False positives block important emails, while false negatives allow harmful ones through. Learn how to manage these emails effectively in Microsoft Defender for Office 365.
How inbound email works in Microsoft 365
To understand why your environment experiences false positives and false negatives, you first need to understand how Microsoft 365 handles inbound email.
Microsoft 365 uses implicit email authentication to verify inbound email. This approach goes beyond traditional SPF, DKIM, and DMARC checks by incorporating additional signals to evaluate inbound email. By leveraging these extra signals, emails that would typically fail standard authentication can pass implicit authentication and be successfully delivered to Microsoft 365.
These signals include:
- Sender reputation
- Sender history
- Recipient history
- Behavioral analysis
- Other advanced techniques
The results of Microsoft's implicit authentication checks are combined into a single value called composite authentication (compauth). This value (pass, fail, softpass or none, together with a numeric reason code) is stamped into the Authentication-Results header of the message, next to the explicit SPF, DKIM and DMARC results.
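When triaging a reported false positive or false negative, the first thing to read is this header. The following PowerShell function is an added example (not code from the original post): it unfolds the raw message headers, picks the Authentication-Results header that carries a compauth= result (relays may add their own, without one), and returns the explicit and composite verdicts as one object. The two header samples are constructed for illustration; paste the real headers of the message (Outlook: File > Properties > Internet headers) into $RawHeaders.

```powershell
# Added example: extract compauth and the explicit SPF/DKIM/DMARC results from
# the Authentication-Results header that Microsoft 365 stamps on inbound mail.
function Get-CompAuthResult {
    param(
        [Parameter(Mandatory)]
        [string]$RawHeaders
    )

    # Unfold RFC 5322 continuation lines (a line break followed by whitespace)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    # Relays may add their own Authentication-Results headers; only the one
    # written by Microsoft 365 carries a compauth= result.
    $ar = [regex]::Matches($unfolded, '(?im)^Authentication-Results:\s*([^\r\n]+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -match '(?i)\bcompauth=' } |
        Select-Object -First 1
    if (-not $ar) { throw 'No Authentication-Results header with a compauth result found' }

    $result = [ordered]@{ Spf = $null; Dkim = $null; Dmarc = $null; CompAuth = $null; Reason = $null }
    foreach ($m in [regex]::Matches($ar, '(?i)\b(spf|dkim|dmarc|compauth)=(\w+)')) {
        switch ($m.Groups[1].Value.ToLower()) {
            'spf'      { $result.Spf      = $m.Groups[2].Value }
            'dkim'     { $result.Dkim     = $m.Groups[2].Value }
            'dmarc'    { $result.Dmarc    = $m.Groups[2].Value }
            'compauth' { $result.CompAuth = $m.Groups[2].Value }
        }
    }
    if ($ar -match '(?i)\breason=(\d+)') { $result.Reason = $Matches[1] }

    # compauth=pass while explicit DMARC did not pass means the implicit signals
    # (sender reputation, history, ...) vouched for the message. compauth=fail means
    # neither explicit nor implicit authentication accepted the sender.
    $result.ImplicitPass = ($result.CompAuth -eq 'pass' -and $result.Dmarc -ne 'pass')
    [pscustomobject]$result
}

# Constructed sample 1: SPF fails because the message was forwarded, but the DKIM
# signature still aligns, so DMARC and the composite check pass.
$RawHeaders = @"
Received: from relay.example.net (203.0.113.10) by mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=example.net; dkim=pass (signature was verified)
 header.d=example.net;dmarc=pass action=none header.from=example.net;
 compauth=pass reason=100
From: alice@example.net
Subject: Quarterly numbers
"@
Get-CompAuthResult -RawHeaders $RawHeaders | Format-List

# Constructed sample 2: unsigned message from an IP the domain's SPF record does
# not list, DMARC reject policy enforced, composite authentication fails.
$RawHeaders = @"
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=example.net; compauth=fail reason=000
From: alice@example.net
Subject: Urgent wire transfer
"@
Get-CompAuthResult -RawHeaders $RawHeaders | Format-List
```

The derived ImplicitPass field is what to look at for a disputed verdict: a good message with CompAuth fail and a DMARC failure is an authentication problem on the sender's side (SPF record, DKIM signing, forwarding), not something an allow entry should paper over permanently.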
False positives and false negatives
- False positive (FP): an email that isn't actually spam, but the system mistakenly treats as spam and delivers to the Junk Email folder or quarantine.
- False negative (FN): an email that is actually spam, but the system mistakenly lets through as if it were legitimate.
The implicit authentication signals sometimes get it wrong: a legitimate message can be flagged as bad (a false positive), and a questionable message can get through (a false negative).
To improve these signals, report legitimate emails as false positives and questionable emails as false negatives to Microsoft on the Submissions page in the Microsoft Defender portal.
Handling false positives
Once you report a false positive (a good email that was blocked), you can have an allow entry created in the Tenant Allow/Block List for the domain or email address, file, or URL as part of the submission. By default, allow entries are retained for 45 days after the filtering system determines that the entity is clean, and are then removed.
You can also reduce false positives by reviewing the Advanced Spam Filter (ASF) settings in your inbound anti-spam policy. Each ASF setting marks messages that contain a particular element (for example, image links to remote sites or JavaScript in HTML) as spam, or increases their spam score. This is an aggressive approach to spam filtering that often produces false positives, and messages filtered by ASF cannot be reported to Microsoft as false positives, so those verdicts never feed back into the filter. Unless you have a specific reason to keep a setting, turn it off.
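Because the ASF switches are spread across several policy properties, it is easy to miss one. The following is an added example (not code from the original post) for Exchange Online PowerShell, after Connect-ExchangeOnline: it lists, per inbound anti-spam policy, which ASF settings are not Off, and then turns them all off on a named policy. The policy name "Default" is the built-in default policy; "Off" and "Test" are the documented values of the Set-HostedContentFilterPolicy ASF parameters, and test mode (which adds an X-header or Bcc instead of marking the message as spam) is offered here as an option to keep the signal without affecting delivery.

```powershell
# Added example: audit and disable ASF settings in inbound anti-spam policies.
# Requires Exchange Online PowerShell (Connect-ExchangeOnline).

# The "Increase spam score" and "Mark as spam" ASF parameters of Set-HostedContentFilterPolicy
$asfSettings = @(
    'IncreaseScoreWithImageLinks', 'IncreaseScoreWithNumericIps',
    'IncreaseScoreWithRedirectToOtherPort', 'IncreaseScoreWithBizOrInfoUrls',
    'MarkAsSpamEmptyMessages', 'MarkAsSpamJavaScriptInHtml', 'MarkAsSpamFramesInHtml',
    'MarkAsSpamObjectTagsInHtml', 'MarkAsSpamEmbedTagsInHtml', 'MarkAsSpamFormTagsInHtml',
    'MarkAsSpamWebBugsInHtml', 'MarkAsSpamSensitiveWordList', 'MarkAsSpamSpfRecordHardFail',
    'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter'
)

function Get-EnabledAsfSettings {
    # One object per inbound anti-spam policy, listing ASF settings that are On or Test
    Get-HostedContentFilterPolicy | ForEach-Object {
        $policy  = $_
        $enabled = $asfSettings | Where-Object { $policy.$_ -ne 'Off' }
        [pscustomobject]@{
            Policy     = $policy.Name
            EnabledAsf = ($enabled | ForEach-Object { "$($_)=$($policy.$_)" }) -join ', '
            TestMode   = $policy.TestModeAction
        }
    }
}

function Disable-AsfSettings {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        # 'Test' keeps the signal visible (X-header added to matching messages)
        # without changing the verdict; check the cmdlet docs, as not every ASF
        # setting honours test mode.
        [ValidateSet('Off', 'Test')][string]$Mode = 'Off'
    )
    $params = @{ Identity = $PolicyName }
    foreach ($s in $asfSettings) { $params[$s] = $Mode }
    if ($Mode -eq 'Test') { $params['TestModeAction'] = 'AddXHeader' }
    Set-HostedContentFilterPolicy @params
}

# Audit first, then disable on the default policy (repeat for custom policies)
Get-EnabledAsfSettings | Format-Table -AutoSize
Disable-AsfSettings -PolicyName 'Default'
Get-EnabledAsfSettings | Format-Table -AutoSize
```

Run the audit again after the change; a custom policy with a higher priority than the default one will still apply its own ASF settings to the users it covers.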
Handling false negatives
Once you report a false negative (a questionable email that got through), you can also create a block entry in the Tenant Allow/Block List for the domain or email address, file, or URL. Block entries expire after 30 days by default, but you can set them to expire after up to 90 days or never. Block entries for spoofed senders never expire.
Beyond the implicit authentication checks and the anti-phishing and anti-spam protection that MDO provides, end users should stay vigilant for red flags in a message, such as a mismatched sender address, an unexpected subject, or suspicious content.
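The two previous sections both end at the Tenant Allow/Block List, so one added example covers both: creating block entries with an explicit expiry after a false-negative submission, and reviewing the allow entries that false-positive submissions created so they do not lapse or linger unnoticed. This is example code for Exchange Online PowerShell (after Connect-ExchangeOnline), not code from the original post; every sender, domain and URL value is a placeholder.

```powershell
# Added example: Tenant Allow/Block List housekeeping from Exchange Online PowerShell.
# Requires Connect-ExchangeOnline. All entries below are placeholders.

# Block entries default to a 30-day lifetime (up to 90 days, or -NoExpiration).
# Set the expiry explicitly so the decision is recorded with the entry.
$expiry = (Get-Date).ToUniversalTime().AddDays(60)

# Sender entries take domains or full email addresses
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries 'badsender@example.org', 'spam.example' `
    -ExpirationDate $expiry -Notes 'Reported as false negative; blocked after submission'

# URL entries accept wildcards; this covers every host and path under phish.example
New-TenantAllowBlockListItems -ListType Url -Block `
    -Entries '*.phish.example/*' -ExpirationDate $expiry -Notes 'Credential phishing page'

# Spoofed-sender blocks live in a separate list and never expire
New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SpoofType External `
    -SpoofedUser 'ceo@contoso.com' -SendingInfrastructure 'evil.example'

# Review: allow entries are created through submissions and are removed about
# 45 days after the filter decides the entity is clean; watch their expiry.
Get-TenantAllowBlockListItems -ListType Sender -Allow |
    Select-Object Value, ExpirationDate, LastModifiedDateTime, Notes

# Block entries that expire within the next week, so a still-active threat
# does not silently become a false negative again
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object { $_.ExpirationDate -and $_.ExpirationDate -lt (Get-Date).AddDays(7) } |
    Select-Object Value, ExpirationDate, Notes

Get-TenantAllowBlockListSpoofItems -Action Block |
    Select-Object SpoofedUser, SendingInfrastructure, SpoofType
```

Keep the Notes field meaningful (ticket or submission reference): when an entry expires or a user disputes it months later, that note is the only context left.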
To give end users more red flags to look for when they receive an email message, the following can be used or implemented:
You can also give your users the option to report messages to Microsoft themselves, as junk or phishing (false negatives) or as not junk (false positives), by using a report button in Outlook:
- built-in Report (Outlook on the web)
- Microsoft Report Message or Report Phishing add-ins (all Outlook platforms)
Finally, end users can be educated with a security awareness program to help them recognize questionable emails. See also this blog post.