Detecting Domains Where Their Emails Will Be Routed To Junk Folders Due To New Outlook Requirement
Query
EmailEvents
| where Timestamp > ago(1d)
| extend SPF = tostring(parse_json(AuthenticationDetails).SPF)
| extend DMARC = tostring(parse_json(AuthenticationDetails).DMARC)
| extend DKIM = tostring(parse_json(AuthenticationDetails).DKIM)
| where SPF !has "pass" or DMARC !has "pass" or DKIM !has "pass"
| summarize Total_Emails=count() by InternetMessageId, SenderFromDomain, SPF, DMARC, DKIM
| where Total_Emails > 4000
| order by Total_EmailsAbout this query
Explanation
This query is designed to identify email domains that are at risk of having their emails sent to the Junk folder in Outlook due to non-compliance with certain email authentication standards. Here's a simplified breakdown of what the query does:
-
Data Source: It looks at email events from the past day.
-
Extract Authentication Details: It extracts the results of three email authentication checks: SPF, DKIM, and DMARC, from the email's authentication details.
-
Filter Non-Compliant Emails: It filters out emails that did not pass any of these checks (SPF, DKIM, or DMARC).
-
Count Emails by Domain: It counts the total number of non-compliant emails for each domain.
-
Identify High-Volume Senders: It focuses on domains that have sent more than 4,000 non-compliant emails in the past day.
-
Sort Results: Finally, it sorts these domains by the total number of non-compliant emails sent.
The purpose of this query is to help identify domains that need to improve their email authentication practices to avoid having their emails marked as junk or eventually rejected by Outlook.
Details

Sergio Albea
Released: April 4, 2025
Tables
Keywords
Operators