Exchange filtering stack and where safe sender options are processed

spencer 31 Reputation points
2020-12-15T17:23:14.077+00:00

In the article https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365, different methods of creating safe senders are described:

  1. Mail flow rules
  2. Outlook Safe Senders
  3. IP Allow List (connection filtering)
  4. Allowed sender lists or allowed domain lists (anti-spam policies)

The details for each of these methods suggest that different parts of the Exchange filtering stack are bypassed depending on each method. It is not clear which parts of the stack are bypassed, however, and this has made it difficult to troubleshoot messages that are not making it to our users' inbox.

Is there a diagram, like this one from Nakivo https://www.nakivo.com/blog/wp-content/uploads/2020/05/The-working-principle-of-Exchange-Online-Protection.png, that includes where each safe sender method is processed?

To be more specific to the problem I'm working on, a customer's vendor uses Sendgrid to send critical email notifications. Unfortunately these messages are sent from shared IP addresses, and one of them is on a spam list and gets blocked at the Connection Filtering level (the block action doesn't show up in Mail Trace). I've added the sender's email address to the allowed senders list in EOP spam policies but am still receiving reports that messages are not being received. Does this not bypass connection filtering?

Thank you


2 answers

  1. Andy David - MVP 149.1K Reputation points MVP
    2020-12-15T17:46:43.087+00:00

    It does not. Connection filtering will block the IP before any other processing, and it won't ever be seen by those other methods.
    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-connection-filter-policy?view=o365-worldwide


  2. Lucas Liu-MSFT 6,176 Reputation points
    2020-12-16T03:26:21.177+00:00

    Hi @spencer ,

    1. According to the Microsoft article, through the "IP Block List" you can block all emails from this IP address: all incoming messages are rejected, are not marked as spam, and no additional filtering occurs. So only when it's not possible to use one of the other options to block a sender should you use the IP Block List in the connection filter policy.
    2. For the working flow of Exchange Online Protection, you can refer to the screenshot below. Any message that passes all of these protection layers successfully is delivered to the recipient.
      For the working principle of each part, you can refer to: Exchange Online Protection overview
      [Screenshot: 48546-1111.png]

    ----------

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
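
To see the distinction discussed in the answers above in a tenant, the following read-only check is an added example, not code from the thread or from Microsoft. It reports whether a connecting IP is covered by the connection filter policy's IP Allow List or IP Block List, and separately whether a sender address appears in an anti-spam policy's allowed senders. The IP and address are constructed placeholders, and it assumes that `AllowedSenders` entries render as plain addresses when converted to strings.

```powershell
# Added example (not from the thread). Read-only; assumes the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session. Handles IPv4 entries only.
$SourceIp = '192.0.2.10'                    # placeholder: connecting IP of the vendor's relay
$Sender   = 'notifications@vendor.example'  # placeholder: address in the allowed senders list

function ConvertTo-IpNumber ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip.Trim()).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInEntry ([string]$Ip, [string]$Entry) {
    $addr = ConvertTo-IpNumber $Ip
    if ($Entry -match '^(.+)/(\d+)$') {                   # CIDR entry, e.g. 192.0.2.0/24
        $size = [uint64][math]::Pow(2, 32 - [int]$Matches[2])
        $base = ConvertTo-IpNumber $Matches[1]
        $low  = $base - ($base % $size)                   # align to the network address
        return ($addr -ge $low -and $addr -lt ($low + $size))
    }
    if ($Entry -match '^(.+)-(.+)$') {                    # range entry, start-end
        $low, $high = $Matches[1], $Matches[2]
        return ($addr -ge (ConvertTo-IpNumber $low) -and $addr -le (ConvertTo-IpNumber $high))
    }
    return ($addr -eq (ConvertTo-IpNumber $Entry))        # single address
}

# Connection filtering: evaluated on the connecting IP, before anti-spam policies.
$conn = Get-HostedConnectionFilterPolicy -Identity Default
foreach ($list in 'IPAllowList', 'IPBlockList') {
    $hits = @($conn.$list | Where-Object { $_ -and (Test-IpInEntry $SourceIp "$_") })
    $text = if ($hits.Count) { $hits -join ', ' } else { "no entry covers $SourceIp" }
    '{0}: {1}' -f $list, $text
}

# Anti-spam policies: the allowed senders list lives here, in a different policy object.
Get-HostedContentFilterPolicy | ForEach-Object {
    $policy  = $_
    $senders = @($policy.AllowedSenders | ForEach-Object { "$_" })  # assumption: renders as address
    '{0}: AllowedSenders contains {1} = {2}' -f $policy.Name, $Sender, ($senders -contains $Sender)
}
```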

