Configure Exchange antispam settings on mailboxes
In Exchange Server, you can configure specific antispam settings on individual mailboxes that are different than the antispam settings that are applied to the rest of the mailboxes in your organization. The antispam settings that are available on mailboxes are basically unchanged from Exchange 2010.
What do you need to know before you begin?
Estimated time to complete each procedure: 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic, and the "Antispam" entry in the Recipients Permissions topic.
By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Use the Exchange Management Shell to enable or disable the junk email rule in a mailbox
By default, the junk email rule (a hidden Inbox rule named Junk E-mail Rule) is enabled in every mailbox, and controls the following Exchange antispam features:
Message delivery to the Junk Email folder based on the SCL Junk Email folder threshold: When a message is assigned a spam confidence level (SCL) value by Exchange, and the SCL value is greater than the SCL Junk Email folder threshold value that's configured for the Exchange organization (the default value is 4) or directly on the mailbox (the default value is not configured), the junk email filter rule moves the message to the Junk Email folder.
Message delivery to the Junk Email folder based on the safelist collection on the mailbox: The entries in the Safe Senders list, Safe Recipients list, and Block Senders list that are configured on the mailbox determine whether the junk email rule delivers the message to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailbox in Microsoft Outlook or Outlook on the web. Administrators can configure the safelist collection for a mailbox by using the Set-MailboxJunkEmailConfiguration cmdlet.
When the junk email rule is enabled in the mailbox, Exchange is able to deliver messages to the Junk Email folder (based on the Blocked Senders list or SCL Junk Email folder threshold), and prevent messages from being delivered to the Junk Email folder (based on the Safe Senders list). This value corresponds to the Outlook on the web setting: Automatically filter junk email.
When the junk email rule is disabled on the mailbox, Exchange can't deliver messages to the Junk Email folder based on the SCL Junk Email folder threshold or the safelist collection on the mailbox. This value corresponds to the Outlook on the web setting: Don't move email to my Junk Email folder.
To enable or disable the junk email rule on a mailbox, use the following syntax:
Set-MailboxJunkEmailConfiguration <MailboxIdentity> -Enabled <$true | $false>
This example disables the junk email rule on Ori Epstein's mailbox.
Set-MailboxJunkEmailConfiguration "Ori Epstein" -Enabled $false
This example disables the junk email rule on all user mailboxes in the Organizational Unit named North America in the consoto.com domain.
Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Set-MailboxJunkEmailConfiguration -Enabled $false
This example disables the junk email rule on all user mailboxes in the mailbox database named MDB 01.
Get-Mailbox -RecipientTypeDetails UserMailbox -Database "MDB 01" | Set-MailboxJunkEmailConfiguration -Enabled $false
This example disables the junk email rule on all user mailboxes in the organization.
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -Enabled $false}
For more information, see Set-MailboxJunkEmailConfiguration.
Notes:
You can only use the Set-MailboxJunkEmailConfiguration cmdlet to disable the junk email rule on a mailbox that's been opened in Outlook (in Cached Exchange mode) or Outlook on the web. If the mailbox hasn't been opened, you'll receive the error:
The Junk Email configuration couldn't be set. The user needs to sign in to Outlook Web App before they can modify their Safe Senders and Recipients or Blocked Senders lists.
If you want to suppress this error for bulk operations, you can add-ErrorAction SlientlyContinue
to the Set-MailboxJunkEmailConfiguration command.Disabling the junk email rule on the mailbox prevents the rule from moving messages to the Junk Email folder. However, the Outlook Junk Email Filter can also determine whether a message is spam, and is able to use the safelist collection to move messages to the Inbox or the Junk Email folder. For more information, see the About junk email settings in Outlook section in this topic.
How do you know this worked?
To verify that you have successfully enabled or disabled the junk email rule on a mailbox, use any of the following procedures:
Replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the Enabled property value:
Get-MailboxJunkEmailConfiguration <MailboxIdentity> | Format-List Enabled
For bulk operations, use the same filter that identified the mailboxes, and replace the Set-MailboxJunkEmailConfiguration command with
Get-MailboxJunkEmailConfiguration | Format-Table -Auto Identity,Enabled
. For example:Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Get-MailboxJunkEmailConfiguration | Format-Table -Auto Identity,Enabled
Replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the Enabled property value of the junk email rule.
