Which System Blocked the Email: INKY, Microsoft Defender, Safe Links, or Quarantine?

Overview

This article helps you determine which system blocked, quarantined, moved, or prevented access to an email.

When an email is flagged or blocked, INKY may not always be the system taking the final action. INKY may classify the message, add a banner, rewrite links, or apply policy-based handling, while Microsoft 365, Google Workspace, Safe Links, browser security, endpoint protection, or another mail security tool may be responsible for the final block or quarantine.

Use this article if you are seeing behavior such as:

  • A message was quarantined and needs to be released.
  • A sender was allowlisted, but the message is still blocked.
  • A message is missing from the recipient’s mailbox.
  • A message was delivered to Junk.
  • A user can open the email but cannot click a link.
  • A Microsoft Safe Links page appears when clicking a URL.
  • A browser warning or security block appears after clicking a link.
  • INKY added a banner, but Microsoft or Google appears to have moved or quarantined the message.

Why identifying the blocking system matters

The correct fix depends on which system took the final action.

For example:

  • If Microsoft 365 quarantined the message, the release action must be completed in Microsoft 365 Defender.
  • If Google Workspace rejected or quarantined the message, the investigation should start in Google Admin and Email Log Search.
  • If INKY classified the message but delivered it with a banner, the next step may be an INKY allow, false-positive report, or policy review.
  • If only a link is blocked, the issue may be related to INKY link rewriting, Microsoft Safe Links, browser protection, or another URL security service.
  • If the message was never delivered, the issue may be routing, rejection, quarantine, or mail flow configuration.

Before changing allow lists or bypass rules, first determine where the message is and which system is acting on it.

Step 1: Identify the symptom

Start by matching the reported issue to the closest symptom below.

SymptomLikely area to check first
Message is in Inbox with an INKY bannerINKY classification or policy
Message is in JunkMicrosoft 365, Google Workspace, mailbox rules, or mail security policy
Message is in Microsoft quarantineMicrosoft 365 Defender
Message is in Google quarantineGoogle Workspace Admin console
Message is in INKY quarantineINKY quarantine settings and release workflow
Message is missing from the mailboxMessage trace or Email Log Search
Message was rejected before deliveryMail flow, routing, gateway, or sender authentication
User can open the email but cannot click a linkINKY link rewriting, Microsoft Safe Links, browser protection, or endpoint security
User sees a Microsoft Safe Links block pageMicrosoft Safe Links
User sees an INKY block pageINKY link rewriting or INKY URL analysis
User sees a browser warningBrowser protection, endpoint security, or destination website issue

Step 2: Confirm where the message is now

Ask the affected user or customer to check where the message currently appears.

Possible locations include:

  • Inbox
  • Junk
  • Deleted Items
  • Microsoft 365 quarantine
  • Google Workspace quarantine
  • INKY quarantine
  • Not delivered
  • Delivered, but links are blocked

If the email is not in the user’s mailbox, use Microsoft 365 Message Trace or Google Workspace Email Log Search to confirm what happened to it.

Step 3: If the message is in Microsoft 365 quarantine

If the message is in Microsoft 365 quarantine, Microsoft 365 is holding the message.

INKY may have contributed to the classification by adding headers, rewriting links, or identifying the message as suspicious, but the release action must be performed in Microsoft 365 Defender.

Recommended checks:

  1. Open Microsoft 365 Defender.
  2. Go to the quarantine area.
  3. Search for the message by sender, recipient, subject, or timestamp.
  4. Review the quarantine reason.
  5. Confirm whether the message was quarantined by anti-spam, anti-phishing, anti-malware, transport rules, Safe Attachments, or another Microsoft policy.
  6. Release the message only if you confirm it is safe.
  7. If this is a recurring trusted sender, review whether an INKY allow, Microsoft allow, transport rule, or sender authentication correction is the appropriate long-term fix.

Important: Releasing a message from Microsoft quarantine only releases that message. It may not prevent future messages from being quarantined. If future messages from the same sender are also affected, review the classification reason, authentication results, and allow configuration.

Step 4: If the message is in Google Workspace quarantine or rejected by Google

If the message is in Google Workspace quarantine, rejected, or routed unexpectedly, begin in the Google Admin console.

Recommended checks:

  1. Open Google Admin.
  2. Run an Email Log Search for the affected message.
  3. Search by sender, recipient, subject, message ID, or timestamp.
  4. Review the message status and routing path.
  5. Confirm whether Google accepted, rejected, quarantined, rerouted, or delivered the message.
  6. Check routing, compliance, spam, attachment, and inbound gateway settings.
  7. If INKY routing was recently changed or removed, confirm old routing rules are no longer pointing mail to INKY.

If the message is being routed through INKY unexpectedly after uninstalling or changing configuration, review Google routing and compliance rules for any remaining INKY relay entries.

Step 5: If the message is in the Inbox with an INKY banner

If the message was delivered to the Inbox with an INKY banner, the message was not fully blocked from delivery.

