or adjusted existing rules internally, leading to more stringent filtering.
• Link interaction: A significant development is Microsoft's practice of opening links in a sandboxed browser environment, including the execution of JavaScript and network access. This suggests deeper content analysis of linked web pages.
• Impact on single-use links: The automated link-clicking by Microsoft can cause issues for emails containing single-use or expiring links, such as password reset links, rendering them unusable for the end-user.
• Client-level issues: The problem often appears to be client-specific, persisting across multiple email service providers (ESPs) for some senders, suggesting that domain reputation and email content play a crucial role.

Key considerations

• Content and domain adjustments: Be prepared to adjust your email content and potentially your sending domain if you experience persistent junking issues. This often helps in achieving inbox placement.
• Re-evaluate link strategies: For transactional emails with sensitive links (e.g., password resets), consider modifying your approach. Links should either have a reasonable expiration time or direct users to a page requiring an interactive click to complete the action. This helps mitigate issues caused by automated link scanning.
• Monitor key scores: Keep a close eye on your Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) scores in Microsoft's systems, as these are critical indicators for Outlook deliverability. For more on this, see Spotler's insights on junk emails and Microsoft Outlook.
• Stay informed: Microsoft frequently updates its filtering algorithms. Regularly consult official documentation or industry forums for announcements regarding changes to anti-spam policies.

Key opinions

• Widespread impact: Many email marketers are observing a significant increase in O365 customers reporting emails being quarantined or flagged as phishing risks.
• Transactional email disruption: There's a specific concern that emails like 'Forgot Password' notifications are frequently being flagged as phishing.
• Automated link clicking: Marketers have discovered that Microsoft is now pre-clicking links within emails, which can cause single-use links to expire before the recipient even sees the message.
• Policy change suspicion: The general sentiment is that Microsoft has updated its filtering policies, leading to these new and disruptive behaviors.
• Content and domain sensitivity: Many find that adjusting content or changing the sending domain can help improve deliverability, suggesting a strong content- and domain-based filtering approach.

Key considerations

• Link strategy adaptation: Marketers need to adapt their strategies for how links are used in emails, particularly for single-use or time-sensitive links, to account for Microsoft's automated pre-clicking.
• Content review: Regularly review and adjust email content to avoid triggers that Microsoft's filters might flag as junk or phishing. This includes subject lines, keywords, and overall message structure.
• Targeted deliverability testing: Perform specific deliverability tests to Outlook 365 environments to identify and address issues promptly. This can help understand why emails are suddenly going to spam.
• Leverage reporting: Encourage recipients to report legitimate emails that land in junk or phishing folders as not junk or not phishing, as this feedback can help improve Microsoft's filtering accuracy.

Key opinions

• SCL score significance: An SCL score of 5+ is a clear signal that Outlook 365 considers an email to be spam, and its default policy is to direct such messages to the spam folder.
• Internal policy updates: Microsoft's internal documentation references 'default anti-spam policy' and 'new anti-spam policies,' suggesting that updates have been pushed to enhance filtering.
• Sandboxed link analysis: Microsoft has deployed infrastructure that opens links in emails within a sandboxed browser environment, complete with JavaScript and potential network access, enabling deeper analysis of linked web content.
• Targeted filtering: The increased filtering seems to be specifically targeting certain sender behaviors and content patterns.
• Single-use link challenges: The automated link scanning renders single-use links in emails, such as those for password resets, largely unusable.
• Interactive content necessity: For critical actions, users must be directed to pages where they perform an interactive step, such as clicking a submit button, to ensure the action is genuinely user-initiated.

Key considerations

• Re-engineer link workflows: It is crucial to re-architect any email workflows that depend on single-use links. Instead, implement mechanisms that require explicit user interaction after the link is clicked.
• Implement DMARC correctly: Ensure your DMARC, SPF, and DKIM configurations are flawless. This authentication foundation is critical for establishing sender trust with Microsoft. If you're seeing issues, refer to our guide on how to fix common DMARC issues in Microsoft 365.
• Proactive policy monitoring: Actively monitor for Microsoft's unannounced policy changes and adapt your sending practices accordingly. Given their continuous efforts to combat spam, new technologies and rules are frequently deployed.
• Address SCL scores: Recognize that an SCL score of 5 or higher means your email is strongly flagged as spam. Investigate why your emails are receiving such high scores, as this is a direct indicator of deliverability issues. For advanced troubleshooting, check out why Microsoft Defender marks emails as spam. Learn more about general deliverability best practices from SpamResource.

Key findings

• Automatic junking: Microsoft 365 email accounts automatically move messages identified with high SCL scores (e.g., 5+) to the Junk Email folder.
• Spam definition: Junk email, commonly known as spam, refers to unsolicited messages, often advertising unwanted products or containing offensive content.
• User reporting importance: Users are advised to report emails that are incorrectly classified as junk or not junk, as this feedback contributes to improving the accuracy of Microsoft's spam filters.
• False positive prevention: Proper handling of legitimate emails that are incorrectly blocked by Microsoft Defender for Office 365 is essential to prevent business disruption.
• SCL and BCL correlation: Consistent inbox delivery in Microsoft environments is often tied to the Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) scores assigned to emails.

Key considerations

• Score criteria understanding: It is important to understand the specific criteria Microsoft uses to calculate SCL and BCL scores, as these directly influence email placement.
• User education: Educate your recipients on how to use Outlook's reporting features to mark emails as 'Not Junk' or 'Not Phishing', which can positively impact your sender reputation. For more details on compliance, refer to how to comply with Outlook's new sender requirements.
• Policy adherence: Regularly review Microsoft's official anti-spam policies and guidelines to ensure your sending practices remain compliant and optimized for deliverability. Microsoft's documentation on anti-spam policies is a key resource.
• BCL score management: If your emails are receiving a high BCL score, investigate the cause as this indicates a high volume of recipient complaints. Learn how to fix high BCL scores.