This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 98%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
we created a rule in Exchange Online to Bypass spam filtering however when checking the message trace it shows that the email message is still going to "quarantine". Message trace shows the incoming email is hitting the message rule . Not sure why if its matching the rule and the rule says Bypass spam filtering why is it going to quarantine. what am i missing?
Can you post the exact rule minus any personal info?
Also post what message trace shows if you can
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @dirkdigs ,
Just checking in to see how things are going on with this thread. Have you had a chance to check the suggestions provided earlier?
Sender: user@SENDER.com
Recipient: user@recipient.com
Received -> Processed -> Delivered
Status: The message was delivered to the recipient's Inbox folder.<br/><br/><b>Delivery time:</b> 11/3/2021 9:28:34 PM (UTC)
More information: <div>If the recipient can't find the message in their Inbox folder, it might have been deleted or moved to another folder (such as Junk Email) either manually or automatically based on an Inbox rule or Sweep rule the recipient set up. Ask them to search for the message across all folders in their mailbox.<br/><br/><b>Tip:</b> If the recipient still can't find the message in Outlook, they might be having connectivity issues. Ask them to try restarting Outlook or use <a href='https://outlook.office365.com/owa/' target='_blank'>Outlook on the web</a> to check for the message. To see detailed steps for fixing Outlook, see <a href='http://go.microsoft.com/fwlink/p/?LinkId=708526' target='_blank'>Fix Outlook connection problems in Office 365</a>.</div>
11/3/2021, 9:32 AM | Receive | Message received by: QB1PR01MB3203.CANPRD01.PROD.OUTLOOK.COM using TLS1.2 with AES256
11/3/2021, 9:32 AM | Spam | No detail information available.
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Whitelist domain - domain', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Whitelist domain - domain', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Receive | Message received by: QB1CAN01H12123.eop-CAN01.prod.protection.outlook.com using TLS1.2 with AES256
11/3/2021, 9:32 AM | Send | Message sent to domain.mail.protection.outlook.com at 104.47.60.36 using TLS1.2 with AES256
11/3/2021, 9:32 AM | Send | Message sent to quarantine.
11/3/2021, 4:28 PM | Receive | Message received by: YQXP234234287.CANPRD01.PROD.OUTLOOK.COM using TLS1.2 with AES256
11/3/2021, 4:28 PM | Deliver | The message was successfully delivered.
More information
Message ID:<20211103143206.431B33EF2F@r3111pvap1318.1dc.com>
Message size | From IP | To IP
98.94 KB | 1.1.1.1 | null
I would change to this instead of using the senders domain
and set:
and make sure this is checked:
"and Is received from 'Outside the organization'"
Should i leave this in or take it out ?
we have another rule to prepend external sender disclaimer in priority 0
Yea, leave in is ok :)
@Andy David - MVP
Now it seems to be not hitting the rule at all after the changes were made.
Also,
Do you know why it would hitting the transport rules twice? is this normal?
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Whitelist domain - domain', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Whitelist domain - domain', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/3/2021, 9:32 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
If a rule is setting multiple things, then you will see it showing more than once. You can verify that under the "Action" header.
As for why its not firing, can you set the senders address to words match "@keyman .com"
These always work for me, so not sure why its not working for you.
IF that doesnt work, set it back to "senders domain" and test
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 86%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOS%3C/text%3E%3C/svg%3E)
Bingo.
Not sure which but the "Stop Processig more rules" or the "Header AND Envelope" did the trick for me.
Many thanks for that.
message still going to quarantine today
Sender: sender@customer.com
Recipient: user@receiver.ca
Received -> Processed -> Delivered
Status: The message was delivered to the recipient's Inbox folder.<br/><br/><b>Delivery time:</b> 11/15/2021 4:30:09 PM (UTC)
More information: <div>If the recipient can't find the message in their Inbox folder, it might have been deleted or moved to another folder (such as Junk Email) either manually or automatically based on an Inbox rule or Sweep rule the recipient set up. Ask them to search for the message across all folders in their mailbox.<br/><br/><b>Tip:</b> If the recipient still can't find the message in Outlook, they might be having connectivity issues. Ask them to try restarting Outlook or use <a href='https://outlook.office365.com/owa/' target='_blank'>Outlook on the web</a> to check for the message. To see detailed steps for fixing Outlook, see <a href='http://go.microsoft.com/fwlink/p/?LinkId=708526' target='_blank'>Fix Outlook connection problems in Office 365</a>.</div>
11/15/2021, 9:42 AM | Receive | Message received by: YT3PR01MB5530.1234.PROD.OUTLOOK.COM using TLS1.2 with AES256
11/15/2021, 9:42 AM | Spam | No detail information available.
11/15/2021, 9:42 AM | Transport rule | Transport rule: 'Whitelist domain - ', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/15/2021, 9:42 AM | Transport rule | Transport rule: 'Whitelist domain - ', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/15/2021, 9:42 AM | Transport rule | Transport rule: 'Whitelist domain - ', ID: ('140DE2C2-6E6E-4175-B4E3-896F1E991F50'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/15/2021, 9:42 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/15/2021, 9:42 AM | Transport rule | Transport rule: 'Prepend External Sender disclaimer', ID: ('98ED3E7A-CA0C-4AE9-967D-EF98E212E62B'), DLP policy: '', ID: (00000000-0000-0000-0000-000000000000).
11/15/2021, 9:42 AM | Receive | Message received by: QB1CAN01HT006.eop-CAN01.prod.protection.outlook.com using TLS1.2 with AES256
11/15/2021, 9:42 AM | Send | Message sent to COMPANY.mail.protection.outlook.com at X.X.X.X using TLS1.2 with AES256
11/15/2021, 9:42 AM | Send | Message sent to quarantine.
11/15/2021, 10:30 AM | Receive | Message received by: YTOPR0101MB0876.CANPRD01.PROD.OUTLOOK.COM using TLS1.2 with AES256
11/15/2021, 10:30 AM | Deliver | The message was successfully delivered.
More information
Message ID:<20211115154004.E939E3F566@r3pvap1318.1dc.com>
Message size | From IP | To IP
98.91 KB | X.X.X.X | null
Does the recipient have this sender on their blocked sender list?
Get-MailboxJunkEmailConfiguration
PS Get-MailboxJunkEmailConfiguration -Identity user1@keyman .ca | fl
RunspaceId : 50912c35-34ba-41a7-8658-44986c7a2863
Status : IsPresent, IsEnabled
Enabled : True
TrustedListsOnly : False
ContactsTrusted : False
TrustedSendersAndDomains : {}
BlockedSendersAndDomains : {}
TrustedRecipientsAndDomains : {}
MailboxOwnerId : username
Identity : username
IsValid : True
ObjectState : Unchanged
Can you go to the quarantine and see what the reason is?
Quarantine reason
High Confidence Phish
Ok, thats why its not working :)
365 wont let you allow these. You will need to contact the sender, something in the way they are sending these are throwing alarms.
is there anything in my anti-phishing policy i can do to allow them?
No, You can report the false positive to Microsoft, thats about it. or ask the sender to open a ticket with 365 if they feel its not warranted.
Can you release it to the sender manually? IF so, thats your only other option, but be careful in doing that unless you are 100% confident its legit
