This repository has been archived by the owner. It is now read-only.

What does EFV:NLI mean? #211

Closed
juppin opened this issue Nov 29, 2018 — with docs.microsoft.com · 33 comments

@juppin juppin commented Nov 29, 2018 — with docs.microsoft.com

My header is "X-Forefront-Antispam-Report: EFV:NLI;"

EFV is not listed in the list above...


Contributor

@AndreaBarr AndreaBarr commented Nov 30, 2018

@juppin Thank you for this inquiry

I am not sure what this means either. Let me get this over to the o365seccomp team for investigation.

Thank you for reporting and making the docs better. Much appreciated.

I made a note to request the team to update this when the work is complete.


@Andy9999 Andy9999 commented Dec 13, 2018 — with docs.microsoft.com

Hi, I got the same problem. What is funny is (sarcasm), that it started within an email communication with the same person that went back and forth a few times. The customer missed my reply because of that. It seems to affect 365 and hotmail as well. Is there any update on this?


@Andy9999 Andy9999 commented Dec 14, 2018 — with docs.microsoft.com

NLI seems to mean not listed, but what is EFV?


@Andy9999 Andy9999 commented Dec 14, 2018 — with docs.microsoft.com

If it helps in any way we joined the SNDS program and our IP addresses have normal status there. There is nothing else reported except EFV:NLI in the anti-spam header field.


@Andy9999 Andy9999 commented Dec 14, 2018 — with docs.microsoft.com

We also have a valid SPF record in place.


@Andy9999 Andy9999 commented Dec 14, 2018 — with docs.microsoft.com

One update, which is maybe helpful. I checked an email that did not go to the junk folder and it had the same header. So it seems, at least in my case, that this is unrelated to detecting it as spam.

Contributor

@MSFTTracyP MSFTTracyP commented Feb 15, 2019

Thank you for your feedback on this. I've been talking about this issue internally. The article will be undergoing some updates.

@MSFTTracyP MSFTTracyP closed this Feb 15, 2019


@onspring-technologies onspring-technologies commented Feb 21, 2019 — with docs.microsoft.com

How is this closed? THERE IS NO ANSWER?!?!

Contributor

@Absoblogginlutely Absoblogginlutely commented Feb 21, 2019 — with docs.microsoft.com

We're still getting efv:nli in headers too. I agree the document needs an overhaul, but this issue should not be closed until it is.


@rbianic rbianic commented Feb 27, 2019

Same message here, no documentation, spf/dkim/dmarc/dnssec/dane and my email view as spam by outlook...


@RichardKBR RichardKBR commented Mar 14, 2019 — with docs.microsoft.com

Same problem here X-Forefront-Antispam-Report: EFV:NLI;
My status is ok, in SNDS and other stuffs.

Contributor

@denisebmsft denisebmsft commented Mar 14, 2019

Hello @onspring-technologies, @Absoblogginlutely, @rbianic, @RichardKBR, and everyone!

First of all, please accept our apologies for not being more clear in our closing this issue. The article has been updated a few times since this issue was first opened, but we didn't explicitly address the EFV question in our responses here. We are sorry about that.

Second, we have looked into this further, and there is no current impact of the EFV:NLI header/verdict. It will be removed in the coming weeks.

We hope this helps clarify things, and once again, we apologize for any confusion.


@ktecho ktecho commented Mar 14, 2019

@denisebmsft I have that EFV:NLI in Outlook.com too, and my message went to the Spam folder. If EFV:NLI doesn't have an impact, how do I know why the email went to Spam?


@justinzhong justinzhong commented Mar 18, 2019

As reported by others in this thread, I am receiving the following header when sending to outlook.live.com (hotmail address) and it is arriving in the Junk Email folder.

X-Forefront-Antispam-Report: EFV:NLI;

DKIM/SPF all passed, reverse IP record added for my mail server as well.

The same emails sent to Office 365 business accounts and Gmail accounts are delivered to the inbox.

Would be appreciated if @denisebmsft from MSFT could please advise if EFV:NLI is not an issue, what other information we can use to troubleshoot further.

Thank you!


@onspring-technologies onspring-technologies commented Mar 18, 2019

It might actually be more relevant if there were any documentation on the numeric spam codes. Literally the only report code we get is EFV:NLI, yet we're ending up in spam (when we're definitely not spam). Yet we've got 5 numeric codes in the other header.


@amcorp1 amcorp1 commented Mar 21, 2019

We are running into the same problem. Our emails are marked with EFV:NLI, and they're all ending up in the spam folder! Same emails get processed without any issues on other providers (Gmail, etc.).


@maximilianh maximilianh commented Mar 26, 2019

Same here. BCL SCL are all 0, SPF is working. On stackoverflow someone suggests to send email only over IPv4 and use DKIM.


@maximilianh maximilianh commented Mar 26, 2019

Contacting Microsoft support worked but only for a week. We're sending email through the University server, Gmail servers, so definitely a well-known server with an address that has never been used for spam. The emails are signup confirmation emails, so if they land in spam, people cannot login to our website.


@kasinjsh kasinjsh commented Mar 30, 2019

I have this issue too. The only other mail service that lands my mail in spam is Yahoo. I have SPF, DKIM, DMARC, PTR set up correctly. My server's IP address is not on any blacklist, I have checked a lot of them.

Mail is still marked with EFV:NLI.


@ERKSagency ERKSagency commented Apr 2, 2019

The same thing is happening to me:
https://www.mail-tester.com/test-02af9

From Amazon SES (console -> TEST EMAIL) arrives at INBOX but from my script NO (only in Hotmail).

The strange thing is that by analyzing the headings, they are practically identical.


@kasinjsh kasinjsh commented Apr 5, 2019

> The same thing is happening to me:
> https://www.mail-tester.com/test-02af9
>
> From Amazon SES (console -> TEST EMAIL) arrives at INBOX but from my script NO (only in Hotmail).
>
> The strange thing is that by analyzing the headings, they are practically identical.

You don't have the MX record set up correctly. Fix that first.


@sponte sponte commented Apr 8, 2019

I too seem to have this problem. For some time, Outlook.live.com seems to be very spam hungry and a lot of genuine messages end up in my junk folder. New services I signed up to recently, official BMW correspondence, virgin media. Looking into source of these messages, they all seem to have EFV:NLI in them.

Seems like the issue is more generic than just individual domains.

@AndreaBarr – has that been addressed properly?


@ERKSagency ERKSagency commented Apr 8, 2019

>> The same thing is happening to me:
>> https://www.mail-tester.com/test-02af9
>> From Amazon SES (console -> TEST EMAIL) arrives at INBOX but from my script NO (only in Hotmail).
>> The strange thing is that by analyzing the headings, they are practically identical.
>
> You don't have the MX record set up correctly. Fix that first.

MX records are already there, could you check it out? ... I have tried everything and still do not get to INBOX.

If you need an Amazon capture, mail header, or any configuration, let me know.

Thanks


@Andy9999 Andy9999 commented May 24, 2019

Bump! This issue is still ongoing.

From a mail header of an email categorized as spam yesterday with EFV:NLI:
...
X-Forefront-Antispam-Report: EFV:NLI;
...

SPF is being validated and is OK. No DKIM here. This should not go to spam. There are no other indicators in the mail headers explaining why it was sorted out. Bad AI???


@romain10009 romain10009 commented May 28, 2019

Hi everyone, I'm experiencing same issues, I tried sending the mail from gmail, from my own SMTP, and from mailgun. It keeps landing in spam.

Regards,


@ProBackup-nl ProBackup-nl commented Jun 9, 2019

Over here there is also an issue of X-Forefront-Antispam-Report: EFV:NLI; (and all messages going to spam in Outlook/Hotmail.com and O365).

Other headers (munged):
Authentication-Results: spf=pass (sender IP is 8.1.5.1) smtp.mailfrom=s.nl; outlook.com; dkim=pass (signature was verified) header.d=s.nl;outlook.com; dmarc=pass action=none ...
helo does not match with rDNS of sender IP due to outbound link load balancing (outbound traffic is sent over multiple links of a Peplink Balance), helo=x.y.s.nl where rDNS of IPv4 = z.s.nl

Received: from x.y.s.nl (8.1.5.1) by HE1EUR01FT003.mail.protection.outlook.com (10.152.0.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.12 via Frontend Transport; Sun, 9 Jun 2019 09:09:02 +0000

Note: the TLS certificate has expired.

X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;


@ProBackup-nl ProBackup-nl commented Jun 10, 2019

In our case it seems only the IP address that MS doesn't like.


@ProBackup-nl ProBackup-nl commented Jun 10, 2019

When inserting a smart host in the outbound mail server connection, the message from the same server with the same content is immediately delivered to the inbox.

I think the indicator is: RF:JunkEmail; with nothing appended, together with X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;
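
A small triage helper for the headers quoted in this thread, added here as an example (it is not part of any comment above and is not Microsoft code). It splits the two `;`-separated headers into fields and flags `RF:JunkEmail`, the value commenters observed on junked mail; the sample message is constructed from values quoted in the thread, with the ENG list abridged, and the function names are hypothetical.

```python
import email
from email import policy

# Constructed sample built from header values quoted in this thread
# (ENG list abridged). Not a real captured message.
SAMPLE = (
    "X-Forefront-Antispam-Report: EFV:NLI;\r\n"
    "X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:0;pcwl:0;kl:0;iwl:0;"
    "dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;"
    "ENG:(5062000261)(4900115);RF:JunkEmail;\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)


def parse_fields(value):
    """Split 'KEY:value;KEY:value;' into a dict with upper-cased keys."""
    fields = {}
    for part in str(value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields


def triage(raw_message):
    """Summarise the anti-spam fields discussed in the thread for one message."""
    # policy.default unfolds headers that were wrapped across lines.
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report"))
    delivery = parse_fields(msg.get("X-Microsoft-Antispam-Mailbox-Delivery"))
    return {
        "efv": report.get("EFV"),
        "sfv": report.get("SFV"),
        "scl": report.get("SCL"),
        "rf": delivery.get("RF"),
        # Per the thread, RF:JunkEmail accompanies junk-folder delivery.
        "junked": delivery.get("RF") == "JunkEmail",
        # True when EFV is the only verdict field present, as several
        # commenters reported; it explains nothing about the placement.
        "only_efv": set(report) == {"EFV"},
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```
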


@Andy9999 Andy9999 commented Jun 12, 2019

Our BCL problem has been solved and it is zero again after contacting MS here:
https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75

And there (I think this one is only needed if the IP is black listed which wasn't the case for us):
https://sender.office.com/

Also it seems mail gets delivered again. Thank you MS and I hope it stays like this. A bit more transparency about the rules would be good!

I also removed my posting about the two junk mails in the mailbox using my alias name, hosted on the MS systems, even though our MX records never pointed there. Somehow the mailbox got created when signing up for the Windows/Windows Phone store, where an AD tenant was created. It seems the mails got there by a "stupid" MTA written by a spammer, trying each recipient with each mail server of the recipient list, therefore the MS systems picked up the mail, because it found such an alias. So this was kind of a false alert.


@Andy9999 Andy9999 commented Jun 14, 2019

Today the delivery problems are back. We are thinking about automating reporting it every day.

Here is another cool tool to test your emails:
https://www.mail-tester.com

We were not yet using DMARC and I now added an entry to our DNS hoping it increases the probability of successfully delivering mail to MS mail services, having a lower probability than any other mail provider (aka under performer).

We score 9/10, because of not having DKIM. But DKIM is not required imo, nor does any RFC specify that.


@rocketraman rocketraman commented Jun 14, 2019

I have another example of an email which, by all the other headers, should have ended up in the user's inbox, but did not, and has the mysterious EFV:NLI value in the X-Forefront-Antispam-Report header.

Despite using DKIM, SPF, and DMARC (all pass), seeing SFV:NSPM (not spam), SCL:1 (spam score level 1) in the X-Forefront-Antispam-Report header, and BCL:0, and PCL:0 in the X-Microsoft-Antispam header, and absolutely no other indication of a problem in the received email, somehow this email still ended up in the user's spam folder.

Searching for this, I see lots of users with the same issue, but always the same useless non-answers.


@Andy9999 Andy9999 commented Jul 1, 2019

Our mails are not going to Junk Mail on Hotmail/Live anymore.

Before we had a 9/10 on https://www.mail-tester.com, because of missing DKIM and now, with DKIM in place it is 10/10. If you don't send out bulk-mails, like us, you can safely ignore the orange "Your message does not contain a List-Unsubscribe header" warning. Anything else is green in our case.

We did additionally set up DMARC. I am not sure if DMARC is absolutely required, but it will not hurt if it is properly set up. There are some free services, for example https://dmarc.postmarkapp.com/ (and possibly others). Alternatively you can set up your own infrastructure either using your existing email domain or on a separate one. There is one mail-tester.com result posted above, having DKIM but some kind of DMARC problem reported and therefore getting a 9.6, but still mails are going to junk.

If you use TLS, you may want to check https://www.checktls.com/, because we found that we had an expired certificate from our internal CA. Now we score 100% for all tests there too.

The mails now pass, the mail headers do not contain RF:JunkEmail anymore in the "X-Microsoft-Antispam-Mailbox-Delivery:" header.

The mail still has EFV:NLI, but it does not affect delivery negatively on its own (but eventually in conjunction with other criteria).

I hope this helps!

@dariomws306 dariomws306 referenced this issue Aug 19, 2019

@syarkhan syarkhan commented Aug 22, 2019

The EFV:NLI; probably has nothing to do with your email landing in junk.
I had the same problem as my legit emails were landing in junk folder and then I removed these headers:

  1. X-Fbl
  2. 'List-Unsubscribe-Post': 'List-Unsubscribe=One-Click'
  3. X-Complaints-To
  4. List-Id
  5. X-Mailer

After removing these headers, my emails are now landing in Inbox.

I also did some tests with GlockApps, and before removing these headers, all the other providers (gmail, yahoo) were marking my email as inbox, but hotmail and outlook were marking it as Spam straightaway.

After removing these headers, outlook and hotmail marked it as Inbox.

Hope this helps people whose legit emails are landing in spam.
