Anti-Spam Message Headers
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2013-11-20
When Microsoft Exchange Online Protection or Microsoft Exchange Online scans an inbound email message it inserts the X-Forefront-Antispam-Report header into each message. The fields in this header can help provide administrators with information about the message and about how it was processed.
|For information about how to view an email message header in Microsoft Outlook 2013, see View the Internet header information for an email message.|
After accessing the message header information, search for X-Forefront-Antispam-Report and then look for these field values:
- CTRY: The country from which the message connected to the service. This is determined by the connecting IP address, which may not be the same as the originating sending IP address.
- LANG: The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).
- SCL: The Spam Confidence Level (SCL) value of the message. For more information about interpreting these values, see Spam Confidence Levels.
- SRV:BULK: The message was identified as a bulk email message. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam.
- SFE: Filtering was skipped and the message was let through because it originated from a safe sender. For more information about safe senders, see Safe Sender and Blocked Sender Lists FAQ.
- BLK: Filtering was skipped and the message was blocked because it originated from a blocked sender.
- SPM: The message was marked as spam by the content filter.
- SKS: The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a Transport rule to automatically mark it as spam and bypass all additional filtering.
- NSPM: The message was marked as non-spam and was sent to the intended recipients.
|The SFE, BLK, SPM, SKS, and NSPM fields are all listed under the SFV (Spam Filtering Verdict) property.|