I checked from the w.s. instead of the phone, and this is the response. The MID I observed from the iPhone is actually part-of a different header of the same e-mail. The true MID is well-formed and RFC compliant:
> Message-ID: > <sn1pr0601mb161608603664931c0d08805aa8...@sn1pr0601mb1616.namprd06.prod.outlook.com> The e-mail is still flagged as SPAM here. - DMARC fails, because it passes DKIM, but fails SPF. - From:name domain mismatches From:addr domain (*) - Two minor flags are also available and add up to the final score: the MID domain does not match the FROM domain, the FROM domain does not occur among the RECEIVED domains. The test (*) has been discussed in this list, without solution. I wrote a rule two weeks ago and it proved useful a few times already, without any false positive or negative. I will share it in the next post. R Sent with [ProtonMail](https://protonmail.com) Secure Email. > -------- Original Message -------- > Subject: Re: Bank fraud phish > Local Time: 25 October 2017 12:50 PM > UTC Time: 25 October 2017 10:50 > From: mar...@clardy.eu > To: Rupert Gallagher <r...@protonmail.com> > John Hardin <jhar...@impsec.org>, SA Mailing list > <users@spamassassin.apache.org> > > That isn't the Message-Id, that is the > X-MS-Exchange-CrossTenant-Network-Message-Id... The Message-Id is compliant. > > On Wed, Oct 25, 2017 at 11:43 AM, Rupert Gallagher <r...@protonmail.com> > wrote: > >> The raw e-mail in pastebin returns a non-well-formed Message-ID. I attach a >> photo of what I see. >> >> Sent from ProtonMail Mobile >> >> On Tue, Oct 24, 2017 at 10:05 PM, John Hardin <jhar...@impsec.org> wrote: >> >>> On Tue, 24 Oct 2017, Rupert Gallagher wrote: > Easy one. The Message-ID is >>> not well formed / RFC compliant. We reject such junk upfront. How so? That >>> looks totally valid to me... < dot-atom-text @ dot-atom-text > The line >>> break between the header and the ID is unusual, but not invalid. That might >>> potentially be a usable spam sign. > > -- > - Markus
