{"id":8118,"date":"2023-11-24T01:04:54","date_gmt":"2023-11-24T01:04:54","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/understanding-anti-spam-policies-in-microsoft-365-office-365\/"},"modified":"2025-05-31T13:44:35","modified_gmt":"2025-05-31T13:44:35","slug":"understanding-anti-spam-policies-in-microsoft-365-office-365","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/understanding-anti-spam-policies-in-microsoft-365-office-365\/","title":{"rendered":"Understanding Anti-Spam Policies in Microsoft 365 (Office 365)"},"content":{"rendered":"\n<div>It is astonishing that over 200 billion spam emails are sent out every single day. One way to tackle this problem in Microsoft 365, formerly Office 365, is to use anti-spam policies.<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<p>To follow the steps in this post, you must have the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft 365 tenant<\/li>\n\n\n\n<li>Either the Organization Management role in Exchange Online or the Security Administrator role in Microsoft 365<\/li>\n<\/ul>\n\n\n\n<p>Every tenant in Microsoft 365 has three anti-spam policies by default. They are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inbound<\/li>\n\n\n\n<li>Outbound<\/li>\n\n\n\n<li>Connection filter<\/li>\n<\/ul>\n\n\n\n<p>These policies can be edited but not deleted. You can also create custom inbound or outbound policies. In the following section, we will understand the workings of each of these policies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Inbound anti-spam policy<\/h2>\n\n\n\n<p>Emails sent to your users in Microsoft 365 are handled by the <em>inbound anti-spam<\/em> policy. This policy is present by default and cannot be disabled or deleted; however, you can edit it. All the users in your tenant are under the scope of this policy. If you wish to apply a different setting to specific users, you can create a new <em>inbound anti-spam <\/em>policy. 
In this section, we create a new <em>inbound anti-spam<\/em> policy.<\/p>\n\n\n\n<p>You can access the Policies page through this <a href=\"https:\/\/security.microsoft.com\/antispam\" target=\"_blank\" rel=\"nofollow noopener\">link<\/a>.<\/p>\n\n\n\n<p>Click <em>Create policy<\/em> and then select <em>Inbound<\/em>.<\/p>\n\n\n\n<p>On the following page, give this policy a name and add a description, if needed. Then click <em>Next<\/em>.<\/p>\n\n\n\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/image2-1.png\" target=\"_blank\" rel=\"nofollow noopener\">Provide a name and a description that make it easy to understand the purpose of the policy<\/a><\/div>\n\n\n\n<p>You also need to decide the scope of this rule on the next page, as shown in the screenshot below. These policies can be applied to individual users, distribution and security groups, and domains. The recommended approach is to create a distribution group, add the required users to it, and select that group on this page.
Here, we chose two users for the purpose of the demonstration.<\/p>\n\n\n\n<p>Exceptions can be handled by checking the box for <em>Exclude these users, groups and domains<\/em>.<\/p>\n\n\n\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/You-can-specify-the-users-groups-or-domains-to-whom-this-rule-would-apply.png.png\" target=\"_blank\" rel=\"nofollow noopener\">You can specify the users, groups, or domains to whom this rule would apply<\/a><\/div>\n\n\n\n<p>On the next page, we will take a look at all the settings.<\/p>\n\n\n\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/Anti-spam-settings-configuration-page.png\" target=\"_blank\" rel=\"nofollow noopener\">Anti-spam settings configuration page<\/a><\/div>\n\n\n\n<p>Here, we decide the level of control we want to exert on the users through this policy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Bulk email threshold<\/h3>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><a href=\"http:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/bulk-complaint-level.png\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"597\" src=\"http:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/bulk-complaint-level.png\" alt=\"bulk complaint level\" class=\"wp-image-10876\" srcset=\"https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/bulk-complaint-level.png 602w, https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/bulk-complaint-level-300x298.png 300w, https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/bulk-complaint-level-150x150.png 150w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/figure>\n\n\n\n<p>Every email that reaches Exchange Online is assigned a <em>bulk complaint level (BCL)<\/em>.
This number represents the likelihood of an email being distributed in mass quantities. A BCL of zero signifies the email is not from a mass distributor, while values like 8 or 9 suggest that it comes from a mass distributor about which multiple complaints have been lodged. Visit this <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/anti-spam-bulk-complaint-level-bcl-about?view=o365-worldwide\" target=\"_blank\" rel=\"nofollow noopener\">link<\/a> to understand BCL in further detail.<\/p>\n\n\n\n<p>The standard BCL value in an <em>anti-spam<\/em> policy is set at 7, but this can be adjusted. It&#8217;s wise to keep this value at 7 to avoid numerous false positives.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Spam properties<\/h3>\n\n\n\n<p>In this section, we provide the settings that lead to an increase in the value of the <em>spam score<\/em>, also known as the <em>spam confidence level (SCL)<\/em>.<\/p>\n\n\n\n<p>Configuring the spam properties<\/p>\n\n\n\n<p>These settings are disabled by default. If you feel that your users are being targeted by these types of attacks, you can enable these conditions. Emails that match these conditions are marked with an <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/anti-spam-spam-confidence-level-scl-about?view=o365-worldwide\" target=\"_blank\" rel=\"nofollow noopener\">SCL value<\/a> of 5 or 6.<\/p>\n\n\n\n<p>Meaning of each anti-spam setting and its associated headers<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Mark as spam<\/h3>\n\n\n\n<p>In this section, you can enable certain types of conditions to mark emails as spam. This will result in those emails being identified as <em>high confidence spam<\/em> with an SCL value of 9.
