Query Details

Detecting Domains Where Their Emails Will Be Routed To Junk Folders Due To New Outlook Requirement

Query

Microsoft has reported that after May 5th, 2025, Outlook will begin routing messages from high-volume non-compliant domains to the Junk folder, giving senders an opportunity to address any outstanding issues.
**NOTE:** In the future (date to be announced), non-compliant messages will be rejected to further protect users.

For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, DMARC. Non-compliant messages will first be routed to Junk. If issues remain unresolved, they may eventually be rejected. Senders will need to meet the following requirements:

- SPF (Sender Policy Framework)
  - Must pass for the sending domain.
  - Your domain's DNS record should accurately list authorized IP addresses/hosts.
- DKIM (DomainKeys Identified Mail)
  - Must pass to validate email integrity and authenticity.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
  - At least p=none and align with either SPF or DKIM (preferably both).

```
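EmailEvents
| where Timestamp > ago(1d)
// AuthenticationDetails is a JSON string; pull out the SPF, DMARC and DKIM verdicts
| extend SPF = tostring(parse_json(AuthenticationDetails).SPF)
| extend DMARC = tostring(parse_json(AuthenticationDetails).DMARC)
| extend DKIM = tostring(parse_json(AuthenticationDetails).DKIM)
// Keep messages where at least one of the three checks did not pass
| where SPF !has "pass" or DMARC !has "pass" or DKIM !has "pass"
// Group by sending domain and verdict combination (not by InternetMessageId,
// which would give a per-message count rather than a per-domain one)
| summarize Total_Emails=count() by SenderFromDomain, SPF, DMARC, DKIM
| where Total_Emails > 4000
| order by Total_Emails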
```

Explanation

This query is designed to identify email domains that are at risk of having their emails sent to the Junk folder in Outlook due to non-compliance with certain email authentication standards. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at email events from the past day.

  2. Extract Authentication Details: It extracts the results of three email authentication checks: SPF, DKIM, and DMARC, from the email's authentication details.

  3. Filter Non-Compliant Emails: It keeps only the emails that failed at least one of these checks (SPF, DKIM, or DMARC).

  4. Count Emails by Domain: It counts the total number of non-compliant emails for each domain.

  5. Identify High-Volume Senders: It focuses on domains that have sent more than 4,000 non-compliant emails in the past day.

  6. Sort Results: Finally, it sorts these domains by the total number of non-compliant emails sent, highest first.

The purpose of this query is to help identify domains that need to improve their email authentication practices to avoid having their emails marked as junk or eventually rejected by Outlook.
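The following variation is an added example, not the author's query. It measures each domain's total daily volume, which is what the 5,000-per-day threshold refers to, alongside how many of those messages failed each check. The `datatable` rows, the `SampleEmailEvents` name and the lowered `DailyVolumeThreshold` are constructed for illustration; against real data, replace `SampleEmailEvents` with `EmailEvents` and set the threshold to 5000.

```kql
// Constructed sample rows standing in for EmailEvents (not real telemetry).
let SampleEmailEvents = datatable(Timestamp: datetime, SenderFromDomain: string, AuthenticationDetails: string)
[
    datetime(2025-05-06T08:00:00Z), "bulk.example",  '{"SPF":"pass","DKIM":"fail","DMARC":"fail"}',
    datetime(2025-05-06T08:05:00Z), "bulk.example",  '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T09:10:00Z), "bulk.example",  '{"SPF":"softfail","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T09:30:00Z), "bulk.example",  '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T10:00:00Z), "ok.example",    '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T10:20:00Z), "ok.example",    '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T10:40:00Z), "ok.example",    '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T11:00:00Z), "ok.example",    '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
    datetime(2025-05-06T12:00:00Z), "small.example", '{"SPF":"fail","DKIM":"none","DMARC":"none"}'
];
// Assumption: lowered so the sample returns a row; use 5000 against real EmailEvents.
let DailyVolumeThreshold = 3;
SampleEmailEvents
// Parse the JSON once and reuse it for all three verdicts
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM), DMARC = tostring(Auth.DMARC)
// One row per domain and day: total volume plus per-check failure counts
| summarize
    Total_Emails  = count(),
    NonCompliant  = countif(SPF !has "pass" or DKIM !has "pass" or DMARC !has "pass"),
    SPF_NotPass   = countif(SPF !has "pass"),
    DKIM_NotPass  = countif(DKIM !has "pass"),
    DMARC_NotPass = countif(DMARC !has "pass")
    by SenderFromDomain, Day = bin(Timestamp, 1d)
// High-volume domains that have at least one non-compliant message
| where Total_Emails > DailyVolumeThreshold and NonCompliant > 0
| extend NonCompliantPct = round(100.0 * NonCompliant / Total_Emails, 1)
| order by NonCompliant desc
```

The volume counted here is only what this tenant's `EmailEvents` records for the domain, so treat it as a lower bound on what the domain actually sends.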

Details

Sergio Albea

Released: April 4, 2025

Tables

EmailEvents

Keywords

EmailEvents, AuthenticationDetails, InternetMessageId, SenderFromDomain, Timestamp

Operators

ago(), extend, tostring(), parse_json(), where, !has, summarize, count(), by, order by
