Learn how to configure Microsoft 365 Defender to avoid false positives in spam filtering and prevent internal emails from being marked as junk.
Microsoft 365 Defender is a comprehensive security solution that protects your organization from cyber threats. One of its features is spam and phishing protection, which analyzes incoming emails and assigns each one a spam confidence level (SCL). Emails with a high SCL are moved to the junk email folder or quarantined, depending on your settings.
Problem
Sometimes legitimate emails from your internal domain or trusted senders are incorrectly classified as spam by Microsoft 365 Defender. This can cause inconvenience and confusion for your users, who may miss important messages or receive false alerts. In this article, we will show you how to prevent internal emails from being marked as junk in Microsoft 365 Defender, by using the following methods:
- Configuring the spam filter policy
- Creating a safe sender list
- Reporting false positives
Solution 1: Configuring the Spam Filter Policy
The spam filter policy is a set of rules that determines how Microsoft 365 Defender handles spam emails. You can customize the spam filter policy to suit your organization’s needs and preferences. To configure the spam filter policy, follow these steps:
- Sign in to the Microsoft 365 Defender portal.
- In the navigation pane, select Email & collaboration > Policies & rules > Threat policies > Policy > Anti-spam.
- Select the default policy or create a new one, and then click Edit policy.
- In the Spam and bulk actions section, you can adjust the SCL threshold for different actions, such as move to junk, quarantine, or delete. For example, you can lower the SCL threshold for moving emails to junk, so that only emails with a very high SCL are marked as junk.
- In the Advanced settings section, you can enable or disable various options, such as:
  - Mark as spam bulk email: This option marks emails that are sent to a large number of recipients as spam, unless they are from a safe sender or domain.
  - Mark as spam email with an empty subject or body: This option marks emails that have no subject or body as spam, unless they are from a safe sender or domain.
  - Mark as spam email with a spoofed display name: This option marks emails that have a display name that does not match the sender’s email address as spam, unless they are from a safe sender or domain.
  - Mark as spam email with authentication failures: This option marks emails that fail sender authentication checks, such as SPF, DKIM, or DMARC, as spam, unless they are from a safe sender or domain.
- Click Save to apply the changes.
Solution 2: Creating a Safe Sender List
A safe sender list is a list of email addresses or domains that you trust and want to receive emails from. Emails from safe senders are not marked as spam by Microsoft 365 Defender, regardless of their SCL. To create a safe sender list, follow these steps:
- Sign in to the Microsoft 365 Defender portal.
- In the navigation pane, select Email & collaboration > Policies & rules > Threat policies > Policy > Anti-spam.
- Select the default policy or create a new one, and then click Edit policy.
- In the Allow lists section, click Add to add a new entry to the list.
- Enter the email address or domain that you want to add to the safe sender list, and then click Add. You can add up to 1,024 entries to the list.
- Click Save to apply the changes.
Solution 3: Reporting False Positives
If you or your users receive an email that is incorrectly marked as junk by Microsoft 365 Defender, you can report it as a false positive to Microsoft. This will help Microsoft improve the accuracy of the spam filtering and reduce the chances of future false positives. To report a false positive, follow these steps:
- Open the email that was marked as junk by Microsoft 365 Defender.
- Click on the Report Message button in the Outlook ribbon, or the Report as not junk link in the Outlook web app.
- Select Not junk from the drop-down menu, and then click Report.
- The email will be moved to your inbox, and a copy of the email will be sent to Microsoft for analysis.
Frequently Asked Questions (FAQs)
Question: How can I view the SCL of an email?
Answer: You can view the SCL of an email by looking at the message header. The SCL is indicated by the X-Forefront-Antispam-Report header, which has a value of SFV:SPM for spam emails, and SFV:NSPM for non-spam emails. The SCL is also indicated by the X-Microsoft-Antispam header, which has a value of BCL:x, where x is a number from 0 to 9, representing the SCL.
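Reading these headers for a message that landed in junk, as an added example rather than code from the original article: it pulls the SFV and SCL fields from X-Forefront-Antispam-Report, the BCL field from X-Microsoft-Antispam, and the SPF, DKIM and DMARC results from the Authentication-Results header. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not a real message): mail claiming an internal sender
# that failed SPF and DMARC and was filtered as spam.
SAMPLE = """\
From: Payroll <payroll@contoso.example>
To: alice@contoso.example
Subject: Timesheet reminder
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=contoso.example
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.contoso.example;PTR:;CAT:SPM;DIR:INC;
X-Microsoft-Antispam: BCL:0;

Please submit your timesheet.
"""

def parse_fields(value):
    """Split a 'KEY:value;KEY:value;' header value into a dict."""
    fields = {}
    for part in str(value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key] = val.strip()
    return fields

def to_int(text):
    """Return the field as an int, or None when it is absent or malformed."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None

def spam_verdict(raw_message):
    """Summarise the anti-spam and sender-authentication results of a message."""
    msg = message_from_string(raw_message, policy=default)
    report = parse_fields(msg["X-Forefront-Antispam-Report"])
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg["Authentication-Results"] or "")))
    return {
        "sfv": report.get("SFV"),  # SPM = spam, NSPM = not spam
        "scl": to_int(report.get("SCL")),
        "bcl": to_int(parse_fields(msg["X-Microsoft-Antispam"]).get("BCL")),
        "auth": auth,
        "failed_auth": [m for m in ("spf", "dkim", "dmarc")
                        if auth.get(m) in ("fail", "softfail", "permerror")],
        "filtered_as_spam": report.get("SFV") == "SPM",
    }
```

A message that shows SFV:SPM together with failed SPF or DMARC points at sender authentication for the sending system, which is what the "authentication failures" option in Solution 1 acts on.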
Question: How can I prevent external emails from being marked as junk in Microsoft 365 Defender?
Answer: You can prevent external emails from being marked as junk in Microsoft 365 Defender by using the same methods as for internal emails, such as configuring the spam filter policy, creating a safe sender list, or reporting false positives. However, you should be careful when adding external senders or domains to the safe sender list, as this may expose you to phishing or malware attacks from malicious senders.
Question: How can I check if an email is quarantined by Microsoft 365 Defender?
Answer: You can check if an email is quarantined by Microsoft 365 Defender by using the quarantine portal. You can also receive quarantine notifications by email, if you enable this option in the spam filter policy.
Summary
In this article, we have shown you how to prevent internal emails from being marked as junk in Microsoft 365 Defender, by using the following methods:
- Configuring the spam filter policy
- Creating a safe sender list
- Reporting false positives
By using these methods, you can avoid false positives in spam filtering and ensure that you and your users receive important messages from your internal domain or trusted senders.