Emails sent from your domain via a third-party Email Service Provider (ESP) can sometimes be marked as spam by Office 365, even when they deliver successfully to other recipients. This often points to specific configurations within O365 itself, rather than broad deliverability issues. It's not uncommon for Microsoft's filtering to be more aggressive for emails appearing to originate from a domain it hosts, but sent externally.
Key findings
Internal configuration: Office 365 may be configured to treat emails sent from a domain it hosts, but originating from an external SMTP server, as potentially forged. This is often an intentional (or unintended) local setting.
Advanced threat protection (ATP): Microsoft Defender for Office 365 (formerly ATP) includes anti-phishing capabilities that might flag legitimate emails that appear to spoof an internal domain, even if they are properly authenticated. This is particularly relevant when external ESPs are used.
Authentication strictness: While SPF, DKIM, and DMARC might pass, O365 can have additional internal checks or policies that go beyond standard authentication, especially for intra-domain spoofing prevention. For more details, consider our guide on advanced email authentication.
Domain reputation: Although your overall domain reputation may be good, Microsoft's internal reputation system or specific user feedback within O365 could influence filtering for intra-organization emails. Learn how to improve domain reputation.
Key considerations
Review authentication headers: Carefully examine the full email headers for messages sent from the third-party ESP and received by an O365 inbox. Look for 'Authentication-Results' and 'X-Forefront-Antispam-Report' headers to understand why the message was flagged. This can provide clues regarding local O365 policies.
Check O365 security settings: Administrators should check the anti-phishing policies within Microsoft Defender for Office 365. Specifically, look for impersonation policies that might be configured to protect users from spoofed domains, even legitimate ones coming from external sources. For a deeper dive into why emails might be going to spam, see this HostPapa blog post.
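Create transport rules: Consider creating a transport rule in the Exchange admin center (EAC) to bypass spam filtering for emails originating from your third-party ESP's IP address or sending domain, specifically when destined for internal O365 mailboxes. This whitelisting can resolve issues where internal policies are overly aggressive. If the rule matches on the sending domain, pair that condition with the ESP's IP range or a passing authentication result, since a domain-only match would also exempt forged mail claiming that domain.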
Sender reputation of ESP: While less likely if emails deliver everywhere else, ensure your ESP maintains a good sending reputation. If the ESP's IPs are on any blocklists, it could contribute to deliverability problems, including within O365. Keep an eye on blocklists with our blocklist checker.
What email marketers say
Email marketers frequently encounter situations where their legitimate emails, sent through third-party ESPs, are marked as spam by Microsoft Office 365, even when other email providers accept them. This is a common pain point, often attributed to O365's specific security policies and anti-spoofing measures. The challenge lies in navigating these internal O365 settings that can override standard deliverability protocols.
Key opinions
Local configuration issues: Many marketers suspect that the problem stems from specific configurations within the O365 tenant itself, rather than a universal Microsoft policy. It appears some settings can lead to aggressive filtering of internally-addressed emails from external sources.
Anti-forgery processing: There's a strong belief that O365's anti-forgery mechanisms are at play, potentially flagging emails that appear to be internal but originate externally as suspicious, even if SPF/DKIM align. This is a common reason for emails landing in Office 365 spam.
Advanced threat protection (ATP): The Advanced Threat Protection add-on in O365 is frequently cited as a culprit, as it's designed to counter phishing and can mistakenly flag legitimate third-party sends as such.
User-specific rules: In some cases, third-party security layers like Mimecast, or even user-specific impersonation rules, might be contributing to these localized spam classifications, particularly with subdomains.
Key considerations
Examine authentication results: Always start by checking the detailed authentication results within the O365 message headers. These headers provide crucial insights into how Microsoft is processing and evaluating your email, especially concerning its origin.
Check O365 configuration: Investigate your O365 tenant's security and mail flow settings. Look for any checkboxes or rules that might specifically treat mail using your domain but originating from different SMTP servers as forged. This aligns with what Microsoft suggests to fix.
Bypass spam filtering: If the issue is persistent and only affects O365 internal recipients, consider implementing transport rules to bypass spam filtering for emails from your trusted third-party ESP when sent to internal users.
DMARC monitoring: While authentication might pass, continuous DMARC monitoring can highlight subtle alignment issues or reporting discrepancies that O365 might be interpreting strictly. Our DMARC monitoring tool can help.
Marketer view
A marketer from Email Geeks shared a scenario where O365 treats messages as spam only for specific senders, especially when the O365 domain is used by a third party. This can be baffling when the same emails deliver perfectly everywhere else, including other O365 users.
21 Sep 2020 - Email Geeks
Marketer view
An Email Geeks marketer noted that Microsoft has unusual processing rules for domains hosted on O365 but sent from an outside source. This suggests that O365 applies stricter internal checks than typical external mail filters.
21 Sep 2020 - Email Geeks
What the experts say
Email deliverability experts highlight that Microsoft Office 365 implements sophisticated filtering mechanisms, particularly for domains hosted within O365, even when emails are sent via external ESPs. These mechanisms often go beyond standard email authentication protocols, focusing on anti-forgery and anti-phishing to protect internal users. The key is understanding O365's specific policies and how they interact with external sending sources.
Key opinions
Internal spoofing detection: Experts confirm that O365 has specific processing rules against a domain being hosted there but sending from an outside source. This is primarily aimed at preventing internal spoofing.
Config file settings: There are, or were, checkboxes in O365 config files that could be set to treat all mail using a domain but coming from a different SMTP server as forged, causing legitimate emails to be flagged.
Advanced threat protection (ATP) behavior: Experts commonly identify O365's Advanced Threat Protection (ATP) as a component that, without specific tweaking, is designed to counter phishing and can inadvertently flag legitimate third-party emails from an internal domain. This is similar to why emails get quarantined in O365.
Local site-specific issue: The consensus among experts is that such issues are typically local, site-specific configurations within the O365 tenant, rather than a bug or global O365 policy. This means the solution lies within the user's O365 settings.
Key considerations
Audit O365 anti-spoofing: Review the anti-spoofing and anti-phishing policies within Microsoft Defender for Office 365. Pay close attention to settings that might aggressively detect impersonation attempts for your own domain, even if legitimate. This is critical for emails that pass SPF, DKIM, and DMARC.
Check mail flow rules: Examine existing mail flow rules (transport rules) in the Exchange admin center (EAC) to see if any are inadvertently marking legitimate emails as spam or triggering specific security policies for internal delivery.
Whitelisting and exceptions: Consider creating specific exceptions or whitelisting entries for the sending IP addresses or domains of your third-party ESP within your O365 environment, targeting internal recipients only. This allows you to specifically instruct O365 to trust these senders for internal mail.
DMARC policy enforcement: Ensure your DMARC policy is properly configured for all sending sources. While O365 might have additional internal checks, a robust DMARC implementation helps establish sender legitimacy. Twilio offers insights into broader reasons for emails going to spam.
Expert view
An expert from Email Geeks emphasized the importance of checking authentication results, stating that Microsoft has weird processing against a domain hosted there but sent from an outside source. This highlights the need to understand O365's internal authentication logic.
21 Sep 2020 - Email Geeks
Expert view
An Email Geeks expert mentioned a past configuration checkbox that would cause a domain to treat all mail using that domain, but from a different SMTP server, as forged. This indicates O365 has specific anti-forgery measures.
21 Sep 2020 - Email Geeks
What the documentation says
Microsoft's official documentation for Office 365 and Microsoft Defender for Office 365 (MDO) outlines comprehensive security features designed to protect users from phishing, spoofing, and malware. These features are highly configurable and can, by design, lead to legitimate emails being marked as spam if they trigger specific anti-spoofing or impersonation policies, especially when originating externally but purporting to be from a domain hosted internally. Understanding these documented behaviors is crucial for effective troubleshooting.
Key findings
Anti-phishing policies: O365 includes built-in anti-phishing policies that use machine learning to detect and block impersonation attempts, including domain spoofing. These policies are active by default and can be configured to protect both internal and external domains.
Spoof intelligence: Microsoft's spoof intelligence feature is specifically designed to identify and block messages from senders who are trying to impersonate an organization's domain. This often targets emails that fail DMARC, but can also apply to legitimate third-party senders if not properly configured.
DMARC enforcement: O365 rigorously enforces DMARC. If a third-party ESP sends on behalf of your domain and fails DMARC (or SPF/DKIM alignment), it will be marked as spam or rejected. Even a 'p=none' DMARC policy might not prevent internal filtering if other signals are negative. Learn more about DMARC, SPF, and DKIM.
Tenant allow/block list: Administrators can manage a tenant allow/block list to explicitly permit or deny specific senders, domains, or IP addresses. This tool is often recommended for whitelisting legitimate third-party senders that are being inadvertently blocked.
Key considerations
Configure anti-phishing policies: In the Microsoft 365 Defender portal, administrators should review and adjust anti-phishing policies, especially the 'impersonation' and 'spoof intelligence' settings. It's possible to create exceptions for trusted third-party senders under these policies.
Create mail flow rules (transport rules): Microsoft documentation advises using mail flow rules in Exchange Online to bypass specific security checks for emails originating from trusted sources. This can be used to set the spam confidence level (SCL) to -1 for emails from your ESP, ensuring they land in the inbox.
Check email authentication headers: Microsoft's message header analyzer is a valuable tool for understanding why an email was filtered. It provides detailed information on authentication results (SPF, DKIM, DMARC), spam assessment, and any policies that were triggered. You can also use our Email Deliverability Tester.
Submit to Microsoft for analysis: If all configurations appear correct, Microsoft's documentation suggests submitting false positives (emails incorrectly marked as spam) to them for analysis, which helps train their filtering systems.
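The header review recommended in the key considerations above (the 'Authentication-Results' and 'X-Forefront-Antispam-Report' headers), as an added Python example that is not from the original article or from Microsoft. It parses both headers from a constructed sample message and maps the result to the troubleshooting branches discussed here; the sample headers, the example.com and esp.example names, and the function names parse_o365_headers and triage are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not a real message): ESP mail that passes SPF, DKIM and
# DMARC but still gets a spam verdict with an impersonation category.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.25)
 smtp.mailfrom=bounce.esp.example; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.0.2.25;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mta.esp.example;PTR:mta.esp.example;CAT:UIMP;DIR:INB;
From: Newsletter <news@example.com>
Subject: constructed test message

body
"""

def parse_o365_headers(raw):
    """Extract authentication results and filter verdict fields."""
    msg = message_from_string(raw)
    auth = " ".join((msg["Authentication-Results"] or "").split())
    out = {}
    for key in ("spf", "dkim", "dmarc", "compauth", "reason"):
        m = re.search(rf"\b{key}=(\w+)", auth)
        out[key] = m.group(1).lower() if m else None
    report = "".join((msg["X-Forefront-Antispam-Report"] or "").split())
    fields = dict(p.split(":", 1) for p in report.split(";") if ":" in p)
    for key in ("CIP", "SCL", "SFV", "CAT"):
        out[key] = fields.get(key) or None
    return out

def triage(h):
    """Map parsed fields to a troubleshooting branch (hypothetical helper)."""
    if h["SFV"] in ("SKN", "SKA"):  # filtering skipped by rule or allow list
        return "bypassed by mail flow rule or allow list"
    try:
        spam = int(h["SCL"]) >= 5   # SCL 5 and above is treated as spam
    except (TypeError, ValueError):
        spam = False
    if not spam:
        return "not marked as spam"
    auth_ok = h["dmarc"] == "pass" and "pass" in (h["spf"], h["dkim"])
    if not auth_ok or h["compauth"] in ("fail", "softfail"):
        return "fix authentication or alignment at the ESP"
    if h["CAT"] in ("SPOOF", "UIMP", "DIMP", "GIMP", "PHSH", "HPHSH"):
        return "review tenant anti-phishing and spoof settings"
    return "content or reputation verdict: submit as false positive"
```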
Technical article
Microsoft's documentation on anti-phishing policies states that impersonation protection helps guard against direct domain spoofing, which occurs when the sender's email address is forged to appear as if it comes from your organization's domain. This is a common reason for legitimate third-party emails to be flagged.
22 Sep 2020 - Microsoft Learn
Technical article
Documentation on Exchange Online Protection (EOP) and Microsoft Defender for Office 365 highlights that the spam filter verdict is based on a combination of factors, including sender reputation, content analysis, and authentication results. Even if authentication passes, other factors can lead to a spam classification.