Page 1 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

MY E-MAIL APPEARS AS SPAM –

TROUBLESHOOTING PATH | PART 11#17

The current articles and the next three following articles are

dedicated to the subject of a troubleshooting scenario of

internal \ outbound spam in Office 365 and Exchange Online

environment. In the current article is the focus is on:

“drowning” the path of the troubleshooting processes flow.

The troubleshooting flow includes steps such as:

Step 1 – verifying if our domain name is blacklisted.

Step 2 – verifying if the problem is related to E-mail content.

Step 3 – verifying if the problem is related to specific

organization user E-mail address.

Step 4 – Moving the troubleshooting process to the “other

side.

Page 2 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Additionally, we will briefly review the document that I have

created (Outbound spam – Troubleshooting checklist) for

simplifying the task of troubleshooting documentation, etc.

The characters of troubleshooting

internal \ outbound spam scenario

In a scenario of internal \ outbound spam, we will need to deal

with a number of challenges that relate to the complexity of

such as scenario:

Many components and infrastructure that are involved in the

mail flow.

Many cases that could lead to an “outcome” in which our E-mail

is identified as spam mail.

No clear indication of the reason in which our mail was identified

as spam.

No clear indication for the “element” which “decide” to identify

our organization E-mail as a spam.

Internal spam in Office 365 and Exchange

Online environment | Before we start

Before starting the actual Troubleshooting process, it’s

important that we will be aware to a couple of elements that

relates to internal \ outbound spam scenario:

1. Verify that we have evidence

Page 3 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The first “station” on our journey, is the “clear evidence” for the

problem.

1. The “clear evidence” could be an NDR that was sent to one of

our organization users, who informs him that his E-mail

message was rejected because his mail considers as spam\Junk

mail.

2. A mail notification from a blacklist monitor service, that inform

us that our organization appears as blacklisted.

3. External receipt, that notifies our organization user that he got

his E-mail message but, the E-mail message was saved in his

junk mail folder (our E-mail message was classified as spam\junk

mail).

2. Point out the responsible side that could cause

the problem

Page 4 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The “cause” of the problem, in which E-mail that was sent from

our organization is identified as spam, could be related to “our

side” or, to the “other side”.

An example that relates to the “other side” could be a scenario

of false positive a scenario in which our mail is identified by

mistake as spam.

Although that the problem could be related to the “other side”,

in most of the scenarios the basic assumption is that the

problem is related to “our side”.

In simple words: it’s recommended to start the

troubleshooting process begging on “our side of the equation”.

Only when we fulfill our “due diligence” and, verify beyond a

doubt that “we are OK”, then we can start the troubleshooting

steps that will verify the “other side”.

Page 5 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

3. Verifying the “scope” of the internal \ outbound

spam issue

The term: “internal \ outbound spam” is a very general term.

To be able to create a clear troubleshooting path, we need to

start with: defining the scope of the problem.

The worst-case scenario could be a scenario in which our

domain name appears as blacklisted. This scenario considers

as the “worst-case scenario” because, in this case, the problem

will impact all of our organization users.

In case that we verify and find that the “problem scope” is not

related to “domain level”, the next level could be:

A problem that relates to a specific E-mail message (E-mail

content) or, to a specific user from our organization.

Page 6 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

From my experience, many of the internal \ outbound spam

scenario realities to a specific E-mail message content that the

Office 365 users try to send.

In this case, we can very easily locate if the problem is indeed

related to the E-mail message content by sending to the

“destination recipient”, an empty E-mail message.

In case that we also experience the problem when sending the

“empty mail message”, this could be related to a problem with

an E-mail address of a specific user organization.

The next step will be: sending an E-mail message to the

“destination recipient” by using an E-mail address of other

organization user.

For example: if the “original sender” was: Alice@o365info.com,

send E-mail by using bob E-mail address: Bob@o365info.com

In case that we have also emoted this scenario, the rest of the

“troubleshooting path” could be related to the “other side”

meaning, some element\s in the destination recipient mail

infrastructure.