The only exceptions are <em>backscatter <\/em>and <em>sender ID filtering hard fail.<\/em> All these are aggressive settings, and you should enable them only if you are certain that such emails need to be blocked.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Test mode<\/h3>\n\n\n\n<p>Emails matching any of the conditions set by you in this rule can be handled in different ways. One of these is <em>test mode<\/em>.<\/p>\n\n\n\n<p>If you want to enable the rule immediately, choose <em>None<\/em>. However, if the intention is to test the rule, you can choose to add the default header value to the <a href=\"https:\/\/support.microsoft.com\/en-au\/office\/view-internet-message-headers-in-outlook-cd039382-dc6e-4264-ac74-c048563d212c\" target=\"_blank\" rel=\"nofollow noopener\">message headers<\/a> of these emails. The value <em>X-CustomSpam: This message was filtered by the custom spam filter option <\/em>is added to the email&#8217;s header. Since this is testing mode, the policy won&#8217;t take any actions on the email, but only stamp the email&#8217;s header with this value.<\/p>\n\n\n\n<p>The <em>BCC Message <\/em>option results in emails being sent to the recipient mentioned in the BCC field. This is again going to result in no action on the email and is only for testing the potential effect of your new rule.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Actions<\/h3>\n\n\n\n<p>You decide on the action that Microsoft 365 will take on emails matching the conditions you set in the previous sections. Emails can be marked as spam, high-confidence spam, phishing, high-confidence phishing, or as bulk senders. For each of these conclusions, we can select different actions, such as moving such emails to the user&#8217;s junk folder, moving them to the quarantine section, deleting or redirecting them, adding a header value, and even adding a statement to the subject of the email. 
These options are explained <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/anti-spam-protection-about?view=o365-worldwide\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>.<\/p>\n\n\n\n<p>The last section on this page has two more settings.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Safety tips<\/h3>\n\n\n\n<p>It is recommended that this be enabled, as users are then warned about emails being spam in Outlook. This reduces the chances of a user interacting with such emails.<\/p>\n\n\n\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/Safety-tips-for-Outlook-clients.png\" target=\"_blank\" rel=\"nofollow noopener\">Safety tips for Outlook clients<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Zero-hour auto purge (ZAP)<\/h3>\n\n\n\n<p>Zero-hour auto purge (ZAP) is a feature in Exchange Online that acts on emails that have already been delivered to the users&#8217; mailboxes. If the emails are detected as spam or phishing, then they are handled, depending on the actions chosen for spam or phishing emails. ZAP can be enabled or disabled for either phishing or spam emails, or for both.<\/p>\n\n\n\n<p>Click <em>Next.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Allow and block list<\/h3>\n\n\n\n<p>On the next page, you have the option to add users or domains to the <em>allowed<\/em> list if you desire them to bypass your tenant&#8217;s security checks.
Alternatively, you may add them to the <em>blocked<\/em> list if you wish to prevent those emails from being delivered.<\/p>\n\n\n\n<div><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/You-can-add-users-or-domains-here-to-be-either-allowed-or-blocked.png\" target=\"_blank\" rel=\"nofollow noopener\">You can add users or domains here to be either allowed or blocked<\/a><\/div>\n\n\n\n<p>Click <em>Next.<\/em><\/p>\n\n\n\n<p>On the final page, review all the settings, and click <em>Create <\/em>if you are satisfied with them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Outbound anti-spam policy<\/h2>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><a href=\"http:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/Outbound-anti-spam-policy.png\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"605\" src=\"http:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/Outbound-anti-spam-policy.png\" alt=\"Outbound anti-spam policy\" class=\"wp-image-10877\" srcset=\"https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/Outbound-anti-spam-policy.png 602w, https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/Outbound-anti-spam-policy-300x300.png 300w, https:\/\/cheapwindowsvps.com\/blog\/wp-content\/uploads\/2023\/11\/Outbound-anti-spam-policy-150x150.png 150w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/figure>\n\n\n\n<p>Emails sent from your tenant to the internet also require spam checking. If a mailbox from your tenant is misused to send malicious emails, your domain could get blacklisted or emails might get blocked by other organizations. This issue can be addressed by outbound anti-spam policies, which are invaluable in cases where spam or malicious emails are sent by internal users.
