I’m glad you were able to track it down, to a degree.
Here are a few things I’ve found via Google.
-
Check the headers to see how they are being marked: Anti-spam message headers - Office 365 | Microsoft Learn
-
Check your domain to see if it is blocked: https://www.spamhaus.org/query
-
Sometimes the email content can be the issue. (Source).
Just FYI, I am not an email/SPAM expert and can only help so much here. I am pulling directly from Google. Once the email has successfully left Auth0, it’s up to the provider to make the next move.