Page 7 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The internal \ outbound spam

Troubleshooting path

Step 1 – verifying if our domain name is

blacklisted.

Before we start our “troubleshooting journey”, the most

important operation in a scenario of – internal \ outbound

spam is to verify if – our domain name appears as blacklisted.

This is the “worst-case scenario” because this scenario impacts

all of our organization users who use an E-mail address with

our organization domain name.

Page 8 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

In case that the answer is “yes”, meaning our domain name

appears as blacklisted, we need to start with the most

important task: De-list our domain name from the blacklist

In a scenario in which our domain name appears as

blacklisted, we need to find the blacklist\s in which our domain

name appears as blacklisted and, apply a request to be

removed from the blacklist.

Note – You can read more information about the subject of –

de-list our domain name in the article -De-list your

organization from a Blacklist | My E-mail appears as spam |

Part 16#17

Additional tasks that need to be implemented are:

1. In-house investigation – ROC (Root Cause Analyses)

The second task could be described as “in-house

investigation”.

In case that is not a false-positive scenario and, there is a “real

reason” for identifying our domain name as a “problematic

domain”, we need to put all our effort into finding the “root

cause” for the problem.

2. Consider using a blacklist monitor service

This is not a mandatory requirement, but instead, more of a:

best practice.

Using this type of service enables us to identify in real time a

problem in which our domain name appears as blacklisted

and, enables us to be proactive instead of reactive.

Page 9 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Note – you can read more information about the subject of –

blacklist monitor service in the article: My E-mail appears as

spam | Troubleshooting – Domain name and E-mail content

| Part 12#17

Moving on - In case that the answer is: “No”, meaning that our

domain name doesn’t appear as blacklisted, this is actually

“good news” because we prefer the less critical scenarios that

will be reviewed in the next sections.

Step 2 – verifying if the problem is related to E-

mail content.

The most common reason for the scenario in which mail that

was sent from our organization user identified as spam\junk

mail is: the E-mail message content.

Page 10 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

To be able to find out if the problem is related to specific E-

mail message content that appeared in the E-mail message,

we will need to send an “empty E-mail” (no content) to the

destination receipt.

In case that the empty E-mail message was successfully sent to

the destination receipt, we can assume that the problem is

related to the specific E-mail message content.

Additional recommended tasks in a scenario in which we

discover that the problem was realties to the specific E-mail

content are:

1. In-house investigation – ROC (Root Cause Analyses)

Start an “In-house investigation” to find out what part of the

content of the E-mail message is the cause of the problem.

Optional, additional operations:

Page 11 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

2. Using Exchange Online future – outbound spam.

An additional recommended step that we can implement is –

“activating” the Exchange Online option of – outbound spam.

This option will send a notification to the “person that we

indicate” each time that the Exchange Online will recognize E-

mail message that was sent by Office 365 users as a spam \

Junk mail.

Note – You can read more information about the subject of

Exchange Online – outbound spam, in the article: My E-mail

appears as spam | Troubleshooting – Domain name and E-

mail content | Part 12#17

3. Implementing spam score check

This operation is highly recommended because, using a “spam

score” tool will enable us to understand the exact cause of the

problem (the reason to identify the E-mail message as

spam\junk mail).

And additionally in the future, it’s also highly recommended to

perform the spam score before we send out an E-mail

message such as commercial E-mail, etc.

Note – You can read more information about how to

check the spam score in the article: My E-mail appears as

spam | The 7 major reasons | Part 5#17

Page 12 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Moving on - In case that the answer is: “No”, meaning that the

external receipt did not get the “Empty E-mail message”, this

will lead us to the next troubleshooting step, in which we will

need to verify if the problem is related to the specific E-mail

address of our organization recipient .

Step 3 – verifying if the problem is related to

specific organization user E-mail address.

Just a brief summary: as of the current phase, we know that:

Our domain name is not blacklisted.

