My E-mail appears as spam -
Troubleshooting path | Part 11#17
Eyal Doron o365info.com
AGENDA
• Internal spam in Office 365 and Exchange Online environment | Before we start
• The internal \ outbound spam troubleshooting path
• Outbound spam – Troubleshooting checklist document
• Find help for Office 365 | EOP and spam


My E-mail appears as spam - troubleshooting path - part 11 of 17

Editor's Notes

  • #4: The current article and the next three articles are dedicated to troubleshooting a scenario of internal \ outbound spam in an Office 365 and Exchange Online environment. The focus of the current article is on “drawing” the path of the troubleshooting process flow. The troubleshooting flow includes steps such as:
      • Step 1 – verifying if our domain name is blacklisted.
      • Step 2 – verifying if the problem is related to the E-mail content.
      • Step 3 – verifying if the problem is related to the E-mail address of a specific organization user.
      • Step 4 – moving the troubleshooting process to the “other side”.
    Additionally, we will briefly review the document that I have created (Outbound spam – Troubleshooting checklist) for simplifying the task of troubleshooting documentation, etc.
  • #5: In a scenario of internal \ outbound spam, we need to deal with a number of challenges that relate to the complexity of such a scenario:
      • Many components and infrastructures are involved in the mail flow.
      • Many cases could lead to an “outcome” in which our E-mail is identified as spam mail.
      • There is no clear indication of the reason for which our mail was identified as spam.
      • There is no clear indication of the “element” that “decided” to identify our organization's E-mail as spam.
  • #6: Before starting the actual troubleshooting process, it’s important that we are aware of a couple of elements that relate to the internal \ outbound spam scenario:
  • #7: The first “station” on our journey is the “clear evidence” for the problem. The “clear evidence” could be:
      • An NDR that was sent to one of our organization users, which informs him that his E-mail message was rejected because his mail is considered spam\junk mail.
      • A mail notification from a blacklist monitor service, which informs us that our organization appears as blacklisted.
      • An external recipient who notifies our organization user that he got the E-mail message, but the E-mail message was saved in his junk mail folder (our E-mail message was classified as spam\junk mail).
  • #8: The “cause” of the problem, in which E-mail that was sent from our organization is identified as spam, could be related to “our side” or to the “other side”. An example that relates to the “other side” is a false-positive scenario: a scenario in which our mail is identified as spam by mistake.
  • #9: Although the problem could be related to the “other side”, in most scenarios the basic assumption is that the problem is related to “our side”. In simple words: it’s recommended to start the troubleshooting process on “our side of the equation”. Only when we have fulfilled our “due diligence” and verified beyond a doubt that “we are OK” can we start the troubleshooting steps that verify the “other side”.
  • #10: The term “internal \ outbound spam” is a very general term. To be able to create a clear troubleshooting path, we need to start by defining the scope of the problem.
    The worst-case scenario is a scenario in which our domain name appears as blacklisted. This is considered the “worst-case scenario” because, in this case, the problem impacts all of our organization users.
    In case we verify and find that the “problem scope” is not related to the “domain level”, the next level could be a problem that relates to a specific E-mail message (E-mail content) or to a specific user from our organization. From my experience, many of the internal \ outbound spam scenarios relate to the content of a specific E-mail message that the Office 365 user tries to send. In this case, we can very easily find out whether the problem is indeed related to the E-mail message content by sending an empty E-mail message to the “destination recipient”.
    In case we also experience the problem when sending the “empty mail message”, this could be related to a problem with the E-mail address of a specific organization user. The next step will be sending an E-mail message to the “destination recipient” by using the E-mail address of another organization user. For example: if the “original sender” was Alice@o365info.com, send the E-mail by using Bob's E-mail address: Bob@o365info.com
    In case we have also eliminated this scenario, the rest of the “troubleshooting path” could be related to the “other side”, meaning some element\s in the destination recipient's mail infrastructure.
  • #12: Step 1 – verifying if our domain name is blacklisted.
    Before we start our “troubleshooting journey”, the most important operation in a scenario of internal \ outbound spam is to verify whether our domain name appears as blacklisted. This is the “worst-case scenario” because it impacts all of our organization users who use an E-mail address with our organization's domain name.
    In case the answer is “Yes”, meaning our domain name appears as blacklisted, we need to start with the most important task: de-listing our domain name from the blacklist. We need to find the blacklist\s in which our domain name appears and submit a request to be removed from the blacklist.
    Note – You can read more information about the subject of de-listing our domain name in the article: De-list your organization from a Blacklist | My E-mail appears as spam | Part 16#17
    Additional tasks that need to be implemented are:
      1. In-house investigation – RCA (Root Cause Analysis). The second task could be described as an “in-house investigation”. In case this is not a false-positive scenario and there is a “real reason” for identifying our domain name as a “problematic domain”, we need to put all our effort into finding the “root cause” of the problem.
      2. Consider using a blacklist monitor service. This is not a mandatory requirement, but rather a best practice. Using this type of service enables us to identify in real time a problem in which our domain name appears as blacklisted, and enables us to be proactive instead of reactive.
    Note – You can read more information about the subject of blacklist monitor services in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
    Moving on – In case the answer is “No”, meaning that our domain name doesn’t appear as blacklisted, this is actually “good news”, because we prefer the less critical scenarios that will be reviewed in the next sections.
  • #13: The most common reason for the scenario in which mail that was sent from our organization user is identified as spam\junk mail is the E-mail message content. To be able to find out if the problem is related to the specific content that appeared in the E-mail message, we need to send an “empty E-mail” (no content) to the destination recipient.
  • #14: In case the empty E-mail message was successfully sent to the destination recipient, we can assume that the problem is related to the specific E-mail message content. Additional recommended tasks in a scenario in which we discover that the problem relates to the specific E-mail content are:
      1. In-house investigation – RCA (Root Cause Analysis). Start an “in-house investigation” to find out what part of the content of the E-mail message is the cause of the problem.
    Optional, additional operations:
      2. Using the Exchange Online feature – outbound spam. An additional recommended step that we can implement is “activating” the Exchange Online option of outbound spam. This option sends a notification to the “person that we indicate” each time Exchange Online recognizes an E-mail message that was sent by an Office 365 user as spam \ junk mail.
         Note – You can read more information about the subject of Exchange Online – outbound spam in the article: My E-mail appears as spam | Troubleshooting – Domain name and E-mail content | Part 12#17
      3. Implementing a spam score check. This operation is highly recommended because using a “spam score” tool enables us to understand the exact cause of the problem (the reason for identifying the E-mail message as spam\junk mail). Additionally, in the future, it’s also highly recommended to check the spam score before we send out an E-mail message such as a commercial E-mail, etc.
         Note – You can read more information about how to check the spam score in the article: My E-mail appears as spam | The 7 major reasons | Part 5#17
    Moving on – In case the answer is “No”, meaning that the external recipient did not get the “empty E-mail message”, this leads us to the next troubleshooting step, in which we need to verify whether the problem is related to the specific E-mail address of our organization user.
  • #15: Just a brief summary: as of the current phase, we know that:
      • Our domain name is not blacklisted.
      • The issue is not related to specific content that “appears” in the E-mail message, because even when we sent an “empty E-mail message”, the E-mail message didn’t reach the destination recipient; also, we didn’t get a notification from Exchange Online about “outgoing mail” that was identified as spam\junk mail (assuming that we have activated the outbound spam option of Exchange Online).
    The next “part” that we need to check on “our side” is a scenario in which a specific user from our organization appears as blacklisted.
  • #16: To be able to find out if the problem is related to the specific E-mail address of an organization user, we need to send an E-mail to the destination recipient by using the E-mail account (another E-mail address) of another organization user. In case the E-mail message was successfully sent to the destination recipient when using the other organization user's E-mail address, we can assume that the problem is related to the specific E-mail address of our organization user.
    Note – Another option is a “problem” on the “other side” (the destination recipient or the destination recipient's mail infrastructure).
    Optional, additional operations:
      1. In-house investigation – RCA (Root Cause Analysis). Start an “in-house investigation” to find out the reason for which the specific E-mail address of the organization user is blacklisted.
      2. Exchange Online – Message trace. In case we suspect that the problem is caused by a “bulk mail” scenario, in which the organization user “loads” external recipients with a large amount of E-mail messages, we can use the Exchange Online Message trace tool to get more detailed information about the organization user's “activity”. Additional reading:
           • Run a Message Trace and View Results
           • Monitoring, reporting, and message tracing in Exchange Online
           • Troubleshoot email delivery using the Exchange Online message trace tool
      3. SPF record. An additional parameter that is important to verify is our organization's SPF record. The verification process could include: verifying that we use an SPF record, verifying that the SPF record is configured correctly, etc.
         Note – You can read more information about the SPF record infrastructure in the articles: What is SPF record good for? | Part 7#17 and Implementing SPF record | Part 8#17
         Note – The need to verify the organization's SPF record is not related to a specific “phase” in the troubleshooting process; practically, you can even complete this step at the beginning of the troubleshooting process.
    Moving on – In case the answer is “No”, meaning the external recipient did not get the E-mail message that was sent from the “other organization user”, we need to move on to the next troubleshooting step.
  • #17: In this phase, we “move” into the territory of the “other side”, meaning the destination recipient's realm. Because we didn’t manage to point out a specific element on “our side”, we assume that the reason for which our E-mail is identified as spam is related to the “other side” of the equation. The term “the other side” can be translated into factors that are related to the specific destination recipient or to the destination recipient's mail infrastructure.
    In case the “evidence” for the outbound spam problem in our scenario is an NDR message that was sent from the mail server of the destination recipient, we can “jump” to step 5.
    Asking for help from the “other side” | Overcoming possible obstacles
    Yes, I know it’s not so simple to get help, or to ask for help, from the “other side”, because we need to overcome a number of obstacles: most of the time it’s not so simple to contact the destination recipient, many times the destination recipient is not a “technical person”, and so on. In case we need to contact the “technical representative” of the destination recipient, it’s even harder. There is no way that we can ensure his cooperation throughout the process, because often “the other side” has no interest.
    Despite all of these “obstacles”, it’s necessary to understand that in a “mail flow” scenario that is implemented using different mail infrastructures (ours and theirs), it is not always possible to find the causes of the spam problem only by investigating and troubleshooting “our side” of the story (our Office 365 and Exchange Online mail infrastructure).
  • #18: The main characteristic of this scenario is that E-mail that was sent from our organization reaches the destination recipient's mailbox but is sent to the junk mail folder. There could be three major reasons for this issue:
      • Inbox rule – an inbox rule (or blocked senders list) that was defined by the destination recipient, which classifies E-mail messages that were sent from our domain as spam\junk mail.
      • An antivirus or other mail security application, which identifies our organization user's E-mail as spam.
      • A mail application that includes a spam filter and identifies our organization user's E-mail as spam.
    To be able to verify or eliminate this option, we need to contact the destination recipient and ask for his help. The destination recipient will need to check this option and update us regarding the results. In case we could not find the specific “element”, or in case we got an NDR message from the destination mail server, we need to move to the next troubleshooting step.
  • #19: In this step, we need the assistance of a technical person who manages the mail infrastructure of the destination recipient. We need to ask the “technical contact” to look over the mail server log, or the mail security gateway log, and try to locate information about the “event” in which mail that was sent from our organization was identified as spam and, if possible, the reason for this “identification”.
    Summary and recap
    In case you have read all the former articles in this article series, there were additional troubleshooting steps and actions that could have been performed, such as using online web services that help us get the spam score of a specific E-mail message that we are going to send. We can use these steps as a “preventive action” or as a part of the troubleshooting flow. The decision about which specific steps are included in the internal \ outbound spam troubleshooting flow is for you to make, based on the specific scenario characteristics, your organization’s business needs and so on.
  • #20: For your convenience, I have created a document that includes a short troubleshooting checklist for a scenario of internal \ outbound spam. The purpose of this document is to facilitate the documentation process and to enable you to get a quick list of the troubleshooting steps that need to be implemented.
  • #21: In the following screenshot, we can see the first part, in which we document the general characteristics of the scenario. Although it seems obvious, it is very important that we have a very accurate and clear scope of the problem: who is the organization user who reports the problem, who is the “destination recipient”, is the problem reported by many of our organization users or only one, and so on.
  • #22: The next part is the “troubleshooting cubes”, which include:
      • A brief description of the task
      • A brief description of the purpose of the task
      • The documentation of the troubleshooting step’s results
    Download the Outbound spam – Troubleshooting checklist document.
  • #23: Another useful resource that we can use is “Find help for Office 365”. “Find help for Office 365” is a wizard-based troubleshooting tool that was created to help us get the “right answer” as quickly as possible. In our example, we are dealing with a scenario of internal \ outbound spam. In the “first section”, we choose the relevant Office 365 product; in our scenario it’s Exchange Online Protection. In the section “what is your question about”, we choose: Mail Protection (Spam and Malware)
  • #24: In the last section, “ok, and which part of that topic specifically?”, we select the option: user mailbox was blocked for sending spam
  • #25: The “result” is an article and information that relate to our specific problem.
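
Step 1 of the path (note #12) as an added example, not taken from the original article: a Python sketch of a blacklist check that follows the DNSBL query convention of RFC 5782. The zone names `dbl.example` and `rbl.example`, the sample answers and the injected `resolve` function are hypothetical, and the IPv4 case goes beyond the domain-name case the text describes.

```python
import ipaddress

# RFC 5782: a listed entry answers with A records inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def query_name(target, zone):
    """DNS name to query: reversed octets for an IPv4 address, else the domain."""
    try:
        octets = str(ipaddress.IPv4Address(target)).split(".")
        label = ".".join(reversed(octets))
    except ValueError:
        label = target.rstrip(".").lower()
    return label + "." + zone


def classify(answers):
    """Map the A records returned for one query to a status string."""
    if not answers:
        return "not listed"  # NXDOMAIN or empty answer
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    if not codes:
        # For example a resolver that rewrites NXDOMAIN to a search page:
        # this must not be read as a listing.
        return "invalid answer"
    return "listed (" + ", ".join(sorted(codes)) + ")"


def check(targets, zones, resolve):
    """Return {(target, zone): status}; resolve(name) gives a list of A records."""
    return {(t, z): classify(resolve(query_name(t, z)))
            for t in targets for z in zones}


def needs_delisting(report):
    """Targets that appear as listed in at least one zone."""
    return sorted({t for (t, _), s in report.items() if s.startswith("listed")})


# Constructed DNS answers standing in for a real resolver (hypothetical zones).
FAKE_DNS = {
    "example.com.dbl.example": ["127.0.0.2"],
    "10.2.0.192.rbl.example": ["203.0.113.7"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    report = check(["example.com", "192.0.2.10"],
                   ["dbl.example", "rbl.example"], fake_resolve)
    for key, status in sorted(report.items()):
        print(key, status)
    print("request de-listing for:", needs_delisting(report))
```

For real use, pass a `resolve` function built on your DNS library and take the zone names from the blacklist operators' own documentation.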
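
The SPF verification mentioned in note #16 (“verify that we use SPF record, verify the SPF record is configured correctly”), as an added example that is not part of the original article: a Python lint that runs over a domain's TXT answers. It assumes the domain sends through Exchange Online and therefore expects `include:spf.protection.outlook.com`; the function names and the sample records are constructed for this example.

```python
import re

# Terms that cost one DNS lookup each; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Include published by Microsoft for domains that send through Exchange Online.
O365_INCLUDE = "include:spf.protection.outlook.com"


def spf_records(txt_records):
    """Pick the SPF records out of a domain's TXT strings."""
    out = []
    for txt in txt_records:
        t = txt.strip()
        if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 "):
            out.append(t)
    return out


def lint_spf(txt_records, expect_o365=True):
    """Return findings for one domain's TXT records ([] means none found)."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    findings = []
    if len(records) > 1:
        findings.append("multiple SPF records: receivers return permerror")
    terms = [t.lower() for t in records[0].split()[1:]]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]

    # Counts only this record's own terms; nested includes add more lookups.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms: over the limit of 10" % lookups)

    if "all" not in names:
        if "redirect" not in names:
            findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        pos = names.index("all")
        qualifier = terms[pos][0] if terms[pos][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorizes every sender on the Internet")
        elif qualifier == "?":
            findings.append("?all is neutral: the record rejects nothing")
        if pos != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")

    # A redirect target may carry the include; this check sees one record only.
    if expect_o365 and O365_INCLUDE not in terms:
        findings.append("Exchange Online is not authorized: add " + O365_INCLUDE)
    return findings


# Constructed sample TXT answers for a hypothetical domain.
SAMPLES = {
    "good": ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com -all"],
    "no_o365": ["v=spf1 ip4:192.0.2.10 mx ~all"],
    "duplicate": ["v=spf1 include:spf.protection.outlook.com -all",
                  "v=spf1 ip4:192.0.2.10 -all"],
    "pass_all": ["v=spf1 include:spf.protection.outlook.com +all ip4:192.0.2.10"],
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(label, "->", lint_spf(txt) or "no findings")
```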