Anti-spam protection FAQ (2023)

For inbound messages: The majority of spam is deleted via connection filtering, which is based on the IP address of the source email server. Anti-spam policies (also known as spam filter policies or content filter policies) inspect and classify messages as spam, bulk, or phishing. By default, messages that are classified as spam or bulk are delivered to the recipient's Junk Email folder, while messages classified as phishing are quarantined. You can modify the default anti-spam policy (applies to all recipients), or you can create custom anti-spam policies with stricter settings for specific groups of users (for example, you can quarantine spam that's sent to executives). For more information, see Configure anti-spam policies and Recommended anti-spam policy settings.

For outbound messages: The message is either routed through the high-risk delivery pool or is returned to the sender in a non-delivery report (also known as an NDR or bounce message). For more information about outbound spam protection, see Outbound spam controls.

A zero-day spam variant is a first generation, previously unknown variant of spam that's never been captured or analyzed, so our anti-spam filters don't yet have any information available for detecting it. After a zero-day spam sample is captured and analyzed by our spam analysts, if it meets the spam classification criteria, our anti-spam filters are updated to detect it, and it's no longer considered "zero-day."

After you sign up for the service and add your domain, spam filtering is automatically enabled. By default, spam filtering is tuned to protect you without needing any additional configuration (aside from the previously noted exception for standalone EOP standalone customers in hybrid environments). As an admin, you can edit the default spam filtering settings to best meet the needs of your organization. For greater granularity, you can also create anti-spam policies and outbound anti-spam policies that are applied to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies.

For more information, see the following topics:

Recommended settings for EOP and Microsoft Defender for Office 365 security

Configure connection filtering in EOP

Configure anti-spam policies in EOP

Configure the outbound spam policy

Yes. For more information about bulk email, see What's the difference between junk email and bulk email?

Spam and non-spam messages can be submitted to Microsoft for analysis in several ways. For more information, see Report messages and files to Microsoft.

Yes, for example you can get a spam detection report in the Microsoft 365 admin center. This report shows spam volume as a count of unique messages. For more information about reporting, see the following links:

Exchange Online customers: Monitoring, Reporting, and Message Tracing in Exchange Online

Standalone EOP customers: Reporting and message trace in Exchange Online Protection

If more than half of the mail that is sent from a user through the service within a certain time frame (for example, per hour), is determined to be spam by EOP, the user will be blocked from sending messages. In most cases, if an outbound message is determined to be spam, it is routed through the high-risk delivery pool, which reduces the probability of the normal outbound-IP pool being added to a block list.

You can send a notification to a specified email address when a sender is blocked sending outbound spam. For more information about this setting, see Configure the outbound spam policy.

Yes. Although we recommend that you point your MX record to Microsoft, we realize that there are legitimate business reasons to route your email to somewhere other than Microsoft first.

• Inbound: Change your MX records to point to the third-party provider, and then redirect the messages to EOP for additional processing. For more information, see Enhanced Filtering for connectors in Exchange Online.

• Outbound: Configure smart host routing from Microsoft 365 to the destination third-party provider.

Yes. For more information, see Protect your privacy on the internet

The guidelines presented below are best practices for sending outbound email messages.

• The source email domain should resolve in DNS.

  For example, if the sender is user@fabrikam, the domain fabrikam resolves to the IP address 192.0.43.10.

  If a sending domain has no A-record and no MX record in DNS, the service will route the message through its higher risk delivery pool regardless of whether or not the content of the message is spam. For more information about the higher risk delivery pool, see High-risk delivery pool for outbound messages.

• Outbound email server should have a reverse DNS (PTR) entry.

  For example, if the email source IP address is 192.0.43.10, the reverse DNS entry would be 43-10.any.icann.org.`

  (Video) Anti Spam Policies - Microsoft Defender for Office 365 | Configure Inbound & Outbound Spam policies.

• The HELO/EHLO and MAIL FROM commands should be consistent and be present in the form of a domain name rather than an IP address.