The issue is not related to a specific content that “appear” in the

E-mail message because even when we sent an “empty E-mail

message”, the E-mail message didn’t reach to the destination

receipt and also; we didn’t get a notification from Exchange

Page 13 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Online about “outgoing mail” that was identified as spam\Junk

mail (assuming that we have activated the outbound spam

option of Exchange Online).

The next “parts” that we need to check in “our side”, is a

scenario in which a specific user from our organization

appears as blacklisted.

To be able to find out if the problem is related to the specific

email address of an organization’s recipient, we will need to

send an E-mail to destination receipt, by using an E-mail

account (other E-mail address) of another organization user.

In case that when using other organization user E-mail

address, the E-mail message was successfully sent to the

destination receipt, we can assume that the problem is related

to the specific E-mail address of our organization user.

Page 14 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Note – Another option is a “problem” on the “other side” (the

destination recipient or the destination recipient mail

infrastructure).

Optional, additional operations:

1. In-house investigation – ROC (Root Cause Analyses)

Start an “In-house investigation” for finding out, what is the

reason in which a specific E-mail address of the organization

user is blacklisted.

Optional, additional operations:

2. Exchange Online – Message trace

In case that we suspect the problem is caused because a “bulk

mail” scenario, in which the organization users “load” external

recipients with a large amount of E-mail messages, we can use

the Exchange Online tool: Message trace, for getting more

detailed information about the user organization user

“activity”.

Additional reading

Run a Message Trace and View Results

Monitoring, reporting, and message tracing in Exchange

Online

Troubleshoot email delivery using the Exchange Online

message trace tool

Page 15 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

3. SPF record

An addition parameter that is important to verify is our

organization SPF record. The verification process could

include:

Verify that we use SPF record, verify the SPF record is

configured correctly, etc.

Note – You can read more information about SPF record

infrastructure in the articles:

What is SPF record good for? | Part 7#17

Implementing SPF record | Part 8#17

Note – the need to verify the organization SPF record, is not

related to a specific “phase” in the troubleshooting process

and practically, you can even start by completing this step at

the begging of the troubleshooting process.

Moving on - In case that the answer is: “No”, meaning the

external receipt did not get an E-mail message that was sent

from the “other organization user”, we will need to move on to

the next troubleshooting step.

Page 16 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Moving the troubleshooting process to

the “other side.

In this phase, we “move” into the territory of the “other side”

meaning: the destination receipt realm.

Because we didn’t manage to point out a specific element

from “our side”, we assume that the reason in which our E-

mail is identified as spam is related to the “other side” of the

equation.

The term “the other side” can be translated into factors that

are related to the specific destination recipient infrastructure

or to the destination recipient mail infrastructure.

Page 17 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

In case that in our scenario the “evidence” for the outbound

spam problem is an NDR message that was sent from the mail

server of the destination receipt, we can “jump” to step 5.

Asking for help from the “other side” | Overcomes

possible obstacles.

Yes, I know it’s not so simple to get help or, asks for help from

the “other side” because we need to overcome a number of

obstacles such as – most of the time it’s not so simple to

contact the destination recipient, many times the destination

recipient is not a “technical person” and so on.

In case that we need to contact the “technical representative”

of the destination recipient, it’s even harder.

Page 18 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

There no way that we can ensures his cooperation throughout

the process because that often, “the other side” has no

interest.

Despite all of this “obstacle,” it’s necessary to understand that

in a scenario of “mail flow” that is implemented using different

mail infrastructure (us and them), it is not always passable to

find the causes of the spam problem, only by Investigating and

troubleshooting “our side” (our Office 365 and Exchange

Online mail infrastructure) of the story.

Step 4 – verifying if the problem is related to

the external receipt environment.

The main charters of this scenario are – E-mail that was sent

from our organization, is reaching to the destination recipient

mailbox but, sent to the junk mail folder.

There could be three major reasons for this issue:

1. Inbox rule – inbox rule (or blocked recipient list) that was

defined by the destination receipt, which classify E-mail message

that was sent from our domain as spam\junk mail.

