Recipient filtering procedures on Edge Transport servers
Article
Recipient filtering is provided by the Recipient Filter agent. When recipient filtering is enabled on an Exchange server, it filters inbound messages that come from the Internet but aren't authenticated. These messages are handled as external messages. For more information about recipient filtering and the Recipient Filter agent, see Recipient filtering on Edge Transport servers.
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected. If you install the antispam agents on a Mailbox server, the Recipient Filter agent is enabled by default. However, it isn't configured to block any recipients. For more information, see Enable antispam functionality on Mailbox servers.
What do you need to know before you begin?
Estimated time to complete each procedure: less than 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't configured to block any recipients. For more information, see Enable antispam functionality on Mailbox servers.
The AddressBookEnabled parameter on the Set-AcceptedDomain cmdlet enables or disables recipient filtering for recipients in an accepted domain. By default, recipient filtering is enabled for authoritative domains, and disabled for internal relay domains and external relay domains. To view the status of the AddressBookEnabled parameter for the accepted domains in your organization, run the command: Get-AcceptedDomain | Format-List Name,AddressBookEnabled.
Use the Exchange Management Shell to enable or disable recipient filtering
To disable recipient filtering, run the following command:
Set-RecipientFilterConfig -Enabled $false
To enable recipient filtering, run the following command:
Set-RecipientFilterConfig -Enabled $true
Note
When you disable recipient filtering, the underlying Recipient Filter agent is still enabled. To disable the Recipient Filter agent, run the command: Disable-TransportAgent "Recipient Filter Agent".
How do you know this worked?
To verify that you've successfully enabled or disabled recipient filtering, run the following command to verify the Enabled property value:
Get-RecipientFilterConfig | Format-List Enabled
Use the Exchange Management Shell to enable or disable recipient filtering for external connections
By default, recipient filtering is enabled for external (unauthenticated) SMTP connections.
To disable recipient filtering for external connections, run the following command:
To verify that you've successfully enabled or disabled recipient filtering for external SMTP connections, run the following command to verify the ExternalMailEnabled property value:
Use the Exchange Management Shell to enable or disable recipient filtering for internal connections
As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. To reduce the chance that filters will mishandle legitimate email messages, you typically configure antispam agents to only run on messages from external sources.
To enable recipient filtering for internal (authenticated) SMTP connections, run the following command:
To verify that you've successfully enabled or disabled recipient filtering for internal SMTP connections, run the following command to verify the InternalMailEnabled property value:
To verify that you've successfully enabled or disabled the Recipient Block list, run the following command to verify the BlockListEnabled property value:
This example adds chris@contoso.com to the list of recipients, and removes michelle@contoso.com from the list of recipients in the Recipient Block list:
Note: Recipient Lookup on an Edge Transport server requires an Edge subscription. For more information, see Edge Subscriptions.
How do you know this worked?
To verify that you've successfully enabled or disabled Recipient Lookup, run the following command to verify the RecipientValidationEnabled property value:
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.