Outlook might label some emails as ‘Unverified’, with the sender’s photo/initials replaced by a question mark (?). What does ‘Unverified’ mean? Is the email safe to open, and how can you stop some messages showing as ‘Unverified’?
Unverified can appear in mailboxes hosted by Microsoft directly (Microsoft 365, Outlook.com). It’s a feature mostly controlled by the server mailbox, not the Outlook software (Windows, Mac etc).
What does Unverified mean?
Unverified means that Microsoft could not confirm that the sender is the real person or organization, NOT an impersonator or hacker.
These days there are various ways to confirm that the sender is legitimate * and if an incoming email doesn’t pass those tests, Microsoft tags the message as ‘Unverified’.
* Strictly speaking the verification methods confirm that the owner of the domain name has authorized the email system to send messages on behalf of the domain. The methods do NOT verify individual senders.
We’ll go into a little detail about the verification methods below.
Do you trust an ‘Unverified’ message?
An ‘Unverified’ message is a warning that the email might be spoofed (impersonated) so extra caution is advisable. Double-check that any links in the message go to the correct domain.
‘Unverified’ could simply mean the sender’s system hasn’t been set up correctly. The sample message we’re using in the article really did come from The Old Vic theatre in London. It seems someone dropped the ball with the domain settings, nothing more.
How to verify an ‘Unverified’ sender
Fixing an ‘Unverified’ tag is a job for the sender or their IT admin team, see ‘Email Verification Methods’ below.
According to some reports, adding the sender or sending domain to the Outlook ‘Safe Senders’ list will override the ‘Unverified’ label. Right-click on the message, then Junk | then one of the ‘Never block …’ options: Sender, Sender’s Domain or ‘this Group or Mailing List’.
Choose Junk E-mail Options … to see the Safe Senders list.
However, in our tests with the latest Outlook 365 for Windows, ‘Safe Senders’ did NOT change the ‘Unverified’ label.
Email Verification Methods
The three email verification systems are SPF (no relation to sunscreen), DKIM and DMARC.
Sender Policy Framework (SPF) lists the mail servers authorized to send mail on behalf of the domain. SPF records are included in the domain record.
DomainKeys Identified Mail (DKIM) is also listed in the domain record. Emails are sent with a digital signature based on the DKIM domain setting and the contents of the email.
Domain-based Message Authentication, Reporting and Conformance (DMARC) allows domain owners to suggest what action to take for emails that don’t pass SPF or DKIM (quarantine, reject or nothing). Domains can also receive reports of unauthorized emails.
For the ‘Unverified’ email from The Old Vic shown above, the reason is a little more obscure. Looking in the email header (File | Info | Properties) shows that the message passed both SPF and DKIM at Microsoft’s servers.
A closer look at the header shows the connection from the sending server was encrypted, but “(Client did not present a certificate)” and “compauth=fail” could be the problem. Running the header through the header parsing tool we recommend for making sense of an Outlook email header shows there were issues with both SPF and DKIM. There was no DMARC record.
In other words, there’s complexity in how Microsoft decides a message is ‘Unverified’. It’s up to the domain owner and IT admins to ensure the SPF, DKIM and DMARC records are up to date.
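The header check described above can also be done with a short script. This is an added example, not part of the original article and not Microsoft's decision logic: it pulls the SPF, DKIM, DMARC and compauth verdicts out of the Authentication-Results header. The sample header, its example.org domain, IP address and reason code are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: field layout follows the header described in the article;
# the domain, IP address and reason code are placeholders, not the real message.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.25)
 smtp.mailfrom=example.org; dkim=pass (signature was verified)
 header.d=example.org; dmarc=none action=none header.from=example.org;
 compauth=fail reason=001
From: Box Office <tickets@example.org>
Subject: Your booking

See you at the show.
"""

METHODS = ("spf", "dkim", "dmarc", "compauth")


def auth_results(raw_message: str) -> dict:
    """Return the verdict recorded for each method, e.g. {'spf': 'pass'}."""
    msg = message_from_string(raw_message)
    verdicts = {}
    # Headers are stacked newest-first, so the first verdict seen for a method
    # is the one written by the last server to handle the message.
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())             # undo header line folding
        unfolded = re.sub(r"\([^()]*\)", "", unfolded)  # drop (comments)
        for clause in unfolded.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)", clause)
            if m and m.group(1).lower() in METHODS:
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def non_passing_checks(verdicts: dict) -> list:
    """List every method that is absent or has a verdict other than 'pass'."""
    return [f"{m}={verdicts.get(m, 'missing')}"
            for m in METHODS if verdicts.get(m) != "pass"]


if __name__ == "__main__":
    found = auth_results(SAMPLE)
    print(found)
    print("Worth a closer look:", non_passing_checks(found) or "nothing")
```

To check a real message, paste the header text copied from File | Info | Properties in place of SAMPLE.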
If your domain email is hosted by Microsoft 365, the domain setup includes the necessary SPF and DKIM records to verify emails coming from your mailboxes.
If your organization has other mailing services (like bulk emails to customers), those services need to be included in the domain records. Any competent mail service will help with that.