
Anti-spam message headers

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-07-16

When Microsoft Exchange Online Protection or Microsoft Exchange Online scans an inbound email message, it inserts the X-Forefront-Antispam-Report header into each message. The fields in this header give administrators information about the message and about how it was processed. In addition to the X-Forefront-Antispam-Report header, the X-Microsoft-Antispam header provides additional information about bulk mail and phishing.

Tip:
For information about how to view an email message header in various email clients, see the Message Header Analyzer topic. You can copy and paste the contents of the message header into the Message Header Analyzer. When you select a message in the quarantine in the Exchange admin center, the View message header link also easily lets you copy and paste the message header text into the tool. Once in the Message Header Analyzer tool, click Analyze headers in order to retrieve information about the header.

After accessing the message header information, search for X-Forefront-Antispam-Report and then look for these field values:

 

| Header | Description |
| --- | --- |
| CIP: [IP address] | The connecting IP address. You may want to specify this IP address when creating an IP Allow list or an IP Block list in the connection filter. For more information, see Configure the Connection Filter Policy. |
| CTRY | The country from which the message connected to the service. This is determined by the connecting IP address, which may not be the same as the originating sending IP address. |
| LANG | The language in which the message was written, as specified by the country code (for example, ru_RU for Russian). |
| SCL | The Spam Confidence Level (SCL) value of the message. For more information about interpreting these values, see Spam confidence levels. |
| PCL | The Phishing Confidence Level (PCL) value of the message. See below for more information about PCL values. |
| SRV:BULK | The message was identified as a bulk email message. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam. |
| SFV:SFE | Filtering was skipped and the message was let through because it was sent from an address on an individual’s safe sender list. |
| SFV:BLK | Filtering was skipped and the message was blocked because it was sent from an address on an individual’s blocked sender list. Tip: For more information about how end users can create safe and blocked sender lists, see Block or allow (junk email settings) (OWA) and Overview of the Junk Email Filter (Outlook). |
| IPV:CAL | The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter. |
| IPV:NLI | The IP address was not listed on any IP reputation list. |
| SFV:SPM | The message was marked as spam by the content filter. |
| SFV:SKS | The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a Transport rule to automatically mark it as spam and bypass all additional filtering. |
| SFV:SKN | The message was marked as non-spam prior to being processed by the content filter. This includes messages where the message matched a Transport rule to automatically mark it as non-spam and bypass all additional filtering. |
| SFV:SKI | Similar to SFV:SKN, the message skipped filtering for another reason such as being intra-organizational email within a tenant. |
| SFV:SKQ | The message was released from the quarantine and was sent to the intended recipients. |
| SFV:NSPM | The message was marked as non-spam and was sent to the intended recipients. |
| H: [helostring] | The HELO or EHLO string of the connecting mail server. |
| PTR: [ReverseDNS] | The PTR record of the sending IP address, also known as the reverse DNS address. |
| X-CustomSpam: [ASFOption] | The message matched an advanced spam filtering (ASF) option. For example, X-CustomSpam: Image links to remote sites denotes that the Image links to remote sites ASF option was matched. To find out which X-header text is added for each specific ASF option, see Advanced Spam Filtering Options. |

Note:
Other fields in this header are used exclusively by the Microsoft anti-spam team for diagnostic purposes.

The following table lists and describes the current fields in the X-Microsoft-Antispam message header:

 

| Header | Description |
| --- | --- |
| BCL | The Bulk Complaint Level (BCL) of the message. For more information, see Bulk Complaint Level values. |
| PCL | The Phishing Confidence Level (PCL) of the message, which indicates whether it’s a phishing message. |

This status can be returned as one of the following values:

  • Neutral   The message's content isn't likely to be phishing.

  • Suspicious   The message's content is likely to be phishing.

The PCL value can range from 1 through 8. A PCL rating from 1 through 3 returns a status of Neutral. This means that the message's content isn't likely to be phishing. A PCL rating from 4 through 8 returns a status of Suspicious. This means that the message is likely to be phishing.

The values are used to determine what action your email client takes on messages. For example, Microsoft Office Outlook uses the PCL stamp to block the content of suspicious messages. For more information about phishing, and how Outlook 2013 processes phishing messages, see Turn on or off links in email messages.

Note:
Other fields in this header are used exclusively by the Microsoft anti-spam team for diagnostic purposes.
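
The following Python sketch is an added example, not code from Microsoft or from the original topic. It parses both headers from a raw message and flags the verdicts that the tables above describe as skipping or allowing past the spam filters. It assumes the fields are separated by semicolons; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Values that, per the tables above, mean filtering was skipped or allowed through.
BYPASS = {
    ("SFV", "SFE"): "sender on the recipient's safe sender list",
    ("SFV", "SKN"): "marked non-spam before the content filter",
    ("SFV", "SKI"): "skipped filtering, e.g. intra-organizational mail",
    ("IPV", "CAL"): "connecting IP is on an IP Allow list",
}

def parse_fields(value):
    """Split a 'KEY:value;KEY:value' anti-spam header value into a dict."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", value or "")  # undo header folding
    fields = {}
    for part in unfolded.split(";"):
        # Split on the first colon only so an IPv6 CIP keeps its own colons.
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.strip().upper()] = val.strip()
    return fields

def pcl_status(pcl):
    """PCL 1-3 is Neutral and 4-8 is Suspicious, as documented above."""
    n = int(pcl)
    return "Neutral" if 1 <= n <= 3 else "Suspicious" if 4 <= n <= 8 else "Unknown"

def triage(raw_message):
    msg = message_from_string(raw_message)
    report = parse_fields(msg["X-Forefront-Antispam-Report"])
    antispam = parse_fields(msg["X-Microsoft-Antispam"])
    pcl = antispam.get("PCL", report.get("PCL"))
    return {
        "cip": report.get("CIP"),
        "sfv": report.get("SFV"),
        "bulk": report.get("SRV") == "BULK",
        "bypassed": [why for (k, v), why in BYPASS.items() if report.get(k) == v],
        "pcl_status": pcl_status(pcl) if pcl and pcl.isdigit() else None,
    }

# Constructed sample message (documentation addresses, not real mail).
SAMPLE = (
    "X-Forefront-Antispam-Report: CIP:2001:db8::25;CTRY:US;LANG:en;SCL:-1;\n"
    " IPV:CAL;SFV:SKN;H:mail.example.com;PTR:mail.example.com\n"
    "X-Microsoft-Antispam: BCL:0;PCL:5\n"
    "\n"
    "body\n"
)
print(triage(SAMPLE))
```

A message that reports a Suspicious PCL together with a non-empty `bypassed` list, as the sample does, was delivered on the strength of an allow list or rule rather than a content-filter verdict, which makes it a useful case to review when auditing allow lists and Transport rules.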