Live Direct Marketing logo
Inbox Placement Test
Microsoft 3658 min read

Microsoft 365 deliverability: why Outlook treats you differently from Hotmail

M365 mail passes through two filters: Defender for Office 365 at the tenant edge, then user-level rules. Both can send you to Junk even when Gmail accepts your mail. Here is why.

Microsoft 365 is not consumer Outlook. Mail destined for an M365 mailbox hits a deeper filter stack than mail to Outlook.com or Hotmail, and every tenant is configured differently. A sender can have perfect Outlook.com placement and 0% M365 placement — same authentication, same content, same domain. This article is about why that happens and what to change.

TL;DR

M365 stack: EOP → Defender for Office 365 → tenant transport rules → user Junk. The four common failure modes are IP reputation (EOP), tenant allow/block lists, custom transport rules, and user Safe Senders. Diagnose with message trace from the tenant admin. Test external M365 placement free on Inbox Check across multiple tenants.

The M365 filter stack

A message to user@company.com (on M365) goes through:

  1. Exchange Online Protection (EOP) — the baseline tenant filter. Connection filtering, anti-spam, anti-malware, sender reputation. Every tenant gets EOP.
  2. Microsoft Defender for Office 365 — advanced threat protection layered on top. Safe Links rewrites URLs, Safe Attachments detonates attachments in a sandbox, Anti-Phishing scores sender impersonation. Only on Defender-licensed tenants.
  3. Tenant transport rules (mail flow rules) — admin-defined rules that can rewrite, redirect, block or flag mail by any criterion (sender domain, keyword, attachment type, header).
  4. User-level rules — Outlook client rules, Safe Senders, Blocked Senders. The final gate before the Inbox.

Every layer can send you to Junk. Every layer produces a different fingerprint. This is why "my emails go to Junk in Outlook" is an underspecified problem — the fix depends on which layer is doing it.

The four main M365 failure modes

1. IP reputation at EOP

EOP connection-filters on source IP before it even looks at content. If your IP has a bad reputation with Microsoft (check SNDS), your mail is throttled or rejected at the edge. The symptom: deferred bounces with 450 4.7.650 or outright rejects with550 5.7.1.

Fix: move to a clean IP, register SNDS + JMRP, request mitigation through sender.office.com once your auth is strict.

2. Tenant allow/block lists

Admins maintain tenant-wide lists. Your domain might be explicitly blocked at one tenant and whitelisted at another. Users sometimes add your domain to their Blocked Senders years ago and forgot.

Fix: ask the recipient to check. They can find their Blocked Senders in Outlook under Settings → Mail → Junk email. For tenant-wide blocks, the admin has to remove you from the Tenant Block List (defender.microsoft.com).

3. Custom transport rules

Tenants often have rules like "flag any external mail with a keyword in the subject" or "redirect mail from any .xyz domain to quarantine". These rules are invisible externally. Message trace (see below) is the only way for the recipient's admin to see them.

Fix: there is no external fix. The recipient's admin either relaxes the rule or adds you to an exception list.

4. Safe Senders / Blocked Senders at user level

The user's own Safe Senders list bypasses most filtering. A user who added your domain to Safe Senders will receive you even with weak auth. A user who added you to Blocked Senders will junk you even with perfect auth. Ask new prospects to add your sender address to Safe Senders as part of onboarding.

How admins diagnose with message trace

The recipient's admin can run a message trace in the M365 admin center (Exchange → Mail flow → Message trace). A full trace shows:

  • Which EOP policy matched.
  • Which transport rule fired.
  • Which filter verdict was applied (SCL — Spam Confidence Level).
  • Final delivery location (Inbox, Junk, Quarantine).

For B2B outreach, if you have a trusted contact at the target organisation, asking them to run a message trace and share the verdict is often the fastest diagnosis. Most senders never bother — which is why the same failure repeats across prospects.

ATP Safe Links and Safe Attachments gotchas

On Defender-licensed tenants, Safe Links rewrites every URL in your email to route through a Microsoft proxy. Consequences:

  • Your tracking links are rewritten. Clicks recorded by your ESP may include Microsoft detonation bot traffic, inflating CTR.
  • If the destination URL reputation is poor, Safe Links blocks the click with an interstitial warning — even if the email itself passed.
  • Safe Attachments detonates attachments in a sandbox, adding 2–10 minutes of latency before delivery. Time-sensitive mail with attachments may feel "stuck" to the recipient.

Spoof Intelligence and impersonation protection

Defender's anti-phishing includes impersonation protection — the tenant admin can designate "protected users" (usually the CEO, CFO, IT admin) and any mail that appears to impersonate them by display name or domain similarity gets flagged. This is why cold outreach that uses "CEO of Example Corp" as a display name trips Junk at many M365 tenants even with clean auth — Spoof Intelligence scored your message as a potential exec impersonation.

Fix: use your own name and company, not the recipient's exec names. Don't try to sound like someone internal.

How to get delisted from Microsoft

  1. Check SNDS. Fix whatever the data says (high complaint rate, trap hits, green → yellow → red transitions).
  2. Confirm DMARC is at p=quarantine or p=reject with alignment.
  3. Confirm DKIM is 2048-bit.
  4. Submit a mitigation request at sender.office.com with your IP range and domain. Processing: 3–10 business days.
  5. For JMRP complaint volume, suppress all complainers from future sends immediately. A single JMRP feedback loop takes precedence over any other reputation signal.

How to test M365 placement for free

Inbox Check includes Microsoft 365 seed mailboxes on multiple independent tenants. The result shows how your mail lands across a cross-section of M365 configurations — Defender-enabled, Defender-off, different licence tiers, different admin policies. This is the closest externally-available view of M365 placement behaviour.

M365 coverage comparison

GlockApps ($59+/mo): has M365 seeds, mostly on single-tenant setups.

Inbox Check (free): M365 across multiple tenants and licence configurations. Plus Outlook.com, Hotmail, Live, and 17+ other providers. Real screenshots. Public API + MCP endpoint.

Frequently asked questions

Why does my email land in Inbox at one M365 tenant and Junk at another?

Tenant-specific transport rules and Defender configuration. There is no universal M365 placement — every tenant is configured differently. Test across multiple seed tenants to get a representative picture.

How is EOP different from SmartScreen?

EOP is the M365 protection stack (connection filter + anti-spam + anti-malware). SmartScreen is the consumer Outlook.com / Hotmail filter. They share underlying signals but EOP is tenant-configurable while SmartScreen is not.

Does a high SCL (Spam Confidence Level) always mean Junk?

SCL 5+ usually routes to Junk by default, but tenant rules can override. Some tenants raise the threshold to SCL 7. Some route SCL 9 to quarantine instead of Junk. Check the message trace for the actual delivery location.

If my SPF and DKIM pass, why am I still in Junk?

Auth passing is necessary but not sufficient. M365 also checks DMARC alignment, IP reputation, content via Defender, tenant rules, and user lists. Any one of those can route a fully authenticated message to Junk.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required