Implement anti-spam policies

Email messages are automatically protected against spam (junk email) by Exchange Online Protection (EOP) in Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP organizations without Exchange Online mailboxes. To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from Microsoft's consumer platform, Outlook.com. Ongoing feedback from administrators and users helps ensure that the EOP technologies are continually trained and improved.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP organizations without Exchange Online mailboxes, inbound messages go through spam filtering in EOP and are assigned a spam score. That score is mapped to an individual spam confidence level (SCL) value that's added to the message in an X-header. A higher SCL value indicates a message is more likely to be spam. EOP acts on the message based on the SCL value.

The following table describes what the SCL values mean and the default action that EOP takes on those messages:

| SCL value | Definition | Default action |
|---|---|---|
| -1 | The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP allowlist. For more information, see Create safe sender lists in EOP. | Deliver the message to recipient Inbox folders. |
| 0, 1 | Spam filtering determined the message wasn't spam. | Deliver the message to recipient Inbox folders. |
| 5, 6 | Spam filtering marked the message as Spam. | Default anti-spam policy, new anti-spam policies, and Standard preset security policy: Deliver the message to recipient Junk Email folders. Strict preset security policy: Quarantine the message. |
| 7, 8, 9 | Spam filtering marked the message as High confidence spam. | Default anti-spam policy and new anti-spam policies: Deliver the message to recipient Junk Email folders. Standard and Strict preset security policies: Quarantine the message. |

Did you notice in the table that SCL values of 2, 3, and 4 don't appear? Spam filtering never stamps messages with the SCL values 2, 3, or 4. EOP intentionally skips these three values for historical and practical reasons: they were originally reserved for specific scenarios that didn't align with typical spam filtering:

  • SCL 2. Historically, SCL 2 was used for messages that had been marked as spam by a mail flow (transport) rule. However, this approach led to confusion because it wasn’t consistent with the overall spam filtering process. As a result, Microsoft decided to skip SCL 2 altogether.
  • SCL 3 and 4. These values were also reserved for specific purposes, such as messages that failed DMARC checks or were subject to human analysis. However, they weren’t widely used, and their absence didn’t impact the effectiveness of spam filtering.

In summary, Microsoft's decision to avoid SCL values 2, 3, and 4 simplifies the EOP system, maintains consistency, and ensures that spam filtering remains efficient.

In addition, spam filtering itself typically doesn't stamp messages with the SCL value 7, but other features might. For example:

  • Human message grading by an analyst.
  • DMARC failures.
  • Mail flow (transport) rules.

Similar to the SCL, the bulk complaint level (BCL) identifies bad bulk email (also known as gray mail). EOP assigns a BCL value to inbound messages from bulk senders. A higher BCL value indicates the message is more likely to exhibit undesirable spam-like behavior. You configure the BCL threshold in anti-spam policies. For more information about BCL, see Bulk complaint level (BCL) in EOP.

EOP uses the following spam filtering verdicts to classify messages:

  • Spam. The message received a spam-confidence level (SCL) of 5 or 6.
  • High confidence spam. The message received an SCL of 7, 8, or 9.
  • Phishing. If an email is identified as phishing, EOP might quarantine it to prevent users from interacting with potentially harmful content. Unlike high confidence phishing messages, users can’t release their own quarantined phishing messages, regardless of any settings configured by administrators.
  • High confidence phishing. As part of secure by default, messages that are identified as high confidence phishing are always quarantined, and users can't release their own quarantined high confidence phishing messages, regardless of any available settings that admins configure.
  • Bulk. The message source met or exceeded the configured bulk complaint level (BCL) threshold.

The anti-spam message headers can tell you why a message was marked as spam, or why it skipped spam filtering. For more information, see Anti-spam message headers. If you disagree with the spam filtering verdict, you can report the message to Microsoft as a false positive (good mail marked as bad) or a false negative (bad email allowed). For more information, see:
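As an added example that is not part of the original page, the following PowerShell reads the X-Forefront-Antispam-Report header that EOP stamps on inbound messages, pulls out the SCL and BCL, and maps the SCL to the verdict and default action from the table above. The SCL, BCL, SFV and CAT field names are the ones EOP uses; the function names and the sample header block are constructed for this example and are not from a real message.

```powershell
# Added example, not from the page: read the EOP anti-spam report header and map SCL to a verdict.
# Field names (SCL, BCL, SFV, CAT, ...) are EOP's; function names and the sample header are constructed.

function ConvertFrom-AntispamReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    # The header value is a ';'-separated list of KEY:VALUE pairs; some values are empty (e.g. "SRV:").
    $fields = @{}
    foreach ($pair in ($HeaderValue -split ';')) {
        if ($pair -match '^\s*([A-Za-z]+):(.*)$') {
            $fields[$Matches[1].ToUpper()] = $Matches[2].Trim()
        }
    }
    return $fields
}

function Get-SclVerdict {
    param([Parameter(Mandatory)][int]$Scl)
    # Mapping taken from the SCL table on this page (default anti-spam policy actions).
    switch ($Scl) {
        { $_ -eq -1 }       { 'Skipped spam filtering: deliver to Inbox'; break }
        { $_ -in 0, 1 }     { 'Not spam: deliver to Inbox'; break }
        { $_ -in 5, 6 }     { 'Spam: deliver to Junk Email folder'; break }
        { $_ -in 7, 8, 9 }  { 'High confidence spam: deliver to Junk Email folder'; break }
        default             { "Unexpected SCL $Scl (spam filtering never stamps 2, 3 or 4)" }
    }
}

function Get-AntispamSummary {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 continuation lines (leading whitespace) so a long report header becomes one line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ''
    $line = ($unfolded -split "`r?`n") |
        Where-Object { $_ -like 'X-Forefront-Antispam-Report:*' } |
        Select-Object -First 1
    if (-not $line) { throw 'X-Forefront-Antispam-Report header not found' }
    $f = ConvertFrom-AntispamReport ($line -replace '^X-Forefront-Antispam-Report:\s*', '')
    if (-not $f.ContainsKey('SCL')) { throw 'Report header carries no SCL field' }
    [pscustomobject]@{
        SCL     = [int]$f['SCL']
        BCL     = if ($f.ContainsKey('BCL') -and $f['BCL']) { [int]$f['BCL'] } else { $null }
        SFV     = $f['SFV']
        CAT     = $f['CAT']
        Verdict = Get-SclVerdict -Scl ([int]$f['SCL'])
    }
}

# Constructed sample (not a real message); the IP and host names are documentation placeholders.
$sampleHeaders = @'
Received: from mail.example.test (203.0.113.5) by example.protection.outlook.com
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;
 H:mail.example.test;PTR:;CAT:SPM;DIR:INB;BCL:0;
Subject: Limited time offer
'@

Get-AntispamSummary -RawHeaders $sampleHeaders | Format-List
```

Paste the full header block of a message (View message source in Outlook) into `$sampleHeaders` to see which SCL and BCL EOP assigned and which verdict that implies; the parser keeps every other field in the hashtable returned by ConvertFrom-AntispamReport if you need them.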

Anti-spam policies

Anti-spam policies control the configurable settings for spam filtering. In the default anti-spam policy and in custom anti-spam policies, you can configure the actions to take based on the SCL and BCL verdicts.

You can't completely turn off spam filtering in Microsoft 365, but you can use Exchange mail flow rules (also known as transport rules) to bypass most spam filtering on incoming messages. For example, you might route email through a non-Microsoft protection service or device before delivery to Microsoft 365. For more information, see Use mail flow rules to set the spam confidence level (SCL) in messages.

In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the EOP spam headers that are added to messages. For details, see Configure EOP to deliver spam to the Junk Email folder in hybrid environments.

The critical settings in anti-spam policies are described in the following subsections.

Recipient filters in anti-spam policies

Recipient filters use conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required in custom policies. Conditions and exceptions aren't available in the default policy (the default policy applies to all recipients). You can use the following recipient filters for conditions and exceptions:

  • Users. One or more mailboxes, mail users, or mail contacts in the organization.
  • Groups.
    • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
    • The specified Microsoft 365 Groups.
  • Domains. One or more of the configured accepted domains in Microsoft 365. The recipient's primary email address is in the specified domain.

You can use a condition or exception only once, but the condition or exception can contain multiple values:

  • Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>):

    • Conditions. If the recipient matches any of the specified values, the policy is applied to them.
    • Exceptions. If the recipient matches any of the specified values, the policy isn't applied to them.
  • Different types of exceptions use OR logic (for example, <recipient1> or <member of group1> or <member of domain1>). If the recipient matches any of the specified exception values, the policy isn't applied to them.

  • Different types of conditions use AND logic. The recipient must match all the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:

    • Users. holly@contoso.com
    • Groups. Executives

    The policy is applied to holly@contoso.com only if she's also a member of the Executives group. Otherwise, the policy isn't applied to her.
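The AND/OR logic described above, as an added example in Exchange Online PowerShell (this is not code from the page). It assumes Connect-ExchangeOnline has already been run, that 'Executives' and 'Contractors' are mail-enabled security groups, and that the addresses are mailboxes in an accepted domain; the policy and rule names are placeholders chosen for the example.

```powershell
# Added example, not from the page: a custom anti-spam policy plus the rule that scopes it.
# Assumes Connect-ExchangeOnline has been run; group names, addresses and policy name are placeholders.

# A policy to scope; its verdict actions are left at their defaults here.
New-HostedContentFilterPolicy -Name 'Executives anti-spam'

# Conditions of different types are ANDed: the policy applies to holly@contoso.com only if she is
# also a member of Executives. Multiple values inside one condition (-SentTo) are ORed.
# Exceptions of different types are ORed: a recipient matching ANY exception is skipped.
New-HostedContentFilterRule -Name 'Executives anti-spam' `
    -HostedContentFilterPolicy 'Executives anti-spam' `
    -SentTo 'holly@contoso.com', 'sam@contoso.com' `
    -SentToMemberOf 'Executives' `
    -ExceptIfSentTo 'holly-shared@contoso.com' `
    -ExceptIfSentToMemberOf 'Contractors'

# Read the rule back to confirm how the conditions and exceptions were stored.
Get-HostedContentFilterRule -Identity 'Executives anti-spam' |
    Format-List Name, Priority, State, SentTo, SentToMemberOf, ExceptIfSentTo, ExceptIfSentToMemberOf
```

Each condition or exception parameter is used once, as the text requires; to widen a condition, add values to that one parameter rather than adding a second condition of another type, which would narrow the scope because of the AND logic.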

Bulk complaint threshold (BCL) in anti-spam policies

EOP assigns a bulk complaint level (BCL) value to inbound messages from bulk senders. By default, the PowerShell-only setting MarkAsSpamBulkMail is On in anti-spam policies in Exchange Online PowerShell. This setting dramatically affects the results of a Bulk complaint level (BCL) met or exceeded filtering verdict:

  • MarkAsSpamBulkMail is On. A BCL that's greater than or equal to the threshold value is converted to an SCL 6 that corresponds to a filtering verdict of Spam. The action for the Bulk complaint level (BCL) met or exceeded filtering verdict is taken on the message.
  • MarkAsSpamBulkMail is Off. The message is stamped with the BCL, but no action is taken for a Bulk complaint level (BCL) met or exceeded filtering verdict. In effect, the BCL threshold and the Bulk complaint level (BCL) met or exceeded filtering verdict action are irrelevant.

Spam properties in anti-spam policies

The Test mode settings, the Increase spam score settings, and most of the Mark as spam settings are part of Advanced Spam Filtering (ASF) in anti-spam policies. These settings aren't configured in the default anti-spam policy by default, or in the Standard or Strict preset security policies.

Additional reading. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in EOP.

The other settings that are available in this category are:

  • Contains specific languages. Messages in the specified languages are automatically identified as spam.
  • From these countries/regions*. Messages from the specified countries/regions are automatically identified as spam.

Note

These settings aren't configured in the default anti-spam policy by default, or in the Standard or Strict preset security policies.

Actions in anti-spam policies

In custom anti-spam policies and the default anti-spam policy, the available actions for spam filtering verdicts are described in the following table.

Note

A check mark ( ✔ ) indicates the action is available (not all actions are available for all verdicts). An asterisk ( * ) after the check mark indicates the default action for the spam filtering verdict.

| Action | Spam | High confidence spam | Phishing | High confidence phishing | Bulk |
|---|:---:|:---:|:---:|:---:|:---:|
| Move message to Junk Email folder: The message is delivered to the mailbox and moved to the Junk Email folder.¹ | ✔* | ✔* | ✔ | ✔² | ✔* |
| Add X-header: Adds an X-header to the message header and delivers the message to the mailbox. You enter the X-header field name (not the value) in the field titled: Add this X-header text. For Spam and High confidence spam verdicts, the message is moved to the Junk Email folder.¹ ³ | ✔ | ✔ | ✔ | | ✔ |
| Prepend subject line with text: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk Email folder.¹ ³ You enter the text in the field titled: Prefix subject line with this text. | ✔ | ✔ | ✔ | | ✔ |
| Redirect message to email address: Sends the message to other recipients instead of the intended recipients. You specify the recipients in the field titled: Redirect to this email address. | ✔ | ✔ | ✔ | ✔ | ✔ |
| Delete message: Silently deletes the entire message, including all attachments. | ✔ | ✔ | ✔ | ✔ | ✔ |
| Quarantine message: Sends the message to quarantine instead of the intended recipients. You select or use the default quarantine policy for the spam filtering verdict in the field titled: Select quarantine policy.⁴ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. You specify how long the messages are held in quarantine in the field titled: Retain spam in quarantine for this many days. | ✔ | ✔ | ✔* | ✔*⁵ | ✔ |
| No action | | | | | ✔ |
  1. EOP uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The Enabled parameter on the Set-MailboxJunkEmailConfiguration cmdlet in Exchange Online PowerShell affects mail flow in cloud mailboxes. For more information, see Configure junk email settings on Exchange Online mailboxes.
  2. For High confidence phishing, the Move message to Junk Email folder action is effectively deprecated. Although you might be able to select the Move message to Junk Email folder action, high confidence phishing messages are always quarantined (equivalent to selecting Quarantine message).
  3. You can use this value as a condition in mail flow rules to filter or route the message.
  4. If the spam filtering verdict quarantines messages by default (Quarantine message is already selected when you get to the page), the default quarantine policy name is shown in the Select quarantine policy field. If you change the action of a spam filtering verdict to Quarantine message, the Select quarantine policy field is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see EOP anti-spam policy settings.
  5. Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high confidence phishing messages.
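The verdict actions in the table and the BCL settings from the earlier Bulk complaint threshold subsection, as one added example in Exchange Online PowerShell (not code from the page). It assumes Connect-ExchangeOnline has been run and a custom policy named 'Executives anti-spam' already exists; the header name X-Contoso-Bulk and the mail flow rule name are placeholders chosen for the example.

```powershell
# Added example, not from the page: set the per-verdict actions and BCL handling on a custom
# anti-spam policy, then use the stamped X-header in a mail flow rule (footnote 3 above).
# Assumes Connect-ExchangeOnline has been run and the policy exists; X-Contoso-Bulk is a placeholder.

$policy = @{
    Identity                  = 'Executives anti-spam'
    SpamAction                = 'MoveToJmf'       # SCL 5-6: Junk Email folder (the page's default action)
    HighConfidenceSpamAction  = 'Quarantine'      # SCL 7-9: quarantine, as the Standard/Strict presets do
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'      # always quarantined in practice (footnote 2)
    BulkSpamAction            = 'AddXHeader'      # bulk mail: add the header and deliver to the mailbox
    AddXHeaderValue           = 'X-Contoso-Bulk'  # the header NAME, not its value
    BulkThreshold             = 6                 # BCL >= 6 becomes SCL 6 and triggers BulkSpamAction ...
    MarkAsSpamBulkMail        = 'On'              # ... only while this is On; Off makes the threshold irrelevant
    QuarantineRetentionPeriod = 30                # days that quarantined messages are retained
}
Set-HostedContentFilterPolicy @policy

# Verify the settings that matter for the verdict table.
Get-HostedContentFilterPolicy -Identity 'Executives anti-spam' |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction,
                BulkSpamAction, AddXHeaderValue, BulkThreshold, MarkAsSpamBulkMail, QuarantineRetentionPeriod

# Footnote 3: the added X-header can be a mail flow rule condition. Here any message carrying the
# header gets a subject tag, so users can build their own Inbox rules on it without touching the verdict.
New-TransportRule -Name 'Tag bulk-stamped mail' `
    -HeaderMatchesMessageHeader 'X-Contoso-Bulk' `
    -HeaderMatchesPatterns '.+' `
    -PrependSubject '[Bulk] '
```

Splatting the settings through a hashtable keeps each verdict's action next to its comment and lets you re-apply the same block to several custom policies by changing only Identity.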

Quarantine policies in anti-spam policies

If the verdict in the anti-spam policy is configured to quarantine messages, quarantine policies define what users are able to do to those quarantined messages, and whether users receive quarantine notifications.

Additional reading. For more information, see Anatomy of a quarantine policy.

Allowlists and blocklists in anti-spam policies

Anti-spam policies contain the following lists to allow or block specific senders or domains:

  • The allowed senders list
  • The allowed domains list
  • The blocked senders list
  • The blocked domains list

These settings aren't configured in the default anti-spam policy by default, or in the Standard or Strict preset security policies. The functionality of these lists has been largely replaced by:

  • Block entries for domains and email addresses in the Tenant Allow/Block List (see Create block entries for domains and email addresses). The main reason to still use the blocked senders list or the blocked domains list in anti-spam policies: block entries in the Tenant Allow/Block List also prevent users in the organization from sending email to those email addresses or domains.
  • Reporting good email to Microsoft from the Submissions page in the Microsoft Defender portal (where you can select the Allow emails with similar attributes setting, which creates the required temporary entries in the Tenant Allow/Block List).

Important

Messages from entries in the allowed senders list or the allowed domains list bypass most email protection (except malware and high confidence phishing) and email authentication checks (SPF, DKIM and DMARC). Entries in the allowed senders list or the allowed domains list create a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. These lists are best used for temporary testing only. Additionally, organizations should never add common domains (for example, microsoft.com or office.com) to the allowed domains list. Attackers can easily send spoofed messages from these common domains into your organization.

Priority of anti-spam policies

If they're turned on, the Standard and Strict preset security policies are applied before any custom anti-spam policies or the default policy (Strict is always first). If you create multiple custom anti-spam policies, you can specify the order in which they're applied. Policy processing stops after the first policy is applied (the highest priority policy for that recipient).

Additional reading. For more information about the order of precedence and how multiple policies are evaluated, see Order and precedence of email protection and Order of precedence for preset security policies and other policies.
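A review script for the two points above, as an added example in Exchange Online PowerShell (not code from the page): it lists the order in which custom anti-spam policies and the Default policy are evaluated, and it audits the allowed senders and allowed domains lists from the preceding Important note, which bypass most filtering and email authentication. It assumes Connect-ExchangeOnline has been run; the function names are my own and the default list of common domains to flag is a constructed starting point, not a Microsoft list.

```powershell
# Added example, not from the page: list anti-spam policy evaluation order and audit allow lists.
# Assumes Connect-ExchangeOnline has been run; $CommonDomains is a constructed starting list.

function Get-AntiSpamPolicyOrder {
    # Custom policies run in Priority order (0 is highest); the built-in Default policy is always last.
    # The Standard and Strict presets, when turned on, run before all of these (Strict first) and are
    # managed separately, so they are not listed here.
    $rules = Get-HostedContentFilterRule | Sort-Object Priority
    $order = @(foreach ($r in $rules) {
        [pscustomobject]@{ Priority = $r.Priority; Policy = $r.HostedContentFilterPolicy; State = $r.State }
    })
    $default = Get-HostedContentFilterPolicy | Where-Object { $_.IsDefault }
    $order + [pscustomobject]@{ Priority = 'Lowest'; Policy = $default.Name; State = 'Enabled' }
}

function Find-AllowListEntries {
    param([string[]]$CommonDomains = @('microsoft.com', 'office.com', 'outlook.com'))
    # Every allow entry deserves a second look; entries for widely spoofed domains are flagged HIGH.
    $generic = 'Bypasses most filtering and SPF/DKIM/DMARC checks'
    foreach ($p in Get-HostedContentFilterPolicy) {
        foreach ($d in $p.AllowedSenderDomains) {
            $domain = [string]$d    # entries come back as domain objects or strings; normalise to text
            $risk = if ($domain -in $CommonDomains) { 'HIGH: common domain, trivially spoofed' } else { $generic }
            [pscustomobject]@{ Policy = $p.Name; Type = 'AllowedSenderDomain'; Entry = $domain; Risk = $risk }
        }
        foreach ($s in $p.AllowedSenders) {
            [pscustomobject]@{ Policy = $p.Name; Type = 'AllowedSender'; Entry = [string]$s; Risk = $generic }
        }
    }
}

Get-AntiSpamPolicyOrder | Format-Table -AutoSize
Find-AllowListEntries  | Format-Table -AutoSize

# To move a custom policy ahead of the other custom policies (presets still run first):
# Set-HostedContentFilterRule -Identity 'Executives anti-spam' -Priority 0
```

Run Find-AllowListEntries on a schedule: the page recommends the allow lists only for temporary testing, so any entry that survives past its test window is a finding, and a common domain in the list is one to remove immediately.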

Default anti-spam policy

Every organization has a built-in anti-spam policy named Default that has the following properties:

  • The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.
  • The policy is automatically applied to all recipients in the organization, and you can't turn it off.
  • The policy is always applied last (the Priority value is Lowest and you can't change it).