Email Spam Headers
One way to help reduce the chances of your emails being marked as spam is to understand email spam headers. Spam headers are the hidden messages that are attached to every email. They contain information about the sender, the recipient, and the content of the email.
Two of the most important spam headers are SPF and DKIM. SPF stands for Sender Policy Framework. It is a way for businesses to tell email servers which servers are authorized to send email on their behalf. DKIM stands for DomainKeys Identified Mail. It is a way for businesses to sign their email messages with a digital signature. This signature can be used to verify that the email message is actually from the sender it claims to be from.
What to check
- SPF
SPF is a way for businesses to tell email servers which servers are authorized to send email on their behalf. This information is stored in a DNS record called the SPF record. The SPF record for a domain tells email servers which IP addresses are authorized to send email from that domain.
When an email server receives an email message, it will check the SPF record for the domain that the email message is from. If the IP address of the server that sent the email message is not listed in the SPF record, the email server will likely mark the email message as spam.
To check if this is setup correctly, in the message header you are looking for something that says:
Authentication-Results: spf=pass (sender IP is 159.135.225.169) smtp.mailfrom=daniel-mitchell.com;
If you can see spf=pass
then this means the domain setup is correct. If not you will need to check the instructions provided by your email provider. They require a TXT DNS record that explains which IP addresses are allowed to send email on behalf of your domain.
2. DKIM
While not a requirement for email to be delivered to a users inbox it will increase its chances, and is well worth setting up correctly. The DKIM signature is created by the business that sends the email message. The signature is then included in the email message header. When an email server receives an email message, it will check the DKIM signature to verify that the email message is actually from the sender it claims to be from.
If the DKIM signature is valid, the email server will likely deliver the email message to the recipient's inbox. If the DKIM signature is invalid, the email server may mark the email message as spam or block it altogether.
To check if DKIM is setup correctly, in the message header you are looking for something that says:
dkim=pass (signature was verified)
If DKIM is not setup or the email is not signed, it will say:
dkim=none (message not signed)
To fix these issues you will need to check the instructions provided by your email provider. They require two CNAME DNS record that contain the DKIM signing key.
3. Other SPAM headers
This will vary according to the users email provider. They all have different rules and configuration. These headers are for users who use Microsoft365 for their email.
Header Name | Description |
---|---|
X-MS-Exchange-Organization-PCL: | Phishing score A score between 1-8. Anything 3 or under is good. [1] |
X-Microsoft-Antispam: BCL: | Bulk sending score A score between 0-9. Anything 3 or under is good. [2] |
X-MS-Exchange-Organization-SCL: | Spam confidence level A score between 0-9. Anything under 5 is good. [3] |
Email services use a number of rules and tools to determine the SPAM Confidence Level. This based upon the language and email style.
References
[1] https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019#the-phishing-confidence-level-stamp
[2] https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-bulk-complaint-level-bcl-about?view=o365-worldwide
[3] https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019#the-spam-confidence-level-stamp