This table shows the different header values used by Exchange Online Protection (EOP), what each value means, and whether it bypasses anti-spam filtering or not.
Blog Post:
https://blog.ahasayen.com/exchange-scl-and-eop-headers/
Exchange Online Protection EOP headers

| Category | Header | Description |
| --- | --- | --- |
| IP INFORMATION | CIP [Connecting IP] | Connecting IP. This is the one that should be put in the connection filter if you want to allow a sender. |
| | IPV:CAL [IP Verdict] | The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter. |
| | IPV:NLI [IP Verdict] | The IP address was not listed on any IP reputation list. |
| | CTRY [Country] | The country from which the message connected to the service. This is determined by the connecting IP address, which may not be the same as the originating sending IP address. |
| | LANG [Language] | The language in which the message was written, as specified by the country code (for example, ru_RU for Russian). |
| Inspected by Content Filter | SFV:SPM [Spam Filtering Verdict] | The message was marked as spam by the Content Filter. |
| | SFV:NSPM [Spam Filtering Verdict] | The message was marked as non-spam by the Content Filter and was sent to the intended recipients. |
| Spam Filter Allow/Block lists | SFV:SKA [Spam Filtering Verdict] | The message skipped Content Filtering and was delivered to the inbox because it matched an allow list in the Spam Filter policy, such as the Sender allow list inside the Spam Filter Policy Allow List. |
| | SFV:SKB [Spam Filtering Verdict] | The message was marked as spam because it matched a block list in the spam filter policy, such as the Sender block list inside the Spam Filter Block List. |
| User Mailbox Junk Folder Allow/Block | SFV:SFE [Spam Filtering Verdict] | Filtering was skipped and the message was let through because it was sent from an address on an individual’s safe sender list. |
| | SFV:BLK [Spam Filtering Verdict] | Filtering was skipped and the message was blocked because it was sent from an address on an individual’s blocked sender list. |
| SKIP SPAM FILTER | SFV:SKN [Spam Filtering Verdict] | The message was marked as non-spam prior to being processed by the content filter. This includes messages where the message matched a transport rule to automatically mark it as non-spam and bypass all additional filtering or Connection Filter Allow List. |
| | SFV:SKI [Spam Filtering Verdict] | Similar to SFV:SKN, the message skipped filtering for another reason such as being intra-organizational email within a tenant. This includes messages exchanged inside the organization. |
| Release from Quarantine | SFV:SKQ [Spam Filtering Verdict] | The message was released from the quarantine and was sent to the intended recipients. |
| FORCE BEING SPAM | SFV:SKS [Spam Filtering Verdict] | The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a Transport rule to automatically mark it as spam and bypass all additional filtering. |
| | SCL | The Spam Confidence Level (SCL) value of the message. |
| | H [helostring] | The HELO or EHLO string of the connecting mail server. |
| | PTR [ReverseDNS] | The PTR record, or pointer record, of the sending IP address, also known as the reverse DNS address. |
| | X-CustomSpam: [ASFOption] | The message matched an advanced spam filtering (ASF) option. |
| | SRV:BULK | The message was identified as a bulk email message. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam. |
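As an added example (not from the original slides or blog post), the Python sketch below parses these fields out of a message and reports when the verdict shows filtering was bypassed by an allow list or rule. It assumes the fields are read from the `X-Forefront-Antispam-Report` header; the sample messages, addresses and the function names `parse_report` and `triage` are constructed for illustration.

```python
from email import message_from_string

REPORT_HEADER = "X-Forefront-Antispam-Report"  # header EOP stamps these fields into

# Table values whose description says filtering was skipped or the message allowed.
BYPASS = {
    "SFV:SKA": "allow list in the spam filter policy",
    "SFV:SFE": "individual's safe sender list",
    "SFV:SKN": "transport rule or connection filter allow list",
    "SFV:SKI": "intra-organizational mail",
    "IPV:CAL": "IP Allow list in the connection filter",
}

def parse_report(value):
    """Split 'KEY:val;KEY:val' into a dict. Tolerates folded lines, empty
    values (SRV:) and colons inside a value (an IPv6 CIP)."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def triage(raw_message):
    """Return (fields, findings) for one raw RFC 5322 message."""
    fields = parse_report(message_from_string(raw_message).get(REPORT_HEADER, ""))
    if not fields:
        return fields, ["no EOP report header present"]
    findings = []
    for key in ("SFV", "IPV"):
        tag = f"{key}:{fields.get(key, '')}"
        if tag in BYPASS:
            findings.append(f"{tag} bypassed filtering: {BYPASS[tag]}")
    return fields, findings

# Constructed sample messages (not real mail); the first header is folded.
SAMPLES = {
    "filtered": "From: a@example.com\n"
        "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;\n"
        " IPV:NLI;SFV:NSPM;H:mail.example.com;PTR:mail.example.com\n\nbody\n",
    "allow_listed": "From: b@example.net\n"
        "X-Forefront-Antispam-Report: CIP:2001:db8::25;CTRY:DE;SCL:-1;"
        "IPV:CAL;SFV:SKN;H:mx.example.net\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        fields, findings = triage(raw)
        print(name, fields.get("CIP"), fields.get("SCL"), findings or "no bypass")
```

A message that reports a bypass value was never scored by the content filter, so the allow list entry or transport rule that matched is the thing to review.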