Configure anti-spam policies in EOP

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spam by EOP. EOP uses anti-spam policies (also known as spam filter policies or content filter policies) as part of your organization's overall defense against spam. For more information, see Anti-spam protection.

Admins can view, edit, and configure (but not delete) the default anti-spam policy. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

You can configure anti-spam policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

The basic elements of an anti-spam policy are:

  • The spam filter policy: Specifies the actions for spam filtering verdicts and the notification options.
  • The spam filter rule: Specifies the priority and recipient filters (who the policy applies to) for a spam filter policy.

The difference between these two elements isn't obvious when you manage anti-spam policies in the Security & Compliance Center:

  • When you create an anti-spam policy, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both.
  • When you modify an anti-spam policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.
  • When you remove an anti-spam policy, the spam filter rule and the associated spam filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. For more information, see the Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies section later in this article.

Every organization has a built-in anti-spam policy named Default that has these properties:

  • The policy is applied to all recipients in the organization, even though there's no spam filter rule (recipient filters) associated with the policy.
  • The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority.
  • The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

To increase the effectiveness of spam filtering, you can create custom anti-spam policies with stricter settings that are applied to specific users or groups of users.

What do you need to know before you begin?

Use the Security & Compliance Center to create anti-spam policies

Creating a custom anti-spam policy in the Security & Compliance Center creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Create a policy.

  3. In the New spam filter policy flyout that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the policy. Don't use the following characters: \ % & * + / = ? { } | < > ( ) ; : , [ ] ".

      If you previously created anti-spam policies in the Exchange admin center (EAC) that contain these characters, you should rename the anti-spam policy in PowerShell. For instructions, see the Use PowerShell to modify spam filter rules section later in this article.

    • Description: Enter an optional description for the policy.

  4. (Optional) Expand the Spam and bulk actions section, and verify or configure the following settings:

    • Select the action to take for incoming spam and bulk email: Select or review the action to take on messages based on the following spam filtering verdicts:

      • Spam
      • High confidence spam
      • Phishing email
      • High confidence phishing email
      • Bulk email

      The available actions for spam filtering verdicts are described in the following table.

      • A check mark (✔) indicates the action is available (not all actions are available for all spam filtering verdicts).
      • An asterisk ( * ) after the check mark indicates the default action for the spam filtering verdict.

    Action | Spam | High confidence spam | Phishing email | High confidence phishing email | Bulk email

    Move message to Junk Email folder: The message is delivered to the mailbox and moved to the Junk Email folder.¹
    ✔* ✔* ✔ ✔ ✔*

    Add X-header: Adds an X-header to the message header and delivers the message to the mailbox. You enter the X-header field name (not the value) later in the Add this X-header text box. For Spam and High confidence spam verdicts, the message is moved to the Junk Email folder.¹,²
    ✔ ✔ ✔ ✔*

    Prepend subject line with text: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.¹,² You enter the text later in the Prefix subject line with this text box.
    ✔ ✔ ✔ ✔

    Redirect message to email address: Sends the message to other recipients instead of the intended recipients. You specify the recipients later in the Redirect to this email address box.
    ✔ ✔ ✔ ✔ ✔

    Delete message: Silently deletes the entire message, including all attachments.
    ✔ ✔ ✔ ✔

    Quarantine message: Sends the message to quarantine instead of the intended recipients. You specify how long the message should be held in quarantine later in the Quarantine box.
    ✔ ✔ ✔* ✔ ✔

    No action
    ✔

    ¹ In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see Configure junk email settings on Exchange Online mailboxes.

    In standalone EOP environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange to translate the EOP spam filtering verdict so the junk email rule can move the message to the Junk Email folder. For details, see Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.

    ² You can use this value as a condition in mail flow rules to filter or route the message.

    • Select the threshold: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the Bulk email spam filtering verdict (greater than the specified value, not greater than or equal to). A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see Bulk complaint level (BCL) in EOP and What's the difference between junk email and bulk email?.

      By default, the PowerShell-only setting MarkAsSpamBulkMail is On in anti-spam policies. This setting dramatically affects the results of a Bulk email filtering verdict:

      • MarkAsSpamBulkMail is On: A BCL that's greater than the threshold is converted to an SCL 6 that corresponds to a filtering verdict of Spam, and the action for the Bulk email filtering verdict is taken on the message.

      • MarkAsSpamBulkMail is Off: The message is stamped with the BCL, but no action is taken for a Bulk email filtering verdict. In effect, the BCL threshold and Bulk email filtering verdict action are irrelevant.

    • Quarantine: Specifies how long to keep the message in quarantine if you selected Quarantine message as the action for a spam filtering verdict. After the time period expires, the message is deleted. The default value is 30 days. A valid value is from 1 to 30 days. For information about quarantine, see the following topics:

    • Add this X-header text: This box is required and available only if you selected Add X-header as the action for a spam filtering verdict. The value you specify is the header field name that's added to the message header. The header field value is always This message appears to be spam.

      The maximum length is 255 characters, and the value can't contain spaces or colons (:).

      For example, if you enter the value X-This-is-my-custom-header, the X-header that's added to the message is X-This-is-my-custom-header: This message appears to be spam.

      If you enter a value that contains spaces or colons (:), the value you enter is ignored, and the default X-header is added to the message (X-This-Is-Spam: This message appears to be spam.).

    • Prepend subject line with this text: This box is required and available only if you selected Prepend subject line with text as the action for a spam filtering verdict. Enter the text to add to the beginning of the message's subject line.

    • Redirect to this email address: This box is required and available only if you selected the Redirect message to email address as the action for a spam filtering verdict. Enter the email address where you want to deliver the message. You can enter multiple values separated by semicolons (;).

    • Safety Tips: By default, Safety Tips are enabled, but you can disable them by clearing the On checkbox. For more information about Safety Tips, see Safety tips in email messages.

    • Zero-hour auto purge settings: ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. For more information about ZAP, see Zero-hour auto purge - protection against spam and malware.

    • Spam ZAP: By default, ZAP is enabled for spam detections, but you can disable it by clearing the On checkbox.

    • Phish ZAP: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the On checkbox.

  5. (Optional) Expand the Allow lists section to configure message senders by email address or email domain that are allowed to skip spam filtering:

    Caution

    • Think very carefully before you add domains here. For more information, see Create safe sender lists in EOP.

    • Never add accepted domains (domains that you own) or common domains (for example, microsoft.com or office.com) to the allowed domains list. This would allow attackers to send email that bypasses spam filtering into your organization.

    • Allow sender: Click Edit. In the Allowed sender list flyout that appears:

      a. Enter the sender's email address. You can specify multiple email addresses separated by semicolons (;).

      b. Click Add icon to add the senders.

      Repeat these steps as many times as necessary.

      The senders you added appear in the Allowed Sender section on the flyout. To delete a sender, click Remove icon.

      When you're finished, click Save.

    • Allow domain: Click Edit. In the Allowed domain list flyout that appears do these steps:

      a. Enter the domain. You can specify multiple domains separated by semicolons (;).

      b. Click Add icon to add the domains.

      Repeat these steps as many times as necessary.

      The domains you added appear in the Allowed Domain section on the flyout. To delete a domain, click Remove icon.

      When you're finished, click Save.

  6. (Optional) Expand the Block lists section to configure message senders by email address or email domain that will always be marked as high confidence spam:

    Note

    Manually blocking domains isn't dangerous, but it can increase your administrative workload. For more information, see Create block sender lists in EOP.

    • Block sender: Click Edit. In the Blocked sender list flyout that appears do these steps:

      a. Enter the sender's email address. You can specify multiple email addresses separated by semicolons (;). Wildcards (*) aren't allowed.

      b. Click Add icon to add the senders.

      Repeat these steps as many times as necessary.

      The senders you added appear in the Blocked Sender section on the flyout. To delete a sender, click Remove button.

      When you're finished, click Save.

    • Block domain: Click Edit. In the Blocked domain list flyout that appears:

      a. Enter the domain. You can specify multiple domains separated by semicolons (;). Wildcards (*) aren't allowed.

      b. Click Add icon to add the domains.

      Repeat these steps as many times as necessary.

      The domains you added appear in the Blocked Domain list on the flyout. To delete a domain, click Remove button.

      When you're finished, click Save.

  7. (Optional) Expand the International spam section to configure the email languages or source countries that are blocked by spam filtering:

    • Filter email messages written in the following languages: This setting is disabled by default (Status: OFF). Click Edit. In the International spam settings flyout that appears, configure the following settings:

      • Filter email messages written in the following languages: Select the checkbox to enable this setting. Clear the checkbox to disable this setting.

      • Click in the box and start typing the name of the language. A filtered list of supported languages will appear, along with the corresponding ISO 639-2 language code. When you find the language you're looking for, select it. Repeat this step as many times as necessary.

        The list of languages you selected appears on the flyout. To delete a language, click Remove button.

      When you're finished, click Save.

    • Filter email messages sent from the following countries or regions: This setting is disabled by default (Status: OFF). To enable it, click Edit. In the International spam settings flyout that appears, configure the following settings:

      • Filter email messages sent from the following countries or regions: Select the checkbox to enable this setting. Clear the checkbox to disable this setting.

      • Click in the box and start typing the name of the country or region. A filtered list of supported countries will appear, along with the corresponding ISO 3166-1 two-letter country code. When you find the country or region you're looking for, select it. Repeat this step as many times as necessary.

        The list of countries you selected appears on the flyout. To delete a country or region, click Remove button.

      When you're finished, click Save.

  8. The optional Spam properties section contains Advanced Spam Filter (ASF) settings that are turned off by default. ASF settings are in the process of being deprecated, and their functionality is being incorporated into other parts of the filtering stack. We recommend that you leave all of these ASF settings turned off in your anti-spam policies.

    For details about these settings, see Advanced Spam Filter settings in EOP.

  9. (Required) Expand the Applied to section to identify the internal recipients that the policy applies to.

    You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

    It's easiest to click Add a condition three times to see all of the available conditions. You can click Remove button to remove conditions that you don't want to configure.

    • The recipient domain is: Specifies recipients in one or more of the configured accepted domains in your organization. Click in the Add a tag box to see and select a domain. Click the Add a tag box again to select additional domains if more than one domain is available.

    • Recipient is: Specifies one or more mailboxes, mail users, or mail contacts in your organization. Click in the Add a tag box and start typing to filter the list. Click the Add a tag box again to select additional recipients.

    • Recipient is a member of: Specifies one or more groups in your organization. Click in the Add a tag box and start typing to filter the list. Click the Add a tag box again to select additional recipients.

    • Except if: To add exceptions for the rule, click Add a condition three times to see all of the available exceptions. The settings and behavior are exactly like the conditions.

  10. When you're finished, click Save.

Use the Security & Compliance Center to view anti-spam policies

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Expand icon to expand an anti-spam policy:

    • The default policy named Default spam filter policy.

    • A custom policy that you created where the value in the Type column is Custom anti-spam policy.

  3. The important policy settings are displayed in the expanded policy details that appear. To see more details, click Edit policy.

Use the Security & Compliance Center to modify anti-spam policies

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Expand icon to expand an anti-spam policy:

    • The default policy named Default spam filter policy.

    • A custom policy that you created where the value in the Type column is Custom anti-spam policy.

  3. Click Edit policy.

For custom anti-spam policies, the available settings in the flyout that appears are identical to those described in the Use the Security & Compliance Center to create anti-spam policies section.

For the default anti-spam policy named Default spam filter policy, the Applied to section isn't available (the policy applies to everyone), and you can't rename the policy.

To enable or disable a policy, set the policy priority order, or configure the end-user quarantine notifications, see the following sections.

Enable or disable anti-spam policies

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Expand icon to expand a custom policy that you created (the value in the Type column is Custom anti-spam policy).

  3. In the expanded policy details that appear, notice the value in the On column.

    Move the toggle to the left to disable the policy: Toggle off

    Move the toggle to the right to enable the policy: Toggle on

You can't disable the default anti-spam policy.

Set the priority of custom anti-spam policies

By default, anti-spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.

For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.

Custom anti-spam policies are displayed in the order they're processed (the first policy has the Priority value 0). The default anti-spam policy named Default spam filter policy has the priority value Lowest, and you can't change it.

Note: In the Security & Compliance Center, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).

To change the priority of a policy, move the policy up or down in the list (you can't directly modify the Priority number in the Security & Compliance Center).

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, find the policies where the value in the Type column is Custom anti-spam policy. Notice the values in the Priority column:

    • The custom anti-spam policy with the highest priority has the value Down Arrow icon 0.

    • The custom anti-spam policy with the lowest priority has the value Up Arrow icon n (for example, Up Arrow icon 3).

    • If you have three or more custom anti-spam policies, the policies between the highest and lowest priority have values Up Arrow icon Down Arrow icon n (for example, Up Arrow icon Down Arrow icon 2).

  3. Click Up Arrow icon or Down Arrow icon to move the custom anti-spam policy up or down in the priority list.

Configure end-user spam notifications

When a spam filtering verdict quarantines a message, you can configure end-user spam notifications to let recipients know what happened to messages that were sent to them. For more information about these notifications, see End-user spam notifications in EOP.

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Expand icon to expand an anti-spam policy:

    • The default policy named Default spam filter policy.

    • A custom policy that you created where the value in the Type column is Custom anti-spam policy.

  3. In the expanded policy details that appear, click Configure end-user spam notifications.

  4. In the <Policy Name> dialog that opens, configure the following settings:

    • Enable end-user spam notifications: Select the checkbox to enable notifications. Clear the checkbox to disable notifications.

    • Send end-user spam notifications every (days): Select how frequently notifications are sent. The default value is 3 days. You can enter 1 to 15 days.

      There are 3 cycles of end-user spam notification within a 24-hour period that start at the following times: 01:00 UTC, 08:00 UTC, and 16:00 UTC.

      Note

      If we missed a notification during a previous cycle, a subsequent cycle will push the notification. This may give the appearance of multiple notifications within the same day.

    • Notification language: Click the drop-down and select an available language from the list. The default value is Default, which means English.

    When you're finished, click Save.

Use the Security & Compliance Center to remove anti-spam policies

  1. In the Security & Compliance Center, go to Threat management > Policy > Anti-spam.

  2. On the Anti-spam settings page, click Expand icon to expand the custom policy that you want to delete (the Type column is Custom anti-spam policy).

  3. In the expanded policy details that appear, click Delete policy.

  4. Click Yes in the warning dialog that appears.

You can't remove the default policy.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies

As previously described, an anti-spam policy consists of a spam filter policy and a spam filter rule.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between spam filter policies and spam filter rules is apparent. You manage spam filter policies by using the *-HostedContentFilterPolicy cmdlets, and you manage spam filter rules by using the *-HostedContentFilterRule cmdlets.

  • In PowerShell, you create the spam filter policy first, then you create the spam filter rule that identifies the policy that the rule applies to.
  • In PowerShell, you modify the settings in the spam filter policy and the spam filter rule separately.
  • When you remove a spam filter policy from PowerShell, the corresponding spam filter rule isn't automatically removed, and vice versa.

The following anti-spam policy settings are only available in PowerShell:

  • The MarkAsSpamBulkMail parameter that's On by default. The effects of this setting were explained in the Use the Security & Compliance Center to create anti-spam policies section earlier in this article.

  • The following settings for end-user spam quarantine notifications:

    • The DownloadLink parameter that shows or hides the link to the Junk Email Reporting Tool for Outlook.

    • The EndUserSpamNotificationCustomSubject parameter that you can use to customize the subject line of the notification.

Use PowerShell to create anti-spam policies

Creating an anti-spam policy in PowerShell is a two-step process:

  1. Create the spam filter policy.
  2. Create the spam filter rule that specifies the spam filter policy that the rule applies to.

Notes:

  • You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.

  • You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:

    • Create the new policy as disabled (Enabled $false on the New-HostedContentFilterRule cmdlet).
    • Set the priority of the policy during creation (Priority <Number> on the New-HostedContentFilterRule cmdlet).
  • A new spam filter policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a spam filter rule.

Step 1: Use PowerShell to create a spam filter policy

To create a spam filter policy, use this syntax:

New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>

This example creates a spam filter policy named Contoso Executives with the following settings:

  • Quarantine messages when the spam filtering verdict is spam or high confidence spam.

  • BCL 6 triggers the action for a bulk email spam filtering verdict.

New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6

Note

New-HostedContentFilterPolicy and Set-HostedContentFilterPolicy contain an older ZapEnabled parameter, as well as newer PhishZapEnabled and SpamZapEnabled parameters. The ZapEnabled parameter was deprecated in February 2020. The PhishZapEnabled and SpamZapEnabled parameters used to inherit their values from the ZapEnabled parameter. But, if you use the PhishZapEnabled and SpamZapEnabled parameters in a command or you use the Spam ZAP or Phish ZAP settings in the anti-spam policy in the Security & Compliance Center, the value of the ZapEnabled parameter is ignored. In other words, don't use the ZapEnabled parameter; use the PhishZapEnabled and SpamZapEnabled parameters instead.

For detailed syntax and parameter information, see New-HostedContentFilterPolicy.

Step 2: Use PowerShell to create a spam filter rule

To create a spam filter rule, use this syntax:

New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new spam filter rule named Contoso Executives with these settings:

  • The spam filter policy named Contoso Executives is associated with the rule.

  • The rule applies to members of the group named Contoso Executives Group.

New-HostedContentFilterRule -Name "Contoso Executives" -HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"

For detailed syntax and parameter information, see New-HostedContentFilterRule.
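
The two steps above combined into a staged rollout, as an added example that is not part of the original article: the rule is created disabled at priority 0 so the settings can be reviewed before the policy takes effect. The names, actions, and values are assumptions, and the session is assumed to be already connected to Exchange Online PowerShell or standalone EOP PowerShell.

```powershell
# Added example; the names and values below are placeholders (assumptions).
$PolicyName = 'Contoso Executives'
$GroupName  = 'Contoso Executives Group'

# Step 1: create the spam filter policy only if it does not exist yet.
$policy = Get-HostedContentFilterPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $policy) {
    $policyParams = @{
        Name                      = $PolicyName
        AdminDisplayName          = 'Stricter filtering for executives'
        SpamAction                = 'Quarantine'
        HighConfidenceSpamAction  = 'Quarantine'
        PhishSpamAction           = 'Quarantine'
        HighConfidencePhishAction = 'Quarantine'
        BulkThreshold             = 6
        MarkAsSpamBulkMail        = 'On'   # PowerShell-only setting; keeps the bulk action effective
        QuarantineRetentionPeriod = 30     # days; valid values are 1 to 30
        SpamZapEnabled            = $true  # used instead of the deprecated ZapEnabled
        PhishZapEnabled           = $true
    }
    New-HostedContentFilterPolicy @policyParams | Out-Null
}

# Step 2: create the spam filter rule disabled and at the highest priority.
# Existing rules at priority 0 and below move down by one.
$rule = Get-HostedContentFilterRule | Where-Object { $_.Name -eq $PolicyName }
if (-not $rule) {
    $ruleParams = @{
        Name                      = $PolicyName
        HostedContentFilterPolicy = $PolicyName
        SentToMemberOf            = $GroupName
        Enabled                   = $false
        Priority                  = 0
        Comments                  = 'Created disabled; enable after review'
    }
    New-HostedContentFilterRule @ruleParams | Out-Null
}

# Review what was created before turning it on.
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Format-List Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                HighConfidencePhishAction, BulkThreshold, MarkAsSpamBulkMail,
                QuarantineRetentionPeriod, SpamZapEnabled, PhishZapEnabled
Get-HostedContentFilterRule -Identity $PolicyName |
    Format-List Name, State, Priority, HostedContentFilterPolicy, SentToMemberOf

# After review, enable the rule (and with it the whole anti-spam policy):
# Enable-HostedContentFilterRule -Identity $PolicyName
```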

Use PowerShell to view spam filter policies

To return a summary list of all spam filter policies, run this command:

Get-HostedContentFilterPolicy

To return detailed information about a specific spam filter policy, use this syntax:

Get-HostedContentFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the spam filter policy named Executives.

Get-HostedContentFilterPolicy -Identity "Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedContentFilterPolicy.
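
A read-only audit built on Get-HostedContentFilterPolicy, as an added example that is not part of the original article. It checks every spam filter policy for the conditions this article cautions about: accepted or common domains in the allowed domains list, MarkAsSpamBulkMail set to Off, and ZAP turned off. The list of common domains holds only the two examples named in the article, and comparing allow-list entries by their string form is an assumption.

```powershell
# Added example (read-only); assumes a connected Exchange Online PowerShell
# or standalone EOP PowerShell session.
$acceptedDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() })

# Common domains named in the article's caution; extend for your environment.
$commonDomains = @('microsoft.com', 'office.com')

$findings = foreach ($policy in Get-HostedContentFilterPolicy) {

    # Assumption: each allow-list entry converts to the bare domain name.
    $allowedDomains = @($policy.AllowedSenderDomains |
        Where-Object { $_ } |
        ForEach-Object { "$_".ToLower() })

    foreach ($domain in $allowedDomains) {
        if ($acceptedDomains -contains $domain) {
            [pscustomobject]@{
                Policy  = $policy.Name
                Setting = 'AllowedSenderDomains'
                Value   = $domain
                Finding = 'Accepted domain is allowed to skip spam filtering'
            }
        }
        elseif ($commonDomains -contains $domain) {
            [pscustomobject]@{
                Policy  = $policy.Name
                Setting = 'AllowedSenderDomains'
                Value   = $domain
                Finding = 'Common domain is allowed to skip spam filtering'
            }
        }
    }

    # With MarkAsSpamBulkMail Off, the message is only stamped with the BCL.
    if ("$($policy.MarkAsSpamBulkMail)" -eq 'Off') {
        [pscustomobject]@{
            Policy  = $policy.Name
            Setting = 'MarkAsSpamBulkMail'
            Value   = 'Off'
            Finding = "BulkThreshold $($policy.BulkThreshold) and BulkSpamAction $($policy.BulkSpamAction) have no effect"
        }
    }

    # ZAP is enabled by default for spam and phishing detections.
    foreach ($zapSetting in 'SpamZapEnabled', 'PhishZapEnabled') {
        if ($policy.$zapSetting -eq $false) {
            [pscustomobject]@{
                Policy  = $policy.Name
                Setting = $zapSetting
                Value   = 'False'
                Finding = 'ZAP is turned off for this detection type'
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Policy, Setting | Format-Table -AutoSize -Wrap
}
else {
    'No findings.'
}
```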

Use PowerShell to view spam filter rules

To view existing spam filter rules, use the following syntax:

Get-HostedContentFilterRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>]

To return a summary list of all spam filter rules, run this command:

Get-HostedContentFilterRule

To filter the list by enabled or disabled rules, run the following commands:

Get-HostedContentFilterRule -State Disabled
Get-HostedContentFilterRule -State Enabled

To return detailed information about a specific spam filter rule, use this syntax:

Get-HostedContentFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the spam filter rule named Contoso Executives.

Get-HostedContentFilterRule -Identity "Contoso Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedContentFilterRule.
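
Because policies and rules are managed separately in PowerShell, removing one can leave the other behind. The following added example (not part of the original article) lists spam filter policies that no rule references, rules that point at a policy that no longer exists, and the resulting processing order. It assumes the HostedContentFilterPolicy value on a rule matches the policy's Name.

```powershell
# Added example (read-only); assumes a connected Exchange Online PowerShell
# or standalone EOP PowerShell session.
$policies = @(Get-HostedContentFilterPolicy)
$rules    = @(Get-HostedContentFilterRule)

# Assumption: the rule's HostedContentFilterPolicy value is the policy name.
$referencedPolicies = @($rules | ForEach-Object { "$($_.HostedContentFilterPolicy)" })
$policyNames        = @($policies | ForEach-Object { "$($_.Name)" })

# Custom policies with no rule: not visible in the Security & Compliance Center.
$policiesWithoutRule = @($policies | Where-Object {
    -not $_.IsDefault -and ($referencedPolicies -notcontains $_.Name)
})

# Rules left behind after their policy was removed.
$rulesWithoutPolicy = @($rules | Where-Object {
    $policyNames -notcontains "$($_.HostedContentFilterPolicy)"
})

# Processing order: custom rules by priority number (0 first), then the
# default policy, which has no rule and always has the priority Lowest.
$processingOrder = @(
    $rules | Sort-Object Priority | ForEach-Object {
        [pscustomobject]@{
            Priority = $_.Priority
            Rule     = $_.Name
            Policy   = $_.HostedContentFilterPolicy
            State    = $_.State
        }
    }
    $policies | Where-Object { $_.IsDefault } | ForEach-Object {
        [pscustomobject]@{
            Priority = 'Lowest'
            Rule     = '(none)'
            Policy   = $_.Name
            State    = 'Always applied'
        }
    }
)

'Spam filter policies without a spam filter rule:'
$policiesWithoutRule | Format-Table Name, WhenChanged -AutoSize

'Spam filter rules whose policy no longer exists:'
$rulesWithoutPolicy | Format-Table Name, HostedContentFilterPolicy, State -AutoSize

'Processing order:'
$processingOrder | Format-Table -AutoSize
```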

Use PowerShell to modify spam filter policies

Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the Step 1: Use PowerShell to create a spam filter policy section earlier in this article.

  • The MakeDefault switch that turns the specified policy into the default policy (applied to everyone, always Lowest priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell.

  • You can't rename a spam filter policy (the Set-HostedContentFilterPolicy cmdlet has no Name parameter). When you rename an anti-spam policy in the Security & Compliance Center, you're only renaming the spam filter rule.

To modify a spam filter policy, use this syntax:

Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.

Use PowerShell to modify spam filter rules

The only setting that isn't available when you modify a spam filter rule in PowerShell is the Enabled parameter that allows you to create a disabled rule. To enable or disable existing spam filter rules, see the next section.

Otherwise, no additional settings are available when you modify a spam filter rule in PowerShell. The same settings are available when you create a rule as described in the Step 2: Use PowerShell to create a spam filter rule section earlier in this article.

To modify a spam filter rule, use this syntax:

Set-HostedContentFilterRule -Identity "<RuleName>" <Settings>

This example renames the existing spam filter rule named {Fabrikam Spam Filter} that might cause problems in the Security & Compliance Center.

Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"

For detailed syntax and parameter information, see Set-HostedContentFilterRule.

Use PowerShell to enable or disable spam filter rules

Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or disable the default anti-spam policy (it's always applied to all recipients).

To enable or disable a spam filter rule in PowerShell, use this syntax:

<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"

This example disables the spam filter rule named Marketing Department.

Disable-HostedContentFilterRule -Identity "Marketing Department"

This example enables the same rule.

Enable-HostedContentFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-HostedContentFilterRule and Disable-HostedContentFilterRule.

Use PowerShell to set the priority of spam filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five custom rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a spam filter rule in PowerShell, use the following syntax:

Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing rules with a priority number of 2 or higher are moved down one position in the running order (their priority numbers are increased by 1).

Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2

Notes:

  • To set the priority of a new rule when you create it, use the Priority parameter on the New-HostedContentFilterRule cmdlet instead.

  • The default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value Lowest.

Use PowerShell to remove spam filter policies

When you use PowerShell to remove a spam filter policy, the corresponding spam filter rule isn't removed.

To remove a spam filter policy in PowerShell, use this syntax:

Remove-HostedContentFilterPolicy -Identity "<PolicyName>"

This example removes the spam filter policy named Marketing Department.

Remove-HostedContentFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedContentFilterPolicy.

Use PowerShell to remove spam filter rules

When you use PowerShell to remove a spam filter rule, the corresponding spam filter policy isn't removed.

To remove a spam filter rule in PowerShell, use this syntax:

Remove-HostedContentFilterRule -Identity "<RuleName>"

This example removes the spam filter rule named Marketing Department.

Remove-HostedContentFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedContentFilterRule.
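
Because removing a policy leaves its rule behind, removing a rule leaves its policy behind, and disabling a rule turns off the whole anti-spam policy, the two objects can drift apart without anyone noticing. The following audit is an added example, not part of the original article; the function name Get-AntiSpamPolicyDrift is hypothetical, and it assumes a connected Exchange Online PowerShell or standalone EOP PowerShell session.

```powershell
# Added example (not from the original article).
# Assumes an existing Exchange Online PowerShell or standalone EOP PowerShell session.
function Get-AntiSpamPolicyDrift {
    $policies = @(Get-HostedContentFilterPolicy)
    $rules    = @(Get-HostedContentFilterRule)

    # Policy names that some rule points at, and policy names that actually exist.
    $inUse    = @($rules    | ForEach-Object { [string]$_.HostedContentFilterPolicy })
    $existing = @($policies | ForEach-Object { [string]$_.Name })

    foreach ($p in $policies) {
        # The default policy never has a rule, so it is not a finding.
        if (-not $p.IsDefault -and $inUse -notcontains $p.Name) {
            [pscustomobject]@{
                Finding  = 'Policy without a rule (applies to nobody)'
                Name     = $p.Name
                Priority = $null
                State    = $null
            }
        }
    }

    foreach ($r in $rules) {
        $finding = $null
        if ($existing -notcontains [string]$r.HostedContentFilterPolicy) {
            # Left behind when only the policy was removed.
            $finding = 'Rule without a policy'
        }
        elseif ($r.State -ne 'Enabled') {
            # A disabled rule switches off the rule and its assigned policy.
            $finding = 'Rule disabled (whole anti-spam policy is off)'
        }
        if ($finding) {
            [pscustomobject]@{
                Finding  = $finding
                Name     = $r.Name
                Priority = $r.Priority
                State    = $r.State
            }
        }
    }
}

# Findings grouped by type; within a type, lowest priority number (runs first) on top.
Get-AntiSpamPolicyDrift | Sort-Object Finding, Priority | Format-Table -AutoSize
```

An empty result means every custom policy has an enabled rule and every rule points at an existing policy.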

How do you know these procedures worked?

Send a GTUBE message to test your spam policy settings

Note

These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, the test message can't be sent.

Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test message to verify your organization's anti-spam settings. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.

Include the following GTUBE text in an email message on a single line, without any spaces or line breaks:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Allow/Block Lists

There will be times when our filters miss a message or our systems take time to catch up to it. In these cases, the anti-spam policy has an Allow list and a Block list available to override the current verdict. Use this option sparingly, because lists can become unmanageable, and only temporarily, because our filtering stack should be doing what it is supposed to be doing.

Tip

There may be situations where your organization may not agree with the verdict the service provides. In this case, you may want to keep the Allow or Block listing permanent. However, if you are going to put a domain on the Allow list for extended periods of time, you should tell the sender to make sure that their domain is authenticated and set to DMARC reject if it is not.
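
To review long-lived Allow list entries against the advice in the tip above, the following added example (not part of the original article) lists every domain in the AllowedSenderDomains setting of each spam filter policy and reports the DMARC policy that the domain publishes. The function name Get-DmarcPolicyTag is hypothetical; the script assumes a connected Exchange Online PowerShell or standalone EOP PowerShell session and the Resolve-DnsName cmdlet from the Windows DnsClient module.

```powershell
# Added example (not from the original article).
# Assumes a connected Exchange Online / EOP PowerShell session and Resolve-DnsName.

function Get-DmarcPolicyTag {
    param([string[]]$TxtRecord)
    # Keep only the DMARC record, then read its p= tag (none | quarantine | reject).
    $dmarc = $TxtRecord | Where-Object { $_ -match '^\s*v=DMARC1\s*;' } | Select-Object -First 1
    if (-not $dmarc) { return 'no DMARC record' }
    if ($dmarc -match ';\s*p\s*=\s*(\w+)') { return $Matches[1].ToLower() }
    return 'malformed (no p= tag)'
}

$report = foreach ($policy in Get-HostedContentFilterPolicy) {
    foreach ($entry in $policy.AllowedSenderDomains) {
        # Assumption: each entry converts to the bare domain name as a string.
        $domain = [string]$entry

        # DMARC records are published as TXT at _dmarc.<domain>.
        $answer = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue

        # One TXT record can be split into several strings; join them before parsing.
        $txt = @($answer |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })

        $tag = Get-DmarcPolicyTag -TxtRecord $txt

        [pscustomobject]@{
            Policy        = $policy.Name
            AllowedDomain = $domain
            Dmarc         = $tag
            # Anything other than p=reject is a candidate for follow-up with the sender.
            NeedsFollowUp = ($tag -ne 'reject')
        }
    }
}

# Only the exact domain is queried: a subdomain with no record of its own shows
# 'no DMARC record' even if its organizational domain publishes one.
$report | Sort-Object NeedsFollowUp -Descending | Format-Table -AutoSize
```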