Configure anti-spam policies in EOP
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spam by EOP. EOP uses anti-spam policies (also known as spam filter policies or content filter policies) as part of your organization's overall defense against spam. For more information, see Anti-spam protection.
Tip
We recommend turning on and adding all users to the Standard and/or Strict preset security policies. For more information, see Configure protection policies.
The default anti-spam policy automatically applies to all recipients in the organization. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains.
You can configure anti-spam policies in the Microsoft Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
Tip
As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.
What do you need to know before you begin?
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).
-
- Add, modify, and delete policies: Membership in the Organization Management or Security Administrator role groups.
- Read-only access to policies: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
For our recommended settings for anti-spam policies, see EOP anti-spam policy settings.
Tip
Settings in the default or custom anti-spam policies are ignored if a recipient is also included in the Standard or Strict preset security policies. For more information, see Order and precedence of email protection.
You can't completely turn off spam filtering, but you can use Exchange mail flow rules (also known as transport rules) to bypass most spam filtering on incoming messages (for example, if you route email through a third-party protection service or device before delivery to Microsoft 365). For more information, see Use mail flow rules to set the spam confidence level (SCL) in messages.
- High confidence phishing messages are still filtered. Other features in EOP aren't affected (for example, messages are always scanned for malware).
- If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. For more information, see Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.
End-user spam notifications in anti-spam policies are replaced by quarantine notifications in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see Anatomy of a quarantine policy.
Use the Microsoft Defender portal to create anti-spam policies
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, select Create Create policy and then select Inbound from the dropdown list to start the new anti-spam policy wizard.
On the Name your policy page, configure these settings:
- Name: Enter a unique, descriptive name for the policy.
- Description: Enter an optional description for the policy.
When you're finished on the Name your policy page, select Next.
On the Users, groups, and domains page, identify the internal recipients that the policy applies to (recipient conditions):
- Users: The specified mailboxes, mail users, mail contacts or mail enabled public folders.
- Groups:
- Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups.
- Domains: All recipients in the organization with a primary email address in the specified accepted domain.
Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (*) by itself to see all available values.
You can use a condition only once, but the condition can contain multiple values:
Multiple values of the same condition use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy is applied to them.
Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
- Users:
romain@contoso.com
- Groups: Executives
The policy is applied to
romain@contoso.com
only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.- Users:
Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions.
You can use an exception only once, but the exception can contain multiple values:
- Multiple values of the same exception use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy isn't applied to them.
- Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.
When you're finished on the Users, groups, and domains page, select Next.
On the Bulk email threshold & spam properties page, configure the following settings:
Bulk email threshold section: The slider specifies the bulk complaint level (BCL) of a message that must bet met or exceeded to trigger the specified action for the Bulk compliant level (BCL) met or exceeded spam filtering verdict that you configure on the next page. A higher value indicates the message is less desirable (more likely to resemble spam). For more information about BCL, see Bulk complaint level (BCL) in EOP.
Spam properties section:
Increase spam score, Mark as spam* and Test mode: Advanced Spam Filter (ASF) settings that are turned off by default.
For details about these settings, see Advanced Spam Filter settings in EOP.
* The Contains specific languages and From these countries settings aren't part of ASF.
Contains specific languages: Select On or Off from the dropdown list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select next to the value.
From these countries: Select On or Off from the dropdown list. If you turn it on, a box appears. Start typing the name of a country/region in the box. A filtered list of supported countries/regions appears. When you find the country/region that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select next to the value.
When you're finished on the Bulk email threshold & spam properties page, select Next.
On the Actions page, configure the following settings:
Message actions section: Review or select the action to take on messages based on the spam filtering verdicts:
- Spam
- High confidence spam
- Phishing
- High confidence phishing
- Bulk compliant level (BCL) met or exceeded
The available actions for spam filtering verdicts are described in Actions in anti-spam policies.
Tip
If the spam filtering verdict quarantines messages by default (Quarantine message is already selected when you get to the page), the default quarantine policy name is shown in the Select quarantine policy box. If you change the action of a spam filtering verdict to Quarantine message, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see EOP anti-spam policy settings.
For High confidence phishing, the Move message to Junk Email folder action is effectively deprecated. Although you might be able to select the Move message to Junk Email folder action, high confidence phishing messages are always quarantined (equivalent to selecting Quarantine message).
Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high confidence phishing messages.
Intra-Organizational messages to take action on: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). The available values are:
- Default: This is the default value. This value is the same as selecting High confidence phishing messages.
- None
- High confidence phishing messages
- Phishing and high confidence phishing messages
- All phishing and high confidence spam messages
- All phishing and spam messages
Retain spam in quarantine for this many days: Specifies how long to keep the message in quarantine if you selected Quarantine message as the action for a spam filtering verdict. After the time period expires, the message is deleted, and isn't recoverable. A valid value is from 1 to 30 days.
Tip
The default value is 15 days in anti-spam policies that you create in PowerShell. The default value is 30 days in anti-spam policies that you create in the Microsoft Defender portal.
This setting also controls how long messages that were quarantined by anti-phishing policies are retained. For more information, see Quarantine retention.
Add this X-header text: This box is required and available only if you selected Add X-header as the action for a spam filtering verdict. The value you specify is the header field name that's added to the message header. The header field value is always
This message appears to be spam
.The maximum length is 255 characters, and the value can't contain spaces or colons (:).
For example, if you enter the value
X-This-is-my-custom-header
, the X-header that's added to the message isX-This-is-my-custom-header: This message appears to be spam.
If you enter a value that contains spaces or colons (:), the value you enter is ignored, and the default X-header is added to the message (
X-This-Is-Spam: This message appears to be spam.
).Prepend subject line with this text: This box is required and available only if you selected Prepend subject line with text as the action for a spam filtering verdict. Enter the text to add to the beginning of the message's subject line.
Redirect to this email address: This box is required and available only if you selected the Redirect message to email address as the action for a spam filtering verdict. Enter the email address where you want to deliver the message. You can enter multiple values separated by semicolons (;).
Safety Tips section: By default, Enable Safety Tips: is selected, but you can disable Safety Tips by clearing the check box.
Zero-hour auto purge (ZAP) section:
- Enable zero-hour auto purge (ZAP): ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. ZAP is turned on by default. When ZAP is turned on, the following settings are available:
- Enable ZAP for phishing messages: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the check box. For more information, see:
- Enable ZAP for spam messages: By default, ZAP is enabled for spam detections, but you can disable it by clearing the check box. For more information, Zero-hour auto purge (ZAP) for spam.
- Enable zero-hour auto purge (ZAP): ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. ZAP is turned on by default. When ZAP is turned on, the following settings are available:
When you're finished on the Actions page, select Next.
On the Allow & block list page, you can configure message senders by email address or email domain who are allowed to skip spam filtering.
In the Allowed section, you can configure allowed senders and allowed domains. In the Blocked section, you can add blocked senders and blocked domains.
The maximum limit for these lists is approximately 1,000 entries, but you can enter only 30 entries in the Defender portal. Use Exchange Online PowerShell to add more than 30 entries.
Important
The functionality of these lists has largely been replaced by the Tenant Allow/Block List. For important information, see Allow and block list in anti-spam policies.
The steps to add entries to any of the lists are the same:
Select the link for the list that you want to configure:
- Allowed > Senders: Select Manage (nn) sender(s).
- Allowed > Domains: Select Allow domains.
- Blocked > Senders: Select Manage (nn) sender(s).
- Blocked > Domains: Select Block domains.
In the flyout that opens, do the following steps:
- Select Add senders or Add domains.
- In the Add senders or Add domains flyout that opens, enter the sender's email address in the Sender box or the domain in the Domain box. As you're typing, the value appears below the box. When you're finished typing the value, select the value below the box.
- Repeat the previous step as many times as necessary. To remove an existing value, select next to the value.
When you're finished in the Add senders or Add domains flyout, select Add senders or Add domains.
Back on the first flyout, the senders or domains that you added are listed.
To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.
Use the Search box to find entries on the flyout.
To add entries, select Add senders or Add domains and repeat the previous steps.
To remove entries, do either of the following steps:
- Select one or more entries by selecting the round check box that appears in the blank area next to the sender or domain value.
- Select all entries at once by selecting the round check box that appears in the blank area next to the column header.
When you're finished on the flyout, select Done to return to the Allow & block list page.
