As part of our continuous improvement initiatives, we have updated our guidance on how best to prevent legitimate application emails being categorised as junk by the NHSmail platform.
The following guidance applies to internally hosted applications, third-party integrations and external workflows which send emails into the NHS.net domain over the internet and builds upon the existing Applications Guide, Authentication Configuration, Relay Configuration and LA bulletin documentation.
This article also references the Microsoft O365 troubleshooting guidance.
Exchange Online Protection (EOP)
Since integrating Exchange Online and its increased protections into the NHSmail platform, there have been a number of enhancements which have significantly reduced the number of overall malicious and spam emails successfully entering the domain. An unintended consequence of this enhanced security has been a small increase in the number of genuine emails being incorrectly categorised as junk by one or more of our security components.
How EOP works
Details of how EOP works can be found on the Microsoft website page Exchange Online Protection overview. The below diagram also provides a useful overview of the components involved:
Regarding false-positive junk categorisation, the important components to note are the connection and content filtering, as well as the grading/analysis which is based on user feedback.
Troubleshooting & FAQs
Since integrating Exchange Online and its enhanced protections into the NHSmail platform, we have identified the below contributing factors which increase the probability that a legitimate email will be categorised as junk. Please see below for guidance and advice on troubleshooting.
Please note that while false-positive incidents can and will be raised with our platform vendors, if there are broader configuration issues with the email sending solution/infrastructure, then providing samples for our vendors may not be enough to resolve the incorrect junk categorisation issue. Third-party troubleshooting and potential configuration changes may be required. Configuration can be tested and validated using third-party checkers such as MxToolBox or Microsoft’s Remote Connectivity Analyser.
The below guidance should help in initiating that process:
- Sender Authentication Failures: Please ensure that there are no sender email authentication failures with SPF, DKIM and DMARC, and that none of these records are missing. Guidance on SPF, DKIM, DMARC configuration for nhs.uk organisations can be found on the NHSmail support pages here. Microsoft also provide best practice guidance for O365 hosted tenants. External vendors should contact their DNS hosting provider.
- Sender Reputation Level Score: Low Sender Reputation Level (SRL) scores constitute a large part of the overall spam categorisation calculation and can be influenced by:
  - HELO/EHLO analysis
  - Reverse DNS lookup (PTR)
  - Historical Spam Confidence Level (SCL) data
  - Sender Score Reputation Network
  Guidance on best practice for SRL related components can be found on the Microsoft FAQ page here. If the sender domain has recently suffered reputation damage or has been added to the blocked senders list, we can work with our vendors to mitigate this once the underlying issue or cause is corrected. This can be achieved via the NHSmail Service Desk.
- Content filtering: When mitigating common or newly emerging malicious attack themes, legitimate emails can occasionally be tagged as malicious or spam. Recent examples of such workflows can include:
  - Voicemail notifications
  - Covid19 appointments or results
  When legitimate emails such as the above are categorised as junk and there are no wider configuration issues, the quickest way to resolve this is to provide samples of the emails which are going to junk to the NHSmail Service Desk who can then submit a false-positive case.
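Before raising a case, the headers of a junked sample can be checked against the factors listed above. The following is an added example, not part of the NHSmail guidance: it reads the Authentication-Results and X-Forefront-Antispam-Report headers that Exchange Online Protection stamps on inbound mail and reports SPF/DKIM/DMARC results, the SCL, the HELO/EHLO name and the PTR value. The sample message, its domain and IP address are constructed, and treating `InfoDomainNonexistent` as the "no PTR record" marker is an assumption.

```python
import re
from email import message_from_string

# Constructed sample in the style of EOP-stamped headers. The domain, IP and
# host names are placeholders, not a real sender.
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=appointments.example; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine header.from=appointments.example
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:GB;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:localhost;PTR:InfoDomainNonexistent;CAT:SPM;DIR:INB;
From: Clinic Bookings <noreply@appointments.example>
Subject: Appointment reminder

Constructed body.
"""

def triage(raw):
    """Return (auth results, antispam fields, findings) for one raw message."""
    msg = message_from_string(raw)
    # Pull the three mechanism verdicts out of Authentication-Results.
    auth_hdr = msg.get("Authentication-Results") or ""
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_hdr))
    # The antispam report is a ';'-separated list of KEY:value pairs.
    report = msg.get("X-Forefront-Antispam-Report") or ""
    fields = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech.upper()} result is '{result}'")
    scl = fields.get("SCL", "")
    # SCL 5 and above is delivered as spam; -1 means filtering was skipped.
    if scl.lstrip("-").isdigit() and int(scl) >= 5:
        findings.append(f"SCL {scl}: message was categorised as spam")
    helo = fields.get("H", "")
    if "." not in helo:
        findings.append(f"HELO/EHLO name '{helo}' is not a fully qualified host name")
    # Assumption: an empty value or 'InfoDomainNonexistent' means no PTR record.
    if fields.get("PTR", "") in ("", "InfoDomainNonexistent"):
        findings.append("no reverse DNS (PTR) record for the connecting IP")
    return auth, fields, findings

if __name__ == "__main__":
    for line in triage(SAMPLE)[2]:
        print("-", line)
```

An empty findings list with a high SCL points towards content filtering rather than sender configuration, which is the case where a sample submitted to the Service Desk is the quickest route.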
NHSmail Service Desk – Minimum Data Set – Junk Emails
When raising requests with the Service Desk we request that the following information is provided to allow the NHSmail resolver teams to investigate and process these incidents as quickly as possible:
- Problem description
- Number of users this issue is affecting
- Are the emails from internal nhs.net, nhs.uk or external?
- Is it happening only with emails containing attachments? If yes, what are the attachment size and type?
- Full sender address
- Full recipient address
- Date/Time email sent within last 7 days
- Please provide a sample email in .msg format
NOTE: If the affected workflow contains confidential information, please create a dummy or blank sample so that we can process the request efficiently with our external vendors.