Why do my Exchange Online emails end up in the spam folder? This is because some mail clients use reverse DNS and Exchange Online to decide whether an email is spam.
There can be several reasons why your Exchange Online emails end up in the spam folder. It’s important to understand and resolve these causes to ensure proper delivery of your emails.
Spam Filters and Phishing Detection
Exchange Online Protection (EOP) uses spam filters to identify suspicious emails and move them to the spam folder. If your email meets certain criteria that indicate it may be spam, it can automatically be moved to the spam folder. Additionally, an email marked as phishing can also end up in the spam folder.
Outlook Settings and Zero-hour Auto Purge
The junk email settings in Outlook or the web version of Outlook can affect where your emails end up. Users can configure safe and blocked senders lists. The Zero-hour auto purge (ZAP) feature marks emails that were initially considered safe as spam or phishing and moves them to the spam folder. This mechanism protects us against emerging threats. ZAP can retroactively flag emails that initially passed security filters and move them to the spam folder.
Reverse DNS and Exchange Online
A major contributing factor is the configuration—or lack—of Reverse DNS when using Exchange Online. Office 365 does not support reverse DNS configuration, which can cause emails to be marked as spam by external Outlook users. Reverse DNS is a crucial part of email authentication, and its absence can lower the trustworthiness of your emails.
When users send email from Microsoft Exchange Online or Microsoft Exchange Online Protection to an external recipient, the MTA (Destination Message Transfer Agent) may reject the message. The error message received by users can vary. Usually, it indicates that the hostname of the source server does not match the IP address.
The recipient’s server requires that the server name included in the HELO string of the message has a corresponding pointer resource record (PTR) (reverse IP lookup). Exchange Online and Exchange Online Protection use multiple IP addresses to send email. Due to DNS limitations, not all of these IP addresses are assigned via PTR record to the server name in the HELO string.
The method by which Exchange Online and Exchange Online Protection send email using multiple IP addresses is common among large email systems and is standard. Contact the recipient’s system administrator for assistance.
More Information about Reverse DNS and Exchange Online
In Exchange Online and Exchange Online Protection, outbound email settings follow specific patterns. It’s important to be aware of these patterns if your recipient servers use PTR record lookups for validation. This helps explain why messages sent from the service might be rejected. The patterns are as follows:
The PTR records of the IP addresses in the A record of the EHLO/HELO string do not match the HELO/EHLO string of the sending email server. For example:
PTR record: 207.46.163.150: mail-bn1lp0150.outbound.protection.outlook.com
You can see that mail-bn1lp0150.outbound.protection.outlook.com does not match na01-bn1-obe.outbound.protection.outlook.com.
The sending IP addresses used by Exchange Online and Exchange Online Protection have confirmed reverse DNS records. This means each sending IP address has both a forward (name-to-IP) and reverse (IP-to-name) DNS record that match. For example:
Outbound IP address: 157.56.110.65
PTR record: 157.56.110.65 = mail-bn1on0065.outbound.protection.outlook.com
A-record: mail-bn1on0065.outbound.protection.outlook.com = 157.56.110.65
The HELO/EHLO strings used to identify the email servers used by the service include outbound.protection.outlook.com as well. For example: na01-bn1-obe.outbound.protection.outlook.com
All of these HELO/EHLO strings have A-records that contain a number of outbound IP addresses matching the sending email servers. (The A-records do not contain all of the outbound IPs, however.)
For example:
HELO na01-bn1-obe.outbound.protection.outlook.com
A record:na01-bn1-obe.outbound.protection.outlook.com:
207.46.163.150
207.46.163.151
207.46.163.152
207.46.163.153
207.46.163.154
207.46.163.155
207.46.163.156
207.46.163.157
207.46.163.158
207.46.163.149
Catch-22 with Outlook, Reverse DNS, and Exchange Online
However, Microsoft’s own Outlook requires the reverse lookup to succeed. This means that if you send an email via Exchange Online, these messages may end up in the spam folder.
Users can manually add trusted senders to their Outlook.com accounts via the web interface. Here are the steps:
- Sign in to Outlook.com: Go to Outlook.com and log in to your account.
- Go to Settings: Click the gear icon in the top right corner to open the settings menu.
- View All Outlook Settings: At the bottom of the settings menu, click “View all Outlook settings.”
- Mail Settings: In the settings panel, select “Mail” and then “Junk email.”
- Safe senders and domains: Under “Safe senders and domains,” click “Add” and enter the email address or domain you want to add to the trusted list.
- Save changes: Click “Save” to apply the changes.
SPF, DKIM, and DMARC Settings
To prevent your emails from ending up in the spam folder, ensure that your domain is correctly configured with SPF, DKIM, and DMARC. These authentication mechanisms help verify your emails and improve deliverability. Review and adjust these settings to reduce the likelihood of your emails being flagged as spam.
Sending IP Address Reputation
The reputation of your Exchange Online server’s IP address also plays a role. If the IP address has a poor reputation, emails are more likely to be marked as spam. Check the reputation of your IP address and improve it if needed to increase the trustworthiness of your emails.
In Practice
For example, I find many posts online from people who have become quite frustrated. In their view, Microsoft support doesn’t resolve the issue either. What are some of the things these people (and I myself) have run into?
Conclusion
By paying attention to the configuration of Reverse DNS and Exchange Online, as well as the settings for SPF, DKIM, and DMARC, you can reduce the likelihood that your emails end up in the spam folder of external Outlook users. Improving the reputation of your sending IP address and adjusting the content of your emails are also important steps to enhance deliverability.
More information about sending mail from Exchange Online can be found here. More information about the author of this blog post can be found here.
