Configure the connection filter policy

Most of us have friends and business partners we trust. It can be frustrating to find email from them in your junk email folder, or even blocked entirely by a spam filter. If you want to make sure that email sent from people you trust isn't blocked, you can use the connection filter policy to create an Allow list, also known as a safe sender list, of IP addresses that you trust. You can also create a blocked senders list, which is a list of IP addresses, typically from known spammers, that you don't ever want to receive email messages from.

For more spam settings that apply to the whole organization, take a look at How to help ensure that a message isn't marked as spam or Block email spam with the Office 365 spam filter to prevent false negative issues. These are helpful if you have administrator-level control and you want to prevent false positives or false negatives.

The following video shows the configuration steps for the connection filter policy:

What do you need to know before you begin?

  • Estimated time to complete: 15 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Anti-spam" entry in the Feature Permissions in Exchange Online topic.

  • To obtain the IP address of the sender whose messages you want to allow or block, you can check the Internet header of the message. Look for the CIP header as described in Anti-spam message headers. For information about how to view a message header in various email clients, see the Message Header Analyzer topic.

  • Email messages sent from an IP address on the IP Block list are rejected, not marked as spam, and no additional filtering occurs.

  • The following connection filter procedure can also be performed via remote PowerShell. Use the Get-HostedConnectionFilterPolicy cmdlet to review your settings, and the Set-HostedConnectionFilterPolicy to edit your connection filter policy settings. To learn how to use Windows PowerShell to connect to Exchange Online Protection, see Connect to Exchange Online Protection PowerShell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Use the EAC to edit the default connection filter policy

You create an IP Allow list or IP Block list by editing the connection filter policy in the Exchange admin center (EAC). The connection filter policy settings are applied to inbound messages only.

  1. In the Exchange admin center (EAC), navigate to Protection > Connection filter, and then double-click the default policy.

  2. Click the Connection filtering menu item and then create the lists you want: an IP Allow list, an IP Block list, or both.

    To create these lists, click Add Icon. In the subsequent dialog box, specify the IP address or address range, and then click ok. Repeat this process to add additional addresses. (You can also edit or remove IP addresses after they have been added.)

    Note

    If you add an IP address to both lists, email sent from it is allowed. > IPV4 IP addresses must be specified in the format nnn.nnn.nnn.nnn where nnn is a number from 0 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr where rr is a number from 24 to 32. To specify ranges outside of the 24 to 32 range, see Additional considerations when configuring IP Allow lists. > You can specify a maximum of 1273 entries, where an entry is either a single IP address or a CIDR range of IP addresses from /24 to /32. > If you're sending TLS-encrypted messages, IPv6 addresses and address ranges are not supported.

  3. Optionally, select the Enable safe list check box to prevent missing email from certain well-known senders. How? Microsoft subscribes to third-party sources of trusted senders. Using this safe list means that these trusted senders aren't mistakenly marked as spam. We recommend selecting this option because it should reduce the number of false positives (good mail that's classified as spam) you receive.

  4. Click save. A summary of your default policy settings appears in the right pane.

Additional considerations when configuring IP Allow lists

The following are additional considerations you may want to consider or that you should be aware of when configuring an IP Allow list.

To specify a CIDR IP address range from /1 to /23, you must create a Transport rule that operates on the IP address range that sets the spam confidence level (SCL) to Bypass spam filtering (meaning that all messages received from within this IP address range are set to "not spam´┐Ż? and no additional filtering is performed by the service). However, if any of these IP addresses appear on any of Microsoft's proprietary block lists or on any of our third-party block lists, these messages will still be blocked. It is therefore strongly recommended that you use the /32 to /24 IP address range.

To create this Transport rule, perform the following steps.

  1. In the EAC, navigate to Mail flow > Rules.

  2. Click Add Icon and then select Create a new rule.

  3. Give the rule a name and then click More options.

  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.

  5. In the specify IP addresses, specify the IP address range, click AddAdd Icon, and then click ok.

  6. Under Do the following box, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select Bypass spam filtering, and click ok.

  7. If you'd like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.

  8. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering is bypassed for the IP address range you specified.

Scoping an IP Allow list exception for a specific domain

In general, we recommend that you add the IP addresses (or IP address ranges) for all your domains that you consider safe to the IP Allow list. However, if you don't want your IP Allow List entry to apply to all your domains, you can create a Transport rule that excepts specific domains.

For example, let's say you have three domains: ContosoA.com, ContosoB.com, and ContosoC.com, and you want to add the IP address (for simplicity's sake, let's use 1.2.3.4) and skip filtering only for domain ContosoB.com. You would create an IP Allow list for 1.2.3.4, which sets the spam confidence level (SCL) to -1 (meaning it is classified as non-spam) for all domains. You can then create a Transport rule that sets the SCL for all domains except ContosoB.com to 0. This results in the message being rescanned for all domains associated with the IP address except for ContosoB.com which is the domain listed as the exception in the rule. ContosoB.com still has an SCL of -1 which means skip filtering, whereas ContosoA.com and ContosoC.com have SCLs of 0, meaning they will be rescanned by the content filter.

To do this, perform the following steps:

  1. In the EAC, navigate to Mail flow > Rules.

  2. Click Add Icon and then select Create a new rule.

  3. Give the rule a name and then click More options.

  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.

  5. In the specify IP addresses box, specify the IP address or IP address range you entered in the IP Allow list, click AddAdd Icon, and then click ok.

  6. Under Do the following, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select 0, and click ok.

  7. Click add exception, and under Except if, select The sender and choose domain is.

  8. In the specify domain box, enter the domain for which you want to bypass spam filtering, such as contosob.com. Click AddAdd Icon to move it to the list of phrases. Repeat this step if you want to add additional domains as exceptions, and click ok when you are finished.

  9. If you'd like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.

  10. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering for the IP address or IP address range you specified is bypassed only for the domain exception you entered.

New to Office 365?

The short icon for LinkedIn Learning New to Office 365? Discover free video courses for Office 365 admins and IT pros, brought to you by LinkedIn Learning.

For more information

Safe sender and blocked sender lists in Exchange Online

Configure your spam filter policies

Configure the outbound spam policy

How to help ensure that a message isn't marked as spam

Block email spam with the Office 365 spam filter to prevent false negative issues