Microsoft: Decoding hidden spam-related headers

Did you know that Microsoft and O365 emails include special headers that break down the spam filtering results for email messages? These headers can help you decode the Spam Confidence Level (SCL), Phish Confidence Level (PCL) and Bulk Confidence Level (BCL) values for a given email message, which can be helpful as reputation feedback and for deliverability troubleshooting.

I took a random bulk email message sent to my Microsoft Hotmail account this morning and viewed the full message source and headers. I scrolled down a bit from the top until I found three headers in particular: X-MS-Exchange-Organization-PCL, X-MS-Exchange-Organization-SCL and X-Microsoft-Antispam. Here’s what I saw:
  • X-MS-Exchange-Organization-PCL: 2
  • X-MS-Exchange-Organization-SCL: 1
  • X-Microsoft-Antispam: BCL:3 (+ a bunch of other info)
These are all 0-9 scores; lower is better. In this case, this email, one of my favorite Block Club Chicago newsletters, has an SCL score of 1 (not spam), a PCL score of 2 (not a phish), and a BCL score of 3 (a bulk sender, but one with a good reputation).

Microsoft explains BCL scoring thusly:
  • 0: The message isn't from a bulk sender.
  • 1-3: The message is from a bulk sender that generates few complaints.
  • 4-7: The message is from a bulk sender that generates a mixed number of complaints.
  • 8-9: The message is from a bulk sender that generates a high number of complaints.
Here’s how they suggest that you interpret the PCL score:
  • 1-3: Neutral. The message content isn't likely to be phishing.
  • 4-8: Suspicious. The message content is likely to be phishing.
  • 9: There's no mention of scoring a 9 PCL score, so maybe this is unobtainable.
And as far as the SCL score, they say:
  • -1: The message bypassed antispam scanning (for example, the message was from an internal sender).
  • 0-9: Percentage likelihood that the message is spam: 9/9 being 100% belief by Microsoft that the mail is spam.
  • In my extremely non-scientific testing, a score of 5 or higher seems to be enough to cause the message to land in the spam folder in my personal account.
That “X-Microsoft-Antispam:” header has a whole bunch of other information in there, none of which I have any clarity into, unfortunately! There’s also a header called “X-Microsoft-Antispam-Mailbox-Delivery,” from which you can decode a little bit of detail, thanks to this guidance from Egress.

X-Microsoft-Antispam-Mailbox-Delivery header values:
  • ucf:0. “User Controlled Filtering.” Was there any UCF in this case? No.
  • jmr:0. “Junk Mail Routing” criteria. Were any matched? In this case, no.
  • ex:0. Unsure. 
  • auth:1. Authentication. I think it means that it passed authentication checks. (In the message I checked, SPF and DKIM both passed.)
  • dest:I. Destination. In this case, I for inbox. Could also be J for junk folder.
  • ENG:(a bunch of numbers in groups): Internal identifiers for the different spam filtering rules that were checked. Perhaps ENG means "English language email filtering ruleset."
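
As an added example (not code from the original post or from Microsoft), this Python reads the four headers discussed above out of a message and applies the score ranges and Mailbox-Delivery fields quoted in this post. The sample message and its ENG values are constructed, the function names are hypothetical, and the semicolon-separated `key:value` layout of the two X-Microsoft-Antispam headers is an assumption.

```python
from email import message_from_string
from email.policy import default

# Constructed sample headers (not a real capture); scores mirror the ones quoted above.
SAMPLE = """\
From: newsletter@example.com
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:3;
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(000001)(000002);
"""

def parse_fields(value):
    """Split 'k:v;k:v;' into a dict (assumed layout: ';' between pairs, first ':' splits)."""
    fields = {}
    for part in (value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields

def to_int(text):
    """Return an int, or None when the header is missing or not numeric."""
    try:
        return int(str(text).strip())
    except ValueError:
        return None

def label(score, ranges):
    """Map a score to the first (low, high, text) range that contains it."""
    if score is None:
        return "header missing"
    return next((t for lo, hi, t in ranges if lo <= score <= hi), "not described")

# Ranges exactly as listed in this post; anything outside them is "not described".
BCL = [(0, 0, "not a bulk sender"), (1, 3, "bulk, few complaints"),
       (4, 7, "bulk, mixed complaints"), (8, 9, "bulk, high complaints")]
PCL = [(1, 3, "neutral"), (4, 8, "suspicious")]
SCL = [(-1, -1, "bypassed antispam scanning"), (0, 9, "scanned; higher is more likely spam")]

def decode(raw):
    """Return each score with its label, plus the parsed Mailbox-Delivery fields."""
    msg = message_from_string(raw, policy=default)  # default policy unfolds long headers
    scl = to_int(msg["X-MS-Exchange-Organization-SCL"])
    pcl = to_int(msg["X-MS-Exchange-Organization-PCL"])
    bcl = to_int(parse_fields(msg["X-Microsoft-Antispam"]).get("bcl"))
    delivery = parse_fields(msg["X-Microsoft-Antispam-Mailbox-Delivery"])
    return {"scl": (scl, label(scl, SCL)), "pcl": (pcl, label(pcl, PCL)),
            "bcl": (bcl, label(bcl, BCL)),
            "dest": {"I": "inbox", "J": "junk"}.get(delivery.get("dest"), "unknown"),
            "delivery": delivery}
```

Calling `decode(SAMPLE)` returns the three scores with their labels and `dest` as `inbox`; a message without these headers yields `header missing` rather than an error.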
Though none of this information is going to provide you with the magic incantation necessary to ensure that your emails never go to the spam folder again, the more information you have about your own sending reputation and the more feedback you can glean from the mailbox provider’s point of view, the better off you’ll be at troubleshooting deliverability issues. So, I hope this information helps you in your deliverability remediation quest!