Replacement Characters appearing in emails sent fr...

TheGovernor21 · ‎08-31-2022

My team uses playbooks to automate email alerts in Phantom. Some playbooks have been randomly sending emails with the replacement character (a black diamond with a white question mark). Other times the emails are working fine and have normal text. Has anyone had this issue in the past? If so, how did you resolve it?

I was thinking of updating the Splunk SMTP App in Phantom.

Thanks for the help!

victor_menezes · ‎08-31-2022

It looks like you're sending HTML emails and that black diamont is basically charset mismatch between source and destination (the string send to the body VS the email server I mean), so in those emails you have that character displayed, that means the playbook got a string that has special encoded characters on that and it don't match the expected encoding from your mail server.

If you don't need HTML, just send it as text (send rawemail action).

If you do need HTML emails (send htmlemail action), try to change the encoding asset configuration flag to true/false depending if you are using unicode characters or not.

Finally you can also add the charset at the header of your HTML message body if you are for sure using HTML code in text.

Check that and see if you have any different behavior

Replacement Characters appearing in emails sent from Splunk SMTP APP

troubleshooting

upgrade

using SOAR ⁄ Phantom

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation