Identify suspicious messages in Outlook.com or Outlook on the web

To prevent phishing messages from reaching your mailbox, Outlook.com and Outlook on the web filter your messages using authentication methods including SPF, DKIM, and DMARC. These techniques verify that the sender is who they say they are, and are used to mark messages as junk email or deliver them to your inbox.

How can I identify a suspicious message in my inbox?

Outlook.com and Outlook on the web show indicators when the sender of a message either can't be identified or their identity is different from what you see in the From address.

  1. You see a '?' in the sender image

    When Outlook.com or Outlook on the web can't verify the identity of the sender using SPF, DKIM, or any other technique, it will display a '?' in the sender photo.

    A screenshot of a question mark in the sender image

    Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you do not recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed.

  2. The sender's address is different than what appears in the From address

    Frequently, the email address you see in a message is different than what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are.

    When Outlook.com and Outlook on the web detect a difference between the sender's actual address and the address on the From address, it will show the actual sender using the via tag, which will be underlined.

    A screenshot of the via tag

    In this example, the sending domain "suspicious.com" is authenticated, but the sender put "unknown@contoso.com" in the From address.

    Not every message with a via tag is suspicious. However, if you don't recognize a message with a via tag, you should be cautious about interacting with it.

Frequently asked questions

For the '?' in the sender image:  Outlook.com and Outlook on the web require the message to pass either SPF or DKIM authentication. Outlook on the web has additional internal logic for identifying senders.

For the via tag: If the domain in the From address is different from the domain in the DKIM signature or the SMTP MAIL FROM, it will display the domain in one of those two fields (preferring the DKIM signature).

You can't override these properties.

For the '?' in the sender image: As a sender, you should authenticate your message with either SPF or DKIM.

For the via tag: As a sender, you should ensure that either the domain in the DKIM signature or the SMTP MAIL FROM is the same as, or is a subdomain of, the domain in the From address.

Not necessarily. In addition to SPF and DKIM, Outlook on the web has additional logic to authenticate a message. In addition, Outlook on the web only shows these properties if the receiving domain’s MX record points to Outlook on the web, and has not been routed into and out of the environment.

Related Topics

Deal with abuse, phishing, or spoofing in Outlook.com
Help protect your Outlook.com email account

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×