Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments

Important

This topic is only for standalone EOP customers in hybrid environments. This topic does not apply to Microsoft 365 customers with Exchange Online mailboxes.

If you're a standalone Exchange Online Protection (EOP) customer in a hybrid environment, you need to configure your on-premises Exchange organization to recognize and translate the spam filtering verdicts of EOP, so the junk email rule in the on-premises mailbox can move messages to the Junk Email folder.

Specifically, you need to create mail flow rules (also known as transport rules) in your on-premises Exchange organization with conditions that find messages with any of the following EOP anti-spam headers and values, and actions that set the spam confidence level (SCL) of those messages to 6:

  • X-Forefront-Antispam-Report: SFV:SPM (message marked as spam by spam filtering)

  • X-Forefront-Antispam-Report: SFV:SKS (message marked as spam by mail flow rules in EOP before spam filtering)

  • X-Forefront-Antispam-Report: SFV:SKB (message marked as spam by spam filtering due to the sender's email address or email domain being in the blocked sender list or the blocked domain list in EOP)

For more information about these header values, see Anti-spam message headers.

This topic describes how to create these mail flow rules the Exchange admin center (EAC) and in the Exchange Management Shell (Exchange PowerShell) in the on-premises Exchange organization.

Tip

Instead of delivering the messages to the on-premises user's Junk Email folder, you can configure anti-spam policies in EOP to quarantine spam messages in EOP. For more information, see Configure anti-spam policies in EOP.

What do you need to know before you begin?

Use the EAC to create mail flow rules that set the SCL of EOP spam messages

  1. In the EAC, go to Mail flow > Rules.

  2. Click Add Add icon and select Create a new rule in the drop-down that appears.

  3. In the New rule page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule. For example:

      • EOP SFV:SPM to SCL 6

      • EOP SFV:SKS to SCL 6

      • EOP SFV:SKB to SCL 6

    • Click More Options.

    • Apply this rule if: Select A message header > includes any of these words.

      In the Enter text header includes Enter words sentence that appears, do the following steps:

      • Click Enter text. In the Specify header name dialog that appears, enter X-Forefront-Antispam-Report and then click OK.

      • Click Enter words. In the Specify words or phrases dialog that appears, enter one of the EOP spam header values (SFV:SPM, SFV:SKS, or SFV:SKB), click Add Add icon, and then click OK.

    • Do the following: Select Modify the message properties > Set the spam confidence level (SCL).

      In the Specify SCL dialog that appears, select 6 (the default value is 5).

    When you're finished, click Save

Repeat these steps for the remaining EOP spam verdict values (SFV:SPM, SFV:SKS, or SFV:SKB).

Use the Exchange Management Shell to create mail flow rules that set the SCL of EOP spam messages

Use the following syntax to create the three mail flow rules:

New-TransportRule -Name "<RuleName>" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "<EOPSpamFilteringVerdict>" -SetSCL 6

For example:

New-TransportRule -Name "EOP SFV:SPM to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
New-TransportRule -Name "EOP SFV:SKS to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
New-TransportRule -Name "EOP SFV:SKB to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKB" -SetSCL 6

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you've successfully configured standalone EOP to deliver spam to the Junk Email folder in hybrid environment, do any of the following steps:

  • In the EAC, go to Mail flow > Rules, select the rule, and then click Edit Edit icon to verify the settings.

  • In the Exchange Management Shell, replace <RuleName> with the name of the mail flow rule, and rul the following command to verify the settings:

    Get-TransportRule -Identity "<RuleName>" | Format-List
    
  • In an external email system that doesn't scan outbound messages for spam, send a Generic Test for Unsolicited Bulk Email (GTUBE) message to an affected recipient, and confirm that it's delivered to their Junk Email folder. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.

    To send a GTUBE message, include the following text in the body of an email message on a single line, without any spaces or line breaks:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X