Examine outbound spam filtering


Some Microsoft 365 organizations have mailboxes in Exchange Online. Others have standalone Exchange Online Protection (EOP) without Exchange Online mailboxes. In either case, EOP automatically protects email messages against spam (junk email).

Microsoft's email safety roadmap involves an unmatched cross-product approach. Microsoft's email platforms apply EOP anti-spam and anti-phishing technology. This design provides organizations with the latest anti-spam and anti-phishing tools and innovations throughout their networks. The goal for EOP is to offer a comprehensive and usable email service that helps detect and protect users from junk email, fraudulent email threats (phishing), and malware.

As email use continues to grow, so too does email abuse. Unmonitored junk email can clog inboxes and networks, affect user satisfaction, and hamper the effectiveness of legitimate email communications. To protect organizations from these harmful effects, Microsoft continues to invest in anti-spam technologies. In other words, spam protection starts by containing and filtering junk email.

The following anti-spam technologies are useful when you want to allow or block messages based on the message envelope (for example, the sender's domain or the source IP address of the message). To allow or block messages based on payload (for example, URLs in the message or attached files), then you should use the Tenant Allow/Block List portal in the Microsoft Defender portal.

Anti-spam technologies in EOP

To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from Microsoft's consumer platform, Outlook.com. Ongoing feedback from EOP users in the junk email classification program helps ensure that Microsoft continually trains and improves its EOP technology.

The anti-spam settings in EOP consist of the following technologies:

  • Connection filtering. Identifies good and bad email source servers early in the inbound email connection. It does so through the IP allowlist, IP blocklist, and the safe list (a dynamic but noneditable list of trusted senders that Microsoft maintains). Organizations can configure these settings in the connection filter policy. Learn more at Configure connection filtering.

  • Spam filtering (content filtering). EOP uses the following spam filtering verdicts to classify messages:

    • Spam
    • High confidence spam
    • Bulk email
    • Phishing email
    • High confidence phishing email

    Organizations can configure the actions to take based on these verdicts. They can then configure what users can do to quarantined messages. They can also determine whether users receive quarantine notifications by using quarantine policies.

    By default, spam filtering sends messages marked as spam to the recipient's Junk Email folder. Organizations with EOP in a hybrid environment must configure the following rules in its on-premises Exchange organization to recognize and translate the spam filtering verdicts of EOP. Doing so allows the junk email rule in on-premises mailboxes to correctly move messages from the Inbox to the Junk Email folder. For details, see Configure EOP to deliver spam to the Junk Email folder in hybrid environments.

    • Outbound spam filtering. EOP also checks to make sure that your users don't send spam, either in outbound message content or by exceeding outbound message limits. For more information, see Configure outbound spam filtering in Microsoft 365.
    • Spoof intelligence. The anti-spoofing technology in Exchange Online Protection (EOP) specifically examines forgery of the From header in the message body. This protection is expanded by implementing spoof intelligence in the Microsoft Defender portal. A previous unit in this training module examined anti-spoofing technology in EOP.

Manage errors in spam filtering

It's possible the following errors can occur in spam filtering:

  • Identifying good messages as spam (also known as false positives).
  • Delivering spam to a user's Inbox (also known as false negatives).

The following sections include suggestions that organizations can use to find out how these errors occurred and help prevent them from happening in the future.

Organizations can apply the following best practices to either scenario:

  • Always report misclassified messages to Microsoft. For more information, see Report messages and files to Microsoft.
  • Examine the anti-spam message headers. These values explain why EOP marked a message as spam, or why the message bypassed spam filtering. For more information, see Anti-spam message headers.
  • Point your MX record to Microsoft 365. In order for EOP to provide the best protection, we always recommend that you have email delivered to Microsoft 365 first. For instructions, see Create DNS records at any DNS hosting provider for Microsoft 365. If the MX record points to some other location (for example, a third-party anti-spam solution or appliance), it's difficult for EOP to provide accurate spam filtering. In this scenario, you need to configure Enhanced Filtering for connectors (also known as skip listing). For instructions, see Enhanced Filtering for Connectors in Exchange Online.
  • Use email authentication. If you own an email domain, you can use DNS to help ensure that messages from senders in that domain are legitimate. To help prevent spam and unwanted spoofing in EOP, use the following email authentication methods (the prior training unit introduced these methods):
    • SPF
    • DKIM
    • DMARC
  • Verify your bulk email settings. The bulk complaint level (BCL) threshold that you configure in anti-spam policies determines whether the system marks your bulk email (also known as gray mail) as spam. The PowerShell-only setting MarkAsSpamBulkMail that's on by default also contributes to the results. For more information, see Configure anti-spam policies in Microsoft 365.

Prevent the delivery of spam to the Inbox

Organizations can apply the following best practices to prevent the delivery of spam to a user's Inbox:

  • Verify your organization settings. Watch out for settings that allow messages to skip spam filtering (for example, if you add your own domain to the allowed domains list in anti-spam policies). For our recommended settings, see Recommended settings for EOP and Microsoft Defender for Office 365 security and Create safe sender lists.
  • Use the available blocked sender lists. For information, see Create blocked sender lists.
  • Unsubscribe from bulk email. If the message was something the user signed up for (newsletters, product announcements, etc.) and contains an unsubscribe link from a reputable source, consider asking them to unsubscribe.
  • In standalone EOP environments, create mail flow rules in on-premises Exchange for EOP spam filtering verdicts. In hybrid environments where EOP protects on-premises Exchange mailboxes, you must configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see Configure EOP to deliver spam to the Junk Email folder in hybrid environments.

Prevent good email from identifying as spam

Organizations can apply the following best practices to help prevent Outlook from identifying good email as spam:

  • Verify the user's Outlook Junk Email Filter settings:
    • Verify the Outlook 'Safe Lists Only' setting is disabled. When organizations enable this setting, Outlook only delivers messages from senders in the user's Safe Senders list or Safe Recipients list to the Inbox. Outlook automatically moves email from everyone else to the Junk Email folder.
    • Verify the Outlook Junk Email Filter is disabled. When organizations set the Outlook Junk Email Filter to its default value of No automatic filtering, Outlook doesn't attempt to classify messages as spam. When organizations set the value to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder. As a result, you could get false positives.


Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook in November 2016. The existing SmartScreen spam definitions remained in place, but their effectiveness has likely degraded over time.

  • Use the available safe sender lists. For information, see Create safe sender lists.
  • Verify users are within the sending and receiving limits. See Receiving and sending limits in the Exchange Online service description.
  • In standalone EOP environments, use directory synchronization. If you use standalone EOP to help protect your on-premises Exchange organization, you should sync user settings with the service by using directory synchronization. This practice ensures that EOP respects your users' Safe Senders lists. For more information, see Use directory synchronization to manage mail users.