To prevent phishing messages from reaching your mailbox, Outlook.com and Outlook on the web verify that the sender is who they say they are and mark suspicious messages as junk email.
Important: When a message is marked as a phishing scam, Outlook.com and Outlook on the web display a warning at the top of the page, but any links in the message can still be opened.
How can I identify a suspicious message in my inbox?
Outlook.com and Outlook on the web show indicators when the sender of a message either can't be identified or their identity is different from what you see in the From address.
You see a '?' in the sender image
When Outlook.com and Outlook on the web can't verify the identity of the sender using email authentication techniques, they display a '?' in the sender photo.
Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed.
The sender's address is different than what appears in the From address
Frequently, the email address you see in a message is different than what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are.
When Outlook.com and Outlook on the web detect a difference between the sender's actual address and the address in the From address, they show the actual sender using the via tag, which will be underlined.
In this example, the sending domain "suspicious.com" is authenticated, but the sender put "email@example.com" in the From address.
Not every message with a via tag is suspicious. However, if you don't recognize a message with a via tag, you should be cautious about interacting with it.
In the new Outlook.com and Outlook on the web, you can hover your cursor over a sender's name or address in the message list to see their email address, without needing to open the message.
How do you know if you're using the new Outlook.com or Outlook on the web? See the following examples:
If your mailbox looks like... [screenshot of the new mailbox]: You're using the new Outlook.com or Outlook on the web.
If your mailbox looks like... [screenshot of the classic mailbox]: You're using classic Outlook.com or Outlook on the web.
Frequently asked questions
For the '?' in the sender image: Outlook.com requires that the message pass either SPF or DKIM authentication. For more details, see Set up SPF in Office 365 to help prevent spoofing and Use DKIM to validate outbound email sent from your custom domain in Office 365.
For the via tag: If the domain in the From address is different from the domain in the DKIM signature or the SMTP MAIL FROM, Outlook.com displays the domain in one of those two fields (preferring the DKIM signature).
You can't override these properties.
For the '?' in the sender image: As a sender, you should authenticate your message with either SPF or DKIM.
For the via tag: As a sender, you should ensure that either the domain in the DKIM signature or the SMTP MAIL FROM is the same as, or is a subdomain of, the domain in the From address.
Do Outlook.com and Outlook on the web show this for every message that doesn’t pass authentication?
Not necessarily. Outlook.com and Outlook on the web may have other properties within the message to authenticate the sender.
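As a sender, you can model the rules from the frequently asked questions above to check your own mail before it goes out. The following is an added example, not Microsoft's code: the function names and sample addresses are constructed, and it assumes the via tag appears only when neither the DKIM signature domain nor the SMTP MAIL FROM domain is the same as, or a subdomain of, the domain in the From address. It does not model the other message properties that Outlook.com may use.

```python
from email.utils import parseaddr

def domain_of(value):
    """Lowercased domain of an address, header value or bare domain ('' if none)."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")

def aligned(auth_domain, from_domain):
    """True if auth_domain equals from_domain or is a subdomain of it."""
    return bool(auth_domain) and bool(from_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain))

def sender_indicators(from_header, mail_from, dkim_domain, spf_pass, dkim_pass):
    """Simplified model of the '?' and via indicators described on this page."""
    from_dom = domain_of(from_header)
    mf_dom = domain_of(mail_from)
    dkim_dom = domain_of(dkim_domain)
    # '?' in the sender image: the message passed neither SPF nor DKIM.
    question_mark = not (spf_pass or dkim_pass)
    # via tag (assumed rule): neither domain lines up with the From domain;
    # the DKIM signature domain is preferred over the SMTP MAIL FROM domain.
    via = None
    if not (aligned(dkim_dom, from_dom) or aligned(mf_dom, from_dom)):
        via = dkim_dom or mf_dom or None
    return {"question_mark": question_mark, "via": via}

# Constructed sample messages (not real traffic):
# (From header, SMTP MAIL FROM, DKIM d= domain, SPF passed, DKIM passed)
SAMPLES = {
    "page example": ("Example <email@example.com>", "bounce@suspicious.com",
                     "suspicious.com", True, True),
    "aligned subdomain": ("news@example.com", "bounces@mail.example.com",
                          None, True, False),
    "unauthenticated": ("a@example.com", "a@example.com", None, False, False),
    "lookalike domain": ("a@example.com", "b@notexample.com", None, True, False),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name}: {sender_indicators(*args)}")
```

The "lookalike domain" sample shows why the subdomain check compares on a leading dot: notexample.com ends with the same characters as example.com but is not a subdomain of it.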