Get-InboxRule "Junk E-mail Rule" -Mailbox <MailboxIdentity> -IncludeHidden
Use the Exchange Management Shell to configure the safelist collection on a mailbox
The safelist collection on a mailbox includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list. By default, users can configure the safelist collection on their own mailbox in Outlook or Outlook on the web. Administrators can use the corresponding parameters on the Set-MailboxJunkEmailConfiguration cmdlet to configure the safelist collection on a user's mailbox. These parameters are described in the following table.
Parameter on Set-MailboxJunkEmailConfiguration | Outlook Web App setting |
---|---|
BlockedSendersAndDomains | Move email from these senders or domains to my Junk Email folder |
ContactsTrusted | Trust email from my contacts |
TrustedListsOnly | Don't trust email unless it comes from someone in my Safe Senders and Recipients list |
TrustedSendersAndDomains TrustedRecipientsAndDomains |
Don't move email from these senders or domains to my Junk Email folder |
To configure the safelist collection on a mailbox, use the following syntax:
Set-MailboxJunkEmailConfiguration <MailboxIdentity> -BlockedSendersAndDomains <EmailAddressesOrDomains | $null> -ContactsTrusted <$true | $false> -TrustedListsOnly <$true | $false> -TrustedSendersAndDomains <EmailAddressesOrDomains | $null>
To enter multiple values and overwrite any existing entries for the BlockedSendersAndDomains and TrustedSendersAndDomains parameters, use the following syntax: "<EmailAddressOrDomain1>","<EmailAddressOrDomain2>"...
. To add or remove one or more values without affecting other existing entries, use the following syntax: @{Add="<EmailAddressOrDomain1>","<EmailAddressOrDomain2>"... ; Remove="<EmailAddressOrDomain3>","<EmailAddressOrDomain4>...}
This example configures the following settings for the safelist collection on Ori Epstein's mailbox:
Adds the value shopping@fabrikam.com to the Blocked Senders list.
Removes the value chris@fourthcoffee.com from the Safe Senders list and the Safe Recipients list.
Configures contacts in the Contacts folder to be treated as trusted senders.
Set-MailboxJunkEmailConfiguration "Ori Epstein" -BlockedSendersAndDomains @{Add="shopping@fabrikam.com"} -TrustedSendersAndDomains @{Remove="chris@fourthcoffee.com"} -ContactsTrusted $true
This example empties the Blocked Senders list for all user mailboxes in the Organizational Unit named North America in the contoso.com domain.
Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Set-MailboxJunkEmailConfiguration -BlockedSendersAndDomains $null
This example adds michelle@tailspintoys.com to the Safe Senders list and Safe Recipients list on all user mailboxes in the mailbox database named MDB 01.
Get-Mailbox -RecipientTypeDetails UserMailbox -Database "MDB 01" | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add="michelle@tailspintoys.com"}
This example removes the domain contoso.com from the Blocked Senders list in all user mailboxes in the organization.
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -BlockedSendersAndDomains @{Remove="contoso.com"}}
For more information, see Set-MailboxJunkEmailConfiguration.
Notes:
You can only use the Set-MailboxJunkEmailConfiguration cmdlet to configure the safelist collection on a mailbox that's been opened in Outlook (in Cached Exchange mode) or Outlook on the web. If the mailbox hasn't been opened, you'll receive the error:
The Junk Email configuration couldn't be set. The user needs to sign in to Outlook Web App before they can modify their Safe Senders and Recipients or Blocked Senders lists.
If you want to suppress this error for bulk operations, you can add-ErrorAction SlientlyContinue
to the Set-MailboxJunkEmailConfiguration command.Disabling the junk email rule in the mailbox prevents the rule from moving messages to the Junk Email folder or keeping messages out of the Junk Email folder based on the safelist collection. However, even with the junk email rule disabled, you can still configure the safelist collection, and the Outlook Junk Email Filter is able to use the safelist collection to move messages to the Inbox or the Junk Email folder. For more information, see the About junk email settings in Outlook section in this topic.
