How to reduce spam email in Office 365

Are you getting too much spam in Office 365? Do this.

We strongly recommend that you report False Negative messages by using the Report Message add-in to help us improve our filters. Additionally, you can forward the message as an attachment to junk@office365.microsoft.com or phish@office365.microsoft.com (if it was phish).

Tip

If you think the message is junk and it is in the Junk Email folder, that should not be a problem. If you don't want to see it at all in the mailbox, you should change the antispam policy to quarantine the message. More information on quarantining a message can be found in Quarantine email messages in Office 365.

Fixing allowed spam

We often see that customers get junk mail into their inbox because of incorrect configurations. The most common of which is configuring your domains in a mail flow rule (also known as a transport rule) to bypass filters or listing your domain(s) in the allowed/safe-senders list. This is not good because these messages skip spam filtering and could have otherwise been caught.

Solutions to other common causes of getting too much spam

In order to protect you from getting too much spam, Exchange Online Protection (EOP) requires that administrators complete a few tasks. If you are not the administrator for your Office 365 tenant and you are getting too much spam, then you may want to work with your administrator on these tasks. Otherwise, you can skip to the user section.

For admins

  • Point your DNS records to Office 365 In order for EOP to provide the best protection, your mail exchanger (MX) DNS record(s) for all domains must be pointed to Office 365 -- and only to Office 365. See Create DNS records for Office 365 when you manage your DNS records.

  • Enable the junk mail rule on all mailboxes By default, the spam filtering action is set to Move message to Junk Email folder. If this is the preferred and current spam policy action, then each mailbox must also have the junk mail rule enabled. To check this, you can run the Get-MailboxJunkEmailConfiguration cmdlet against one or more mailboxes. For example, you might check all mailboxes for this by running the following: Get-MailboxJunkEmailConfiguration -Identity * | Where {$_.Enabled -eq $false}

    When viewing the output, the Enable property should be set to True. If it is set to False, you can run Set-MailboxJunkEmailConfiguration to change it to True as follows: Set-MailboxJunkEmailConfiguration -Identity $values.UserPrincipalName -Enabled $true.

  • Create mail flow rules in on-premises Exchange Server If you are using Exchange Online Protection, but your mailboxes are located in on-premises Exchange Server, then you will need to create a couple of mail flow rules in on-premises Exchange Server. See the instructions for EOP-only.

  • Mark bulk email as spam Bulk email is email which users may have signed up for, but may still be undesirable. In the message header, find the BCL (Bulk Confidence Level) property in the X-Microsoft-Antispam header. If the BCL value is less than the threshold set in the spam filter, you may want to adjust the threshold to instead mark these types of bulk messages as spam. Different users have different tolerances and preferences for how bulk email is handled. You can create different policies or rules for different user preferences.

  • Immediately block a sender In the case where you need to immediately block a sender, you can block by email address, domain, or IP address. See Create block sender lists in Office 365. An entry in an end-user allow list can override a block set by the administrator.

  • Turn on the report message add-in for users We strongly recommend that you enable the report message add-in for you users. As an administrator, you may also be able to view the feedback your users are sending and use any patterns to adjust any settings that may be causing problems.

  • Enable DKIM to sign all your outbound messages to increase the security in your domain and tenant.

Tip

After you enable DKIM you must enable DMARC since this record will validate if DKIM and SPF are working correctly and, generally, spoofing emails don't have the signature, since O365 manages your private and public symmetric key.

For users

  • Enable the junk mail rule and check your allow list Check that the junk mail action rule is enabled and that the sender or sender's domain is not set to bypass in your personal allow list. The best way to access these settings is from Block or allow (junk email settings). While you are there, you may also choose to block the sender's email address or domain.

  • Report spam to Microsoft Report spam messages to Microsoft by using the Use the Report Message add-in. Additionally, you can send a message to junk@office365.microsoft.com and attach one or more messages to report.

    Important If you do not forward the messages as attachments, then the headers will be missing and we will be unable to improve the junk mail filtering in Office 365.

  • Unsubscribe from bulk email If the message was something that you signed up for (newsletters, product announcements, etc.) and contains an unsubscribe link from a reputable source, you may want to simply unsubscribe. Office 365 does not typically treat these messages as spam. You can also choose to block the sender, or ask your administrator to make a change that will cause all bulk mail to be treated as spam.