Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 Plan 1 and Plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with mailboxes in Exchange Online, the organization's anti-spam settings are controlled by Exchange Online Protection (EOP). For more information, see Anti-spam protection in EOP.
But there are also specific anti-spam settings that administrators can configure on individual mailboxes in Exchange Online:
- Move messages to the Junk Email folder based on anti-spam policies: When an anti-spam policy is configured with the action Move message to Junk Email folder for a spam filtering verdict, the message is moved to the Junk Email folder after it is delivered to the mailbox. For more information about spam filtering verdicts in anti-spam policies, see Configure anti-spam policies in EOP. Similarly, if zero-hour auto purge (ZAP) determines that a delivered message is spam or phishing, the message is moved to the Junk Email folder for Move message to Junk Email folder spam filtering verdict actions. For more information about ZAP, see Zero-hour auto purge (ZAP) in Exchange Online.
- Junk email settings that users configure themselves in Outlook or Outlook on the web: The safelist collection is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether a message is moved to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailbox in Outlook or Outlook on the web (formerly known as Outlook Web App). Administrators can configure the safelist collection on any user's mailbox.
EOP can move messages to the Junk Email folder based on the spam filtering verdict action Move message to Junk Email folder or on the Blocked Senders list in the mailbox, and can prevent messages from being delivered to the Junk Email folder (based on the mailbox's Safe Senders list).
Administrators can use Exchange Online PowerShell to configure the entries in the safelist collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list).
What do you need to know before you start?
- You can only use Exchange Online PowerShell to perform the procedures in this article. To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
- You must have permissions assigned in Exchange Online before you can perform the procedures in this article. Specifically, you need the Mail Recipients role (which is assigned to the Organization Management, Recipient Management, and Custom Mail Recipients role groups by default) or the User Options role (which is assigned to the Organization Management and Help Desk role groups by default). To add users to role groups in Exchange Online, see Modify role groups in Exchange Online. Note that users with default permissions can perform these same procedures on their own mailbox, as long as they have access to Exchange Online PowerShell.
- In hybrid environments where EOP protects on-premises Exchange mailboxes, you must configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so that the junk email rule in the mailbox can move the message to the Junk Email folder. For more information, see Configure EOP to deliver spam to the Junk Email folder in hybrid environments.
- Safe senders for shared mailboxes are not synchronized to Azure AD and EOP by design.
Use Exchange Online PowerShell to configure the safelist collection on a mailbox
The safelist collection on a mailbox includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list. By default, users can configure the safelist collection on their own mailbox in Outlook or Outlook on the web. Administrators can use the corresponding parameters of the Set-MailboxJunkEmailConfiguration cmdlet to configure the safelist collection on a user's mailbox. These parameters are described in the following table.
Notes:
- In Exchange Online, domain entries in the Safe Senders list or the TrustedSendersAndDomains parameter are not recognized, so use only email addresses. In standalone EOP with directory synchronization, domain entries are not synchronized by default, but you can enable synchronization for domains. For more information, see KB3019657.
- You cannot directly modify the Safe Recipients list by using the Set-MailboxJunkEmailConfiguration cmdlet (the TrustedRecipientsAndDomains parameter does not work). You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list.
To configure the safelist collection on a mailbox, use the following syntax:
To enter multiple values and overwrite any existing entries for the BlockedSendersAndDomains and TrustedSendersAndDomains parameters, use the following syntax: "<Value1>","<Value2>".... To add or remove one or more values without affecting other existing entries, use the following syntax: @{Add="<Value1>","<Value2>"... ; Remove="<Value3>","<Value4>"...}
This example configures the following settings for the safelist collection on Ori Epstein's mailbox:
- Add the value [email protected] to the Blocked Senders list.
- Remove the value [email protected] from the Safe Senders list and the Safe Recipients list.
- Configure contacts in the Contacts folder to be treated as trusted senders.
This example removes the domain contoso.com from the Blocked Senders list on all user mailboxes in the organization.
For detailed syntax and parameter information, see Set-MailboxJunkEmailConfiguration.
How do you know this worked?
To verify that you have successfully configured the safelist collection on a mailbox, use any of the following procedures:
- Replace <MailboxIdentity> with the name, alias, or email address of the mailbox, and run the following command to verify the property values:
If the list of values is too long, use this syntax:
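The configuration and verification steps described above, written out as an added example (not code from the original page). It assumes a connected Exchange Online PowerShell session; the two addresses are constructed placeholders, because the addresses in the article's example are elided.

```powershell
# Constructed placeholder values (the article's own addresses are elided).
$mailbox      = 'Ori Epstein'
$blockSender  = 'blocked.sender@example.com'
$removeSender = 'former.safe.sender@example.com'

# Add one blocked sender, remove one safe sender, and trust the Contacts folder.
# @{Add=...} and @{Remove=...} change only the named entries; passing a plain
# list of values would overwrite the whole list.
Set-MailboxJunkEmailConfiguration -Identity $mailbox `
    -BlockedSendersAndDomains @{Add = $blockSender} `
    -TrustedSendersAndDomains @{Remove = $removeSender} `
    -ContactsTrusted $true

# Remove contoso.com from the Blocked Senders list on every user mailbox.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
    Set-MailboxJunkEmailConfiguration -Identity $_.UserPrincipalName `
        -BlockedSendersAndDomains @{Remove = 'contoso.com'}
}

# Verify: read the configuration back and check each intended change.
$after = Get-MailboxJunkEmailConfiguration -Identity $mailbox
[pscustomobject]@{
    BlockedSenderAdded = $after.BlockedSendersAndDomains -contains $blockSender
    SafeSenderRemoved  = $after.TrustedSendersAndDomains -notcontains $removeSender
    ContactsTrusted    = $after.ContactsTrusted
    ContosoStillListed = $after.BlockedSendersAndDomains -contains 'contoso.com'
}

# Full property view, then a single list when the values are too long to read.
$after | Format-List Trusted*, Contacts*, Blocked*
$after.BlockedSendersAndDomains
```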
About junk email settings in Outlook
To enable, disable, and configure the client-side junk email filter settings that are available in Outlook, use Group Policy. For more information, see Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 and How to deploy junk email settings, such as the Safe Senders list, by using Group Policy.
When the Outlook Junk Email Filter is set to the default value No automatic filtering in Home > Junk > Junk E-Mail Options > Options, Outlook does not attempt to classify messages as spam, but it still uses the safelist collection (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list) to move messages to the Junk Email folder after delivery. For more information about these settings, see Overview of the Junk Email Filter.
When the Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify spam and move it to the Junk Email folder. This spam classification is independent of the spam confidence level (SCL) determined by EOP. In fact, Outlook ignores the SCL from EOP (unless EOP marked the message to bypass spam filtering) and uses its own criteria to determine whether the message is spam. Of course, it is possible that the spam verdict from EOP and Outlook is the same. For more information about these settings, see Change the level of protection in the Junk Email Filter.
So, the Outlook Junk Email Filter can use the mailbox's safelist collection and its own spam classification to move messages to the Junk Email folder.
Both Outlook and Outlook on the web support the safelist collection. The safelist collection is saved in the Exchange Online mailbox, so changes to the safelist collection in Outlook appear in Outlook on the web, and vice versa.
Limits for junk email settings
The safelist collection (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list) that is stored in the user's mailbox is also synchronized to EOP. With directory synchronization, the safelist collection is synchronized to Azure AD.
- The safelist collection in the user's mailbox is limited to 510 KB, which includes all lists, plus additional junk email filter settings. If a user exceeds this limit, they receive an Outlook error similar to this:
Cannot/Unable to add to the server's Junk Email lists. You are over the size allowed on the server. The Junk Email filter on the server will be disabled until your Junk Email lists have been reduced to the size allowed by the server.
For more information about this limit and how to change it, see KB2669081.
The synchronized safelist collection in EOP has the following sync limits:
- 1024 total entries in the Safe Senders list, the Safe Recipients list, and external contacts if Trust email from my contacts is enabled.
- 500 total entries in the Blocked Senders list and the Blocked Domains list.
When the limit of 1024 entries is reached, the following happens:
- The list stops accepting entries in PowerShell and Outlook on the web, but no error is displayed.
- Outlook users can continue to add more than 1024 entries until they reach the Outlook limit of 510 KB. Outlook can use these additional entries, as long as an EOP filter does not block the message before delivery to the mailbox (mail flow rules, anti-phishing, and so on).
With directory synchronization, entries are synchronized to Azure AD in the following order:
- Mail contacts, if Trust email from my contacts is enabled.
- The Safe Senders list and the Safe Recipients list are combined, de-duplicated, and sorted alphabetically whenever a change is made to the first 1024 entries.
The first 1024 entries are used, and the relevant information is stamped in the message headers.
Entries beyond 1024 that were not synchronized to Azure AD are processed by Outlook (not Outlook on the web), and no information is stamped in the message headers.
As you can see, enabling the Trust email from my contacts setting reduces the number of safe senders and safe recipients that can be synchronized. If this is a concern, we recommend that you use Group Policy to turn off this feature:
- File name: outlk16.opax
- Policy setting: Trust email from contacts
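An audit of the limits described in this section, as an added example (not code from the original page): it flags mailboxes whose safelist collection exceeds the 1024-entry or 500-entry sync limits, has trusted contacts enabled, or holds domain entries in the safe list. The function name Test-SafelistLimit and the sample object are hypothetical; the input is any object shaped like Get-MailboxJunkEmailConfiguration output.

```powershell
function Test-SafelistLimit {
    [CmdletBinding()]
    param(
        # Object shaped like Get-MailboxJunkEmailConfiguration output.
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Config,
        [int]$SafeLimit = 1024,     # safe senders + safe recipients (+ contacts)
        [int]$BlockedLimit = 500    # blocked senders + blocked domains
    )
    process {
        # Safe senders and safe recipients are combined and de-duplicated before sync.
        $safe = @(@($Config.TrustedSendersAndDomains) + @($Config.TrustedRecipientsAndDomains) |
            Where-Object { $_ } | ForEach-Object { "$_".ToLowerInvariant() } | Sort-Object -Unique)
        $blocked = @($Config.BlockedSendersAndDomains | Where-Object { $_ })
        # Entries without "@" are domains, which Exchange Online does not recognize here.
        $domains = @($safe | Where-Object { $_ -notmatch '@' })

        $findings = @()
        if ($safe.Count -gt $SafeLimit) {
            $findings += "$($safe.Count - $SafeLimit) safe entries are past the $SafeLimit that sync"
        }
        if ($Config.ContactsTrusted) {
            $findings += 'trusted contacts sync first and use part of the safe limit'
        }
        if ($blocked.Count -gt $BlockedLimit) {
            $findings += "blocked list exceeds $BlockedLimit synced entries"
        }
        if ($domains.Count) { $findings += "$($domains.Count) domain entries in the safe list" }

        [pscustomobject]@{
            Identity       = $Config.Identity
            SafeEntries    = $safe.Count
            BlockedEntries = $blocked.Count
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample standing in for live output. With a connected session, use:
# Get-Mailbox -ResultSize Unlimited |
#   ForEach-Object { Get-MailboxJunkEmailConfiguration -Identity $_.UserPrincipalName }
$sample = [pscustomobject]@{
    Identity                    = 'user1 (constructed)'
    TrustedSendersAndDomains    = @('example.org') + (1..1030 | ForEach-Object { "sender$_@example.net" })
    TrustedRecipientsAndDomains = @('sender1@example.net')
    BlockedSendersAndDomains    = @('bulk@example.com')
    ContactsTrusted             = $true
}
$sample | Test-SafelistLimit | Format-List
```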