Spam Filtering and Message Hygiene

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

All versions of the Microsoft cloud-based e-mail service use Forefront Online Protection for Exchange (FOPE) to combat spam and phishing. When messages are received at the gateway server for the cloud-based e-mail service, they are evaluated and assigned a spam confidence level (SCL) value. The SCL is a rating assigned to a message that indicates, based on the characteristics of a message, such as the content, message header, and so forth, the likelihood that the message is spam. The SCL that is assigned at the gateway server is added to the message metadata as it travels through the cloud-based e-mail service infrastructure.

The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam. The cloud-based e-mail service infrastructure has fixed SCL thresholds that define what action is taken at a specific SCL.

| SCL threshold | Action |
| --- | --- |
| SCL is greater than 7. | The message is deleted at the gateway server for the cloud-based e-mail service. |
| SCL is between 4 and 6. | The message is delivered to the cloud-based e-mail service, where it is delivered to the user's Junk E-Mail folder. |
| SCL is less than 4. | The message is delivered to the cloud-based e-mail service, where it is delivered to the user's Inbox. |

End users can configure lists of Safe Senders, whose e-mail should never be treated as spam, and Blocked Senders, whose e-mail should always be treated as spam.

User-managed spam filtering

By default, junk e-mail filtering is enabled on all mailboxes in the cloud-based e-mail service. Users can manage some spam settings for their own mailbox. For more information about how they can manage spam, see Junk E-Mail Settings.

If users have specified safe senders or are treating contacts as safe senders in their e-mail client, messages from safe senders with an SCL less than 7 are delivered to the user's Inbox. All messages with an SCL greater than 7 are deleted at the cloud-based e-mail service gateway server, even if your users have added the sender to their Safe Senders List.
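As an added example (not part of the original documentation), the following Python code reads the SCL from a message's headers and predicts the disposition under the fixed thresholds and the Safe Senders rule described above. It assumes the SCL is stamped in the `X-MS-Exchange-Organization-SCL` header, which this page does not name; the function names, sample messages and addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the SCL is stamped in this header; the page does not name it.
SCL_HEADER = "X-MS-Exchange-Organization-SCL"

DELETED, JUNK, INBOX = "deleted at gateway", "Junk E-Mail folder", "Inbox"
UNSPECIFIED = "not covered by the documented thresholds"
UNKNOWN = "no usable SCL in headers"


def predicted_disposition(raw_message, safe_senders=()):
    """Return (scl, disposition) for one raw message under the page's rules."""
    msg = message_from_string(raw_message)
    try:
        scl = int(msg.get(SCL_HEADER, "").strip())
    except ValueError:
        return None, UNKNOWN              # header missing or not a number
    if not 0 <= scl <= 9:
        return scl, UNKNOWN               # the page defines SCL as 0 through 9
    if scl > 7:
        return scl, DELETED               # Safe Senders never override this
    if scl == 7:
        return scl, UNSPECIFIED           # neither the table nor the safe-sender rule covers 7
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in {s.lower() for s in safe_senders}:
        return scl, INBOX                 # safe sender with SCL below 7
    return scl, JUNK if scl >= 4 else INBOX


def make_sample(sender, scl=None):
    """Build a constructed test message; addresses are illustrative only."""
    lines = [f"From: {sender}", "To: user@example.com", "Subject: sample"]
    if scl is not None:
        lines.append(f"{SCL_HEADER}: {scl}")
    return "\n".join(lines) + "\n\nbody\n"


if __name__ == "__main__":
    safe = ["newsletter@example.org"]
    for sender, scl in [("Promo <newsletter@example.org>", 5),
                        ("Promo <newsletter@example.org>", 9),
                        ("x@example.net", 5), ("x@example.net", 7),
                        ("x@example.net", 2), ("x@example.net", None)]:
        print(sender, scl, predicted_disposition(make_sample(sender, scl), safe))
```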

Administrator-managed message hygiene with FOPE

Although all Microsoft cloud-based e-mail systems are protected by the FOPE infrastructure, the ability to manage message hygiene features with the FOPE Administration Center is limited to Microsoft Office 365 for enterprises and Live@edu administrators.

As a FOPE administrator, you can change the actions for the SCL thresholds in the FOPE Administration Center, where you can also configure other message hygiene-related settings, such as IP safelists, quarantine, and message scanning.

The following table describes the message hygiene features that you can manage in the FOPE Administration Center.

For more information about how to manage these features for Microsoft Office 365 for enterprises, see FOPE in Office 365 Feature Differences.

| Area | Description |
| --- | --- |
| Anti-spam protection | Connection filtering using the Microsoft DNS-based block list. |
| Anti-spam protection | Content filtering from the Microsoft spam analysis team for real time SPAM updates |
| Anti-spam protection | Safe sender support |
| Antivirus | Multiple antivirus engine scanning at the FOPE gateway |
| Inbound mail control | Safe listing, skip listing |
| Inbound mail control | TLS encryption configuration and enforcement |
| Inbound mail control | Connection, content, and policy filtering |
| Outbound mail control | Custom outbound SMTP routing |
| Outbound mail control | TLS encryption configuration and enforcement |

The spam filtering process

Here's how e-mail is processed when it reaches the cloud-based e-mail service gateway server and is analyzed by FOPE.

Flowchart of spam filtering process

Two kinds of spam filtering are applied before e-mail is delivered to the cloud-based mailboxes:

  • Connection filtering: The volume of messages that are sent from a single IP address is monitored. Connections from a single IP address that sends large volumes of e-mail to one or more recipients in your domain may be suspected of sending spam.
  • Content filtering: The message subject and body are examined for keywords or phrases that might indicate that a message is spam.

Messages that meet filtering criteria can be blocked or delivered to the user's Junk E-Mail folder. You can also use organization-wide rules to control the flow of e-mail messages in your organization. For example, a rule might reject all e-mail that contains specific keywords or is from a specific source.

Emergency and broadcast messages

In emergency situations, your organization may need to send a broadcast message to all users in the cloud-based e-mail service. Some organizations use third-party emergency notification services to do this.

To ensure that these messages aren't treated as spam by FOPE and all your users receive these messages as quickly as possible, take the following precautions:

  • If you are sending broadcast messages to a large number of users at once, remember that only 100 messages are accepted per connection. If more than 100 messages are queued for delivery to the cloud-based e-mail service, the connection is dropped after 100 messages and your on-premises e-mail servers have to reestablish the connection to send the next batch of 100 messages. Therefore, you must devise an emergency broadcast message plan that lets you quickly send out e-mail to all users without exceeding the 100 messages per connection limit. The best way to do this is to use distribution groups or a dynamic distribution group to reduce the number of messages that are sent at one time. A group is treated as a single recipient for e-mail delivery restrictions. For more information, see Send Broadcast Messages to All Users.

  • If you are using a third-party emergency notification service to broadcast emergency messages to your users, contact your cloud-based e-mail service representative to verify that the service complies with Windows Live.