When you're finished on the Allow & block list page, select Next.
On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you're finished on the Review page, select Create.
On the New anti-spam policy created page, you can select the links to view the policy, view anti-spam policies, and learn more about anti-spam policies.
When you're finished on the New anti-spam policy created page, select Done.
Back on the Anti-spam policies page, the new policy is listed.
Use the Microsoft Defender portal to view anti-spam policy details
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, the following properties are displayed in the list of policies:
- Name
- Status: Values are:
- Always on for the default anti-spam policy (for example, Anti-spam inbound policy (Default)).
- On or Off for other anti-spam policies.
- Priority: For more information, see the Set the priority of custom anti-spam policies section.
- Type: One of the following values for anti-spam policies:
- Protection templates for anti-spam policies that are associated with the Standard and Strict preset security policies.
- Custom anti-spam policy
- Blank for the default anti-spam policy (for example, Anti-spam inbound policy (Default)).
To change the list of policies from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.
Use the Search box and a corresponding value to find specific policies.
Select an anti-spam policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
Tip
To see details about other anti-spam policies without leaving the details flyout, use Previous item and Next item at the top of the flyout.
Use the Microsoft Defender portal to take action on anti-spam policies
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, select the anti-spam policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:
- Modify policy settings by clicking Edit in each section (custom policies or the default policy)
- Turn on or Turn off (custom policies only)
- Increase priority or Decrease priority (custom policies only)
- Delete policy (custom policies only)
The actions are described in the following subsections.
Use the Microsoft Defender portal to modify anti-spam policies
After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the Create anti-spam policies section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
For the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with preset security policies, you can't modify the policy settings in the details flyout. Instead, you select View preset security policies in the details flyout to go to the Preset security policies page at https://security.microsoft.com/presetSecurityPolicies to modify the preset security policies.
Tip
The bulk senders insight is currently in Preview, isn't available in all organizations, and is subject to change.
If you select Edit spam threshold and properties at the bottom of the Bulk email threshold & spam properties section in the details flyout of the default anti-spam policy or a custom anti-spam policy, the Bulk email threshold section contains the bulk senders insight: information about the number of messages that were detected as bulk at all BCL levels by all anti-spam policies over the last 60 days.
By default, the bulk senders insight shows the number of messages that were delivered and identified as bulk at the current BCL threshold of the anti-spam policy.
If you decrease the bulk email threshold value, the bulk senders insight changes to show how many fewer messages would be delivered and how many more messages would be identified as bulk. The insight also shows how many bulk message identifications are likely to be false positives (good email identified as bad).
If you increase the bulk email threshold value, the bulk senders insight changes to show how many more messages would be delivered and how many fewer messages would be identified as bulk. The insight also shows how many bulk message identifications are likely to be false negatives (bad email delivered).
Selecting View bulk senders insight takes you to the main Bulk sender insights page. For more information, see Bulk senders insight in Exchange Online Protection.
Use the Microsoft Defender portal to enable or disable anti-spam policies
You can't disable the default anti-spam policy (it's always enabled).
You can't enable or disable the anti-spam policies that are associated with Standard and Strict preset security policies. You enable or disable the Standard or Strict preset security policies on the Preset security policies page at https://security.microsoft.com/presetSecurityPolicies.
After you select an enabled custom anti-spam policy (the Status value is On) by clicking anywhere in the row other than the check box next to the name, select Turn off at the top of the policy details flyout.
After you select a disabled custom anti-spam policy (the Status value is Off) by clicking anywhere in the row other than the check box next to the name, select Turn on at the top of the policy details flyout.
When you're finished in the policy details flyout, select Close.
On the Anti-spam policies page, the Status value of the policy is now On or Off.
Use the Microsoft Defender portal to set the priority of custom anti-spam policies
Anti-spam policies are processed in the order that they're displayed on the Anti-spam policies page:
- The anti-spam policy named Strict Preset Security Policy that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is enabled).
- The anti-spam policy named Standard Preset Security Policy that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is enabled).
- Custom anti-spam policies are applied next in priority order (if they're enabled):
- A lower priority value indicates a higher priority (0 is the highest).