The safelist aggregation feature of the Content Filter agent is able to share the safelist collection of mailboxes with the built-in Exchange antispam agents. For more information, see Safelist aggregation.
You can't directly modify the Safe Recipients list by using the Set-MailboxJunkEmailConfiguration cmdlet. You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list.
The Outlook Junk Email Filter has additional safelist collection settings (for example, Automatically add people I email to the Safe Senders list, and separate configuration of the Safe Senders list and Safe Recipients list). For more information, see Use Junk Email Filters to control which messages you see.
How do you know this worked?
To verify that you have successfully configured the safelist collection on a mailbox, use any of following procedures:
Replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the property values:
Get-MailboxJunkEmailConfiguration <MailboxIdentity> | Format-List trusted*,contacts*,blocked*
If the list of email addresses is too long, use this syntax:
(Get-MailboxJunkEmailConfiguration <MailboxIdentity>).BlockedSendersAndDomains
For bulk operations, specify the filter that you used to configure the safelist collection, and replace the Set-MailboxJunkEmailConfiguration command with
Get-MailboxJunkEmailConfiguration | Format-List Identity,trusted*,contacts*,blocked*
. For example:Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Get-MailboxJunkEmailConfiguration | Format-List Identity,trusted*,contacts*,blocked*
Use the Exchange Management Shell to control the availability of junk email settings in Outlook on the web
Administrators can control whether users are allowed to enable or disable the junk email rule, or configure the safelist collection on their own mailboxes in Outlook on the web. This setting doesn't enable or disable the junk email rule in the mailbox; it controls the availability of the junk email settings in Outlook on the web for the mailbox.
To use Outlook on the web mailbox policies to allow or prevent users from configuring the junk email settings on their own mailbox, use the following syntax:
Set-OwaMailboxPolicy <OWAMailboxPolicyIdentity> -JunkEmailEnabled <$true | $false>
This example prevents all mailboxes that are assigned the Outlook on the web mailbox policy named Default from configuring their junk email settings in Outlook on the web.
Set-OwaMailboxPolicy Default -JunkEmailEnabled $false
For more information, see Set-OwaMailboxPolicy.
To use Outlook on the web virtual directories to allow or prevent users from configuring the junk email settings on their own mailbox in Outlook on the web, use the following syntax:
Set-OwaVirtualDirectory <OWAVirtualDirectoryIdentity> -JunkEmailEnabled <$true | $false>
This example prevents all users that connect to the Outlook on the web virtual directory named owa (Default Web Site) on the server named Mailbox01 from configuring their junk email settings.
Set-OwaVirtualDirectory "Mailbox01\owa (Default Web Site)" -JunkEmailEnabled $false
Note: To apply changes to the Outlook on the web virtual directories, you need to restart Internet Information Services (IIS) by running the commands Stop-Service WAS -Force
and Start-Service W3SVC
.
For more information, see Set-OwaVirtualDirectory.
How do you know this worked?
To verify that you have successfully configured the availability of junk email settings in Outlook on the web, use either of the following procedures:
For Outlook on the web mailbox policies, run the following command to verify the JunkEmailEnabled property value:
Get-OwaMailboxPolicy | Format-Table -Auto Name,JunkEmailEnabled
For Outlook on the web virtual directories, run the following command to verify the JunkEmailEnabled property value:
Get-OwaVirtualDirectory | Format-Table -Auto Name,JunkEmailEnabled
Use the Exchange Management Shell to configure the SCL thresholds on a mailbox
The SCL thresholds are a feature of the Content Filter agent that allows you to escalate the actions that are taken on messages based on their SCL value. For more information, see Exchange spam confidence level (SCL) thresholds.