This section will guide you through the settings required to create a new outbound anti-spam policy.<\/p>\n\n\n\n<p>To reach the anti-spam policy page, follow this <a href=\"https:\/\/security.microsoft.com\/antispam\" target=\"_blank\" rel=\"nofollow noopener\">link<\/a>. Click on the &#8216;Create policy&#8217; button, then choose &#8216;Outbound&#8217;.<\/p>\n\n\n\n<p>Once you navigate to the next page, assign a name and description to this policy.<\/p>\n\n\n\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/Provide-a-name-and-a-description-for-the-new-policy-to-make-it-easy-to-understand-the-policys-purpose-.png\" target=\"_blank\" rel=\"nofollow noopener\">Provide a name and a description for the new policy to make it easy to understand the policy&#8217;s purpose<\/a><\/p>\n\n\n\n<p>On the following page, choose the users for whom this rule will take effect. This is explained in the previous section.<\/p>\n\n\n\n<p>The next page is to configure the protection settings. The first section sets message limits.<\/p>\n\n\n\n<p><a href=\"https:\/\/4sysops.com\/wp-content\/uploads\/2023\/11\/Here-we-decide-the-limits-of-sending-emails-to-external-and-internal-recipients.png\" target=\"_blank\" rel=\"nofollow noopener\">Here we decide the limits of sending emails to external and internal recipients<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">External message limit<\/h3>\n\n\n\n<p>This governs the highest number of external recipients to whom users can send emails in an hour. For applications with the need to send bulk emails to external recipients, without changing the standard rule, a fresh <em>anti-spam<\/em> policy can be configured. It is crucial to input the maximum number of external recipients in this section for that particular application mailbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Internal message limit<\/h3>\n\n\n\n<p>The maximum number of internal recipients that users can email is determined by this field. 
This, too, serves to limit the potential harm a compromised mailbox could inflict.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Daily message limit<\/h3>\n\n\n\n<p>Mailboxes can also be limited to emailing a specific number of recipients per day. This limit counts both internal and external recipients.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Restrictions placed on users who reach the message limit<\/h3>\n\n\n\n<p>You can choose the action you wish to take if a user exceeds the limits. Mailboxes can be stopped from sending emails for a day or even indefinitely. The third option is not to take any action; however, an <a href=\"https:\/\/admin.exchange.microsoft.com\/\" target=\"_blank\" rel=\"nofollow noopener\">alert<\/a> can be generated. This was used to test the policy. If a user does breach the limits, the mailbox will be blocked. You can review this <a href=\"https:\/\/security.microsoft.com\/restrictedusers\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automatic forwarding rules<\/h3>\n\n\n\n<p>The automatic forwarding of emails to external recipients can pose risks. You can manage this through this rule.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>On<\/b>\u2014Automatic forwarding is permitted. However, enabling this isn&#8217;t advisable as it could result in mass emails being sent from your domain.<\/li>\n\n\n\n<li><b>Off<\/b>\u2014This rule disables the automatic forwarding of emails to external recipients. This is the preferred practice.
It prevents compromised mailboxes from being utilised to send spam or harmful emails from your domain.<\/li>\n\n\n\n<li><b>Automatic system controlled<\/b>\u2014Automatic external forwarding is <i>off<\/i>. Microsoft adopts this setting to implement blocks on external email forwarding across all domains in Microsoft 365.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Notifications<\/h3>\n\n\n\n<p><b>Send a copy of suspicious outbound email that exceed these limits to these users and groups<\/b>\u2014You can select specific users or groups to be included in the <i>BCC<\/i> field of suspicious outbound emails. Note that this only applies to the default <i>anti-spam<\/i> policy and not to custom policies like this one.<\/p>\n\n\n\n<p><strong>Notify these users and groups if a sender is blocked due to sending outbound spam<\/strong>\u2014Notifies email admins about user accounts restricted from sending emails. This enables administrators to respond promptly to potential account breaches. The alert policy <em>User restricted from sending email<\/em> informs the global admins about a user account being blocked. It is recommended that alert policies be used.<\/p>\n\n\n\n<p>On the last page, review all the settings and then click <em>Create<\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is astonishing that over 200 billion spam emails are sent out every single day. One way to tackle this problem in Microsoft 365, formerly Office 365, is to use anti-spam policies.
Prerequisites To follow the steps in this post, you must have the following: Every tenant in Microsoft 365 has three anti-spam policies by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8119,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92,126,125,124],"tags":[],"class_list":["post-8118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","category-cloud-computing","category-email","category-office-365"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=8118"}],"version-history":[{"count":3,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8118\/revisions"}],"predecessor-version":[{"id":10880,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/8118\/revisions\/10880"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/8119"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=8118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=8118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=8118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}