Query Details

Detecting Domains Where Their Emails Will Be Routed To Junk Folders Due To New Outlook Requirement

Query

EmailEvents
| where Timestamp > ago(1d)
| extend SPF = tostring(parse_json(AuthenticationDetails).SPF)
| extend DMARC = tostring(parse_json(AuthenticationDetails).DMARC)
| extend DKIM = tostring(parse_json(AuthenticationDetails).DKIM)
| where SPF !has "pass" or DMARC !has "pass" or DKIM !has "pass"
| summarize Total_Emails=count() by InternetMessageId, SenderFromDomain, SPF, DMARC, DKIM
| where Total_Emails > 4000
| order by Total_Emails

About this query

Explanation

This query is designed to identify email domains that are at risk of having their emails sent to the Junk folder in Outlook due to non-compliance with certain email authentication standards. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at email events from the past day.

  2. Extract Authentication Details: It extracts the results of three email authentication checks: SPF, DKIM, and DMARC, from the email's authentication details.

  3. Filter Non-Compliant Emails: It filters out emails that did not pass any of these checks (SPF, DKIM, or DMARC).

  4. Count Emails by Domain: It counts the total number of non-compliant emails for each domain.

  5. Identify High-Volume Senders: It focuses on domains that have sent more than 4,000 non-compliant emails in the past day.

  6. Sort Results: Finally, it sorts these domains by the total number of non-compliant emails sent.

The purpose of this query is to help identify domains that need to improve their email authentication practices to avoid having their emails marked as junk or eventually rejected by Outlook.

Details

Sergio Albea profile picture

Sergio Albea

Released: April 4, 2025

Tables

EmailEvents

Keywords

EmailEventsAuthenticationDetailsInternetMessageIdSenderFromDomainTimestamp

Operators

ago()extendtostring()parse_json()where!hassummarizecount()byorder by

Actions

GitHub