Configure a spam quarantine mailbox in Exchange Server

Messages determined to be spam by the Content Filter agent can be directed to a spam quarantine mailbox. If the spam confidence level (SCL) quarantine threshold is enabled, all messages that are quarantined are wrapped as non-delivery reports (also known as NDRs, delivery status notifications, DSN, or bounce messages) and are delivered to the spam quarantine mailbox that you specify. Administrators can review quarantined messages and release them to their intended recipients by using Microsoft Outlook.

What do you need to know before you begin?

  • Estimated time to complete this task: 30 minutes.

  • By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.

  • The person that's responsible for the spam quarantine mailbox can view potentially private and sensitive messages, and then send mail on behalf of anybody in the Exchange organization.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.


Step 1: Verify content filtering is enabled

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.

  1. Run the following command to verify that the Content Filter agent is installed and enabled on the Exchange server:

    Get-TransportAgent "Content Filter Agent"
    
  2. Run the following command to verify content filtering is enabled:

    Get-ContentFilterConfig | Format-List Enabled
    

For more information, see Content filtering procedures.

Step 2: Create a dedicated mailbox for spam quarantine

To create a spam quarantine mailbox, follow these steps:

  • Create a dedicated Exchange database: We recommend that you create a dedicated database for the spam quarantine mailbox. The spam quarantine mailbox should have a large database, because if the storage quota limit is reached, messages will be lost. For more information, see Manage mailbox databases in Exchange Server.

  • Create a dedicated mailbox and user account: We recommend that you create a dedicated mailbox and user account for the spam quarantine mailbox. For more information, see Create user mailboxes in Exchange Server.

    You can apply recipient policies, such as messaging records management, mailbox quotas, and delegation rights, according to your organization's compliance policies and needs. For more information, see Messaging records management in Exchange Server.

    Note

    If a quarantined message is rejected because of a storage quota, the message will be lost. Exchange doesn't generate NDRs for quarantined messages because the quarantined messages are wrapped as NDRs.

  • Configure Outlook: You need to configure the Outlook delegate access permissions to meet the needs of your organization. In addition, you can configure the Outlook profile to show the original sender, recipient, and SCL value of the message. For more information, see Configure Outlook to show the original sender in the spam quarantine mailbox.

Step 3: Specify the spam quarantine mailbox

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.

Use the following syntax:

    Set-ContentFilterConfig -QuarantineMailbox <SmtpAddress>

This example sends all messages that exceed the spam quarantine threshold to spamQ@contoso.com.

    Set-ContentFilterConfig -QuarantineMailbox spamQ@contoso.com

How do you know this step worked?

To verify that you have successfully specified the spam quarantine mailbox, run the following command and check the value of the QuarantineMailbox property:

    Get-ContentFilterConfig | Format-List QuarantineMailbox

Step 4: Configure the SCL quarantine threshold

The SCL quarantine threshold is the SCL value that redirects a message to the spam quarantine mailbox. You can set the SCL quarantine threshold to a value from 0 through 9, where 0 is considered less likely to be spam, and 9 is considered most likely to be spam.

For more information about how to adjust SCL thresholds to suit your organization's requirements, and how to configure per-mailbox SCL thresholds, see Use the Exchange Management Shell to configure SCL thresholds for content filtering and Use the Exchange Management Shell to configure the SCL thresholds on a mailbox.
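One way to apply and check the threshold from the Exchange Management Shell, as an added example that is not part of the original topic. The threshold value 6 is an assumption chosen for illustration; the `SCLQuarantine*`, `SCLReject*` and `SCLDelete*` parameters and properties belong to `Set-ContentFilterConfig` and `Get-ContentFilterConfig` but are not shown elsewhere on this page, and the ordering check assumes the usual recommendation that the reject and delete thresholds sit above the quarantine threshold.

```powershell
# Added example; run in the Exchange Management Shell on the server that runs the Content Filter agent.
$threshold = 6   # assumed value for illustration; pick one that suits your mail flow

# Steps 1 and 3 are prerequisites: agent and filtering enabled, quarantine mailbox set.
$agent = Get-TransportAgent "Content Filter Agent"
$cfg   = Get-ContentFilterConfig
if (-not $agent.Enabled -or -not $cfg.Enabled) {
    throw "Content filtering is not enabled on this server (see Step 1)."
}
if ([string]::IsNullOrEmpty("$($cfg.QuarantineMailbox)")) {
    throw "QuarantineMailbox is not set (see Step 3)."
}

# Turn on the quarantine action and set its threshold.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold $threshold

# Re-read the configuration and compare the quarantine threshold with the reject and delete actions.
$cfg = Get-ContentFilterConfig
foreach ($action in 'Reject', 'Delete') {
    $enabled = $cfg."SCL${action}Enabled"
    $value   = $cfg."SCL${action}Threshold"
    if ($enabled -and $value -le $cfg.SCLQuarantineThreshold) {
        Write-Warning ("SCL$action threshold ($value) is not above the quarantine threshold " +
            "($($cfg.SCLQuarantineThreshold)); the $action action can pre-empt quarantine.")
    }
}

# Show the resulting content filter settings in one view.
$cfg | Format-List Enabled, QuarantineMailbox, SCL*
```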

Step 5: Manage the spam quarantine mailbox

When you manage your spam quarantine mailbox, follow these guidelines:

  • Use Resend this message in Outlook to release quarantined messages to their intended recipients. For more information, see Release quarantined messages from the spam quarantine mailbox.

  • Monitor the size of the spam quarantine mailbox. The volume of email messages can change because of a large influx of new employees, the natural trend of larger message sizes, or the threshold value on the SCL quarantine action.

  • Monitor the spam quarantine mailbox for false positives. If your spam quarantine mailbox includes many false positives, increase your SCL quarantine threshold. For more information about how to determine why false positives are being delivered to the spam quarantine mailbox, see View antispam stamps in Outlook.

  • Use the same Outlook profile to view and release quarantined messages from the spam quarantine mailbox. Applying permissions to a different Outlook profile to release messages isn't supported.

Important

NDRs for quarantined messages aren't delivered to the spam quarantine mailbox. NDRs that are identified as spam are deleted, even if their SCL value indicates that they should be quarantined. To track these messages, use the agent log or the message tracking log. For more information, see Antispam Agent Logging.
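The size and access guidelines in this step can be checked from the Exchange Management Shell. The following is an added example, not part of the original topic: it reuses the spamQ@contoso.com address from Step 3, the 80 percent warning level is an assumption, and it expects a local Exchange Management Shell session, where the size objects expose `ToBytes()`.

```powershell
# Added example; run in the Exchange Management Shell on an Exchange server.
$quarantine  = 'spamQ@contoso.com'   # address from the example in Step 3
$warnPercent = 80                    # assumed alert level

$mbx   = Get-Mailbox -Identity $quarantine
$stats = Get-MailboxStatistics -Identity $quarantine

# The effective quota comes from the database unless the mailbox overrides it.
$quota = if ($mbx.UseDatabaseQuotaDefaults) {
    (Get-MailboxDatabase -Identity $mbx.Database).ProhibitSendReceiveQuota
} else {
    $mbx.ProhibitSendReceiveQuota
}

if ($quota.IsUnlimited) {
    Write-Output "No ProhibitSendReceive quota applies; monitor free space on database $($mbx.Database)."
} else {
    # In a remote session these values are deserialized and ToBytes() is not available.
    $used = $stats.TotalItemSize.Value.ToBytes()
    $pct  = [math]::Round(100 * $used / $quota.Value.ToBytes(), 1)
    Write-Output "$quarantine holds $($stats.ItemCount) items and uses $pct% of its quota."
    if ($pct -ge $warnPercent) {
        Write-Warning "Quarantine mailbox is above $warnPercent% of quota; quarantined messages are lost once it is full."
    }
}

# Whoever can open this mailbox can read quarantined mail, so list explicit grants.
Get-MailboxPermission -Identity $quarantine |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights, Deny -AutoSize

# Accounts allowed to send on behalf of the quarantine mailbox.
$mbx.GrantSendOnBehalfTo
```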

Step 6: Adjust the SCL quarantine threshold

After you configure the SCL quarantine threshold, periodically monitor the settings and adjust them based on your organization's needs. For example, if too many false positives are delivered to the spam quarantine mailbox, raise the SCL quarantine threshold to a larger value. For more information about how to adjust the SCL quarantine threshold, see Use the Exchange Management Shell to configure SCL thresholds for content filtering.