Exchange Anti-Spam Filtering Recommendations
We have compiled some recommendations for configuring anti-spam protection in Exchange Server, based on our real-world experience. While recommendations are provided throughout the documentation, this page summarizes the most critical points. It is especially relevant if you are configuring a new environment or do not currently have any anti-spam filtering in place.
Improving the Effectiveness of Anti-Spam Filtering
The most basic steps in configuring anti-spam filtering in Exchange are:
Implement IP Block List Providers (Connection Filter)
In most environments, the filter with the most impact, especially if an anti-spam configuration is not already in place, is one or more IP-based DNS Block Lists (DNSBLs), which are referred to as IP Block List Providers in Exchange. IP Block List Providers can be configured in the Connection Filter section. IP Block List Providers are the primary tool used by many hardware anti-spam appliances.
Choose Appropriate IP Block List Providers (Connection Filter)
You will need to select which IP Block List Providers to implement. Spamhaus is almost universally accepted and should be enabled in virtually every Exchange environment. The next service we would recommend after Spamhaus is SpamCop. Other DNSBLs are useful, but you need to be aware of their listing policies to avoid an excessive number of false positives.
Enable Sender Reputation
Sender reputation is very safe for nearly all environments. Open Proxy Detection should be enabled.
Enable Sender ID Validation
Sender ID Validation should be set to at least Stamp Status so that SPF validation failures can be monitored. You can decide if other actions are appropriate for SPF failures after monitoring the statuses which are appended to headers of incoming messages. Transport rules can be used to only reject SPF failures from some higher-risk senders, if desired.
Enable the URL Filter
The URL filter is effective provided that appropriate URI-based DNSBLs are used. The Spamhaus DBL is quite safe and effective and we recommend using it.
Enable Recipient Filter (with Edge Transport servers)
If you have Edge Transport servers, the Recipient Filter should be enabled and Recipient Validation should be enabled.
Turn on Anti-Spam in user mailboxes
Mailbox-level settings are useful as unwanted messages which do arrive will at least be filtered to the Junk Email folder. The Organization-wide SCL Junk Threshold should be configured in the General section. Anti-spam still needs to be enabled at the mailbox level for this setting to take effect (although it is enabled by default). If Transport Rules are being used to set SCL values, SCL Junk Enabled may need to be set at the mailbox level to move messages to the Junk Email folder. Caution should be used with these settings in non-user mailboxes (such as room, shared, administrator and system mailboxes).
Ensure that Configuration is Valid and Enabled
In addition to enabling the respective filters for External Mail, several sections of the anti-spam filters need to be enabled separately to take effect:
- Internal SMTP Servers must be configured correctly, as otherwise the settings which enable filters for internal or external mail will not work correctly.
- Sender Blocking needs to be enabled in Sender Reputation (Sender Filter) for all checks to actually reject mail, apart from Open Proxy Detection.
- SCL Actions need to be enabled in Content Filter to perform any actions apart from stamping the SCL value in the message header (except Blocked Phrases).
- Recipient Filter requires the Block List to be enabled for Blocked Recipients to take effect.
- Inspecting the mailbox-level settings is recommended (if practical in your environment) in case individual users have defined conflicting settings
- Anti-Spam Bypass on a mailbox will cause virtually all organization- and server-level anti-spam policies to be bypassed for messages sent to this mailbox. This setting is configurable only by Exchange administrators (it is not configurable in Outlook or Outlook Web App).
- Allow Lists should be specifically checked for entries which were added in error, or are too broad.
- Correct DNS Configuration is necessary for many IP Block List Providers and URL Block List Providers to work correctly.
Once the above basic setup has been completed, further configuration can be considered:
Enable Sender Score Filtering
The Sender Score filter is highly effective but care is required in tuning the Minimum Sender Score appropriately. Start with a value of 60 or lower and monitor the scores of incoming messages before adjusting it to a higher value.
Add Additional IP Block List Providers and URL Block List Providers
Other IP Block List Providers and URL Block List Providers we recommend considering are summarized on the respective configuration pages, IP Allow & Block List Providers and URL Block List Providers.
Tuning Mailbox-Level Parameters
Setting a slightly higher SCL Junk Threshold is appropriate for users who receive a higher volume of mail.
Recommendations for Minimizing False-Positives
Achieving the optimum settings for your environment, where filtering is highly effective but false positives are minimized, will require monitoring of incoming mail once safe anti-spam measures are in place. The anti-spam settings provide a lot of scope for fine-tuning, which will be necessary when using some types of filters.
Care is advised in configuring the anti-spam filters, as many rejected messages will not be re-sent. They could be legitimate bulk emails (such as important system-generated notifications) or come from senders who don't understand or even read the non-delivery report (NDR). In some cases, an NDR will not even be received by the sender.
Take the time to understand filters and their implications
Do not just enable every single filter. Some settings may not be appropriate for your environment, and some IP-based DNSBL or URI-based DNSBL services will result in an unacceptable number of false positives.
Test the anti-spam configuration
Many aspects of the anti-spam configuration can be tested manually or by using third-party services. See the separate FAQ page for details and recommendations.
Use caution with Sender ID Validation
Rejecting mail based on SPF validation failures will result in false positives, as some senders still don't implement SPF correctly. Whether they are so few that this is acceptable in your environment, or can be managed by adding a few exclusions, can only be determined by analyzing SPF failures with Stamp Status enabled. We recommend filtering SPF failures to Junk (using a Transport Rule to set the SCL, as the Sender Validation filter itself doesn't provide this capability), but not outright blocking of SPF failures. Reject and Delete actions for Temp Error failures are never recommended.
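The analysis of stamped statuses described above can be scripted. The following is an added example, not part of the toolkit or the original page. It assumes the stamped status appears in a Received-SPF header whose comment names the sender address; the sample messages and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string

# First e-mail address inside the header comment gives the checked domain.
ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def _msg(status, comment):
    """Build a constructed sample message carrying a stamped SPF status."""
    return (f"Received-SPF: {status} (mx.example.net: {comment})\n"
            "Subject: sample\n\nbody\n")

# Constructed samples, not real traffic.
SAMPLES = [
    _msg("Pass", "domain of a@good.example designates 192.0.2.10 as permitted sender"),
    _msg("Fail", "domain of n@news.example does not designate 198.51.100.5 as permitted sender"),
    _msg("Fail", "domain of n@news.example does not designate 198.51.100.6 as permitted sender"),
    _msg("Pass", "domain of n@news.example designates 198.51.100.9 as permitted sender"),
    _msg("TempError", "error in processing during lookup of s@slow.example: DNS timeout"),
    "Subject: no stamp\n\nbody\n",
]

def parse_spf(raw):
    """Return (status, domain) from the stamped header, or None if absent."""
    value = message_from_string(raw).get("Received-SPF")
    if not value:
        return None
    status = value.split(None, 1)[0].lower()
    match = ADDR_DOMAIN.search(value)
    return status, (match.group(1).lower() if match else "(unknown)")

def tally(raws):
    """Count stamped statuses per sender domain."""
    table = defaultdict(Counter)
    for parsed in filter(None, map(parse_spf, raws)):
        table[parsed[1]][parsed[0]] += 1
    return table

def exclusion_candidates(table, min_msgs=2):
    """Domains that fail SPF yet send regularly: review before rejecting."""
    rows = []
    for domain, counts in table.items():
        failed = counts["fail"] + counts["softfail"]
        total = sum(counts.values())
        if failed and total >= min_msgs:
            rows.append((domain, failed, total))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    print(exclusion_candidates(tally(SAMPLES)))
```

Temp Error results are tallied but never counted as failures, so a DNS outage on the sender's side does not push a domain onto the review list.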
Use extreme caution with the Content Filter
As SmartScreen definitions for the Content Filter are no longer updated, its usefulness is limited. We advise against using the Reject and Delete actions due to the high number of false-positives. Setting the SCL actions to low numbers is unlikely to provide an effective filtering strategy in the absence of other filters. The Content Filter can still be useful for filtering mail to junk and the Blocked Phrases list is useful in some scenarios. When other filters are configured appropriately, very little spam should reach the Content Filter in the first place.
Configure IP Block List Provider Return Codes
Return codes must be configured for all IP Block List Providers. Using Any Match is extremely dangerous and can result in all mail being blocked. We have provided example configurations to assist you in configuring the return codes for many popular IP Block List Providers.
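Why Any Match is dangerous, shown as an added example that is not part of the toolkit or the original page. It assumes a subset of the return codes Spamhaus publishes for its ZEN zone, including the 127.255.255.x codes that signal a query problem rather than a listing; verify the codes against the provider's current documentation. The resolver answers are constructed and no DNS queries are sent.

```python
import ipaddress

ZONE = "zen.spamhaus.org"
# Assumption: subset of Spamhaus's published ZEN return codes.
LISTED = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
          "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
# Assumption: codes the provider returns for query errors, not listings.
ERRORS = {"127.255.255.252": "typing error in DNSBL name",
          "127.255.255.254": "query came via a public/open resolver",
          "127.255.255.255": "excessive number of queries"}

def query_name(client_ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets plus the zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError if malformed
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def any_match(answers):
    """Any Match behaviour: every returned A record counts as a listing."""
    return len(answers) > 0

def code_match(answers, listed=LISTED):
    """Explicit return codes: only known listing codes trigger a block."""
    return any(a in listed for a in answers)

def evaluate(client_ip, answers):
    """Compare both matching modes for one connecting IP."""
    return {
        "query": query_name(client_ip),
        "any_match_blocks": any_match(answers),
        "code_match_blocks": code_match(answers),
        "provider_errors": [ERRORS[a] for a in answers if a in ERRORS],
    }

# Constructed resolver answers for three connecting IPs.
SAMPLES = {
    "192.0.2.25": ["127.0.0.4"],         # listed sender
    "198.51.100.7": [],                  # NXDOMAIN: not listed
    "203.0.113.9": ["127.255.255.254"],  # clean sender, broken DNS path
}

if __name__ == "__main__":
    for ip, answers in SAMPLES.items():
        print(ip, evaluate(ip, answers))
```

The third sample is the failure mode: when the server's DNS path is misconfigured, every lookup returns an error code, and Any Match treats each one as a listing.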
Use IP Allow List Providers
Adding reputable IP Allow List Providers can be useful in minimizing false positives. IP Allow List Providers are recommended when adding additional IP Block List Providers who have more aggressive listing policies.
Review log files
Details of messages rejected by anti-spam filters will be recorded in Exchange logs. Separate logs are created by the URL Filter and Sender Score Filter. Using the logs may be necessary to determine why a message was processed in a particular way, particularly if you use a lot of Transport Rules.
Use the Search tool & check mailbox-level settings
If investigating possible issues with false positives, use the Search tool in QSS Exchange Anti-Spam Toolkit, which will search mailbox-level settings, as well as server- and organization-wide settings. Mailbox-level settings should be carefully checked in the event of user complaints about legitimate messages being filtered to junk, as incorrect user-level anti-spam settings are common.