This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 88%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Hello,
Emails that are sent from the appled.eu domain to Microsoft Office 365 accounts are very frequently marked as "Phishing" and are quarantined automatically.
This happens with mails without any hyperlinks and even with plain-text mails with no attachments.
The appled.eu domain has a valid SPF record, valid DKIM domain keys, and valid dMarc settings.
Why are these mails quarantined?
Thank you
well if that is the case, there is no way to fix that, other than the recipients marking the messages as false positives or they open a case with 365 support.
Ok, thanks again for sharing your insights.
I'll have the dmarc record reconfigured for reject.
We will send out an email to our contacts discribing the issue with Microsoft Office 365 accounts and ask users to open a case with 365 support as you suggest. Maybe, if there are enough requests (we already know of 32 problematic Microsoft-hosted email addresses), Microsoft will adjust its policies and judge based our emails on content instead of suspicion.
@Jan Van Hoye As Andy's suggestion, it is better to open a case with 365 support. If Andy's answer helps you please mark "Accept Answer" so other users can reference it.
The DMARC settings are not enabled. The policy should really be set to "Reject" for optimal usage:
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3aappled.eu&run=toolpage
Thank you for thinking along, David.
Do you think tsetting the dmarc policy to 'reject' will make a difference?
Will this not cause all mail from appled.eu simply being rejected instead of quarantined?
If not, can you please clarify why? Thanks again!
Assuming these emails are being sent correctly ( passing DMARC) and from authorized senders, then reject is the strongest and best policy to use. Only emails sent incorrectly or from unauthorized IPs will get rejected. If you arent sure if the messages are being sent correctly, then set the policy to "Quarantine" first for a bit and monitor.
But your ultimate goal should be a policy of reject.
I'm sure the mails pass all checks because Microsoft is sending out dmarc reports stating the emails have passed all checks. See below (recipient obscured for privacy reasons). Nevertheless these two particulars email both ended up in quarantine (confirmed by the recipients).
So I agree that setting dmarc to reject is a good practice in general (and we will do so). However, I do believe the issue lies somewhere else. Someone pointed out to us that this might have something to do with the domain name itself, being very close to the "apple" domain. Do you think this could be a reason? And if yes, how can we 'fix' this?
Dmarc report:
<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<version>1.0</version>
<report_metadata>
<org_name>Enterprise Outlook</org_name>
<email>dmarcreport@microsoft.com</email>
<report_id>2ee81526b4ae45ff9e62f16bb5f5f9ed</report_id>
<date_range>
<begin>1709164800</begin>
<end>1709251200</end>
</date_range>
</report_metadata>
<policy_published>
<domain>appled.eu</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
<fo>1</fo>
</policy_published>
<record>
<row>
<source_ip>193.110.250.124</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_to>********.be</envelope_to>
<envelope_from>appled.eu</envelope_from>
<header_from>appled.eu</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>appled.eu</domain>
<selector>appledmail</selector>
<result>pass</result>
</dkim>
<spf>
<domain>appled.eu</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>193.110.250.124</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_to>**********.be</envelope_to>
<envelope_from>appled.eu</envelope_from>
<header_from>appled.eu</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>appled.eu</domain>
<selector>appledmail</selector>
<result>pass</result>
</dkim>
<spf>
<domain>appled.eu</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>