Massive increase of false positive in quarantine

Jon Mercer 1,011 Reputation points
2023-07-06T17:27:37.4933333+00:00

One of our email accounts got spoofed. This caused two things to happen. One, Google blacklisted us, which we got removed by adding a TXT record in our DNS to verify we are the owner of the domain. The other is around a 10-fold increase of false positive emails in quarantine being called spam. It initially started with the reply-all storm policy kicking in from the spoofing. Is there a way to go back to how it was?

The emails are mostly Gmail, but there are others, though it seems to be the same couple that are now considered spam. They are going to either individual users or shared mailboxes.

We have one group that does a mail merge, and now that gets their email address blocked since it violates the number of spam emails that can be sent out. It has worked fine for years till the spoofing event on Tuesday.


3 answers
  1. Schneider, Tobias 1,160 Reputation points
    2023-07-06T20:50:15.6633333+00:00

    Hello @Jon Mercer,

    SPF is a standard method of email authentication. This protects your domain from spoofing and prevents outgoing messages from being marked as spam by receiving servers. It also defines the mail servers that are allowed to send email for your domain. In inbound mail servers, SPF checks incoming messages that appear to come from your domain to make sure they were really sent from servers you authorized.

    Without SPF, inbound servers are more likely to mark messages sent from your organization or domain as spam.

    As of November 2022, new senders sending email to private Gmail accounts must set up either SPF or DKIM. Google performs random checks on messages from new senders to private Gmail accounts to determine if they have been authenticated. Messages without at least one of these authentication methods are rejected or marked as spam with the 5.7.26 error. This requirement does not apply to existing senders. However, we recommend that you always set up SPF and DKIM to protect your organization's email and meet future authentication requirements.

    For more information on SPF, click here.

    For more information on DKIM, click here.


    If this is helpful, please accept the answer. Thank you.


  2. Aholic Liang-MSFT 13,861 Reputation points Microsoft Vendor
    2023-07-10T09:51:45.6833333+00:00

    Hi @Jon Mercer ,

    Just want to confirm if these senders marked as spam are from a unified organization or a specific few senders?

    If these senders send messages directly to your organization instead of replying to you, will they still be marked as spam?

    If this is the case, these senders need to be in good standing and properly configured for SPF, DKIM, and DMARC.

    Also, from your organization's side, you can also refer to the steps in this link to handle false positive emails:

    1. Add the sender to the Safe Senders List in Outlook.

    2. Administrators can submit to Microsoft for analysis and understand why the email was originally blocked.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
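The first answer describes what SPF does, and the second asks whether the senders are "properly configured for SPF, DKIM, and DMARC". As an added illustration (not code from either answer or from Microsoft), the following script shows what a receiving server actually computes when it applies SPF to a connecting IP: it fetches the domain's `v=spf1` TXT record, walks the mechanisms in order, follows `include:` delegations, and returns one of the RFC 7208 results. DNS is replaced by a constructed in-memory zone (`FAKE_TXT`, using documentation address ranges), so it runs offline; the domain names and addresses are assumptions, not anything from the thread. Only `ip4`, `ip6`, `include` and `all` are modelled; DKIM and DMARC alignment are out of scope.

```python
import ipaddress

# Constructed TXT zone standing in for DNS (assumption: no real lookup is made).
# example.com authorizes one IPv4 block and delegates to _spf.example.net.
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing include
    "norecord.example": ["some unrelated txt record"],     # no SPF published at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


def get_spf_records(domain, zone):
    """Return every v=spf1 TXT record published for domain (RFC 7208 section 4.5)."""
    return [r for r in zone.get(domain.lower(), [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_spf(sender_ip, domain, zone=FAKE_TXT, _lookups=None):
    """Evaluate SPF for a connecting IP whose MAIL FROM claims `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms a/mx/ptr/exists and the redirect= modifier are not modelled
    and are reported as permerror so they are never silently treated as pass.
    """
    if _lookups is None:
        _lookups = [0]                      # counter shared across nested includes
    records = get_spf_records(domain, zone)
    if not records:
        return "none"                       # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"                  # multiple SPF records are an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:     # skip the "v=spf1" version tag
        # Modifiers look like name=value; unknown ones are ignored per the RFC.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            if term.split("=", 1)[0].lower() == "redirect":
                return "permerror"          # redirect= not modelled here
            continue
        qualifier = "+"                     # mechanisms default to "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed or missing network
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"          # lookup limit exceeded (also catches loops)
            inner = check_spf(sender_ip, arg, zone, _lookups)
            if inner in ("none", "permerror"):
                return "permerror"          # including a missing record is an error
            matched = inner == "pass"       # only an inner "pass" matches the include
        else:
            return "permerror"              # a, mx, ptr, exists not modelled
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # no mechanism matched and no "all" term


if __name__ == "__main__":
    # Authorized sender, authorized sender via the include, and a spoofed source.
    for ip in ("203.0.113.7", "2001:db8::1", "198.51.100.1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The third case is the one the thread is about: a message from an address the domain never authorized reaches `-all` and fails, which is what lets a receiving server reject a spoofed message instead of delivering it. A domain that publishes `~all` (softfail) or `?all` (neutral) gives the receiver far less to act on, and a domain with no record at all returns `none`, which is the situation the first answer warns will get mail marked as spam. The include loop and the missing-record cases show why a `permerror` is returned rather than a result the sender would want.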


  3. Jon Mercer 1,011 Reputation points
    2023-07-25T19:40:06.25+00:00

    It took a couple of weeks and going to Tier 2, but the root cause was what we suspected: our domain got blacklisted on Exchange and had to be delisted by the Exchange backend (PG) people.

    This is what the Tier 2 said.

    The Engineering team has delisted the domain.

    Course they also said this, which is kind of irritating since it looks like Tier 2 doesn't have access to a lot of things that might make these issues quicker to be resolved.

    Root cause analysis is always provided on the best effort basis, and there will always be scenarios where root cause analysis is not possible.

    We support team do not have access to servers in data center.

    We are heavily dependent on the logs provided by customer and analysis done by the engineering team.
