Order and precedence of email protection

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email may be flagged by multiple forms of protection: for example, the built-in anti-phishing policies in EOP that are available to all Microsoft 365 customers, and the more robust anti-phishing policies that are available to Microsoft Defender for Office 365 customers. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there may be some confusion as to which policy is applied.

In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report header in the CAT (Category) property. For more information, see Anti-spam message headers.

There are two major factors that determine which policy is applied to a message:

For example, consider the following anti-phishing policies in Microsoft Defender for Office 365 that apply to the same users, and a message that's identified as both user impersonation and spoofing:

| Policy name | Priority | User impersonation | Anti-spoofing |
|---|---|---|---|
| Policy A | 1 | On | Off |
| Policy B | 2 | Off | On |

  1. The message is identified as spoofing, because spoofing (4) is evaluated before user impersonation (5).
  2. Policy A is applied first because it has a higher priority than Policy B.
  3. Based on the settings in Policy A, no action is taken on the message because anti-spoofing is turned off.
  4. The processing of anti-phishing policies stops for all included recipients, so Policy B is never applied to recipients who are also in Policy A.

Because the same users might be intentionally or unintentionally included in multiple policies of the same type, use the following design guidelines for custom policies:

  • Assign a higher priority to policies that apply to a small number of users, and a lower priority to policies that apply to a large number of users. Remember, the default policy is always applied last.
  • Configure your higher priority policies to have stricter or more specialized settings than lower priority policies.
  • Consider using fewer custom policies (only use custom policies for users who require stricter or more specialized settings).
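
The worked example and the design guidelines above, as an added Python sketch (not Microsoft's code and not part of the original page): it models the four evaluation steps and flags recipients whose winning policy turns off a protection that a lower-priority policy would have applied. The `Policy` model, the recipient addresses and the two-entry detection order are constructed for illustration.

```python
from dataclasses import dataclass

# Only the two detections the page's example numbers: spoofing (4) is
# evaluated before user impersonation (5). Other types are omitted.
DETECTION_ORDER = {"spoofing": 4, "user_impersonation": 5}

@dataclass
class Policy:          # hypothetical model, not an Exchange Online object
    name: str
    priority: int      # 1 is the highest priority
    recipients: set
    enabled: dict      # detection name -> is that protection turned on?

def effective_policy(policies, recipient):
    """Highest-priority policy that includes the recipient, else None."""
    hits = [p for p in policies if recipient in p.recipients]
    return min(hits, key=lambda p: p.priority) if hits else None

def evaluate(policies, recipient, detections):
    """Return (verdict, policy name, action taken?) for one recipient."""
    verdict = min(detections, key=DETECTION_ORDER.__getitem__)
    policy = effective_policy(policies, recipient)
    if policy is None:
        return verdict, None, False
    # Processing stops at this policy even if the protection is off in it.
    return verdict, policy.name, policy.enabled.get(verdict, False)

def shadowed_protections(policies):
    """List (recipient, detection, winning policy, shadowed policy)."""
    findings = []
    for rcpt in sorted(set().union(*(p.recipients for p in policies))):
        winner = effective_policy(policies, rcpt)
        for p in sorted(policies, key=lambda p: p.priority):
            if p is winner or rcpt not in p.recipients:
                continue
            for det, on in sorted(p.enabled.items()):
                if on and not winner.enabled.get(det, False):
                    findings.append((rcpt, det, winner.name, p.name))
    return findings

# Constructed sample mirroring Policy A and Policy B from the table.
POLICIES = [
    Policy("Policy A", 1, {"alice@contoso.example", "bob@contoso.example"},
           {"user_impersonation": True, "spoofing": False}),
    Policy("Policy B", 2, {"alice@contoso.example", "carol@contoso.example"},
           {"user_impersonation": False, "spoofing": True}),
]

if __name__ == "__main__":
    print(shadowed_protections(POLICIES))
```

A non-empty result means at least one recipient is covered by a policy that silently overrides a stricter setting elsewhere, which is the overlap the guidelines above are meant to prevent.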