Why are transactional emails sent via PostMarkApp being blocked by Office365 despite correct SPF, DKIM, and DMARC settings?

Key findings

• Silent blocking: Emails can be accepted by the Office365 server but then silently quarantined or discarded before reaching the recipient's inbox, appearing as 'delivered' in the sending ESP's logs.
• Internal scoring: Microsoft assigns internal scores like SCL (Spam Confidence Level) and BCL (Bulk Complaint Level). High scores can lead to messages being blocked or quarantined, even with proper authentication.
• Tenant-specific rules: Individual Office365 organizations can implement custom mail flow rules that override standard delivery, potentially quarantining emails based on specific content, sender reputation, or even strict DMARC alignment requirements.
• Phishing detection: The PCL (Phishing Confidence Level) score can also cause issues. If an email is perceived as phishing, it may be blocked.
• Content and domain factors: Beyond authentication, factors like email content, sender IP reputation, or links within the email (e.g., to a newly deployed or unknown application hosted on platforms like Firebase) can trigger filters.

Key considerations

• Verify delivery status: Confirm that emails are truly being silently blocked and not merely misdirected to junk or other folders within the recipient's Office365 mailbox.
• Check header scores: For any successfully delivered emails to Office365, examine the headers for the X-MS-Exchange-Organization-SCL and X-Microsoft-Antispam: BCL scores. This provides insight into Microsoft's internal assessment of your emails.
• Understand O365 filtering: Familiarize yourself with how Microsoft 365 manages inbound emails, particularly concerning DMARC checks and potential misconfigurations.
• Review custom rules: Work with the recipient's IT department to investigate if custom mail flow rules or strict DMARC enforcement policies are causing the quarantine.
• Improve sender reputation: Even with perfect authentication, a low sender reputation can lead to blocking. Consider reviewing your overall deliverability practices to avoid being seen as untrustworthy.
• Troubleshoot O365 specific issues: Consult resources on why emails land in Office 365 spam for further diagnosis.

Key opinions

• Uncommon behavior: It is generally rare for emails to be silently discarded without any bounce message or delivery to junk folders.
• Focus on tenant settings: Many marketers find that recipient-side Office365 configurations, rather than sender-side authentication, are often the root cause of these hidden blocks.
• Internal scoring impact: Microsoft's internal scoring (SCL/BCL) plays a significant role, even for transactional emails, and a high score can lead to deletion by recipient policies.
• Broad impact: When emails are blocked across all Office365 domains for a given sender, it suggests a systemic issue, not just a specific mailbox problem.
• Evolving standards: Email deliverability standards are continually evolving, with platforms like Microsoft introducing stricter authentication requirements and best practices.

Key considerations

• Proactive monitoring: Implement continuous monitoring of your email deliverability, especially to Office365 domains, to catch issues early.
• Recipient engagement: Educate recipients to check all mail folders (including junk) and, if possible, whitelist your sending domain.
• Sender reputation: Maintain a strong sender reputation through consistent sending practices and by avoiding spam traps or complaints. Read more about why low-volume emails go to spam.
• Content review: Regularly review email content for anything that might trigger spam filters, even for transactional messages.
• Align DMARC: While Postmark handles DMARC alignment, ensure your DMARC policy is correctly configured and that all mail streams align properly to prevent issues, especially with Microsoft 365.

Key opinions

• Deliver then discard is rare: While Microsoft used to be known for this, it is now uncommon, and other causes should be investigated first.
• BCL/SCL influence: Microsoft's internal Bulk Complaint Level (BCL) and Spam Confidence Level (SCL) scores significantly impact delivery. A high score (e.g., 9) can lead to emails being deleted by the tenant's settings.
• PCL scoring: Phishing Confidence Level (PCL) is another critical factor. Emails scoring high on PCL are likely to be blocked.
• Sinkholing/silent bounce: Experts regularly observe emails being accepted by the receiving server but then quarantined by content filters before reaching the inbox, a phenomenon known as "sinkholing" or "silent bounce".
• Custom tenant rules: Many Office365 deliverability issues stem from custom rules set by individual organizations, sometimes including strict DMARC alignment requirements.
• O365 vs. consumer MSFT: There can be significant differences in how Office365 handles emails compared to consumer Microsoft services (like Outlook.com or Hotmail).

Key considerations

• Check all folders: Ensure recipients check all possible folders, including junk, focused inbox, or other filtered views, before concluding an email is blocked.
• Investigate SCL/BCL scores: For messages that successfully reach Office365, analyze the message headers to determine the SCL and BCL scores. This provides crucial insight into Microsoft's assessment.
• Utilize Microsoft tools: Recipients' IT departments can use Microsoft 365 Defender's advanced hunting feature to locate quarantined messages and determine the specific rules that triggered the block.
• Review PCL and content: Evaluate potential phishing indicators in your email content and any links to newly deployed or unfamiliar domains, which might increase the PCL score.
• Domain reputation: Consider the overall reputation of your sending domain and PostMarkApp's shared IP pools. While authentication is in place, underlying reputation issues can still lead to blocklisting. Learn how email blacklists work.
• ESP relationship: Work closely with your Email Service Provider (ESP), like PostMarkApp, for detailed insights into their deliverability to Office365 and any unique challenges they observe.

Key findings

• Authentication is foundational: SPF, DKIM, and DMARC are crucial for establishing sender legitimacy, but they are not the sole determinants of inbox placement.
• Reputation matters: Beyond technical alignment, sender IP and domain reputation play a significant role in how emails are processed by Office365 filters.
• Advanced filtering: Microsoft 365 uses complex internal algorithms (SCL, BCL, PCL) to assess emails, which can lead to quarantining or rejection irrespective of SPF, DKIM, or DMARC passes.
• Custom rules flexibility: Office365 tenants have the ability to implement highly customized mail flow and anti-spam rules, which can block emails that would otherwise be delivered.
• Postmaster tools: Microsoft offers Postmaster tools and security dashboards that provide insights into deliverability and filtering actions, although these are typically accessed by the recipient's IT team.

Key considerations

• Review DMARC policy: Ensure your DMARC policy is robust but also consider a phased approach when moving to quarantine or reject policies.
• Content best practices: Adhere to content best practices to avoid triggering spam filters, even for transactional emails. This includes avoiding suspicious links or overly promotional language.
• Monitor sender reputation: Regularly check your domain and IP reputation using tools available, and address any potential blocklisting issues promptly. Find out what happens when your domain is on a blacklist.
• Engage with recipients' IT: Collaborate with the IT administrators of recipient organizations using Office365 to understand their specific filtering rules and whitelist your domain if necessary.
• Review ESP practices: Ensure your ESP (PostmarkApp) follows all recommended practices for sending to Office365 and has a strong reputation within the Microsoft ecosystem.