Information to Gather for INKY Delivery, False Positive, and Blocked Link Issues

Overview

This article lists the information to gather when investigating an INKY email delivery, false-positive, quarantine, or blocked-link issue.

Providing one complete affected example helps support teams determine whether the issue is caused by INKY, Microsoft 365, Google Workspace, Safe Links, quarantine, sender authentication, link rewriting, or another security tool.

Use this article if you are seeing behavior such as:

  • A legitimate email is flagged as phishing, malicious, suspicious, spam, or graymail.
  • A sender or domain was allowlisted, but the message is still flagged.
  • A user reported a message as safe, but it is still classified by INKY.
  • A message is missing, rejected, quarantined, or delivered to Junk.
  • A user can open the message but cannot click a link.
  • A vendor or third-party sender is still flagged after allowlisting.
  • You are unsure whether INKY, Microsoft Defender, Microsoft Safe Links, Google Workspace, or another tool is blocking the message.

Why this information is needed

Many email delivery issues look similar from the user’s point of view, but they can have different causes.

For example:

  • A message may have an INKY banner but still be quarantined by Microsoft 365.
  • A sender may be allowlisted, but the allow may not match because of the threat category or DMARC setting.
  • A user may be able to open the email, but a URL inside the message may be blocked by INKY link rewriting or Microsoft Safe Links.
  • A vendor may appear to send from one domain, while the actual message is sent through a third-party platform.
  • A message may have been processed before the allow entry was created.

The items below help identify the correct system, classification, and next step.

Required information for all INKY email investigations

Provide one affected example whenever possible.

Include:

  • Customer or team name
  • Sender email address
  • Recipient email address
  • Subject line
  • Date and time received, including time zone
  • Current message location
  • Screenshot of the INKY banner, if present
  • Full message headers or EML file, if available
  • Microsoft 365 Message Trace or Google Workspace Email Log Search result, if available

Current message location

Confirm where the message is now.

Choose the closest option:

  • Inbox with an INKY banner
  • Inbox without an INKY banner
  • Junk
  • Microsoft 365 quarantine
  • Google Workspace quarantine
  • INKY quarantine
  • Deleted Items
  • Missing from mailbox
  • Rejected before delivery
  • Delivered, but link is blocked
  • Unknown

This is one of the most important details because it helps determine which system took the final action.

If the message has an INKY banner

Include a screenshot of the full INKY banner.

The screenshot should show:

  • Banner color
  • Threat category
  • Any visible classification reason
  • Available user action, such as Report This Email or Safe
  • Sender and recipient context, if visible

Common INKY categories may include:

  • Spam Content
  • Graymail
  • Phishing Content
  • Sensitive Content
  • Brand Impersonation
  • Spoofed VIP
  • Spoofed Internal Sender
  • Possibly Misconfigured Service

If the sender or domain was allowlisted

Include a screenshot of the allowlist entry.

The screenshot should show:

  • Sender, domain, subdomain, URL, or message that was allowed
  • Threat category or classification scope, if shown
  • Whether the allow was created at the user, customer/team, organization, or global level
  • Whether “Apply only to messages that pass DMARC authentication” is enabled
  • Date and time the allow was created or modified, if available

Also include:

  • Whether the message was received before or after the allow entry was created
  • Whether the issue affects one user, multiple users, one customer, or multiple customers
  • Whether the issue affects future emails, already-delivered emails, or both

If the message was reported as safe

Include:

  • Screenshot of the INKY banner/reporting option, if available
  • Date and time the message was reported
  • Who reported the message, if known
  • Whether the report was submitted by the end user or an administrator
  • Whether the message category changed after reporting
  • Whether future messages from the sender are still flagged

Reporting a message as safe may not resolve every threat category. Some classifications may require an administrator to review the message and create an allow or policy adjustment at the appropriate level.

If the message is quarantined

Identify which system is holding the message.

Possible quarantine locations:

  • Microsoft 365 quarantine
  • Google Workspace quarantine
  • INKY quarantine

Include:

  • Screenshot of the quarantine entry
  • Quarantine reason
  • Sender
  • Recipient
  • Subject
  • Date and time
  • Release status, if already released
  • Any policy or rule that caused the quarantine, if shown

Important: If Microsoft 365 or Google Workspace is holding the message, the release action must be performed in that platform. Releasing one message may not prevent future messages from being quarantined.