When you configure an SCL threshold on a mailbox (the value is not blank), the setting on the mailbox overrides the corresponding SCL threshold setting on the Content Filter agent or on the Exchange organization. The SCL thresholds that are available on the mailbox are described in the following table:
SCL threshold** | SCL value comparison operator | Action | Available on the Content Filter agent? | Comments |
---|---|---|---|---|
Delete | Greater than or equal to | Silently deletes the message (no NDR). | Yes | If this threshold is enabled, the SCL value should be greater than all others. |
Reject | Greater than or equal to | Rejects the message with an NDR. | Yes | The SCL value should be less than the delete value, but greater than the quarantine or Junk Email folder values. By default, this threshold is enabled on the Content Filter agent, and has the default value 7. |
Quarantine | Greater than or equal to | Redirects the message to the spam quarantine mailbox. For more information about the configuring the spam quarantine mailbox, see Configure a spam quarantine mailbox. | Yes | If this threshold is enabled, the SCL value should be less than the delete or reject values, but greater than the Junk Email folder value. |
Junk Email folder | Greater than | Delivers the message to the Junk Email folder in the mailbox. This action is controlled by the junk email rule that's enabled by default in every mailbox. For more information, see the Use the Exchange Management Shell to enable or disable the junk email rule in a mailbox section in this topic. |
No You enable or disable the SCL threshold on the mailbox. You configure the SCL threshold value on the Exchange organization, or on the mailbox. |
The SCL value should be less than all others. By default, this threshold is enabled on the Exchange organization, and has the default value 4. Because the junk email rule is enabled by default in all mailboxes, messages that arrive in the mailbox with an SCL value of 5 or higher are moved to the Junk Email folder. |
To configure the SCL threshold settings on a mailbox, use the following syntax.
Set-Mailbox <MailboxIdentity> -SCLDeleteEnabled <$true | $false | $null> -SCLDeleteThreshold <0-9 | $null> -SCLRejectEnabled <$true | $false | $null> -SCLRejectThreshold <0-9 | $null> -SCLQuarantineEnabled <$true | $false | $null> -SCLQuarantineThreshold <0-9 | $null> -SCLJunkEnabled <$true | $false | $null> -SCLJunkThreshold <0-9 | $null>
This example disables the SCL Junk email threshold on mailbox of the user named Jeff Phillips.
Set-Mailbox "Jeff Phillips" -SCLJunkEnabled $false
This example disables the SCL Junk email threshold on all user mailboxes in the Organizational Unit named North America in the consoto.com domain.
Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Set-Mailbox -SCLJunkEnabled $false
This example disables the SCL Junk email threshold on all user mailboxes in the mailbox database named MDB 01.
Get-Mailbox -RecipientTypeDetails UserMailbox -Database "MDB 01" | Set-Mailbox -SCLJunkEnabled $false
This example disables the SCL Junk email threshold on all user mailboxes in the organization.
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All | foreach {Set-Mailbox $_.Name -SCLJunkEnabled $false}
Notes:
To remove the specific SCL thresholds on the mailbox so the SCL threshold is controlled by the Content Filter agent (delete, reject, or quarantine) or the Exchange organization (Junk Email folder), use the value
$null
.If you disable the SCL Junk Email folder threshold on the mailbox (SCLJunkEnabled is
$false
), but the junk email rule is still enabled in the mailbox, Exchange can still deliver messages to the Junk Email folder based on the Blocked Senders list of the mailbox. Furthermore, even if you disable the Junk E-mail Rule on the mailbox, Outlook (in Cached Exchange mode) can still move messages to the Junk Email folder based on its own determination of whether the message is spam or the Blocked Senders list.
How do you know this worked?
To verify that you have successfully configured the SCL thresholds on a mailbox, use any of the following procedures:
For a single mailbox, replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the property values:
Get-Mailbox <MailboxIdentity> | Format-List SCL*
For bulk operations, specify the filter that you used to configure the SCL thresholds, and replace the Set-Mailbox command with
Format-List Name,SCL*
. For example:Get-Mailbox -RecipientTypeDetails UserMailbox -OrganizationalUnit "contoso.com/North America" | Format-List Name.SCL*
Use the Exchange Management Shell to configure the SCL Junk Email folder threshold value for all mailboxes in your organization
The SCL Junk Email folder threshold that's configured on the Exchange organization causes the junk email rule to deliver messages to the Junk Email folder of a mailbox when all of the following conditions are true:
The message is assigned an SCL value by Exchange (typically, by the Content Filter agent).
The junk email rule in the mailbox is enabled. It's enabled by default, but it isn't fully functional until the mailbox has been opened in Outlook (in Cached Exchange mode) or Outlook on the web.
An SCL Junk Email folder threshold isn't configured on the mailbox (by default, it's not configured).
