Why are transactional emails sent via PostMarkApp being blocked by Office365 despite correct SPF, DKIM, and DMARC settings?
Matthew Whittaker
Co-founder & CTO, Suped
Published 3 Aug 2025
Updated 16 Aug 2025
6 min read
It can be incredibly frustrating when your transactional emails, essential for user experience like account creation and password resets, are blocked, especially when you've meticulously set up SPF, DKIM, and DMARC through a reliable sender like Postmark. You see the SMTP 250 Queued mail for delivery message, yet the emails never reach Office 365 mailboxes. This scenario, often referred to as sinkholing or silent bounce, means the email was accepted by the receiving server but then quarantined or discarded before reaching the inbox. This indicates that while your authentication is strong, other factors related to Office 365's intricate filtering system are at play.
While SPF, DKIM, and DMARC are crucial for proving email legitimacy, they are only the first line of defense. Office 365 (formerly Microsoft 365) employs a multi-layered filtering system that goes beyond these basic authentication checks. Even with perfect DNS records, messages can still be flagged due to content, sender reputation, or specific organizational policies. It's a common misconception that passing these checks guarantees inbox delivery, but the reality is more complex, especially with the evolving landscape of email security in 2025.
Microsoft's filtering system assigns various internal scores to incoming emails. The Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) are internal metrics that assess the likelihood of an email being spam or bulk mail. A high SCL (e.g., 9) can lead to the message being moved to junk, quarantined, or even outright deleted by the recipient's tenant policy. Similarly, a high BCL indicates the email resembles bulk mail, which might bypass the inbox filters.
This can result in scenarios where Postmark reports successful delivery, but the email is effectively sinkholed into a quarantine folder or silently discarded by Office 365. While deliver then discard is a rare occurrence for standard consumer mailboxes, it is more plausible within corporate Office 365 environments where administrators can configure strict filtering rules. To troubleshoot this, it's essential to understand why emails get blocked by major ISPs beyond the basic authentication layers.
Understanding internal filtering in Office 365
Transactional emails might seem innocent, but certain content characteristics can inadvertently trigger Office 365's spam or phishing filters. The Phishing Confidence Level (PCL) score is particularly relevant here. If an email's content, including subject lines, body text, or embedded links, mimics phishing attempts, it will receive a high PCL score and be blocked. Even the use of URL shorteners, which are frequently abused by spammers, can lead to blocking.
This is a key area to investigate, as Postmark's troubleshooting resources indicate that URL shorteners can cause delivery issues. Similarly, if the application hosting (e.g., Firebase) has a less-than-stellar reputation, this can indirectly affect email deliverability, even if the emails are sent via Postmark.
The sender's reputation, both IP and domain, plays a significant role. Even if your SPF, DKIM, and DMARC are perfect, a tarnished reputation can lead to emails landing in spam. Office 365 maintains internal blocklists (or blacklists) based on various factors, including spam complaints, engagement rates, and previous malicious activity associated with the sending IP or domain. If your domain or IP is on a blocklist, it can explain what happens when your domain is on an email blacklist, preventing messages from reaching their destination.
Office 365 specific filtering mechanisms
Microsoft 365 email security is highly sophisticated. Beyond SPF, DKIM, and DMARC, it applies a range of checks and custom rules configured by the recipient organization's IT department. These rules can be very strict, leading to emails being quarantined or rejected even if they pass standard authentication. For example, some organizations might enforce a strict DMARC alignment policy, causing issues even with a p=none DMARC record.
One of the most effective ways to diagnose these blocks is through the Microsoft 365 Defender portal, specifically the Advanced hunting feature. This allows the recipient's IT team to locate quarantined messages and identify the exact reason for non-delivery. It can reveal if a DMARC misalignment or a custom rule is causing the issue. Understanding these specific flags is crucial for troubleshooting transactional emails landing in spam.
Even with an excellent ESP like Postmark, the ultimate decision for inbox placement rests with the recipient's email server and its configured policies. This is why you might experience Office 365 marking emails from a third-party ESP as spam, even when they adhere to all standard authentication protocols. It's not necessarily a Postmark issue, but rather an interaction with the receiving end's specific settings.
Recipient engagement: High engagement (opens, clicks) signals good sender behavior to ISPs.
Office 365 specific considerations
Internal scoring: Monitor SCL, BCL, and PCL scores in email headers (if available) or through Microsoft 365 Defender logs. High scores are a red flag.
Custom tenant rules: Recipient organizations may have specific DMARC or content filtering rules that supersede standard practices.
Advanced hunting: Advise recipients to check their Microsoft 365 Defender for Office 365 logs for quarantined messages. This is key to pinpointing the exact reason for rejection.
