Create blocked sender lists in EOP

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP offers multiple ways of blocking email from unwanted senders. Collectively, you can think of these options as blocked sender lists.

The available blocked sender lists are described in the following list in order from most recommended to least recommended:

  1. Block entries for domains and email addresses (including spoofed senders) in the Tenant Allow/Block List.
  2. Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox).
  3. Blocked sender lists or blocked domain lists (anti-spam policies).
  4. Mail flow rules (also known as transport rules).
  5. The IP Block List (connection filtering).

The rest of this article contains specifics about each method.

Note

Always submit messages in your blocked sender lists to Microsoft for analysis. For instructions, see Report questionable email to Microsoft. If the messages or message sources are determined to be harmful, Microsoft can automatically block the messages, and you won't need to manually maintain the entry in blocked sender lists.

Instead of blocking email, you also have several options to allow email from specific sources using safe sender lists. For more information, see Create safe sender lists.

Email message basics

A standard SMTP email message consists of a message envelope and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the message header) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.

  • The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the Return-Path header field in the message header (although it's possible for the sender to designate a different Return-Path email address). If the message can't be delivered, it's the recipient for the non-delivery report (also known as an NDR or bounce message).

  • The 5322.From address (also known as the From address or P2 sender) is the email address in the From header field, and is the sender's email address that's displayed in email clients.

Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person communication). However, when email is sent on behalf of someone else, the addresses can be different.

Blocked sender lists and blocked domain lists in anti-spam policies in EOP inspect only the 5322.From addresses. This behavior is similar to Outlook Blocked Senders that use the 5322.From address.

Use block entries in the Tenant Allow/Block List

Our number one recommended option for blocking mail from specific senders or domains is the Tenant Allow/Block List. For instructions, see Create block entries for domains and email addresses and Create block entries for spoofed senders.

Email messages from these senders are marked as high confidence spam (SCL = 9). What happens to the messages is determined by the anti-spam policy that detected the message for the recipient. In the default anti-spam policy and new custom policies, messages that are marked as high confidence spam are delivered to the Junk Email folder by default. In Standard and Strict preset security policies, high confidence spam messages are quarantined.

As an added benefit, users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): 550 5.7.703 Your message can't be delivered because messages to XXX, YYY are blocked by your organization using Tenant Allow Block List. The entire message is blocked for all internal and external recipients of the message, even if only one recipient email address or domain is defined in a block entry.

Only if you can't use the Tenant Allow/Block List for some reason should you consider using a different method to block senders.
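As an added example (not part of the Microsoft article), the following Exchange Online PowerShell commands create both kinds of block entry described above and then list the entries that are close to expiring. The cmdlets are the real ones (New-TenantAllowBlockListItems, New-TenantAllowBlockListSpoofItems, Get-TenantAllowBlockListItems); the addresses, domains, sending infrastructure and 30-day expiry are constructed placeholders, and the session is assumed to be connected with Connect-ExchangeOnline using an account that holds a role permitted to manage the Tenant Allow/Block List.

```powershell
# Added example, not from the Microsoft article. Entries below are placeholders.
Connect-ExchangeOnline

# Sender entries can be full addresses or domains. A time-limited block keeps
# the list from accumulating stale entries; use -NoExpiration only when a
# permanent block is intended. Notes record why the entry exists for later triage.
$SenderEntries = @('spammer@attacker.example', 'bad-domain.example')

New-TenantAllowBlockListItems -ListType Sender -Block -Entries $SenderEntries `
    -ExpirationDate (Get-Date).AddDays(30).ToUniversalTime() `
    -Notes 'Reported by helpdesk; message also submitted to Microsoft for analysis'

# Spoofed-sender entry: block messages that claim to be from the named user
# (or domain) when they arrive from the named sending infrastructure.
New-TenantAllowBlockListSpoofItems -Identity Default -Action Block `
    -SendingInfrastructure 'mail.attacker.example' `
    -SpoofedUser 'ceo@contoso.example' `
    -SpoofType External

# Review: show the sender block entries, then flag any that expire within 7 days
# so they can be renewed or allowed to lapse deliberately.
$Entries = Get-TenantAllowBlockListItems -ListType Sender -Block |
    Select-Object Value, ExpirationDate, Notes

$Entries

$Entries |
    Where-Object { $_.ExpirationDate -and $_.ExpirationDate -lt (Get-Date).AddDays(7) } |
    ForEach-Object { Write-Warning "Block entry '$($_.Value)' expires $($_.ExpirationDate)" }
```

Because a block entry also stops internal users from sending to the listed address or domain (the 550 5.7.703 NDR above), an entry for a domain such as a partner's should be reviewed with that side effect in mind before it is created.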

Use Outlook Blocked Senders

When only a small number of users receive unwanted email, users or admins can add the sender email addresses to the Blocked Senders list in the mailbox. For instructions, see Configure junk email settings on Exchange Online mailboxes.

When messages are successfully blocked due to a user's Blocked Senders list, the X-Forefront-Antispam-Report header field will contain the value SFV:BLK.
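To make two points above concrete, which address the sender lists evaluate (Email message basics) and how a block by a user's Blocked Senders list shows up in the header (SFV:BLK), here is an added PowerShell example that is not part of the Microsoft article. It parses a constructed message header, reports the 5321.MailFrom address (read from Return-Path) and the 5322.From address, extracts the SFV value from X-Forefront-Antispam-Report, and then checks only the 5322.From address against blocked sender and blocked domain entries. The helper names Get-SenderAddresses and Test-BlockedSender, the sample header and every address in it are assumptions; the Set-MailboxJunkEmailConfiguration call at the end is the real Exchange Online cmdlet an admin would use to add a mailbox-level entry.

```powershell
# Added example, not from the Microsoft article. The header below is constructed.
$RawHeader = @'
Return-Path: <bounce@newsletter.example.net>
From: "Contoso Billing" <billing@contoso.example>
To: alice@fabrikam.example
Subject: Invoice attached
X-Forefront-Antispam-Report: CIP:198.51.100.25;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:BLK;
 H:mail.example.net;PTR:;CAT:HSPM;
'@

function Get-SenderAddresses {
    param([Parameter(Mandatory)][string]$Header)
    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header field) before matching.
    $unfolded = $Header -replace "`r?`n[ \t]+", ' '
    $result = [ordered]@{ MailFrom5321 = $null; From5322 = $null; SFV = $null }
    # Return-Path normally records the 5321.MailFrom (envelope) address.
    if ($unfolded -match '(?m)^Return-Path:\s*<?([^>\r\n]+)>?') { $result.MailFrom5321 = $Matches[1].Trim() }
    # From is the 5322.From address shown to the user; strip any display name.
    if ($unfolded -match '(?m)^From:\s*(?:.*<)?([^>\r\n]+?)>?\s*$') { $result.From5322 = $Matches[1].Trim() }
    # SFV is the spam filtering verdict; BLK means a user's Blocked Senders list matched.
    if ($unfolded -match '(?m)^X-Forefront-Antispam-Report:.*?SFV:([A-Z]+)') { $result.SFV = $Matches[1] }
    [pscustomobject]$result
}

function Test-BlockedSender {
    param(
        [Parameter(Mandatory)][string]$Header,
        [string[]]$BlockedSenders = @(),
        [string[]]$BlockedSenderDomains = @()
    )
    $addr = Get-SenderAddresses -Header $Header
    if (-not $addr.From5322) { throw 'No From header field found' }
    # Anti-spam policy lists and Outlook Blocked Senders evaluate the 5322.From
    # address only; the 5321.MailFrom address is not consulted here.
    $from   = $addr.From5322.ToLowerInvariant()
    $domain = ($from -split '@')[-1]
    $hit = ($BlockedSenders -contains $from) -or ($BlockedSenderDomains -contains $domain)
    [pscustomobject]@{
        MailFrom5321 = $addr.MailFrom5321
        From5322     = $addr.From5322
        SFV          = $addr.SFV
        Blocked      = $hit
    }
}

# The envelope sender's domain (newsletter.example.net) differs from the
# header From domain (contoso.example). An entry for the From domain matches.
Test-BlockedSender -Header $RawHeader -BlockedSenderDomains 'contoso.example'

# An entry for the envelope sender's domain does not match, because only the
# 5322.From address is evaluated.
Test-BlockedSender -Header $RawHeader -BlockedSenderDomains 'newsletter.example.net'

# Admin-side equivalent of the user's Blocked Senders list (real cmdlet;
# requires Connect-ExchangeOnline). Mailbox and address are placeholders.
Set-MailboxJunkEmailConfiguration -Identity 'alice@fabrikam.example' `
    -BlockedSendersAndDomains @{ Add = 'billing@contoso.example' }
```

When triaging a user report, running Get-SenderAddresses over the pasted header shows at a glance whether the address the user sees (5322.From) is the one their list would need to contain, and whether SFV:BLK confirms that the list, rather than another filter, produced the verdict.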

Note

If the unwanted messages are newsletters from a reputable and recognizable source, unsubscribing from the email is another option to stop the user from receiving the messages.

Use blocked sender lists or blocked domain lists

When multiple users are affected, the scope is wider, so the next best option is blocked sender lists or blocked domain lists in anti-spam policies. Messages from senders on the lists are marked as High confidence spam, and the action that you've configured for the High Confidence Spam filter verdict is taken on the messages. For more information, see Configure anti-spam policies.

The maximum limit for these lists is approximately 1000 entries.
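Here is an added example (not part of the Microsoft article) of adding entries to an anti-spam policy's blocked sender and blocked domain lists with Exchange Online PowerShell, with a guard for the approximate 1000-entry limit mentioned above. Get-HostedContentFilterPolicy and Set-HostedContentFilterPolicy are the real cmdlets and BlockedSenders, BlockedSenderDomains and HighConfidenceSpamAction are their real properties; the function name Add-BlockedSenderToPolicy, the policy name and the addresses are assumptions, and the session is assumed to be connected with Connect-ExchangeOnline.

```powershell
# Added example, not from the Microsoft article. Names and addresses are placeholders.
function Add-BlockedSenderToPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [string[]]$Senders = @(),
        [string[]]$Domains = @(),
        [int]$Limit = 1000   # approximate per-list limit stated in the article
    )
    $policy = Get-HostedContentFilterPolicy -Identity $PolicyName

    # Normalize the existing entries to strings so the comparisons below are
    # plain (case-insensitive) address comparisons.
    $existingSenders = @($policy.BlockedSenders       | ForEach-Object { "$_" })
    $existingDomains = @($policy.BlockedSenderDomains | ForEach-Object { "$_" })

    # Skip entries that are already present.
    $newSenders = @($Senders | Where-Object { $existingSenders -notcontains $_ })
    $newDomains = @($Domains | Where-Object { $existingDomains -notcontains $_ })

    # Refuse to push either list past the limit; the Tenant Allow/Block List
    # is the recommended place for large or growing block lists anyway.
    if (($existingSenders.Count + $newSenders.Count) -gt $Limit -or
        ($existingDomains.Count + $newDomains.Count) -gt $Limit) {
        throw "Policy '$PolicyName' would exceed about $Limit entries; use the Tenant Allow/Block List instead."
    }

    # Build the Set-HostedContentFilterPolicy call only with lists that change.
    $params = @{ Identity = $PolicyName }
    if ($newSenders.Count -gt 0) { $params.BlockedSenders       = @{ Add = $newSenders } }
    if ($newDomains.Count -gt 0) { $params.BlockedSenderDomains = @{ Add = $newDomains } }
    if ($params.Count -gt 1) { Set-HostedContentFilterPolicy @params }

    # Matching messages get the high confidence spam verdict, so report the
    # action this policy applies to that verdict.
    [pscustomobject]@{
        Policy                   = $PolicyName
        AddedSenders             = $newSenders
        AddedDomains             = $newDomains
        HighConfidenceSpamAction = $policy.HighConfidenceSpamAction
    }
}

Connect-ExchangeOnline
Add-BlockedSenderToPolicy -PolicyName 'Default' `
    -Senders 'spammer@attacker.example' `
    -Domains 'bad-domain.example'
```

The returned HighConfidenceSpamAction is worth reading before relying on the list: if it is MoveToJmf, blocked messages still land in users' Junk Email folders rather than quarantine, which is the behaviour the article describes for the default policy.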

Use mail flow rules

Mail flow rules can also look for keywords or other properties in the unwanted messages.

Regardless of the conditions or exceptions that you use to identify the messages, you configure the action to set the spam confidence level (SCL) of the message to 9, which marks the message as High confidence spam. For more information, see Use mail flow rules to set the SCL in messages.

Important

It's easy to create rules that are overly aggressive, so it's important that you identify only the messages you want to block using very specific criteria. Also, be sure to monitor the usage of the rule to ensure everything works as expected.
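As an added example (not part of the Microsoft article), the following Exchange Online PowerShell creates a mail flow rule that sets SCL 9 on messages matching narrow criteria, starts it in audit mode, reviews what it matched, and only then enforces it, which is the "very specific criteria" plus monitoring advice above in practice. New-TransportRule, Set-TransportRule and Get-MailDetailTransportRuleReport are the real cmdlets; the rule name, sender domain and subject phrases are placeholders, and the session is assumed to be connected with Connect-ExchangeOnline.

```powershell
# Added example, not from the Microsoft article. Rule name and criteria are placeholders.
Connect-ExchangeOnline

$RuleName = 'SCL9 - unwanted mail from bad-domain.example'

# Conditions on one rule are ANDed: the message must come from outside the
# organization, from this sender domain, AND carry one of these subject phrases.
# Starting in Audit mode records matches without changing the SCL.
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SenderDomainIs 'bad-domain.example' `
    -SubjectContainsWords 'limited time offer', 'act now' `
    -SetSCL 9 `
    -Mode Audit `
    -Comments 'Audit for one week; switch to Enforce only if every hit was unwanted mail.'

# Review what the rule matched while in audit mode.
$Since = (Get-Date).AddDays(-7)
Get-MailDetailTransportRuleReport -StartDate $Since -EndDate (Get-Date) -TransportRule $RuleName |
    Select-Object Date, SenderAddress, RecipientAddress, Subject |
    Sort-Object Date -Descending

# Once the hits look right, enforce the rule. Matching messages then get SCL 9
# and the anti-spam policy's high confidence spam action handles them.
Set-TransportRule -Identity $RuleName -Mode Enforce
```

Keeping the rule in audit mode for a period before enforcing it is the cheapest way to catch an overly broad condition, since a false match in audit mode costs nothing but a report row.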

Use the IP Block List

When it's not possible to use one of the other options to block a sender, only then should you use the IP Block List in the connection filter policy. For more information, see Configure the connection filter policy. It's important to keep the number of blocked IPs to a minimum, so blocking entire IP address ranges is not recommended.

You should especially avoid adding IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures, and also ensure that you review the list of blocked IP addresses as part of regular maintenance.
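As an added example (not part of the Microsoft article), the following Exchange Online PowerShell adds a single host to the IP Block List and then reviews the list for entries that cover more than one address, which is the kind of check the maintenance advice above calls for. Set-HostedConnectionFilterPolicy and Get-HostedConnectionFilterPolicy are the real cmdlets and IPBlockList is the real property; the function name Get-BroadIPBlockEntries is an assumption, the addresses come from the RFC 5737 documentation ranges, and the session is assumed to be connected with Connect-ExchangeOnline.

```powershell
# Added example, not from the Microsoft article. Addresses are documentation placeholders.
Connect-ExchangeOnline

# Block one sending host only; avoid adding ranges.
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{ Add = '198.51.100.25' }

function Get-BroadIPBlockEntries {
    # Flags IP Block List entries that cover more than a single host, so they
    # can be reviewed during regular maintenance. Entries can be a single IP,
    # a CIDR block, or a dash-separated range (a.b.c.d-a.b.c.e).
    param([int]$MinPrefixLength = 32)   # anything wider than a /32 is a range
    $policy = Get-HostedConnectionFilterPolicy -Identity Default
    foreach ($entry in $policy.IPBlockList) {
        $text = "$entry"
        $reviewNeeded = $false
        if ($text -match '/(\d+)$') {
            # CIDR notation: prefix shorter than /32 covers multiple hosts.
            $reviewNeeded = [int]$Matches[1] -lt $MinPrefixLength
        }
        elseif ($text -match '-') {
            # Dash-separated range always covers multiple hosts.
            $reviewNeeded = $true
        }
        [pscustomobject]@{ Entry = $text; ReviewNeeded = $reviewNeeded }
    }
}

# Full list for the maintenance review, then just the entries that need attention.
Get-BroadIPBlockEntries
Get-BroadIPBlockEntries | Where-Object ReviewNeeded |
    ForEach-Object { Write-Warning "IP Block List entry '$($_.Entry)' covers a range; confirm it is still required" }
```

Running the review function on a schedule and treating any ReviewNeeded entry as a ticket keeps the list short, which is the property the article asks for, and surfaces ranges that may belong to shared infrastructure before they cause lost mail.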