The SCL value of the message is greater than the SCL Junk Email folder threshold that's configured for the Exchange organization. The default value is 4, which means that messages with an SCL value of 5 or higher are moved to the Junk Email folder by the junk email rule.
To configure the SCL Junk Email folder threshold for all mailboxes in your organization, use the following syntax:
Set-OrganizationConfig -SCLJunkThreshold <0-9>
This example sets the organization's SCL Junk Email folder threshold value to 5, which means messages with an SCL value of 6 or higher are moved to the Junk Email folder by the junk email rule..
Set-OrganizationConfig -SCLJunkThreshold 5
Notes:
You can override the SCL Junk Email folder threshold value on a mailbox by configuring an SCL Junk Email folder threshold on the mailbox. For more information, see the Use the Exchange Management Shell to configure the SCL thresholds on a mailbox section in this topic.
If you disable the junk email rule in the mailbox, the value of the SCL Junk Email folder threshold for the Exchange organization (or on the mailbox) is meaningless, because the junk email rule is required for Exchange to deliver messages to the Junk Email folder. For more information, see the Use the Exchange Management Shell to enable or disable the junk email rule in a mailbox section in this topic.
How do you know this worked?
To verify that you have successfully configured the SCL Junk Email folder threshold value for all mailboxes in your organization, run the following command to verify the SCLJunkThreshold property value:
Get-OrganizationConfig | Format-List SCLJunkThreshold
Use the Exchange Management Shell to configure a mailbox to bypass Exchange antispam filtering
You can configure messages that are sent to specific mailboxes to bypass all Exchange antispam filters. You can use this setting when Exchange antispam filters are enabled in your organization, but you want to exempt messages that are sent to specific mailboxes from antispam filtering. You can configure this setting for mailboxes with a very low tolerance for false positives (for example, sales or support mailboxes where you can't risk blocking any legitimate messages).
To configure a mailbox to bypass antispam filtering, use the following syntax:
Set-Mailbox <MailboxIdentity> -AntispamBypassEnabled <$true | $false>
This example exempts messages that are sent to the mailbox named Customer Support from Exchange antispam filtering.
Set-Mailbox "Customer Support" -AntispamBypassEnabled $true
How do you know this worked?
To verify that you have successfully configured a mailbox to bypass antispam filtering, use the following procedures:
Replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the AntispamBypassEnabled property value:
Get-Mailbox <MailboxIdentity> | Format-List AntispamBypassEnabled
To find all mailboxes in your organization that are configured to bypass antispam filtering, run the following command:
Get-Mailbox -ResultSize Unlimited | where {$_.AntispamBypassEnabled -eq $true} | Format-Table Name,AntispamBypassEnabled
About junk email settings in Outlook
To enable, disable, and configure the client-side Junk Email Filter settings that are available in Outlook, use Group Policy. For more information, see Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 and How to deploy junk email settings, such as the Safe Senders list, by using Group Policy.
When the Outlook Junk Email Filter is set to No automatic filtering in Junk > Junk E-Mail Options > Options, Outlook doesn't attempt to classify messages as spam, but still uses the safelist collection (the Safe Senders list, Safe Recipients list, and Blocked Senders list) to move messages to the Junk Email folder.
When the Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder. This spam classification is separate from the SCL Junk Email threshold that's configured on the Exchange organization or on the mailbox. In fact, Outlook ignores the SCL value that's set on a message by Exchange (for all SCL values other than -1), and uses its own criteria to determine whether the message is spam (although the spam verdict from Exchange and Outlook might be the same).
Note
In November, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
So, the Outlook Junk Email Filter is able to use the mailbox's safelist collection and its own spam classification to move messages to the Junk Email folder, even if the junk email rule and/or the SCL Junk Email threshold are disabled in the mailbox. The difference is whether the junk email rule on the server or the Junk Email Filter in the Outlook client moves the message to the Junk Email folder.
Outlook and Outlook on the web both support the safelist collection. The safelist collection is saved in the Exchange mailbox, so changes to the safelist collection in Outlook appear in Outlook on the web, and vice-versa. The safelist aggregation feature of the Content Filter agent shares these lists with the built-in Exchange antispam agents. For more information, see Safelist aggregation.