Microsoft Support is excited to start a blog series that will demystify how Microsoft 365 email protection works. We are a team of engineers with years of experience supporting Exchange and security, and we are often asked how the protections work, what protections are applied to a particular message, or how organizations should manage disagreements with the filtering verdicts.
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. This blog describes the different threat protections that Microsoft Defender for Office 365 offers and reviews how Exchange Online Protection works to protect your organization against all types of email threats, and then dives into part one, how bulk (grey) email filtering works.
Click here to view additional posts in this series. Would you like us to cover more topics? Let us know in the comments.
Exchange Online Protection
Exchange Online Protection (EOP) is a cloud-based filtering service that helps protect your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.
Microsoft Defender for Office 365
Microsoft Defender for Office 365 helps organizations secure their enterprise with a comprehensive slate of capabilities across prevention, detection, investigation and hunting, response and remediation, awareness and training, and secure posture.
While EOP offers a certain level of protection, Microsoft Defender for Office 365 complements it with an advanced set of features. This is how the entire protection stack looks:
To learn more about what keeps your organization protected from email-based threats see Step-by-step threat protection in Microsoft Defender for Office 365.
Bulk (grey) email filtering
Bulk or grey email typically refers to email campaigns that are sent to many recipients. It is often used in marketing or advertising. Some recipients want it and have subscribed to it, whereas others do not, and consider it to be spam. This makes handling these types of messages tricky.
In this article, you’ll learn how bulk filtering works, the bulk controls in Microsoft 365 Defender Anti-spam policies, and the best practices for sending and receiving bulk messages in Office 365.
Message Headers
Message headers contain valuable information about what happens during email filtering. To analyze headers, see the following resources:
- Anti-spam message headers documentation
- Message Header Analyzer website
- (Free) Message Header Analyzer Outlook add-on
- (Defender for Office 365) Email Entity page
Bulk Complaint Level (BCL)
Every incoming message is evaluated for a Bulk Complaint Level (BCL). The value of the BCL will be between 0 and 9. Higher scores indicate the message is more likely to generate a higher number of complaints.
Spam Confidence Level (SCL)
Every incoming message goes through spam filtering and is assigned a spam score. Like BCL, the Spam Confidence Level (SCL) values are 0-9, with higher scores indicating the message is more likely to be spam, and there’s a special spam score (“-1”) when spam filtering is bypassed due to user or company overrides.
If users are either receiving bulk mail that they do not want to receive, or not receiving bulk mail that they want to receive, the first step is to look at the BCL value in the X-Microsoft-Antispam message header. This value will help you determine whether Microsoft marked the email as bulk, and whether the default bulk settings need a change. The good news is, with filtering policies, you can apply a policy to a limited set of users, groups, or domains.
Microsoft 365 Defender configurations
Microsoft 365 Defender (https://security.microsoft.com) is your one-stop-shop for all things security in Microsoft 365. Here, you can evaluate your organization’s security score, look at email protection reports, and set up alerts and policies for the different protection components of EOP and Microsoft Defender for Office 365. Bulk email threshold is configured in the Anti-spam inbound policy in the Microsoft 365 Defender portal.
Tip: You may want to bookmark the direct link for quick access to this page: https://security.microsoft.com/antispam.
A recommended default setting is provided with the threshold value of “7”, which will only filter out bulk emails that generated a high number of complaints.
To fine-tune the Bulk Email Threshold, track the BCL value in the X-Microsoft-Antispam header on messages. Also track which users are more sensitive to bulk detections. This information will give you an idea of what the bulk slider needs to be set to, and for which users. For example, a BCL value of 5 is recommended in Strict protection policies.
If some users want to receive bulk mail and others do not, create a custom Anti-spam policy for each group. Anti-spam policies can be scoped to include users, groups, and domains, and can also exclude users, groups, and domains.
Tip: Multiple values in the same condition use OR logic (for example, <user1> OR <user2>). Different conditions use AND logic (for example, <user1> AND <member of group 1>).
September 2022 Update: Our public documentation has been updated with additional recommendations on tuning bulk email using threat protection reporting and Advanced Hunting.
Actions
Every filtering policy lets you choose the action that is taken when the policy conditions are met. For bulk, the action applies when the BCL is above the threshold; the available actions are listed in the bulk settings of the Anti-spam inbound policy.
For example, if a company sends marketing emails with poor opt-in or opt-out practices and provides no way to unsubscribe from its mailing list, those campaigns are often unsolicited and receive a BCL of 8 because they are likely to generate a high number of complaints. When the message exceeds the default threshold of 7, the X-Forefront-Antispam-Report header includes the categorization CAT:BULK, and the entire message is marked as spam with a Spam Confidence Level of 9 (SCL:9).
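To make the header check described above (reading BCL from X-Microsoft-Antispam, and SCL and CAT from X-Forefront-Antispam-Report) concrete, here is an added Python example that is not code from this post or from Microsoft: it parses constructed sample headers and compares a message's BCL against a bulk threshold. The sample messages, the helper names, and the choice of an at-or-above comparison are assumptions, so confirm the threshold behaviour against a known message in your own tenant.

```python
from email import message_from_string

# Constructed sample messages (not real traffic). The header layout follows the
# "KEY:VALUE;" style used by X-Microsoft-Antispam and X-Forefront-Antispam-Report.
BULK_MARKETING = """\
Subject: Weekly deals
X-Microsoft-Antispam: BCL:8;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;CAT:BULK;DIR:INB;

body
"""

OPTED_IN_NEWSLETTER = """\
Subject: Monthly newsletter
X-Microsoft-Antispam: BCL:4;
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;CAT:NONE;DIR:INB;

body
"""


def parse_fields(header_value):
    """Split a 'KEY:VALUE;KEY:VALUE;' header into a dict of string values."""
    fields = {}
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = value.strip()
    return fields


def antispam_summary(raw_message):
    """Return the BCL, SCL and CAT stamped on a message (None where missing)."""
    msg = message_from_string(raw_message)
    ms = parse_fields(msg.get("X-Microsoft-Antispam", ""))
    ff = parse_fields(msg.get("X-Forefront-Antispam-Report", ""))
    bcl, scl = ms.get("BCL", ""), ff.get("SCL", "")
    return {
        "bcl": int(bcl) if bcl.isdigit() else None,
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,  # SCL may be -1
        "cat": ff.get("CAT"),
    }


def would_be_filtered_as_bulk(raw_message, bulk_threshold=7):
    """True when the message's BCL meets the policy's Bulk email threshold.
    Assumption: the comparison is 'at or above' (>=), as the BulkThreshold
    parameter of Set-HostedContentFilterPolicy is documented; the post above
    says 'above', so verify against a known message in your tenant."""
    bcl = antispam_summary(raw_message)["bcl"]
    return bcl is not None and bcl >= bulk_threshold
```

Run antispam_summary over headers copied from a real message (the Message Header Analyzer resources above show how to obtain them) to see which BCL values your users are actually receiving before moving the threshold.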
Send bulk messages to Office 365
If you often conduct bulk email campaigns to Microsoft 365 users and want to ensure that your emails arrive in a safe and timely manner, follow the best practices in bulk emailing. Make sure to clearly indicate who’s sending the message, include an unsubscribe option, use double opt-in for message registration, ensure content is transparent and traceable, and remove invalid addresses from your databases.
Send bulk messages from Office 365
Microsoft does not recommend sending bulk messages from Office 365, as organizations are often blocked for exceeding the allowed limit (see Exchange Online limits). Instead, send bulk email through on-premises email servers or use a third-party bulk email provider, which normally has a vested interest in working with customers to ensure good email sending practices. To learn more about outbound spam controls, see Outbound spam protection in EOP.
Unsubscribe from bulk messages
Many times, users who have subscribed to bulk mail no longer want to receive these messages. In these situations, users can check for an Unsubscribe option in the bulk email message. Senders usually include a link to unsubscribe at the bottom of the message.
Important resources
What's the difference between junk email and bulk email? - Office 365 | Microsoft Docs
Bulk complaint level values - Office 365 | Microsoft Docs
Spam confidence level - Office 365 | Microsoft Docs
Outbound spam protection - Office 365 | Microsoft Docs
Exchange Online limits - Service Descriptions | Microsoft Docs
Troubleshooting mail sent to Microsoft 365 - Office 365 | Microsoft Docs
Anti-spam message headers documentation
Message Header Analyzer website
(Free) Message Header Analyzer Outlook add-on
(Defender for Office 365) Email Entity page
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.