A customer recently notified me that they were missing a lot of important updates to tickets. The updates were expected to be delivered via an email integration.

Checking sys_email, I noticed a ton of new received-ignored messages with failure messages like this...



The error string didn't provide any help, so I dug into the headers. BAM! All the failures had X-ServiceNow-Spam flags in the headers.

That's critical info because of this default sys_property:

What troubled me is why this suddenly became a problem. I managed to find KB0549426 which stated...

"Note that as of 6/29/2017, SPF checks now factor more heavily into a mail's spam score. In order to be flagged as spam, a message must have an aggregate score of 6.2 or higher. A soft SPF failure will add 6.0 to the score, whereas a hard SPF failure will add 7.0 to the score (immediately flagging it as spam). It is recommended to check and ensure that your company's SPF records are correct and up-to-date, or some messages may be inadvertently marked as spam."

So that explains why inbound email actions have been so unreliable for the past couple weeks. I recommend everyone check their sys_email logs for anything with "received-ignored" state. You could be in my customer's position with a *TON* of missing data.

- So the KB article instructs you to "update the SPF records", but this is coming from another ServiceNow instance. Does this mean all SN to SN mail integrations are now suspect?

- Remove X-ServiceNow-Spam-Flag:YES from the "Ignore mail with these headers" sys_property.