Why messages sometimes end up in the Junk folder in Outlook.com even when the sender is on your Safe Senders list

In Outlook.com, we occasionally get a complaint from a user saying that a message is in their Junk Email folder even though the message's sender is on their Safe Senders list. After all, if the sender is on the Safe Senders list, shouldn't the message go to the Inbox?

While this can happen to any user, it occurs most often for people who have Exclusive mode turned on in Outlook.com (Options > Mail > Junk Email > Filters and reporting > Choose a junk email filter [Standard/Exclusive]), which sends every message to the Junk folder unless its sender is on your Safe Senders list. This keeps your mailbox clear of all senders whom you are not already familiar with.


While this keeps your Inbox free from spam, it also means that you may have false positives. Reducing false positives means managing a reasonably large contacts list.

Normally, messages from senders on your Safe Senders list do go to your Inbox. However, there are some domains managed by Outlook.com that are frequently targeted for spoofing. If a message comes from one of those domains and fails authentication, the Safe Senders entry is not respected. This prevents a spammer from spoofing one of your contacts and getting a free pass to the Inbox. Since the message is not authenticated, we can't trust the sender, and because the domain is frequently spoofed, we treat the message as if the sender isn't on your Safe Senders list, so it goes to your Junk folder.

That's why it goes to Junk.

The confusion arises because normally, when a message in Outlook.com fails authentication, you'll see the red Safety Tip saying that the sender failed the fraud detection checks.


However, in Exclusive mode, you see the yellow safety tip about only accepting email from your Safe Senders list. There is no explanation that it failed authentication and therefore Safe Senders were not respected.

So that's why sometimes a message on your Safe Senders list still goes to the Junk folder. And, while it occurs most frequently for users with Exclusive mode, it can also occur to users in Standard mode for a safe sender if the message fails authentication.
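The decision described above can be modelled in a few lines, which also makes the missing diagnostic (the reason the Safe Senders entry was ignored) explicit. This is an added example, not Outlook.com's code: the protected domain is a placeholder because the article does not name the domains, "authenticated" is assumed to mean `dmarc=pass` in the `Authentication-Results` header, and the Safe Senders list is assumed to hold lowercase addresses only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholder: the article does not name the Outlook.com-managed domains.
PROTECTED_DOMAINS = {"protected.example"}

def is_authenticated(msg):
    # Assumption: "authenticated" means Authentication-Results reports dmarc=pass.
    results = " ".join(msg.get_all("Authentication-Results", []))
    match = re.search(r"\bdmarc=(\w+)", results, re.IGNORECASE)
    return match is not None and match.group(1).lower() == "pass"

def classify(raw_message, safe_senders, mode="standard"):
    """Return (folder, safety_tip, reason) for one raw message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    on_list = sender in safe_senders
    # The safe sender is ignored only for a protected domain that fails auth.
    suppressed = (on_list and domain in PROTECTED_DOMAINS
                  and not is_authenticated(msg))
    if on_list and not suppressed:
        return ("Inbox", None, "safe sender respected")
    reason = ("safe sender ignored: failed authentication" if suppressed
              else "sender not on Safe Senders list")
    if mode == "exclusive":
        # The yellow "Safe Senders only" tip is shown in both cases,
        # so the tip alone does not reveal the authentication failure.
        return ("Junk", "yellow", reason)
    if suppressed:
        return ("Junk", "red", reason)
    # Standard mode, sender not on the list: outcome not covered by the article.
    return ("normal filtering", None, reason)

def make_sample(sender, dmarc):
    # Constructed message for illustration, not real traffic.
    return (f"Authentication-Results: mx.example.net; spf={dmarc}; dmarc={dmarc}\n"
            f"From: Contact <{sender}>\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    safe = {"alice@protected.example"}
    for mode in ("exclusive", "standard"):
        print(mode, classify(make_sample("alice@protected.example", "fail"), safe, mode))
```
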

* * * * * * * * * *

Now, I realize that this safety tip in Exclusive mode could give more information. So, I'm pushing internally to change the yellow safety tip about "Safe Senders only" to the red safety tip about the sender failing fraud detection checks. That should hopefully give more clarity about why the message is in the Junk Email folder.

Comments (8)
  1. Jesse Thompson says:

    For those of us who are required to use upstream SMTP gateways for processing inbound email before forwarding to ExO, is there a way to securely pass through the Authentication-Results to EOP so that we can take full advantage of how Microsoft handles domain authentication with Safe Senders?

    1. tzink says:

      EOP doesn’t have the same suppression logic of safe senders the way Outlook.com does. A message can fail authentication and still be respected by safe senders in the majority of cases. And even if safe senders don’t work, Transport rules or IP Allow entries will still work.

  2. Skrbnik UM says:

    First of all, thank you for having such a great blog. It is nice to see that there are people out there dealing with similar issues as we do 😉

    Our users are reporting that e-mails sent to “@hotmail.com” users are not being delivered to mailbox, nor to the Junk Folders. But what worries us the most is that our users are also not receiving NDRs…

    The first time we tried to troubleshoot this situation, we ended up joining the SNDS and JMRP programs. Eventually, we opened a support ticket with the “Outlook.com Deliverability Support” team and their answer was so:

    “Our investigation has determined that there are no active blocks against these IP(s); however, some messages were filtered. We have confirmed that these IP(s) are eligible for conditional mitigation, but may be subject to low daily e-mail limits until they have established a good reputation. Please note that this mitigation does not guarantee that your mail will be delivered to a user’s inbox.”

    We were puzzled since we did not know why our IPs had bad reputation. From our side we have SPF+DKIM+DMARC implemented and we are monitoring multiple RBLs and everything would show green… Since then, we started monitoring CSV reports via the “Automated Data Access”, to check for SNDS status…

    The funny thing is that, even though the SNDS reports show us GREEN status, some of the e-mails are still not being delivered to the Inbox, nor Junk Folder nor NDRs…

    I think I cannot generalize this to all our users, but at least, it is happening right now for our testing “@hotmail.com” account…

    Is there any way you could explain this to us? The only similar reference we found with similar symptoms is this article dated “1 May 2007”:


    Thank you and regards,


    1. Skrbnik UM says:

      Hi @tzink,

      do you have any input here? Your insights would be very helpful to us.

      Let me also share with you that our e-mail system is well monitored, regularly updated and administrated and it includes the following main features:
      2x SMTP Gateways, responsible for AntiSpam/AntiVirus filtering of all incoming e-mails;
      2x hardware Load Balancers set up in HA mode to ensure optimized e-mail traffic load;
      2x corporate Exchange 2016 servers set up HA mode with equally redistributed load;
      Outgoing e-mails are authenticated and secured via “SPF, DKIM and DMARC” full implementation;
      Only authenticated users are allowed to send e-mails;
      Authenticated users are allowed to send a limited number of e-mails per day (500 messages/person/24 hours);

      In addition to that, we are:
      monitoring different types of mail-flows to verify e-mail deliverability of our users;
      monitoring our SMTP Gateway’s IPs reputation in most important blacklists by using the next online services:
      members of Outlook.com Smart Network Data Services (SNDS) and Junk Mail Reporting Program (JMRP) programs, where we are also monitoring our e-mail reputation:

      Currently, one of our IPs is marked as RED. We don’t understand why, because it is being used strictly for testing purposes. We are making e-mail roundtrips to monitor mail-flow, so we are sending every minute an e-mail to Outlook.com and Hotmail.com recipients and they are bounced to us. The status has been green for a very long time, why would that change all of a sudden?

      Can you help us understand this behaviour?

      Thank you and regards,


  3. Terry says:

    Thanks, this was confusing me. But I still don’t understand. If I make the decision to add an address to my safe senders list, then why not let it through? Or at least do something so that I can get the messages. Notify the company? Something? Right now this address newsletters@cnet.online.com is always ending up in Junk folder.

  4. A837277 says:


    How does the “trust email from contacts” feature in Office 365 manage spoofed email? Will safety tips be applied when SPF/DKIM/DMARC fails? Is it recommended to enable “trust email from contacts” or would you see this as a bad practice?

    Kind regards, Anders

    1. tzink says:

      “Trust email from Contacts” treats a message like a safe sender – it skips filtering and delivers to the inbox, regardless of whether or not the message was spoofed.

      Safety Tips are not necessarily applied when SPF/DKIM/DMARC fails, but see more details in http://aka.ms/AntispoofingInOffice365 and http://aka.ms/LearnAboutSpoofing.

      Trusting your contacts can be a bad practice, although it requires a spammer/phisher to guess who your contacts are. In some cases (such as a high level executive) this is pretty easy, and therefore would expose more risk. For lower level employees who are not as valuable or easy to guess, it introduces less risk.
