Explore practical guides and tools for Microsoft 365, Azure, and PowerShell. Enhance your cloud security and admin skills with expert insights and automation tips.
Create and configure Inbound Anti-spam policy in Microsoft Office 365
In today’s digital world, information security has become a priority for all organizations. With this in mind, I’ve written this article highlighting the importance of the spam filter for businesses using Office 365.
An effective spam filter is more than just a tool for blocking unwanted e-mails. It’s an essential first line of defense against cyber threats, protecting organizations from identity theft, phishing attacks and malware.
This article explores how a well-configured spam filter can not only improve your organization’s security, but also increase productivity by reducing the number of unwanted emails your employees have to sort through every day.
I – Why it is important to create and configure an anti-spam policy in Office 365:
The anti-spam policy in Office 365 is very important for several reasons:
Spam protection : A large proportion of incoming e-mails are spam and are immediately blocked by this service.
Protection against identity theft : Messages go through several scans to detect identity theft.
Priority order : The priority order is important if the same recipient is included in more than one policy, as only the first such policy (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient.
Protection against advanced persistent threats (APT) : System administrators implementing Microsoft Office 365 should ensure that it is secure, by adding a spam filtering solution such as SpamTitan.
Optimizing protection : Although Microsoft’s Office 365 anti-spam solution performs well in its default configuration, it contains a number of settings that can be customized to optimize protection.
II – Prerequisites :
Microsoft 365 tenant.
Either the Organization Management role in Exchange Online or the Security Administrator role in Microsoft 365.
Every tenant in Microsoft 365 has three anti-spam policies by default. They are:
Inbound
Outbound
Connection filter
These policies can be edited but not deleted. You can also create custom inbound or outbound policies. In the following section, we will look at how the inbound policy works.
III – Inbound anti-spam policy :
Emails sent to your users in Microsoft 365 are handled by the inbound anti-spam policy. This policy is present by default and cannot be disabled or deleted; however, you can edit it. All the users in your tenant are under the scope of this policy. If you wish to apply a different setting to specific users, you can create a new inbound anti-spam policy.
In this section, we create a new inbound anti-spam policy.
Click + Create policy and choose Inbound from the dropdown list.
The first page of the policy creation wizard is the Name your policy page. Define the following settings:
Name: Add a descriptive and unique name for your policy.
Description: Enter a fitting description (optional).
Click Next to continue.
On the Users, groups, and domains page, add the internal recipients affected by the spam filter policy:
Users: mail users, contacts or mailboxes within your organization
Groups: Microsoft 365 groups, mail-enabled security groups or distribution groups
Domains: recipients in the accepted domains in your company
Note: Add an asterisk (*) in any box to view all available values.
Click Next to continue to the next step.
The third page is Bulk email threshold & spam properties. Configure the following settings:
Bulk email threshold: Set the Bulk Complaint Level (BCL) of messages that can trigger an action for the Bulk spam filtering verdict. The higher the number, the more bulk emails will get through to your inbox and vice versa. You can configure this value the way you see fit; however, Microsoft has the preset settings below:
Increase spam score and Mark as spam: Part of the Advanced Spam Filter (ASF) settings, this option is turned off by default.
Contains specific languages: This is off by default. When you select On from the dropdown, a box appears, and you can add the mailing language that you consider as spam.
From these countries: This is also turned off by default. If you want to set emails as spam from specific countries, simply choose On from the dropdown and add the countries.
Test mode: Also part of the ASF setting, this option is turned off by default.
Note: ASF is a more aggressive method for filtering spam emails. Microsoft recommends keeping the default values Off, as you may get a large number of false positives, which cannot be reported as such with the ASF setting turned on.
Increase spam score settings :
These settings are disabled by default. If you feel that your users are being targeted by these types of attacks, you can enable these conditions.
Emails that match these conditions are marked with an SCL value of 5 or 6.
In my case, I have enabled :
Image links to remote websites
Links to .biz or .info websites
Mark as spam Settings :
In this section, you can enable certain types of conditions to mark emails as spam. This will result in those emails being identified as high confidence spam with an SCL value of 7, 8 and 9. The only exceptions are backscatter and sender ID filtering hard fail. All these are aggressive settings, and you should enable them only if you are certain that such emails need to be blocked.
From these countries (I have blocked China, Russia and Japan because we receive most attacks from these countries)
Test mode
Emails matching any of the conditions set by you in this rule can be handled in different ways. One of these is test mode.
If you want to enable the rule immediately, choose None.
However, if the intention is to test the rule, you can choose to add the default header value to the message headers of these emails.
X-header text: The header value "This message was filtered by the custom spam filter option" is added to the email’s headers. Since this is testing mode, the policy won’t take any action on the email; it only stamps the email’s header with this value.
BCC message: This option sends a copy of matching emails to the recipient specified in the BCC field. Again, no action is taken on the email itself; the option exists only to test the potential effect of your new rule.
After selecting all options select Next.
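To check what test mode actually stamped on a delivered message, the following added example (not part of the original article) parses a raw header block and reports the SCL, the BCL and the test-mode X-header. The header text is constructed sample data; the `X-CustomSpam`, `X-Forefront-Antispam-Report` and `X-Microsoft-Antispam` header names are the ones Exchange Online Protection stamps and do not appear on this page, and `Get-SpamVerdict` is a hypothetical helper name.

```powershell
# Constructed sample headers (not taken from a real message)
$rawHeaders = @'
Received: from mail.sender.example (192.0.2.10) by mx.contoso.example
Subject: Limited offer
X-CustomSpam: This message was filtered by the custom spam filter option
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;LANG:en;SCL:5;SRV:;
 SFV:SPM;PTR:mail.sender.example;CAT:SPM;
X-Microsoft-Antispam: BCL:7;
'@

function Get-SpamVerdict {
    param(
        [Parameter(Mandatory)][string]$Headers,
        [int]$BulkThreshold = 5   # BCL threshold configured in the policy
    )
    # Unfold continuation lines: a line starting with whitespace continues the previous header
    $unfolded = $Headers -replace "\r?\n[ \t]+", ' '

    # Header names are case-insensitive; PowerShell hashtable keys are too
    $fields = @{}
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }

    $scl = $null
    if ($fields['X-Forefront-Antispam-Report'] -match '(?:^|;)\s*SCL:(-?\d+)') { $scl = [int]$Matches[1] }
    $bcl = $null
    if ($fields['X-Microsoft-Antispam'] -match '(?:^|;)\s*BCL:(\d+)') { $bcl = [int]$Matches[1] }

    # SCL bands as described in the article: 5-6 spam, 7-9 high confidence spam
    $verdict = if ($null -eq $scl) { 'Unknown' }
               elseif ($scl -ge 7) { 'High confidence spam' }
               elseif ($scl -ge 5) { 'Spam' }
               else { 'Not spam' }

    [pscustomobject]@{
        SCL               = $scl
        BCL               = $bcl
        Verdict           = $verdict
        # Assumption: the bulk verdict applies when BCL meets or exceeds the threshold
        OverBulkThreshold = ($null -ne $bcl -and $bcl -ge $BulkThreshold)
        AsfTestStamp      = $fields['X-CustomSpam']
    }
}

Get-SpamVerdict -Headers $rawHeaders -BulkThreshold 5
```

Run it against headers copied from messages received during the test period; a populated `AsfTestStamp` shows which messages the ASF setting would have acted on once test mode is switched off.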
Actions :
The Actions page is where you choose what happens to messages based on the spam filtering verdicts they receive. Before configuring the settings here, it is important to understand what each action means:
Move message to Junk Email folder: The email is delivered to the mailbox and then moved to the junk folder.
Add X-header: This adds an X-header to the message before it is delivered to the mailbox. You can choose the name of the X-header field in the Add this X-header text box.
Prepend subject line with text: The email is delivered to the mailbox, then moved to Junk Email, but you can add text to the beginning of the subject line. Enter the text in the Prefix subject line with this text box.
Redirect message to email address: This forwards the email to other recipients instead of the intended user. You can specify the new recipient(s) in the Redirect to this email address box.
Delete message: The email and all its attachments are deleted automatically.
Quarantine message: The message is sent to quarantine. You can choose how long the email should remain there using the Retain spam in quarantine for this many days box. When you select this action, you should also set the quarantine policy in the Select quarantine policy box that appears.
No action: As the name suggests, no action is taken and the message is delivered normally.
Now that you know what each action does, you can configure these settings based on your requirements. Microsoft offers the following preset settings :
In my case, I used “Strict” Configuration as in the table :
Click Next to continue to the next step.
Allow & block list :
In this section, you can add allowed or blocked senders and domains:
Click Next to continue to the next step.
Click Create to finish Antispam Policy Creation.
Here you can see that the new policy is at the top of the list, with the highest priority (0):
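The same policy can be created from Exchange Online PowerShell, which makes the configuration repeatable and reviewable. This is an added example, not the author's script: the policy name, admin account, recipient domain and blocked domain are placeholders, and the action values are assumed to follow Microsoft's Strict recommendations, so check them against the current preset table before use.

```powershell
# Requires the ExchangeOnlineManagement module and one of the roles listed in the prerequisites
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder account

$policyName = 'Inbound Anti-Spam - Strict'                    # placeholder name

$policy = @{
    Name                           = $policyName
    AdminDisplayName               = 'Strict inbound anti-spam policy'   # Description field
    # Bulk email threshold & spam properties
    BulkThreshold                  = 5
    MarkAsSpamBulkMail             = 'On'
    # "Increase spam score" settings enabled in the article
    IncreaseScoreWithImageLinks    = 'On'
    IncreaseScoreWithBizOrInfoUrls = 'On'
    # "From these countries": two-letter ISO 3166-1 codes
    EnableRegionBlockList          = $true
    RegionBlockList                = 'CN', 'RU', 'JP'
    # Test mode: None enforces immediately. AddXHeader or BccMessage only
    # affect ASF settings whose value is 'Test' instead of 'On'.
    TestModeAction                 = 'None'
    # Actions page (assumed Strict values)
    SpamAction                     = 'Quarantine'
    HighConfidenceSpamAction       = 'Quarantine'
    PhishSpamAction                = 'Quarantine'
    HighConfidencePhishAction      = 'Quarantine'
    BulkSpamAction                 = 'Quarantine'
    QuarantineRetentionPeriod      = 30
    # Allow & block list
    BlockedSenderDomains           = 'blocked.example'        # placeholder domain
}
New-HostedContentFilterPolicy @policy

# The rule holds the recipient conditions (Users, groups, and domains page) and the priority
New-HostedContentFilterRule -Name $policyName `
    -HostedContentFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Verify: the new rule should be listed first with priority 0
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Name, State, Priority, HostedContentFilterPolicy
Get-HostedContentFilterPolicy -Identity $policyName |
    Format-List BulkThreshold, *Action, RegionBlockList, IncreaseScoreWith*
```

To trial an ASF setting before enforcing it, set that setting to `'Test'` and `TestModeAction` to `'AddXHeader'`, then switch both back once the false-positive rate is acceptable.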
Conclusion :
In short, the anti-spam policy in Office 365 is essential for protecting users against spam, identity theft, advanced persistent threats and other forms of cyber-attack. It also offers the possibility of optimizing protection according to the specific needs of each user or organization.
Thanks
Aymen EL JAZIRI (Microsoft MVP)
Hi, I’m Aymen El Jaziri , a passionate System Administrator and Microsoft MVP, with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.