2. Antivirus or other mail security application, which identifies our

organization user E-mail as spam.

3. Mail application that includes spam filter and identifies our

organization user E-mail as spam.

To be able to verify this option or, to eliminate this option, we

will need to contact the destination recipient and ask for his

help.

Page 19 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The destination recipient will need to check this option and

update us regarding the results.

In case that we could not find the specific “element” or in case

that we got an NDR message from the destination mail server,

we will need to move to the next troubleshooting step.

Step 5 – verifying if the problem is related to

external receipt mail infrastructure.

In this step, we will need the assistance of a technical person

that manages the mail infrastructure of the “destination

receipt”.

We will need to ask the “technical contact”, to look over the

mail server log or, into his mail security gateway log and try to

locate information about the “event” in which mail that was

sent from our organization was identified as spam and if

possible, the reason for this “identification”

Summary and recap

Page 20 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

In case that you have read all the former articles in this article

series, there were additional troubleshooting steps and

actions that could have been performed such as:

Using online web services that will help us to get our spam

score for a specific E-mail message that we are going to send.

We can combine this steps, as a “preventive action” or as a

part of the troubleshooting flow. This decision about what are

the specific steps that will be included in the internal \

outbound spam troubleshooting flow, is for you to decide,

based on the specific scenario charters, your organization’s

business needs and so on.

Using Outbound spam – Troubleshooting

checklist document

For your convenience, I have created a document that includes

a short troubleshooting checklist for a scenario of internal \

outbound spam.

The purpose of this document is to facilitate the

documentation process and to enable you to get a quick list of

the troubleshooting steps that need to be implemented.

Page 21 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

In the following screenshot, we can see the first part in which

we document the general charters of the scenario.

Despite the fact that it seems obvious, it is very important that

we will have a very accurate and clear scope of the problem:

who is our organization user who reports about the problem,

who is the “destination recipient”, does the problem reported

by many of our organization users or only one and so on.

Page 22 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The next part is troubleshooting cubes” that includes:

A brief description of the task

A brief description of the purpose of the task

The documentation of the troubleshooting step’s results

Page 23 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Download the: Outbound spam – Troubleshooting

checklist document Download

Find help for office 365 | EOP and spam

Another useful resource that we can use is the “Find help for

office 365”

The “Find help for office 365” is a wizard based

troubleshooting tool that was created for helping us to get the

“right answer” is quick as possible.

In our example, we are dealing with a scenario of internal \

outbound spam.

Page 24 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

In the “first section”, we will choose the relevant Office 365

products. In our scenario its: Exchange Online Protection.

In the section: “what is your question about”, we will

choose: Mail Protection (Spam and Malware)

On the last section: “ok, and which part of that topic specifically?”

we will select the option: user mailbox was blocked for sending

spam

Page 25 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

The “result” is article and information that relate to our specific

problem.

Page 26 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

Internal \ outbound spam in Office 365

environment | Article series index

A quick reference for the article series

My E-mail appears as a spam | Article

series index | Part 0#17

The article index of the complete

article series

Introduction to the concept of internal \ outbound spam in general

and in Office 365 and Exchange Online environment

Page 27 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

My E-mail appears as a spam –

Introduction | Office 365 | Part 1#17

The psychological profile of the

phenomenon: “My E-mail appears as

a spam!”, possible factors for causing

our E-mail to appear a “spam mail”,

the definition of internal \ outbound

spam.

Internal spam in Office 365 –

Introduction | Part 2#17

Review in general the term: “internal \

outbound spam”, miss conceptions

that relate to this term, the risks that

are involved in this scenario,

outbound spam E-mail policy and

more.

Internal spam in Office 365 –

Introduction | Part 3#17

What are the possible reasons that

could cause to our mail to appear as

spam\junk mail, who or what are this

“elements”, that can decide that our

mail is a spam mail?, what are the

possible “reactions” of the destination

mail infrastructure that identify our E-

mail as spam\junk mail?.

