Create blocked sender lists in EOP

Important

Welcome to Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP offers multiple ways of blocking email from unwanted senders. These options include Outlook Blocked Senders, blocked sender lists or blocked domain lists in anti-spam policies, Exchange mail flow rules (also known as transport rules), and the IP Block List (connection filtering). Collectively, you can think of these options as blocked sender lists.

The best method to block senders varies on the scope of impact. For a single user, the right solution could be Outlook Blocked Senders. For many users, one of the other options would be more appropriate. The following options are ranked by both impact scope and breadth. The list goes from narrow to broad, but read the specifics for full recommendations.

  1. Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox)

  2. Blocked sender lists or blocked domain lists (anti-spam policies)

  3. Mail flow rules

  4. The IP Block List (connection filtering)

Note

While you can use organization-wide block settings to address false negatives (missed spam), you should also submit those messages to Microsoft for analysis. Managing false negatives by using block lists significantly increases your administrative overhead. If you use block lists to deflect missed spam, you need to keep the topic Report messages and files to Microsoft at the ready.

In contrast, you also have several options to always allow email from specific sources using safe sender lists. For more information, see Create safe sender lists.

Email message basics

A standard SMTP email message consists of a message envelope and message content. The message envelope contains information that's required for transmitting and delivering the message between SMTP servers. The message content contains message header fields (collectively called the message header) and the message body. The message envelope is described in RFC 5321, and the message header is described in RFC 5322. Recipients never see the actual message envelope because it's generated by the message transmission process, and it isn't actually part of the message.

  • The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) is the email address that's used in the SMTP transmission of the message. This email address is typically recorded in the Return-Path header field in the message header (although it's possible for the sender to designate a different Return-Path email address). If the message can't be delivered, it's the recipient for the non-delivery report (also known as an NDR or bounce message).

  • The 5322.From (also known as the From address or P2 sender) is the email address in the From header field, and is the sender's email address that's displayed in email clients.

Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person communication). However, when email is sent on behalf of someone else, the addresses can be different.

Blocked sender lists and blocked domain lists in anti-spam policies in EOP inspect both the 5321.MailFrom and 5322.From addresses. Outlook Blocked Senders only uses the 5322.From address.

Use Outlook Blocked Senders

When only a small number of users received unwanted email, users or admins can add the sender email addresses to the Blocked Senders list in the mailbox. For instructions, see Configure junk email settings on Exchange Online mailboxes.

When messages are successfully blocked due to a user's Blocked Senders list, the X-Forefront-Antispam-Report header field will contain the value SFV:BLK.

Note

If the unwanted messages are newsletters from a reputable and recognizable source, unsubscribing from the email is another option to stop the user from receiving the messages.

Use blocked sender lists or blocked domain lists

When multiple users are affected, the scope is wider, so the next best option is blocked sender lists or blocked domain lists in anti-spam policies. Messages from senders on the lists are marked as Spam, and the action that you've configured for the Spam filter verdict is taken on the message. For more information, see Configure anti-spam policies.

The maximum limit for these lists is approximately 1000 entries.

Use mail flow rules

If you need to block messages that are sent to specific users or across the entire organization, you can use mail flow rules. Mail flow rules are more flexible than block sender lists or blocked sender domain lists because they can also look for keywords or other properties in the unwanted messages.

Regardless of the conditions or exceptions that you use to identify the messages, you configure the action to set the spam confidence level (SCL) of the message to 9, which marks the message a High confidence spam. For more information, see Use mail flow rules to set the SCL in messages.

Important

It's easy to create rules that are overly aggressive, so it's important that you identify only the messages you want to block using using very specific criteria. Also, be sure to enable auditing on the rule and test the results of the rule to ensure everything works as expected.

Use the IP Block List

When it's not possible to use one of the other options to block a sender, only then should you use the IP Block List in the connection filter policy. For more information, see Configure the connection filter policy. It's important to keep the number of blocked IPs to a minimum, so blocking entire IP address ranges is not recommended.

You should especially avoid adding IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures, and also ensure that you review the list of blocked IP addresses as part of regular maintenance.