Exchange SCL and EOP headers
Exchange Online Protection or EOP is Microsoft cloud anti-spam solution, that protects Office 365 mailboxes, and on-premise email systems. Exchange SCL and EOP headers are essential to understand how EOP really works. Please check the EOP Exchange Online Protection Architecture post for more information.
During inspecting messages for malware and spam, EOP generate SCL for each message that indicates the probability that a message is a spam or not. EOP also adds multiple headers to the message throughout the transport pipeline.
In this blog post, we will touch on the different headers that EOP works with, and how they are used withing the overall EOP solution.
Spam confidence level (SCL)
To understand Exchange SCL and EOP headers, you have to understand SCL. Spam confidence level (SCL) is a score that is set by anti-spam engines, that indicates the probability that this message is considered a spam or not.
The values for SCL that is set by EOP range from -1 (not spam) up to a value of 9 (high confident spam).
Here is a table taken from Microsoft documentation that shows the different values of SCL:
When a message is inspected by EOP, the anti-spam engine will analyze the message, and will determine the SCL score for the message. According to each SCL value, there is a default action that is taken.
In EOP, you can change the default action that is taken for different SCL values. This can be deleting the message, move it to quarantine, deliver it to the recipient’s junk email folder or others.
It is worth mentioning also that EOP never assign an SCL value = 2, 3, 4, 7 and 8. So, when EOP inspect a message, it will only set the SCL to 0, 1, 5, 6 or 9.
EOP will insert a message header called X-Forefront-Antispam-Report Header and within that header, EOP will insert the SCL value.
Spam Filtering Verdict (SFV)
The next thing to understand in the Exchange SCL and EOP headers is the SFV value. Exchange Online Protection or EOP uses Spam Filtering Verdict value, to help you understand why a specific anti-spam filtering action is taken on that message.
For example, suppose that you find the message delivered to the user’s inbox folder instead of the junk folder. You expected that this message should end at the junk folder. So you open the message headers, and look for the SFV value. You might find the value SFV = SFE , which indicates that “Filtering was skipped and the message was let through because it was sent from an address on an individual’s safe sender list.”
If you are an Exchange Online Protection administrator, then this SFV value is your magic place to understand how EOP handle messages. You should master and understand all possible values of SFV so that you can understand how each message was handled by EOP anti-spam filtering.
Bonus:
Check the resources section at the end of this blog post, to download my own full list of all EOP headers, and SFV values.
EOP Headers
EOP will add to three headers as shown in the below figure:
X-Forefront-Antispam-Report
This is a unique header that is inserted by EOP to host multiple values, like SCL, SFV and many others. You can download the list of values in the resource section of this blog post.
Whenever you want to analyze a message, search for this header, and inspect all values here. This will give you full insight about how EOP inspected this message, and why it ended in the recipient inbox or junk folder. This header is considered your play area when it comes to understanding how EOP works.
X-Microsoft-Antispam
This is another header inserted by EOP and contains the following information:
- The Bulk Complaint Level (BCL).
- The Phishing Confidence Level (PCL).
BCL is a score that is assigned by EOP to indicate if this message is considered a bulk message or not. A complete overview about this value can be found here.
PCL is a score that is assigned by EOP to which indicates whether it’s a phishing message.
- 0-3 The message’s content isn’t likely to be phishing.
- 4-8 The message’s content is likely to be phishing.
- -9990 (Exchange Online Protection only) The message’s content is likely to be phishing.
Authentication-results
This header is used by EOP to stamp the result of message authentication. The results of checks against SPF, DKIM, and DMARC are recorded here.
Here is how the SPF Authentication results are treated:
Here is how the DKIM Authentication results are treated:
Here is how the DMARC Authentication results are treated:
Resources
Download my own EOP Header Table, that shows each EOP header value and description, that will help you understand how EOP really works.