In this case, the next step is to review the INKY classification and decide whether the message is correctly classified.

Check:

  • What is the exact INKY threat category?
  • Is the banner red, gray, yellow, blue, or another color?
  • Is the sender trusted?
  • Is the message from a third-party platform?
  • Did the message pass SPF, DKIM, and DMARC?
  • Was the sender, domain, or message already allowlisted?
  • Was the allow created at the correct level?
  • Does the allow entry require DMARC pass?

If the message is incorrectly classified, review the appropriate allow list, false-positive, or trusted sender workflow.

Step 6: If the message is in Junk

If the message is in Junk, confirm whether INKY moved the message or whether Microsoft 365, Google Workspace, or mailbox-level filtering moved it.

Check:

  • Microsoft 365 message trace or Google Email Log Search
  • Mailbox rules
  • Junk email settings
  • Microsoft anti-spam policy
  • Google spam settings
  • INKY classification details
  • Any transport or compliance rules

A message may have an INKY banner but still be moved to Junk by the mail platform or another filtering policy.

Step 7: If the user cannot click a link

If the user can open the email but cannot click a link, this is usually a URL or link-protection issue rather than a message-delivery issue.

Check what appears when the user clicks the link.

What the user seesSystem to check first
INKY block pageINKY link rewriting or INKY URL analysis
Microsoft Safe Links pageMicrosoft Safe Links
Browser warning pageBrowser protection, endpoint security, or destination website reputation
Timeout or 404 errorDestination website, rewritten URL, or network issue
Nothing happensBrowser, endpoint, or email client issue

Also check:

  • Is the link rewritten by INKY?
  • Is the link rewritten by Microsoft Safe Links?
  • Was the sender allowlisted, but not the URL/domain?
  • Is the message already delivered, or are you trying to prevent future blocks?
  • Is the INKY banner red/Danger or gray/Caution?

A sender or domain allow does not always unblock a URL. If the issue is only with link access, use the rewritten link or URL exception troubleshooting workflow.

Step 8: If the message is missing or not delivered

If the recipient cannot find the message, run a message trace or email log search.

For Microsoft 365:

  • Use Message Trace to search by sender, recipient, subject, or time range.
  • Review whether the message was delivered, failed, quarantined, filtered, redirected, or rejected.
  • Check whether any transport rules, anti-spam policies, anti-phishing policies, or quarantine policies applied.

For Google Workspace:

  • Use Email Log Search.
  • Review whether Google accepted, rejected, quarantined, delivered, or rerouted the message.
  • Check routing, compliance, spam, and inbound gateway settings.

If the message never reached the mail platform, the issue may be outside INKY and should be reviewed from the sender side, DNS/authentication side, or mail routing side.

Step 9: If the message was rejected

A rejected message usually has a bounce-back or non-delivery report.

Review the bounce-back for:

  • Error code
  • Rejection reason
  • Rejecting server
  • Sender domain
  • Recipient domain
  • Timestamp
  • Authentication failures
  • Relay or routing errors

Common causes include:

  • Sender authentication failure
  • DMARC failure
  • SPF failure
  • DKIM failure
  • Mail routing issue
  • Google or Microsoft policy rejection
  • Old INKY relay or gateway configuration
  • Connector or transport rule issue
  • Recipient does not exist
  • Domain or tenant configuration issue

Quick decision guide

Use this table to decide where to troubleshoot first.

SituationStart here
Email is in Microsoft quarantineMicrosoft 365 Defender
Email is in Google quarantineGoogle Admin console
Email is delivered with an INKY bannerINKY classification details
Email is delivered but link is blocked by INKYINKY link rewriting / URL analysis
Email is delivered but link is blocked by Microsoft Safe LinksMicrosoft Safe Links
Email is in JunkMessage trace or Email Log Search, then mail platform junk/spam policy
Email is missingMessage trace or Email Log Search
Email was rejectedBounce-back/NDR and routing logs
Sender is allowlisted but still flaggedAllow category, scope, DMARC setting, and actual sending domain
Vendor mail is flagged as spoofed internalTrusted Third-Party Sender configuration

Information to gather before contacting support

If you still need help after reviewing the items above, gather one affected example.

Include:

  • Customer or team name
  • Sender address
  • Recipient address
  • Subject line
  • Date and time received, including time zone
  • Where the message is now: Inbox, Junk, Microsoft quarantine, Google quarantine, INKY quarantine, missing, rejected, or delivered with blocked links
  • Screenshot of the INKY banner, if present
  • Screenshot of the block page, if the issue is a blocked link
  • Screenshot of the quarantine entry, if quarantined
  • Full message headers or EML, if available
  • Microsoft 365 Message Trace result or Google Workspace Email Log Search result
  • Any bounce-back or non-delivery report, if the message was rejected
  • Screenshot of any allow list entry related to the sender, domain, or URL
  • Whether the allow entry requires DMARC pass

 

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section