Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online
In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, anti-spam policies (also known as spam filter policies or content filter policies) scan inbound messages for spam. For more information, see Configure anti-spam policies in EOP.
You can use mail flow rules (also known as transport rules) to affect spam filtering by setting the spam confidence level (SCL) on messages. For example:
- Identify messages that should be marked as spam or high confidence spam before they're even scanned by spam filtering.
- Identify messages that should skip spam filtering.
For more information about the SCL, see Spam confidence level (SCL) in EOP.
What do you need to know before you begin?
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Exchange Online permissions: You need the Transport Rules role, which is assigned to the Compliance Management, Records Management, and Organization Management role groups by default.
Microsoft Entra permissions: Membership in the Exchange Administrator or Global Administrator* roles.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
For more information about mail flow rules in Exchange Online and standalone EOP, see the following articles:
Use the EAC to create a mail flow rule that sets the SCL of a message
In the EAC at https://admin.exchange.microsoft.com, go to Mail flow > Rules. Or, to go directly to the Rules page, use https://admin.exchange.microsoft.com/#/transportrules.
On the Rules page, select Add a rule > Create a new rule to start the new rule wizard.
On the Set rule conditions page, configure the following settings:
- Name: Enter a unique, descriptive name for the rule.
- Apply this rule if: Select one or more conditions to identify messages. For more information, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
- Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL flyout that opens, select one of the following values:
Bypass spam filtering: Messages that meet the conditions of the rule skip spam filtering. Other Microsoft 365 email protection features aren't affected (for example, messages are always scanned for malware by EOP).
Remember, creating transport rule to bypass spam filtering doesn't allow the delivery of high confidence phishing messages (HPHISH) and messages that are found to contain malware. You can use the Tenant Allow Block List (TABL) to temporarily override a HPHISH verdict (false positive) when we identified an email as high confidence phishing. To do so, you must do an admin submission. If the MX record for the recipient domain doesn't point to Microsoft 365 (mail is routed through a third-party service or device first), a rule with Bypass spam filtering allows messages detected as high confidence phishing by Microsoft 365 anti-spam filtering to be delivered to the Inbox.
Important
Don't use mail flow rules to bypass spam filtering for SecOps mailboxes or phishing simulation messages. Instead, use the advanced delivery policy. For more information, see Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.
Be very careful about allowing messages to skip spam filtering. The mail flow rule should use more conditions than just the sender's email address or domain. For more information, see Create safe sender lists in EOP.
0 to 4: The message is sent through spam filtering for more processing.
5 or 6: The message is marked as Spam. The action that's configured for the Spam verdict in the anti-spam policy that detected the message determines what happens to the message (move to the Junk Email folder or quarantine).
7 to 9: The message is marked as High confidence spam. The action that's configured for the High confidence spam verdict in the anti-spam policy that detected the message determines what happens to the message (move to the Junk Email folder or quarantine).
- Except if: Configure any exceptions to the rule as required.
When you're finished on the Select rule conditions page, select Next.
0 to 4: The message is sent through spam filtering for more processing.
5 or 6: The message is marked as Spam. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).
7 to 9: The message is marked as High confidence spam. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).
When you're finished on the Set rule conditions page, select Next.
On the Set rule settings page, review or configure the settings, and then select Next.
On the Review and finish page, review the settings, and then select Finish.
How do you know this procedure worked?
To verify that you've correctly set the SCL in messages, send an email message to someone inside your organization, and verify that the action performed on the message is as expected. For example, if set the spam confidence level (SCL) is set to Bypass spam filtering, then the message should be sent to the specified recipient's Inbox. However, if set the spam confidence level (SCL) is set to 9, and the High confidence spam action for your applicable anti-spam policies is to move the message to the Junk Email folder, then the message should be sent to the specified recipient's Junk Email folder.