Knowledgebase: OCAD U 365
Email: Messages Not Delivered to Inbox as Expected
Updated: 24 July 2020 03:14 PM

A message, or multiple messages, that you were expecting from a legitimate, known external sender never arrived in your Inbox.  There are many reasons this may have occurred, but first we'll clear a few things up:

  • Myth: There is a 'blacklist' that OCAD U IT Services maintains and the person sending you email is on it.
  • Fact: Except in the case of known high volume phishing/scam/spam campaigns against the institution - that Microsoft has not yet proactively blocked - OCAD U IT Services does not maintain a 'blacklist' that would actively prevent message delivery from legitimate known senders.
  • Fact: OCAD U relies almost exclusively on Microsoft, the provider of our Exchange/Outlook Email service (via OCAD U 365), to analyse and filter email appropriately, based on their assessment of numerous potential threat factors.  These technologies are called Exchange Online Protection (EOP) and Advanced Threat Protection (ATP).
  • Fact: Email infrastructure is rooted in decades-old technology at its core - From: addresses, for example, can be forged very easily (spoofing). Numerous 'bolted-on' (DNS-based) technologies have been developed to help ensure the security and safety of email. As you are likely aware - despite the best attempts of IT departments the world over - spam, phishing, and scams still find their way to your Inbox from time to time, and you are hopefully well versed in what to be suspicious of.  IT Security is very aware of the email threat landscape, is extremely active in responding to threats quickly, and works daily to prevent the delivery of malicious content to your Inbox.
  • Fact: Email sent internally (from other or accounts) or from Students (via is trusted implicitly and would only be actively blocked if a compromised account, malware, or suspicious activity was detected.
  • Fact: We receive (and successfully filter 99.99% of) more spam and malicious email than we receive legitimate email.  In a recent 30-day period, we received approximately 330,000 legitimate messages and blocked over 550,000 spam messages, 20,000 phishing messages, and 300 malware-infected attachments.

We occasionally come across a situation where employees tell us that someone sent them an email but it never arrived in their Inbox. Typically, we find that these messages are coming from an external organization using a custom domain and hosting services. When we investigate the reason for non-delivery, we find that Exchange Online Protection has deemed the message to be suspicious due to poor configuration at the originating end (the sender domain).

We're going to get a little technical...

One of the 'bolted-on' DNS-based technologies referred to above is called SPF (Sender Policy Framework). Simply put, this framework tells receiving mail servers (us) whether or not a message originated from an IP address that is expected and approved for the sender's domain; a message that did not is a potential sign of spoofing or malicious activity. If an incoming message fails the SPF check, it is treated harshly by Exchange Online Protection. Failing this check identifies a message as possible spoofing and the message is often routed to a quarantine and not your Inbox - for your own and the institution's protection.

SPF is perhaps a bit confusing for some folks running small businesses and is therefore often overlooked when setting up their business domain and email services. However, it is a vital component in the fight against malicious email, and time should be spent setting it up properly based on the best practices of a hosting provider.
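
To make the SPF check concrete, here is an added example (not OCAD U's or Microsoft's code) that evaluates a sender domain's published SPF record against the IP address a message arrived from. It handles only the ip4, ip6 and all mechanisms, and every domain, record and address in it is a constructed sample.

```python
import ipaddress

# Constructed sample SPF TXT records (reserved example domains and addresses).
SAMPLE_TXT = {
    "wellconfigured.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "forgot-host.example": "v=spf1 ip4:192.0.2.10 -all",  # new mail host never added
    "no-spf.example": None,                                # no SPF record published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate a subset of SPF (ip4, ip6, all) for one connecting IP address."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:          # mechanisms are evaluated left to right
        qualifier = "+"             # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":           # catch-all: matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # include, a, mx, redirect etc. need DNS lookups; not covered here.
            return "unsupported"
    return "neutral"                # nothing matched and no "all" term

if __name__ == "__main__":
    for domain, ip in [("wellconfigured.example", "192.0.2.77"),
                       ("forgot-host.example", "203.0.113.5"),
                       ("no-spf.example", "203.0.113.5")]:
        print(domain, ip, check_spf(SAMPLE_TXT[domain], ip))
```

The second sample is the situation described above: the domain owner's mail now leaves from an address that was never added to the record, so a legitimate message fails the check.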

What can you do?

If you were expecting a message from someone and it did not arrive in your Inbox within a reasonable time frame (let's say 30 minutes to cover other potential unexpected delays in delivery), please contact and state the exact sender email address and approximate date you were expecting to receive the message (we really need details here). Systems administrators will analyse the mail flow for you and identify the exact reason a message was not delivered.

We can release any quarantined message to your Inbox, but it is also entirely possible we will come back to you and say the sender does not have a properly configured SPF record on their domain. If this is the case, we cannot guarantee the future delivery of mail from that sender to your Inbox until they have resolved the issue at their end. The reason you did not receive the message has nothing at all to do with OCAD U 365 and everything to do with how they have configured things at their end.  IT Services will never add these senders to any 'whitelist' that can bypass protections and put the institution at risk.

It is the sole responsibility of senders and domain owners to ensure they are following best practices in email delivery to protect their domain, brand, business interests, and reputation.