Learn how to troubleshoot the Email Security.cloud Anti-Spam service for the following issues:

• False positives - Legitimate email incorrectly identified or filtered as spam
• False negatives - Spam email that's missed or not caught
• Email blocked or quarantined by SPF
• Email blocked due to DMARC policies or failures

Email incorrectly identified as spam (false positive)

Bounceback shows "553 - Sorry, your IP/ Email address has been blacklisted"

The email has been blocked based on one of the following:

• An entry in your global Blocked Senders in the Symantec.cloud Management portal.
• An entry in an individual user's list.

To resolve this issue:

• Modify the Blocked Senders list as needed.

Bounceback shows "553 - mail rejected because your IP is in the PBL"

This has been blocked because the sender's IP is in the Spamhaus PBL (Policy Block List).  This is not a spam list, the IP in question has been designated by the ISP as non-mail sending (these are usually Dynamic IPs).

To resolve this issue:

• Add the sender's email address to the Approved Sender list.
• Advise the sender that their IP is listed on the Spamhaus Blocklist, in order to have the IP de-listed.

Bounceback shows "553 - Message filtered" or "No bounceback", but Email Track & Trace indicates "Detected by Heuristics."

This has been blocked because it matched spam signatures or heuristics

To resolve this issue:

• Have the email submitted via Email Submissions tool. For full submission details, see Submitting legitimate emails flagged as spam (false positives) by Symantec.cloud email services.

Spam email not intercepted (false negative)

• .Ensure that the email was scanned by Symantec.cloud Infrastructure by checking Email Track & Trace or the email headers
  • Forward a copy of the email as an attachment to [email protected].
• Enter the address in their Blocked Sender list if you never want to receive an email from that sender again.
• If you believe the sender has already been added, confirm that you added the Envelope Sender address to the list by looking at the sender as reported in Email Track & Trace.
• For full submission details, see Submit false negative spam emails missed by Symantec.cloud email services.

SPF troubleshooting

• To review the sender’s SPF record, use an online SPF lookup tool such as SPF Surveyor.
• For a full validation test comparing the sending IP against the record, use a tool such as SPF Policy Tester.

If the sender is a customer-provisioned on our services, they should have our SPF entry, even if they normally do not route outbound through us. When an email is sent between customers, we look for that reference.

Note: SPF only applies to the envelope from (SMTP Mail FROM).

See also Implement SPF records in Email Security.cloud.

DMARC troubleshooting

• Use an online DMARC lookup tool or DNS Lookup to review the sender’s SPF Record.
• Use a tool such as DMARC Record Checker to obtain the DMARC policy of a domain.
• For raw lookup, you need to perform a TXT record DNS lookup on the _dmarc subdomain (ie: _dmarc.yahoo.com).

There are two steps for a DMARC check to pass:

• First, the email must pass on an SPF or a DKIM check.
• Two, it must pass an alignment check.
  • For SPF: The Body From domain must match the Mail From domain. While an email may pass the SPF check, if the Body From doesn’t match the Envelope From, the email fails DMARC (unless DKIM passes).
  • For DKIM: The domain in the d=example.com tag in the DKIM Signature header must match the Body From domain. While an email may pass the DKIM check, if the Body From doesn’t match the d=example.com domain, the email fails DMARC (unless SPF passes).

For more information, see Enabling spoofed sender detection with DMARC.

See also Anti-Spam best practice settings.