We have a client whose Office365 is configured to use Cisco Email Security (CES) for both inbound and outbound mail traffic.
However, the client has reported that they're experiencing emails showing twice in the Office365 logs, double signatures, and random internal emails going into spam/junk within the users' mailboxes. We have checked the internet message headers for those emails (in the spam/junk folder) and checked the X-Forefront-Antispam-Report header, and all of them were SFV:NSPM, which means that the message was marked as non-spam and was sent to the intended recipients!!
The client has contacted Microsoft to resolve the issue; however, Microsoft got back to the client and they can't find any relevant information on why the emails are going to the spam/junk folder.
Could you please help to identify and resolve this issue?
When emails pass through the ESA's security engines, the headers that are added by the ESA start with X-Ironport-.
If the email has been scanned by the ESA's Antispam engine, you will see the X-Ironport-Antispam, X-IPAS-Result headers in the message headers of that specific email.
The next step will be to check the ESA's Antispam (CASE) verdicts in Message Tracking. If the CASE verdict is Negative, this means the ESA never flagged the email. Go through the whole tracking and check whether any of the ESA's security engines flagged the email as malicious.
If the ESA's engines gave a Clean verdict for the email, then for any further discrepancies observed in the email, the troubleshooting has to be done at the hops that come after the ESA.
Regarding emails showing twice in the O365 logs or doubled signatures, the ESA doesn't add or remove anything from an email unless a filter is configured to take additional actions, because the ESA is a relaying device. It may be a defect at the O365 level, but if Microsoft still suspects an issue with the ESA, you may open a TAC case for a deeper dive.
Emails landing in the Junk folder of the email client when the ESA's verdict is Clean for that email point towards an issue with the email server (O365 in this case).
Thanks for your reply!
I couldn't find X-Ironport-Antispam, X-IPAS-Result in the message headers of the emails in the spam/junk folder; I can only see Microsoft headers though. Similarly, I can't find the ESA's Anti-spam (CASE) verdicts in Message Tracking for those emails (I guess because the message has been delivered).
When an email passes through the ESA, then ideally X-Ironport headers should be present. Seeing only MS headers points towards the emails being directly received and processed in O365.
CASE verdicts for an email must be present even for DELIVERED emails, unless the Antispam scanning has been disabled in the Mail Policies or Mail Flow Policies or skipped using a filter.
But if the emails land in the Junk folder of the email client, that is more likely related to the email server. Please note that this has nothing to do with the ESA processing, since the ESA delivers the message to the receiving email server, and beyond that the classification of the message is entirely up to the server. In case a message is classified by the ESA as spam, the ESA will take an action itself (quarantine, drop, edit header as per config), but it has no control over the destination folder of the message in Outlook.
I would suggest engaging the server admins or MS in this aspect; that will be helpful.
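The header check discussed in this thread, as an added example that is not part of the original posts: it reads a saved message's headers, lists any X-IronPort-* / X-IPAS-Result headers, and extracts the SFV field from X-Forefront-Antispam-Report. The sample messages are constructed, and the function names `parse_forefront` and `triage` are hypothetical.

```python
from email import message_from_string

# Constructed sample messages (not real traffic); IPs are documentation ranges.
VIA_ESA = (
    "Received: from esa.example.net ([192.0.2.10]) by mx.example.com;"
    " Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-IronPort-Anti-Spam-Filtered: true\n"
    "X-IPAS-Result: constructed-sample-value\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;SCL:1;\n SFV:NSPM;\n"
    "Subject: via gateway\n\nbody\n"
)
DIRECT = (
    "Received: from sender.example.org ([198.51.100.7]) by mx.example.com;"
    " Mon, 1 Jan 2024 10:05:00 +0000\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:1;SFV:NSPM;\n"
    "Subject: direct\n\nbody\n"
)

def parse_forefront(value):
    """Split the 'KEY:VAL;KEY:VAL;' report into a dict (handles folded lines)."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def triage(raw_message):
    """Summarise which filtering layers left headers on the message."""
    msg = message_from_string(raw_message)
    names = {name.lower() for name in msg.keys()}
    # Header names are case-insensitive; match the ESA prefix from the thread.
    esa = sorted(n for n in names
                 if n.startswith("x-ironport-") or n == "x-ipas-result")
    report = parse_forefront(msg.get("X-Forefront-Antispam-Report", ""))
    return {
        "via_esa": bool(esa),           # False suggests the mail did not traverse the ESA
        "esa_headers": esa,
        "sfv": report.get("SFV"),       # e.g. NSPM = marked non-spam by O365
        "received_hops": len(msg.get_all("Received", [])),
    }

if __name__ == "__main__":
    for label, raw in (("via ESA", VIA_ESA), ("direct", DIRECT)):
        print(label, triage(raw))
```

Absence of the ESA headers is an indicator rather than proof, since a filter can strip headers; confirm against Message Tracking as described above.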