- By default, a new anti-spam policy is created with a priority that's lower than the lowest existing custom anti-spam policy (the first is 0, the next is 1, etc.).
- No two anti-spam policies can have the same priority value.
- The default anti-spam policy always has the priority value Lowest, and you can't change it.
Anti-spam protection stops for a recipient after the first policy is applied (the highest priority policy for that recipient). For more information, see Order and precedence of email protection.
After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
- The custom policy with the Priority value 0 on the Anti-spam policies page has the Decrease priority action at the top of the details flyout.
- The custom policy with the lowest priority (highest Priority value; for example, 3) has the Increase priority action at the top of the details flyout.
- If you have three or more policies, the policies between Priority 0 and the lowest priority have both the Increase priority and the Decrease priority actions at the top of the details flyout.
When you're finished in the policy details flyout, select Close.
Back on the Anti-spam policies page, the order of the policy in the list matches the updated Priority value.
Use the Microsoft Defender portal to remove custom anti-spam policies
You can't remove the default anti-spam policy or the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with preset security policies.
After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, select Delete policy at the top of the flyout, and then select Yes in the warning dialog that opens.
On the Anti-spam policies page, the deleted policy is no longer listed.
Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies
In PowerShell, the basic elements of an anti-spam policy are:
- The spam filter policy: Specifies the spam protections to enable or disable, the actions to apply for those protections, and other options.
- The spam filter rule: Specifies the priority and recipient filters (who the policy applies to) for the associated spam filter policy.
The difference between these two elements isn't obvious when you manage anti-spam policies in the Microsoft Defender portal:
- When you create a policy in the Defender portal, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both.
- When you modify a policy in the Defender portal, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.
- When you remove a policy in the Defender portal, the spam filter rule and the associated spam filter policy are removed at the same time.
In Exchange Online PowerShell, the difference between spam filter policies and spam filter rules is apparent. You manage spam filter policies by using the *-HostedContentFilterPolicy cmdlets, and you manage spam filter rules by using the *-HostedContentFilterRule cmdlets.
- In PowerShell, you create the spam filter policy first, then you create the spam filter rule, which identifies the associated policy that the rule applies to.
- In PowerShell, you modify the settings in the spam filter policy and the spam filter rule separately.
- When you remove a spam filter policy from PowerShell, the corresponding spam filter rule isn't automatically removed, and vice versa.
A significant setting that's available only in PowerShell is the MarkAsSpamBulkMail parameter that's On
by default. The effects of this setting are explained in the Create anti-spam policies section earlier in this article.
Use PowerShell to create anti-spam policies
Creating an anti-spam policy in PowerShell is a two-step process:
- Create the spam filter policy.
- Create the spam filter rule that specifies the spam filter policy that the rule applies to.
Note
- You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.
- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Microsoft Defender portal until after you create the policy:
- Create the new policy as disabled (Enabled
$false
on the New-HostedContentFilterRule cmdlet). - Set the priority of the policy during creation (Priority <Number>) on the New-HostedContentFilterRule cmdlet).
- Create the new policy as disabled (Enabled
- A new spam filter policy that you create in PowerShell isn't visible in the Microsoft Defender portal until you assign the policy to a spam filter rule.
Step 1: Use PowerShell to create a spam filter policy
To create a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>
This example creates a spam filter policy named Contoso Executives with the following settings:
- Quarantine messages when the spam filtering verdict is spam or high confidence spam, and use the default quarantine policy for the quarantined messages (we aren't using the SpamQuarantineTag or HighConfidenceSpamQuarantineTag parameters).
- BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict.
New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6
For detailed syntax and parameter information, see New-HostedContentFilterPolicy.
Tip
For detailed instructions to specify the quarantine policy to use in a spam filter policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
Step 2: Use PowerShell to create a spam filter rule
To create a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]
This example creates a new spam filter rule named Contoso Executives with these settings:
- The spam filter policy named Contoso Executives is associated with the rule.
- The rule applies to members of the group named Contoso Executives Group.
New-HostedContentFilterRule -Name "Contoso Executives" -HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"
For detailed syntax and parameter information, see New-HostedContentFilterRule.
