Investigating why your emails are landing in spam can sometimes be a head-scratcher. If you're seeing this happening only in Outlook, it's worth taking a look at the email headers to see if they reveal more. Email headers hold a lot of valuable information such as whether there were any delivery delays and also what the authentication results were for SPF, DKIM, and DMARC. Let's take a look at a snippet taken from the headers of an email that went to spam in Outlook:
Authentication-Results: spf=pass (sender IP is 126.96.36.199) smtp.mailfrom=pm-bounces.exampleapp.com; dkim=pass (signature was verified) header.d=pm.mtasv.net;dmarc=fail action=oreject header.from=exampleapp.com;compauth=fail reason=000
Let's also look at the DMARC record for exampleapp.com:
v=DMARC1; p=reject; sp=none; rua=mailto:firstname.lastname@example.org; pct=100; aspf=s
According to Microsoft's documentation, a "000" reason means that the message failed DMARC with an action of reject or quarantine. In the headers, we can see that DKIM passes and this should be enough to pass DMARC, so why is it failing?
Let's take another look at the DMARC record above. You'll notice there "aspf=s". There are two different alignment modes that you can set in your DMARC record for DKIM and SPF - Relaxed (r) and Strict (s). Relaxed alignment for SPF is the default and means that the Return-Path domain can be a subdomain of the From address. Strict alignment means that the Return-Path domain must be an exact match with the domain that's used in the From address.
For example, with aspf=r set in your DMARC record, the following would be considered a pass:
From: Shelley <exampleapp.com>
Note that the Return-Path domain "pm-bounces.exampleapp.com" is a subdomain of "exampleapp.com". With aspf=s set in your DMARC record, this would be considered a fail since there's not an exact match between those domains.
When sending through Postmark, the Return-Path header domain (used to validate SPF) will always be a subdomain of the From, so it's not possible to have strict alignment for SPF. If there isn't any particular reason you have strict alignment set, you can edit your DMARC policy in your DNS and change "aspf=s" to "aspf=r".
DMARC spec states that only DKIM *or* SPF must align and pass, so if we see in the message headers above that DKIM passes, then this should be enough to pass DMARC, though what seems to be happening is that Microsoft takes a different approach to strict alignment being used with SPF. Remenber, this only might affect you if you have a DMARC policy of quarantine or reject.