How to Evaluate the "Spamminess" of an Email Message using Email Headers


Introduction

This article explains how to review email message headers to understand how Microsoft classified a message (for example, spam, bulk/graymail, or phishing). Message headers can provide helpful scores and flags, but they do not provide a detailed explanation of the underlying scoring algorithms.

Therefore, we only know the score of a message, not why a message was scored that way.

Instructions

The following sections describe how to read and interpret message headers related to spam scoring. Microsoft and Google can update their algorithms at any time and do so without any notification. Therefore, it is possible that messages that once were delivered without a problem suddenly get marked as spam or quarantined. The best approach is to mark the item as not spam to help train Microsoft’s algorithm. The Division of IT does not allowlist emails.

Before you begin

  • Retrieve the message headers. Use your email client’s capability for viewing headers. See the section, Retrieving and Submitting Email Headers, for more information.
  • Copy the entire header block. If possible, copy everything from the top of the headers through the end (not just a few lines).
  • Note what happened to the message. Use X-Microsoft-Antispam-Mailbox-Delivery to determine what happened to the message. This value only works if it was delivered to a mailbox. Some key values for this item are listed in the table below.

    Value     Meaning
    dest:I    Delivered to Inbox
    dest:J    Delivered to Junk Email
    dest:F    Failed after delivery decision
    ucf:1     User-created rule was involved

  • Keep the message for reference. If you need to escalate, the full headers plus the original message are required.

Step 1: Find the anti-spam scoring fields in the headers

Microsoft

Start with: X-Forefront-Antispam-Report. This header often contains the most useful summary fields, separated by semicolons, such as SCL (spam confidence level) and SFV (spam filtering verdict). Microsoft documents many of these fields, but not all of them.

  • SCL (Spam Confidence Level): Often appears as X-MS-Exchange-Organization-SCL and/or inside X-Forefront-Antispam-Report (for example SCL:1). In general, lower is better (less likely spam). Microsoft uses a range that includes -1 and 0–9 in various contexts.
  • BCL (Bulk Complaint Level): Appears in X-Microsoft-Antispam (for example BCL:2). This indicates whether Microsoft considers the message to be from a bulk sender (newsletters/marketing/“gray mail”). Higher BCL values indicate more complaints/undesirable bulk behavior.
  • PCL (Phishing Confidence Level) (if present): Indicates phishing likelihood. Like SCL/BCL, higher values are more concerning.

Quick interpretation tip: Don’t rely on one field alone. Look for agreement between the score(s) (for example SCL/BCL/PCL) and any verdict fields (for example, a spam/bulk/phish verdict) to understand how the message was classified.

Google / Gmail indicators (when present)

  • X-Gm-Spam: Gmail/Google Workspace spam indicator. A value of 0 generally indicates “not marked as spam,” while a non-zero value may indicate it was treated as spam (depending on the environment and routing configuration).
  • X-Gm-Phishy: Gmail/Google Workspace phishing indicator. A value of 0 generally indicates “not marked as phishing,” while a non-zero value may indicate phishing treatment.

Step 2: Check email authentication results (SPF / DKIM / DMARC)

Authentication checks help receiving mail systems determine whether the sender is allowed to send on behalf of a domain and whether the message was modified in transit. Failures don’t automatically mean “malicious,” but they are common signals used in spam/phish decisions.

  • Find the Authentication-Results header (there may be more than one).
  • Look for spf=pass/fail, dkim=pass/fail, and dmarc=pass/fail values.
  • If one or more methods fail, the message is likely to be treated with extra caution, especially when the failure combines with other signals (unexpected sender behavior, suspicious links, urgent requests, etc.).
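As an added example (not part of the original article), the following Python script works through Steps 1 and 2 on a constructed header block: it pulls SCL, BCL, PCL and the SFV verdict from the Microsoft report headers, the dest:/ucf: values from X-Microsoft-Antispam-Mailbox-Delivery, and the spf/dkim/dmarc verdicts from Authentication-Results, so the scores and verdict fields can be checked against each other as the tip above suggests. The sample headers and every value in them are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample header block (not from a real message); all values are illustrative.
SAMPLE_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=example.com
X-Microsoft-Antispam: BCL:2;
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;SFV:SPM;SCL:6;PCL:0;
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:J;ENG:(1234);
"""
DEST = {"I": "Inbox", "J": "Junk Email", "F": "Failed after delivery decision"}  # dest: values

def kv_fields(value):
    """Split a semicolon-separated 'KEY:VALUE;...' header value into a dict (keys upper-cased)."""
    out = {}
    for part in value.split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            out[key.strip().upper()] = val.strip()
    return out

def auth_results(value):
    """Pull the spf=, dkim= and dmarc= verdicts out of an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.IGNORECASE)}

def evaluate(raw_headers):
    """Summarise Microsoft scoring fields and authentication verdicts from one header block."""
    msg = message_from_string(raw_headers, policy=default)  # unfolds multi-line header values
    report = kv_fields(msg.get("X-Forefront-Antispam-Report", ""))
    bulk = kv_fields(msg.get("X-Microsoft-Antispam", ""))
    delivery = kv_fields(msg.get("X-Microsoft-Antispam-Mailbox-Delivery", ""))
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):  # there may be more than one
        auth.update(auth_results(ar))
    scl = report.get("SCL") or msg.get("X-MS-Exchange-Organization-SCL")
    return {
        "scl": int(scl) if scl else None,
        "bcl": int(bulk["BCL"]) if "BCL" in bulk else None,
        "pcl": int(report["PCL"]) if "PCL" in report else None,
        "sfv": report.get("SFV"),  # filtering verdict, e.g. SPM
        "dest": DEST.get(delivery.get("DEST"), delivery.get("DEST")),
        "user_rule": delivery.get("UCF") == "1",
        "auth": auth,
        "auth_failures": sorted(k for k, v in auth.items() if v != "pass"),
    }
```

Run `evaluate(SAMPLE_HEADERS)` to see the summary; on the sample the high SCL, the SPM verdict, the Junk destination and the three failed authentication methods all agree, which is the kind of consistency the quick interpretation tip asks you to look for.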

Step 3: Understand the limits of what headers can tell you

Message headers can show scores, verdicts, and some diagnostic values, but they usually cannot tell you the specific “why” behind the score (for example, the exact content features or reputation signals that drove a decision). Microsoft does not provide detailed information about the scoring algorithms used for spam, bulk, or phishing classification beyond the documented header fields. Some header fields are reserved for Microsoft’s internal diagnostics and are not publicly explained.

Also note: an email trace may confirm delivery status and high-level policy actions but will not provide the level of detail many people expect about why a message received a particular spam/bulk/phish score.

Best practices

For recipients (deciding whether to trust a message)

  • Use headers as one input, not the only input. A low spam score does not guarantee a message is safe.
  • Verify the sender independently if the email requests money, credentials, gift cards, wire transfers, or sensitive data, especially if it’s urgent or unusual.
  • Hover (don’t click) links and verify the destination matches the expected organization and spelling.
  • Be wary of “reply-to” mismatches (the From address looks legitimate but replies go elsewhere).
  • Report suspicious messages using the Report feature in Outlook so Microsoft can review and tune controls.
  • Report false positives (legitimate mail that landed in Junk) using the same Report feature in Outlook so Microsoft can review and tune controls.

For senders (reducing the chance of legitimate mail going to Junk)

  • Use authenticated sending. Ensure SPF, DKIM, and DMARC are configured correctly for your domain.
  • Send from stable infrastructure. Sudden changes in sending IPs/domains, or sending from new services, can affect reputation.
  • Avoid “spammy” formatting. Excessive capitalization, misleading subjects, and image-only emails increase risk of filtering.
  • Include clear identification. Use a consistent From name, legitimate reply-to behavior, and a clear reason the recipient is getting the email.
  • For bulk mail: Use approved applications at Virginia Tech.

Related KB articles