DKIM, DMARC, and antispoofing. These techniques verify that the sender is who they say they are, and they are used either to mark the message as Junk Email or to deliver it to your Inbox. They sometimes also add Safety Tips.
In the next few weeks, Outlook Web Access (OWA) and Outlook.com will be rolling out indicators to show when the sender of the message cannot be identified (authenticated).
Unauthenticated messages show a '?' in the sender photo
When Outlook.com or Office 365 cannot verify the identity of the sender using SPF, DKIM, or any other technique, it will display a '?' in the sender photo:
Not every message that fails to authenticate is malicious. However, you should be careful before interacting with messages that do not authenticate if you do not recognize the sender. Or, if you recognize the sender and they normally don't have a '?' in the sender photo and you suddenly start seeing it, that could be a sign the sender is being spoofed.
Frequently Asked Questions
What criteria do Outlook.com and Office 365 use to stamp the '?' in the sender photo?
Both Outlook.com and Office 365 require the message to pass either SPF or DKIM. Office 365 also has some other internal logic for identifying senders.
Why not simply block the email?
The modern problem of spam, and especially phishing, is that we don't live in a world where the question of "Is it phish?" is so clear-cut. Filters have trouble making decisions sometimes, and this helps to surface an extra little bit of information to the user.
Also, there is a lot of unauthenticated email in the world that is neither spam nor phish. This usually comes from legacy software that hasn't been updated in ages, or from servers that never bothered to authenticate their email. Showing a '?' can hopefully act as a nudge to do the right thing: if you want the '?' to go away, authenticate your email.
Can customers of Office 365 or Outlook.com override this with IP Allows, Exchange Transport Rule Allows, or safe senders?
No.
This is a good thing, because if a spammer spoofs that sender, you have no way of differentiating between the spoofed message and a "legitimate" message that failed authentication. But if you create an allow rule for a sender that does authenticate, then that is a safe allow rule and the '?' will not be displayed.
This doesn't prevent allow rules from executing; the messages still go to the inbox. The rules won't remove the '?', however.
I'm a big sender. How do I make these properties disappear?
As a sender, you should authenticate your message with either SPF or DKIM.
I'm a medium sender. How do I make these properties disappear?
See above.
I'm a small sender. How do I make this '?' disappear?
Same as a medium sender.
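To see whether a message you sent meets the "pass either SPF or DKIM" criterion described above, you can read the Authentication-Results header on a copy received at a mailbox you control. The following is an added example, not code from Outlook.com or Office 365: it assumes the receiving server stamps an RFC 8601 Authentication-Results header, uses the hypothetical server name mx.example.net with constructed sample messages, and does not model Office 365's additional internal logic.

```python
import email
import email.policy
import re

COMMENT = re.compile(r"\([^()]*\)")  # RFC 5322 comments (nesting not handled)
METHOD_RESULT = re.compile(r"\s*([a-z0-9-]+)(?:/\d+)?\s*=\s*([a-z]+)", re.I)

# Constructed sample messages; mx.example.net is a hypothetical receiving server.
SAMPLES = {
    "authenticated": (
        "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=news.example.com;\n"
        " dkim=pass (signature verified) header.d=example.com\n"
        "From: News <news@example.com>\nSubject: update\n\nbody\n"
    ),
    # The sender injected its own header claiming a pass; only ours counts.
    "forged": (
        "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=example.com; dkim=none\n"
        "Authentication-Results: forged.example.org; spf=pass; dkim=pass\n"
        "From: Boss <boss@example.com>\nSubject: urgent\n\nbody\n"
    ),
    "none": "From: Old App <app@example.com>\nSubject: report\n\nbody\n",
}

def auth_results(raw_message, trusted_authserv_id):
    """Return {method: {results}} using only headers stamped by our own receiver."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, *clauses = COMMENT.sub(" ", str(value)).split(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
            continue  # not added by our receiver, so a sender could have forged it
        for clause in clauses:
            m = METHOD_RESULT.match(clause)
            if m:
                results.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return results

def shows_question_mark(raw_message, trusted_authserv_id):
    """True when neither SPF nor DKIM passed (the criterion stated on this page)."""
    r = auth_results(raw_message, trusted_authserv_id)
    return not ("pass" in r.get("spf", ()) or "pass" in r.get("dkim", ()))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "-> '?' shown:", shows_question_mark(raw, "mx.example.net"))
```
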
Do Outlook.com and Office 365 show this for every message that doesn't pass authentication?
Not necessarily. In addition to SPF and DKIM, Office 365 has additional logic to authenticate a message.
In addition, Office 365 only shows these properties when the receiving domain's MX record points to Office 365 and the message has not undergone routing into and out of the environment.
Isn't this kind of similar to the way Gmail shows a '?' for an unauthenticated sender?
Gmail shows the following for messages that don't pass authentication:
So yes, it is similar. Because there is a lot of user overlap between Gmail, Outlook.com, and Office 365, we decided it was best to unify the experiences across multiple email platforms. We don't want to retrain users.
They aren't identical, however. Office 365 has additional criteria that Gmail does not have.
The official version of this documentation lives here: Identify suspicious messages in Outlook.com or Outlook on the web