ESP interaction: Even if Postmark logs show delivery, the message might be blocked further down the line by Office 365's internal filters or tenant rules.
The first step in resolving this issue is to work with the recipient's IT department. They have access to the Microsoft 365 Defender portal and can check their quarantine logs. Providing them with the friendly FROM address and the recipient email address will help them quickly locate the blocked messages and understand the specific reason, whether it's a high SCL/BCL/PCL score or a custom policy. This direct communication is often the fastest path to resolution.
Next, review the email content thoroughly. Even for simple transactional emails like password resets, certain elements can trigger filters. Avoid generic phrases, excessive capitalization, or links to suspicious-looking domains. If your application is hosted on a platform like Firebase, ensure that any links in your emails lead to a well-known, reputable domain. Sometimes, a new or less established domain can inherently carry a lower trust score, making it more susceptible to filtering. For new applications, consider a warm-up period for your sending domain.
Finally, beyond Postmark's delivery logs, monitor your overall email performance using DMARC reports. These reports provide aggregated data on authentication results, allowing you to see if any of your emails are failing DMARC, even if they appear to pass SPF and DKIM. They can also provide insight into DMARC reports from Google and Yahoo that might indicate broader issues affecting your sender reputation. Consistently reviewing these reports can help you proactively identify and resolve deliverability challenges, ensuring your transactional emails reach their intended recipients.
Views from the trenches
Best practices
Actively communicate with the recipient's IT department for insight into their mail logs.
Review your email content for any elements that might trigger spam or phishing filters.
Monitor your domain and IP reputation regularly to ensure positive standing.
Analyze DMARC reports for comprehensive insights into email authentication results.
Common pitfalls
Assuming perfect SPF, DKIM, and DMARC guarantee inbox delivery.
Overlooking internal Office 365 scores like SCL, BCL, and PCL.
Ignoring the potential impact of email content, including embedded links and language.
Failing to consider that recipient organizations may have custom, strict email filtering rules.
Expert tips
Sometimes, transactional emails can be mistakenly classified due to the content resembling phishing attempts. Ensure your email body is lean and purely informational.
If you're launching a new application, gradually increase your email volume to build sender reputation, especially if your hosting platform has shared IP pools.
Pay close attention to the PCL (Phishing Confidence Level) score if you can obtain it, as this is a common reason for transactional emails being silently blocked.
Remember that Microsoft 365 filtering can be highly customized by tenant administrators; what works for one domain might not work for another.
Expert view
Expert from Email Geeks says that "deliver then discard" is a rare outcome for emails, and it's important to confirm this behavior before troubleshooting. They suggest checking for email forwarding rules, local email filters, or messages being sent to an unexpected folder like a focused inbox.
2023-02-08 - Email Geeks
Expert view
Expert from Email Geeks says that high BCL (Bulk Complaint Level) or SCL (Spam Confidence Level) scores can lead to messages being deleted by the Microsoft 365 tenant's filters. If these scores are high (e.g., 9), improving the BCL score or communicating with the tenant to adjust their filtering rules is necessary.
2023-02-08 - Email Geeks
Summary of resolution strategies
Experiencing transactional emails from Postmark being blocked by Office 365 despite passing SPF, DKIM, and DMARC is a challenging but solvable deliverability issue. It highlights that email security is a dynamic field, with mailbox providers like Microsoft employing advanced filtering beyond foundational authentication protocols. To succeed, you need to go beyond the basics, scrutinizing content, monitoring reputation, and, critically, understanding the specifics of the recipient's mail system. Proactive monitoring and collaboration with recipients are key to ensuring your essential messages reach the inbox and that you can avoid why your emails go to spam.
Ultimately, deliverability is a continuous effort requiring attention to detail and adaptability to evolving anti-spam measures. By adopting a comprehensive approach, you can significantly improve your email success rates and maintain a reliable communication channel with your users, overcoming email deliverability issues.
Microsoft 365 email security is highly sophisticated. Beyond SPF, DKIM, and DMARC, it applies a range of checks and custom rules configured by the recipient organization's IT department. These rules can be very strict, leading to emails being quarantined or rejected even if they pass standard authentication. For example, some organizations might enforce a strict DMARC alignment policy, causing issues even with a p=none DMARC record.
Postmark, the ultimate decision for inbox placement rests with the recipient's email server and its configured policies. This is why you might experience Office 365 marking emails from a third-party ESP as spam, even when they adhere to all standard authentication protocols. It's not necessarily a Postmark issue, but rather an interaction with the receiving end's specific settings.
