Office 365 Exchange Online — Incoming Messages Sent To Junk

Mailboxes hosted in Office 365 Exchange Online may send incoming messages to junk despite the sending domain having correct SPF and DKIM records and the email originating from a valid source. Adding the addresses to safe/allow lists does not help.

This may happen if the email fails Microsoft's Composite Authentication process.

To check if this is the case, look for the compauth= value in the message's headers.

Also check the reason code.

If Composite Authentication has failed, this may be because the From, Sender and Return-Path values in the message are not all the same domain. This is a common configuration when using third-party services to send email on behalf of the organisation's domain. Composite Authentication validates the From field. Per Microsoft: “If the domain in SPF or the DKIM signature doesn't align with the domain in the From address, the message can fail composite authentication.”

Additionally, the presence of a DMARC record for the domain listed in the From field can cause more aggressive checking which causes Compound Authentication to fail: “When you use DMARC, the receiving server also performs a check against the From address. In the example above, if there's a DMARC TXT record in place for <sender>.com, then the check against the From address fails”.

One remedy, aside from ensuring the From, Sender and Return-Path fields all contain the same domain, is to remove the DMARC record from the domain in the From field; of course this is only possible if you are the registrant of the domain attempting to send messages rather than someone receiving messages from that domain.