Showing a question mark ‘?’ in the sender photo when a message is not authenticated


In order to help stop phishing messages, Office 365 and Outlook.com already filter messages using authentication methods including SPF, DKIM, DMARC, and antispoofing. These techniques verify that the sender is who they say they are, and they are used to either mark the message as Junk Email or deliver it to your Inbox. They sometimes also add Safety Tips. In the next few weeks, Outlook Web Access (OWA) and Outlook.com will be rolling out indicators that show when the sender of a message cannot be identified (authenticated).

Unauthenticated messages show a '?' in the sender photo

When Outlook.com or Office 365 cannot verify the identity of the sender using SPF, DKIM, or any other technique, it will display a '?' in the sender photo:

Not every message that fails to authenticate is malicious. However, you should be careful before interacting with messages that do not authenticate if you do not recognize the sender. Or, if you recognize the sender and they normally don't have a '?' in the sender photo and you suddenly start seeing it, that could be a sign the sender is being spoofed.

Frequently Asked Questions

What criteria do Outlook.com and Office 365 use to stamp the '?' in the sender photo?

Both Outlook.com and Office 365 require the message to pass either SPF or DKIM. Office 365 also has some other internal logic for identifying senders.
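
As an added illustration (not code from the original post or from Microsoft), the sketch below applies the "pass either SPF or DKIM" criterion to a message's Authentication-Results headers. It assumes RFC 8601 style headers with the authserv-id first and a placeholder receiving host mx.example.net; the function names are hypothetical, and Office 365's other internal logic is not modelled.

```python
import re
from email import message_from_string

COMMENT_RE = re.compile(r"\([^()]*\)")                      # header comments, non-nested
RESULT_RE = re.compile(r"(spf|dkim)\s*=\s*([a-z]+)", re.I)  # method=result opening a clause

def auth_results(raw_message, trusted_id):
    """Collect SPF/DKIM results from Authentication-Results headers stamped by trusted_id."""
    results = {"spf": set(), "dkim": set()}
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, resinfo = COMMENT_RE.sub(" ", header).partition(";")
        tokens = authserv.split()
        # Any sender can add this header, so count only the copy written by
        # our own receiving server, matched on its authserv-id.
        if not tokens or tokens[0].lower() != trusted_id.lower():
            continue
        for clause in resinfo.split(";"):
            m = RESULT_RE.match(clause.strip())
            if m:
                results[m.group(1).lower()].add(m.group(2).lower())
    return results

def is_unauthenticated(raw_message, trusted_id):
    """True when neither SPF nor DKIM passed (the criterion stated above)."""
    r = auth_results(raw_message, trusted_id)
    return "pass" not in r["spf"] and "pass" not in r["dkim"]

# Constructed sample messages; every host, domain and IP is a placeholder.
TRUSTED = "mx.example.net"
SAMPLES = {
    "both_pass": "Authentication-Results: mx.example.net;\n spf=pass smtp.mailfrom=example.com;\n"
                 " dkim=pass header.d=example.com\nFrom: a@example.com\n\nhi\n",
    # Typical of forwarded mail: SPF breaks, one of two DKIM signatures survives.
    "dkim_only": "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=example.com;"
                 " dkim=fail header.d=list.example.org; dkim=pass header.d=example.com\n\nhi\n",
    "neither": "Authentication-Results: mx.example.net; spf=fail (sender IP is 203.0.113.5)"
               " smtp.mailfrom=example.com; dkim=none\nFrom: a@example.com\n\nhi\n",
    # A second header from a host we do not control claims a pass; it is ignored.
    "untrusted_header": "Authentication-Results: mx.example.net; spf=fail; dkim=none\n"
                        "Authentication-Results: relay.other.invalid; spf=pass; dkim=pass\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} show '?': {is_unauthenticated(raw, TRUSTED)}")
```

The authserv-id check is only meaningful when the receiving server strips inbound Authentication-Results headers that claim its own identifier, as RFC 8601 requires of border mail servers.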

Why not simply block the email?

The modern problem of spam, and especially phishing, is that we don't live in a world where the question of "Is it phish?" is so clear-cut. Filters have trouble making decisions sometimes, and this helps to surface an extra little bit of information to the user.

Also, there is a lot of unauthenticated email in the world that is neither spam nor phish. It usually comes from legacy software that hasn't been updated in ages, or from servers that never bothered to authenticate their email. Showing a '?' can hopefully act as a nudge to do the right thing - if you want the '?' to go away, authenticate your email.

Can customers of Office 365 or Outlook.com override this with IP Allows, Exchange Transport Rule Allows, or safe senders?

No.

This is a good thing, because if a spammer spoofs that sender, you have no way of differentiating between it and a "legitimate" message that failed authentication. But if you create an allow rule for a sender that does authenticate, then that is a safe allow rule and the '?' will not be displayed.

This doesn't prevent allow rules from executing; allowed messages still go to the inbox. The rules won't remove the '?', however.

I'm a big sender. How do I make these properties disappear?

As a sender, you should authenticate your message with either SPF or DKIM.

I'm a medium sender. How do I make these properties disappear?

See above.

I'm a small sender. How do I make this '?' disappear?

Same as a medium sender.

Do Outlook.com and Office 365 show this for every message that doesn't pass authentication?

Not necessarily. In addition to SPF and DKIM, Office 365 has additional logic to authenticate a message.

In addition, Office 365 only shows these properties when the receiving domain's MX record points to Office 365 and the message has not been routed into and out of the environment.

Isn't this kind of similar to the way Gmail shows a '?' for an unauthenticated sender?

Gmail shows the following for messages that don't pass authentication:

So yes, it is similar. Because there is a lot of user overlap between Gmail, Outlook.com, and Office 365, we decided it was best to unify the experiences across multiple email platforms. We don't want to retrain users.

They aren't identical, however. Office 365 has additional criteria that Gmail does not have.


The official version of this documentation lives here: Identify suspicious messages in Outlook.com or Outlook on the web


Comments (6)

  1. mombu says:

    Awesome. Please pray tell what additional criteria does Office 365 have that Gmail does not.

  2. Doug H. says:

    Will this functionality be extended to a future release of the Outlook 2016 desktop client for Windows and Mac?

    1. tzink says:

      We’re planning to take it to Outlook 2016 desktop. I’m not sure about the Mac version. I don’t have timelines, though.

  3. Richard B says:

    Of interest, has the SenderID record been officially retired?
    (e.g. “spf2.0/pra include:xxx.xxx.xxx.xx -all”)

    I see in the above that you reference SPF and DKIM and have been trying to get an official confirmation that we can remove from our zone files. It is still referenced in the Enhance Deliver guidance which is still referenced by the Hotmail Deliverability Team.
    thanks

    1. tzink says:

      We don’t check it in Office 365, I don’t think Outlook.com checks it either. I have also never created a SenderID record for any domain owned by Microsoft, nor do I ever plan to.