  The HELO/EHLO command should be configured to match the reverse DNS of the sending IP address so that the domain remains the same across the various parts of the message headers.

• Ensure that proper SPF records are set up in DNS.

  SPF records are a mechanism for validating that mail sent from a domain really is coming from that domain and is not spoofed. For more information about SPF records, see the following links:

  Set up SPF to help prevent spoofing

  Domains FAQ

• Signing email with DKIM, sign with relaxed canonicalization.

  If a sender wants to sign their messages using Domain Keys Identified Mail (DKIM) and they want to send outbound mail through the service, they should sign using the relaxed header canonicalization algorithm. Signing with strict header canonicalization may invalidate the signature when it passes through the service.

• Domain owners should have accurate information in the WHOIS database.

  This identifies the owners of the domain and how to contact them by entering the stable parent company, point of contact, and name servers.

• For bulk mailers, the From: name should reflect who is sending the message, while the subject line of the message should be a brief summary on what the message is about.

  The message body should have a clear indication of the offering, service, or product. For example, if a sender is sending out a bulk mailing for the Contoso company, the following is what the email From and Subject should resemble:

  From: marketing@contoso.com
  Subject: New updated catalog for the Christmas season!

  The following is an example of what not to do because it is not descriptive:

  From: user@hotmail.com
  Subject: Catalogs

• If sending a bulk mailing to many recipients and the message is in newsletter format, there should be a way of unsubscribing at the bottom of the message.

  The unsubscribe option should resemble the following:

  This message was sent to example@contoso.com by sender@fabrikam.com. Update Profile/Email Address | Instant removal with SafeUnsubscribe™ | Privacy Policy

  (Video) A Guide to Anti Spam Software

• If sending bulk email, list acquisition should be performed using double opt-in. If you are a bulk mailer, double opt-in is an industry best practice.

  Double opt-in is the practice of requiring a user to take two actions to sign up for marketing mail:

  1. Once when the user clicks on a previously unchecked check box where they opt-in to receive further offers or email messages from the marketer.

  2. A second time when the marketer sends a confirmation email to the user's provided email address asking them to click on a time-sensitive link that will complete their confirmation.

  Using double opt-in builds a good reputation for bulk email senders.

• Bulk senders should create transparent content for which they can be held accountable:

  1. Verbiage requesting that recipients add the sender to the address book should clearly state that such action is not a guarantee of delivery.

  2. When constructing redirects in the body of the message, use a consistent link style.

  3. Don't send large images or attachments, or messages that are solely composed of an image.

  4. When employing tracking pixels (web bugs or beacons), clearly state their presence in your public privacy or P3P settings.

• Format outbound bounce messages.

  When generating delivery status notification messages (also known as non-delivery reports, NDRs, or bounce messages), senders should follow the format of a bounce as specified in RFC 3464.

• Remove bounced email addresses for non-existent users.

  If you receive an NDR indicating that an email address is no longer in use, remove the non-existent email alias from your list. Email addresses change over time, and people sometimes discard them.

• Use Hotmail's Smart Network Data Services (SNDS) program.

  Hotmail uses a program called Smart Network Data Services that allows senders to check complaints submitted by end users. The SNDS is the primary portal for troubleshooting delivery problems to Hotmail.

If you use a third-party protection service or device to scan email before it's delivered to Microsoft 365, you can use a mail flow rule (also known as a transport rule) to bypass most spam filtering for incoming messages. For instructions, see Use mail flow rules to set the spam confidence level (SCL) in messages.

If you use a mail flow rule to bypass spam filtering, high confidence phishing messages are still filtered. Other features in EOP are not affected (for example, messages are always scanned for malware).

If you use a third-party protection service or device to scan email before it's delivered to Microsoft 365, you should also enable Enhanced Filtering for Connectors (also known as skip listing) so detection, reporting, and investigation features in Microsoft 365 are able to correctly identify messages sources. For more information, see Enhanced Filtering for Connectors.

If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. For more information, see Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.