Use PowerShell to view spam filter policies
To return a summary list of all spam filter policies, connect to Exchange Online PowerShell and run this command:
Get-HostedContentFilterPolicy
To return detailed information about a specific spam filter policy, use this syntax:
Get-HostedContentFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]
This example returns all the property values for the spam filter policy named Executives.
Get-HostedContentFilterPolicy -Identity "Executives" | Format-List
For detailed syntax and parameter information, see Get-HostedContentFilterPolicy.
Use PowerShell to view spam filter rules
To view existing spam filter rules, connect to Exchange Online PowerShell and use the following syntax:
Get-HostedContentFilterRule [-Identity "<RuleIdentity>] [-State <Enabled | Disabled]
To return a summary list of all spam filter rules, run this command:
Get-HostedContentFilterRule
To filter the list by enabled or disabled rules, run the following commands:
Get-HostedContentFilterRule -State Disabled
Get-HostedContentFilterRule -State Enabled
To return detailed information about a specific spam filter rule, use this syntax:
Get-HostedContentFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]
This example returns all the property values for the spam filter rule named Contoso Executives.
Get-HostedContentFilterRule -Identity "Contoso Executives" | Format-List
For detailed syntax and parameter information, see Get-HostedContentFilterRule.
Use PowerShell to modify spam filter policies
Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the Step 1: Use PowerShell to create a spam filter policy section earlier in this article.
- The MakeDefault switch that turns the specified policy into the default policy (applied to everyone, always Lowest priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell.
- You can't rename a spam filter policy (the Set-HostedContentFilterPolicy cmdlet has no Name parameter). When you rename an anti-spam policy in the Microsoft Defender portal, you're only renaming the spam filter rule.
To modify a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.
Tip
For detailed instructions to specify the quarantine policy to use in a spam filter policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
Use PowerShell to modify spam filter rules
The only setting that isn't available when you modify a spam filter rule in PowerShell is the Enabled parameter that allows you to create a disabled rule. To enable or disable existing spam filter rules, see the next section.
Otherwise, no additional settings are available when you modify a spam filter rule in PowerShell. The same settings are available when you create a rule as described in the Step 2: Use PowerShell to create a spam filter rule section earlier in this article.
To modify a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
Set-HostedContentFilterRule -Identity "<RuleName>" <Settings>
This example renames the existing spam filter rule named {Fabrikam Spam Filter}
.
Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"
For detailed syntax and parameter information, see Set-HostedContentFilterRule.
Use PowerShell to enable or disable spam filter rules
Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or disable the default anti-spam policy (it's always applied to all recipients).
To enable or disable a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"
This example disables the spam filter rule named Marketing Department.
Disable-HostedContentFilterRule -Identity "Marketing Department"
This example enables same rule.
Enable-HostedContentFilterRule -Identity "Marketing Department"
For detailed syntax and parameter information, see Enable-HostedContentFilterRule and Disable-HostedContentFilterRule.
Use PowerShell to set the priority of spam filter rules
The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five custom rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.
To set the priority of a spam filter rule, connect to Exchange Online PowerShell and use the following syntax:
Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number>
This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2
Note
To set the priority of a new rule when you create it, use the Priority parameter on the New-HostedContentFilterRule cmdlet instead.
The default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value Lowest.
Use PowerShell to remove spam filter policies
When you use PowerShell to remove a spam filter policy, the corresponding spam filter rule isn't removed.
To remove a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
Remove-HostedContentFilterPolicy -Identity "<PolicyName>"
This example removes the spam filter policy named Marketing Department.
Remove-HostedContentFilterPolicy -Identity "Marketing Department"
For detailed syntax and parameter information, see Remove-HostedContentFilterPolicy.
Use PowerShell to remove spam filter rules
When you use PowerShell to remove a spam filter rule, the corresponding spam filter policy isn't removed.
To remove a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
Remove-HostedContentFilterRule -Identity "<PolicyName>"
This example removes the spam filter rule named Marketing Department.
Remove-HostedContentFilterRule -Identity "Marketing Department"
For detailed syntax and parameter information, see Remove-HostedContentFilterRule.
How do you know these procedures worked?
Send a GTUBE message to test your spam policy settings
Note
These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, you can't send the test message.
Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test message to verify your organization's anti-spam settings. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.
Include the following GTUBE text in an email message on a single line, without any spaces or line breaks:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X