Use mail flow rules to set the spam confidence level (SCL) in messages in EOP
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP uses anti-spam policies (also known as spam filter policies or content filter policies) to scan inbound messages for spam. For more information, see Configure anti-spam policies in EOP.
If you want to mark specific messages as spam before they're even scanned by spam filtering, or mark messages so they'll skip spam filtering, you can create mail flow rules (also known as transport rules) to identify the messages and set the spam confidence level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.
What do you need to know before you begin?
You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.
For more information, see the following topics:
For more information about mail flow rules in Exchange Online and Exchange Online Protection, see Mail flow rules (transport rules) in Exchange Online
Use the EAC to create a mail flow rule that sets the SCL of a message
In the EAC, go to Mail flow > Rules.
Click Add and then select Create a new rule.
In the New rule page that opens, configure the following settings:
Name: Enter a unique, descriptive name for the rule.
Click More Options.
Apply this rule if: Select one or more conditions to identify messages. For more information, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL dialog that appears, configure one of the following values:
Bypass spam filtering: The messages will skip spam filtering.
Be very careful about allowing messages to skip spam filtering. Attackers can use this vulnerability to send phishing and other malicious messages into your organization. The mail flow rules requires more than just the sender's email address or domain. For more information, see Create safe sender lists in EOP.
0 to 4: The message is sent through spam filtering for additional processing.
5 or 6: The message is marked as Spam. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).
7 to 9: The message is marked as High confidence spam. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).
Specify any additional properties that you want for the rule. When you're finished, click Save.
How do you know this worked?
To verify that this procedure is working correctly, send an email message to someone inside your organization, and verify that the action performed on the message is as expected. For example, if you set the spam confidence level (SCL) to Bypass spam filtering, then the message should be sent to the specified recipient's inbox. However, if you set the spam confidence level (SCL) to 9, and the High confidence spam action for your applicable anti-spam policies is to move the message to the Junk Email folder, then the message should be sent to the specified recipient's Junk Email folder.