Mind-Bender 01 · Email Forensics
SPF pass DKIM pass DMARC pass No blacklist listings Filed as Junk

Passed every authentication check. Still landed in Junk.

An enterprise client sending through Salesforce Marketing Cloud reported that their email consistently landed in Outlook's Junk folder, despite SPF, DKIM, and DMARC all passing, no blacklist listings anywhere, and enterprise-grade sending infrastructure. The objective was simple: find out why Outlook considered it spam. The answer turned out to have almost nothing to do with authentication.

This engagement is covered by a signed NDA, so client identity, domains, hostnames, and IP addresses in this write-up have been altered. The diagnostic path and findings are unchanged.

120+Message headers parsed
25+Anti-spam fields reviewed
4Domains audited
4IPs audited
6+Infrastructure reports examined
Phase 1 · Collecting evidenceInput
  • Original .EML: provided by the client
  • Microsoft message headers: pulled directly from Outlook
  • SMTP route: reconstructed from the headers
  • MX header forensics: full field-by-field analysis
  • DNS audit: run through DNSPulse
  • Infrastructure audit: run through DNSPulse
Phase 2 · Reading Microsoft's verdictHeader fields

SCL: 5

SFV: SPM · CAT: SPM

BCL: 0

CompAuth: pass

This one read immediately ruled out SPF, DKIM, DMARC, and bulk-sender status as the cause. Microsoft's own header was saying: identity accepted, reputation not.

Phase 3 · Authentication investigation

Before trusting the header's implication, every authentication mechanism was verified independently rather than taken on faith from the sending platform.

PASSSPF
PASSDKIM
PASSDMARC
PASSAlignment

No authentication issue existed anywhere in the chain.

Phase 4 · SMTP route reconstruction

Every hop between sender and inbox was reconstructed and documented:

Sender

↓ ESP sending infrastructure

↓ Exchange Online Protection

↓ Outlook mailbox

Every relay checked out. No failures anywhere in the route.

Phase 5 · Infrastructure investigation

Most investigations stop once the SMTP route and authentication both check out clean. This one didn't. Every piece of infrastructure connected to the sending domain was audited, not just the mail server.

Domains reviewed

clientdomain.com

bounce.s1.mc.espdomain.com

mta1.espdomain.com

IPs reviewed

203.0.113.45 (ESP sending IP)

198.51.100.20 (Exchange Online Protection)

203.0.113.88 (hosted website)

Additional infrastructure audited: PTR records, DNS, DMARC, SPF, reverse DNS, the hosted website itself, SSL configuration, blocklist status, and reputation signals across all of it.

Phase 6 · The missing piece

The email infrastructure looked healthy end to end. So the question changed: what else could Microsoft's reputation engine be associating with this sender?

The answer: the hosted website. Historical hosting records showed the domain's website had previously sat on infrastructure with materially weaker reputation signals than the dedicated ESP delivery network handling the actual email send. That website resolved to 203.0.113.88, and DNSPulse flagged that infrastructure as blocked during the investigation.

Root cause The sending IP was clean. The ESP's bounce infrastructure was clean. But Microsoft's content and reputation engine evaluates more than the outbound mail server, it looks at the sender's broader reputation footprint, including web infrastructure tied to the domain. The website's hosting history, combined with the domain's relatively young age and promotional content characteristics, was the likely contributing factor keeping this sender in Junk.

Phase 7 · Corrective action

Hosted website

↓ migrated

↓ new infrastructure, new hosting IP

↓ reputation rebuilt

↓ emails retested

Phase 8 · Result

Following the hosting migration and reputation rebuild, subsequent Outlook tests delivered to the Inbox instead of Junk.

Authentication was never the limiting factor here. The decisive factor was Microsoft's broader reputation assessment, one that extends past SPF, DKIM, and DMARC into infrastructure trust and historical reputation signals most authentication reports never surface.

Something like this happening to you?

If your authentication checks out clean and the inbox still disagrees, that's exactly what Email Forensics is built to find. Send us what you're seeing.