Commercial E-mail – Using the right

tools | Office 365 | Part 4#17

What is commercial E-mail?

Commercial E-mail as part of the

business process. Why do I think that

Office 365\ Exchange Online is

Page 28 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

unsuitable for the purpose of

commercial E-mail?

Introduction if the major causes for a scenario in which your

organization E-mail appears as spam

My E-mail appears as spam | The 7

major reasons | Part 5#17

Review three major reasons, that

could lead to a scenario, in which E-

mail that is sent from our

organization identified as spam mail:

1. E-mail content, 2. Violation of the

SMTP standards, 3. Bulk\Mass mail

My E-mail appears as spam | The 7

major reasons | Part 6#17

Review three major reasons, that

could lead to a scenario, in which E-

mail that is sent from our

organization identified as spam mail:

4. False positive, 5. User Desktop

malware, 6. “Problematic” Website

Introduction if the subject of SPF record in general and in Office

365 environment

Page 29 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

What is SPF record good for? | Part

7#17

The purpose of the SPF record and the

relation to for our mail infrastructure.

How does the SPF record enable us to

prevent a scenario in which hostile

elements could send E-mail on our

behalf.

Implementing SPF record | Part 8#17

The “technical side” of the SPF record:

the structure of SPF record, the way

that we create SPF record, what is the

required syntax for the SPF record in

an Office 365 environment + mix mail

environment, how to verify the

existence of SPF record and so on.

Introduction if the subject of Exchange Online - High Risk Delivery

Pool

High Risk Delivery Pool and Exchange

Online | Part 9#17

How Office 365 (Exchange Online) is

handling a scenario of internal \

outbound spam by using the help of

the Exchange Online- High Risk

Delivery Pool.

Page 30 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

High Risk Delivery Pool and Exchange

Online | Part 10#17

The second article about the subject

of Exchange Online- High Risk

Delivery Pool.

The troubleshooting path of internal \ outbound spam scenario

My E-mail appears as spam –

Troubleshooting path | Part 11#17

Troubleshooting scenario of internal \

outbound spam in Office 365 and

Exchange Online environment.

Verifying if our domain name is

blacklisted, verifying if the problem is

related to E-mail content, verifying if

the problem is related to specific

organization user E-mail address,

moving the troubleshooting process

to the “other side.

My E-mail appears as spam |

Troubleshooting – Domain name and

E-mail content | Part 12#17

Verify if our domain name appears as

blacklisted, verify if the problem

relates to a specific E-mail message

content, registering blacklist

monitoring services, activating the

option of Exchange Online outbound

spam.

Page 31 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

My E-mail appears as spam |

Troubleshooting – Mail server | Part

13#17

What is the meaning of: “our mail

server”?, Mail server IP, host name

and Exchange Online. One of our

users got an NDR which informs him,

that his mail server is blacklisted!,

How do we know that my mail server

is blacklisted?

My E-mail appears as spam |

Troubleshooting – Mail server | Part

14#17

The troubleshooting path logic. Get

the information from the E-mail

message that was identified as

spam\NDR. Forwarding a copy of the

NDR message or the message that

saved to the junk mail

My E-mail appears as spam |

Troubleshooting – Mail server | Part

15#17

Step B – Get information about your

Exchange Online infrastructure, Step

C – fetch the information about the

Exchange Online IP address, Step D –

verify if the “formal “Exchange Online

IP address a

Page 32 of 32 | My E-mail appears as spam - Troubleshooting path | Part 11#17

Written by Eyal Doron | o365info.com

De-list your organization from a

blacklist | My E-mail appears as spam

| Part 16#17

Review the charters of a scenario in

which your organization appears as

blacklisted. The steps and the

operations that need to be

implemented for de-list your

organization from a blacklist.

Summery and recap of the troubleshooting and best practices in a

scenario of internal \ outbound spam

Dealing and avoiding internal spam |

Best practices | Part 17#17

Provide a short checklist for all the

steps and the operation that relates

to a scenario of – internal \ outbound

spam.