============================================================================== O365 headers https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers 5321.MailFrom address - MAIL FROM, P1 sender, envelope sender 5322.From address - From address, P2 sender Authentication-Results spf= smtp.mailfrom= pass (IP address): passed - client authorized to send or relay email on behalf of the sender's domain fail (IP address): failed, sometimes called hard fail softfail (reason): host not allowed to send, but in transition neutral: record explicitly states it does not assert whether IP address is authorized to send none: domain has no SPF record or SPF record doesn't evaluate to a result temperror: temporary error occurred, same check later may succeed - NDS error, etc permerror: permanent error occurred - domain has a badly formatted SPF record, etc smtp.mailfrom: domain of the 5321.MailFrom address - used for Non-Delivery Reports (NDR) or bounces dkim= header.d= pass: DKIM check passed fail (reason): DKIM check failed none: message was not signed header.d: domain from DKIM signature, queried for public key dmarc= action= header.from= pass: DMARC check passed fail: DMARC check failed bestguesspass: no domain DMARC TXT record exists, if one had, DMARC check would have passed - domain in the 5321.MailFrom address matches domain in the 5322.From address none: no DMARC TXT record exists for the sending domain action oreject or o.reject: override reject - message fails DMARC check from a domain whose DMARC TXT record has a policy of p=reject, message marked as spam pct.quarantine: message failed DMARC, policy set to quarantine, pct field not set to 100% - system randomly decided not to apply DMARC action, per domain policy pct.reject: message failed DMARC, policy set to reject, pct field not set to 100% - system randomly decided not to apply DMARC action, per domain policy permerror: permanent error during DMARC evaluation, resend isn't likely to to result in different outcome temperror: temporary error during DMARC evaluation, resend may result in different outcome header.from: 5322.From address - recipient sees as from address reason (Nxx - xx used by Microsoft 365) 000: failed explicit authentication (compauth=fail) 001: failed implicit authentication (compauth=fail) - sending domain did not have email authentication records published, or they had a weaker failure policy (SPF soft fail or neutral, DMARC policy of p=none) 002: policy for the sender/domain pair that is explicitly prohibited from sending spoofed email 010: message failed DMARC with an action of reject or quarantine, sending domain is an accepted domain 1xx or 7xx: passed authentication (compauth=pass) 2xx: soft-passed implicit authentication (compauth=softpass) 3xx: not checked for composite authentication (compauth=none) 4xx or 9xx: bypassed composite authentication (compauth=none) 6xx: failed implicit email authentication, sending domain is an accepted domain X-Forefront-Antispam-Report CIP - connecting IP address (use for IP allow/block lists) CTRY - country associated with the CIP value LANG - language the message is written SCL - Spam Confidence Level -1: skipped spam filter (safe sender, IP allow list, etc) 0,1: message not spam, deliver to inbox 5,6: message is spam, deliver to junk folder 9: high-confidence spam, deliver to junk folder SRV BULK: identified as bulk by filtering and BCL value IPV CAL: skipped spam filtering due to being on IP allow list NLI: IP address was not found on any IP reputation list SFV BLK: filtering skipped, message blocked - on user blocked sender list NSPM: filtering marked as not spam SFE: filtering skipped, message allowed - on user safe sender list SKA: filtering skipped, message allowed - by policy allow sender/domain SKB: marked as spam - by policy blocked sender/domain SKI: filtering skipped - non-specific reason, prob internal message SKN: message was already marked to skip spam filtering SKQ: message released from quarantine SKS: message already marked as spam, prob mail flow rule SPM: marked as spam by filtering H - HELO or EHLO string from the connecting server PTR - reverse DNS lookup for the source IP address CAT - highest priority policy that was applied to message BULK: Bulk DIMP: Domain Impersonation GIMP: Mailbox intelligence based impersonation HPHSH or HPHISH: High confidence phishing HSPM: High confidence spam MALW: Malware PHSH: Phishing SPM: Spam SPOOF: Spoofing UIMP: User Impersonation AMP: Anti-malware SAP: Safe attachments OSPM: Outbound spam SFS - list of spam rules the filter matched? DIR - message direction? INB: inbound? OUT: outbound? SFP (found on outbound message) 1101? X-Microsoft-Antispam BCL: Bulk Complaint Level 0: not from bulk sender 1,2,3: from bulk sender who has very few complaints 4,5,6,7: from bulk sender who has mixed number of complaints 8,9: from bulk sender who has high number of complaints ============================================================================== ------------------------------------------------------------------------------ ==============================================================================