Why messages sometimes end up in the Junk folder in Outlook.com even when the sender is on your Safe Senders list

In Outlook.com, we occasionally get a complaint from a user saying that a message is in their Junk Email folder even though the message's sender is on their Safe Senders list. After all, if the sender is on the Safe Senders list, shouldn't the message go to the Inbox?

While this can happen to any user, it occurs most often for people who have Exclusive mode turned on in Outlook.com (Options > Mail > Junk Email > Filters and reporting > Choose a junk email filter [Standard/Exclusive]), which sends every message to the Junk folder unless its sender is on your Safe Senders list. This keeps your mailbox clear of all senders you are not already familiar with.

[Screenshot: Safe Senders safety tip]

While this keeps your Inbox free from spam, it also means that you may get false positives. Reducing false positives means managing a reasonably large contacts list.

Normally, messages from senders on your Safe Senders list do go to your Inbox. However, there are some domains managed by Outlook.com that are frequently targeted for spoofing. If a message comes from one of those domains and it fails authentication, the safe sender is not respected. This is to prevent a spammer from spoofing one of your contacts and getting a free pass to the Inbox. Since the message is not authenticated, we can't trust the sender, and because the domain is frequently spoofed, we treat the message as if the sender weren't on your Safe Senders list.

That's why it goes to Junk.

The confusion arises because normally, when a message in Outlook.com fails authentication, you'll see the red Safety Tip saying that the sender failed the fraud detection checks:

[Screenshot: red Safety Tip for a sender that failed fraud detection checks]

However, in Exclusive mode, you see the yellow safety tip about only accepting email from your Safe Senders list. There is no explanation that it failed authentication and therefore Safe Senders were not respected.

So that's why sometimes a message on your Safe Senders list still goes to the Junk folder. And, while it occurs most frequently for users with Exclusive mode, it can also occur to users in Standard mode for a safe sender if the message fails authentication.
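To check whether a message in Junk fits this pattern, read its Authentication-Results header. The following Python sketch is an added example, not Outlook.com's implementation: it parses that header from a constructed sample message and models the folder decision described above. The `protected_domains` set is a hypothetical stand-in (this post does not list the domains), and what counts as "fails authentication" is an assumption stated in the code.

```python
import email
import re
from email import policy

# Constructed sample message; addresses, IP and header values are made up.
SAMPLE = (
    "Authentication-Results: spf=fail (sender IP is 203.0.113.7) "
    "smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=none header.from=example.com\n"
    "From: Alice <alice@example.com>\n"
    "To: you@example.net\n"
    "Subject: Invoice\n\nHello\n"
)

def parse_auth(raw):
    """Return (sender address, sender domain, {method: result}) for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Use only the topmost header, which the receiving service prepends;
    # copies further down may have been supplied by the sender.
    header = str(msg.get("Authentication-Results", ""))
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[method.lower()] = result.lower()
    sender = msg["From"].addresses[0]
    return sender.addr_spec.lower(), sender.domain.lower(), results

def model_folder(raw, safe_senders, protected_domains, exclusive=False):
    """Model of the behaviour described in this post: (folder, reason)."""
    sender, domain, res = parse_auth(raw)
    # Assumption: "fails authentication" means DMARC fail, or no pass at all.
    failed = res["dmarc"] == "fail" or "pass" not in res.values()
    safe = sender in safe_senders or domain in safe_senders
    if safe and domain in protected_domains and failed:
        return "Junk", "safe sender not respected: protected domain failed authentication"
    if safe:
        return "Inbox", "safe sender honored"
    if exclusive:
        return "Junk", "Exclusive mode: sender is not on the Safe Senders list"
    return "Filtered", "normal junk filtering decides"

if __name__ == "__main__":
    # example.com stands in for a frequently spoofed, protected domain.
    print(model_folder(SAMPLE, {"alice@example.com"}, {"example.com"}))
```
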

* * * * * * * * * *

Now, I realize that this safety tip in Exclusive mode could give more information. So, I'm pushing internally to change the yellow safety tip about "Safe Senders only" to the red safety tip about the sender failing fraud detection checks. That should hopefully give more clarity about why the message is in the Junk Email folder.

Comments

  • Anonymous
    May 22, 2017
    For those of us who are required to use upstream SMTP gateways for processing inbound email before forwarding to ExO, is there a way to securely pass through the Authentication-Results to EOP so that we can take full advantage of how Microsoft handles domain authentication with Safe Senders?
    • Anonymous
      May 22, 2017
      EOP doesn't have the same suppression logic of safe senders the way Outlook.com does. A message can fail authentication and still be respected by safe senders in the majority of cases. And even if safe senders don't work, Transport rules or IP Allow entries will still work.
  • Anonymous
    June 08, 2018
    Hi, How does the "trust email from contacts" feature in Office 365 manage spoofed email? Will safety tips be applied when SPF/DKIM/DMARC fails? Is it recommended to enable "trust email from contacts" or would you see this as a bad practice? Kind regards, Anders