 

If the message is missing or rejected

Provide the mail platform trace or log result.

For Microsoft 365:

  • Run a Message Trace.
  • Search by sender, recipient, subject, or time range.
  • Include the trace result showing whether the message was delivered, failed, quarantined, redirected, filtered, or rejected.

For Google Workspace:

  • Run an Email Log Search.
  • Search by sender, recipient, subject, message ID, or timestamp.
  • Include the log result showing whether the message was accepted, rejected, quarantined, rerouted, or delivered.

If the message was rejected, also provide:

  • Bounce-back or non-delivery report
  • Error code
  • Rejection reason
  • Rejecting server
  • Timestamp
  • Sender and recipient domains

If the user cannot click a link

Include:

  • Screenshot of the page shown after clicking the link
  • Whether the page is from INKY, Microsoft Safe Links, the browser, endpoint security, or another tool
  • The rewritten URL, if safe to share
  • The final destination URL or domain, if known and safe to share
  • Whether the link is rewritten by INKY
  • Whether the link is rewritten by Microsoft Safe Links
  • Whether the sender/domain, message, URL, or link domain was allowlisted
  • Whether the email was already delivered before the allow or exception was added
  • Whether this affects one user, multiple users, one message, or multiple messages

If the email has an INKY banner, also include the banner color and category.

 

If a vendor or third-party sender is involved

Third-party sending platforms can affect authentication and classification.

Include:

  • Vendor sender address
  • Customer recipient address
  • Vendor domain
  • Customer/team domain
  • Whether the vendor is sending directly or through a third-party platform
  • Full message headers or EML
  • SPF result
  • DKIM result
  • DMARC result
  • Any visible third-party sending service, such as SendGrid, Mailchimp, Constant Contact, Intuit, Autotask, or another platform
  • Screenshot of the INKY banner category
  • Screenshot of any allowlist or Trusted Third-Party Sender entry

If the message appears to come from your own domain but was sent by an outside platform, review whether Trusted Third-Party Sender configuration is needed.

 

 

If Microsoft Safe Links or another URL protection tool is enabled

Include:

  • Whether Microsoft Safe Links is enabled
  • Whether another URL protection tool is enabled
  • Screenshot of the block page
  • Example rewritten URL, if safe to share
  • Whether the URL is rewritten by INKY, Microsoft, or both
  • Whether the user sees the block before or after reaching the destination website

A link may be delivered by INKY but later blocked by Microsoft Safe Links, browser protection, endpoint security, DNS filtering, or another tool.

If the issue affects multiple users or customers

Include the scope of impact.

Examples:

  • One user
  • Multiple users in the same customer/team
  • Multiple customers
  • One sender to one recipient
  • One sender to multiple recipients
  • Multiple senders from the same domain
  • Multiple vendors using the same sending platform
  • One link across multiple messages
  • Multiple links in the same message

Also include whether all affected users see the same behavior.

Recommended screenshot list

When possible, provide screenshots of:

  • INKY banner showing category and color
  • INKY dashboard message details
  • Allowlist entry showing scope, category, and DMARC option
  • Microsoft 365 Message Trace
  • Google Workspace Email Log Search
  • Microsoft 365 quarantine entry
  • Google Workspace quarantine entry
  • INKY quarantine entry, if applicable
  • Link block page
  • Rewritten URL
  • Message headers or authentication results
  • Bounce-back or non-delivery report

Redact sensitive information as needed, but leave enough visible detail to confirm sender, recipient, timestamp, classification, and system behavior.

Quick checklist

Use this quick checklist before contacting support.

ItemIncluded?
Customer/team name 
Sender address 
Recipient address 
Subject line 
Date/time with time zone 
Current message location 
INKY banner screenshot 
Threat category 
Allowlist screenshot, if applicable 
DMARC checkbox state, if applicable 
Full headers or EML 
Microsoft Message Trace or Google Email Log result 
Quarantine screenshot, if applicable 
Link block screenshot, if applicable 
Rewritten URL or destination domain, if applicable 
Bounce-back/NDR, if rejected 
Scope of impact 

 

 

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section