
Configure the connection filter policy

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-09-17

Most of us have friends and business partners we trust. It can be frustrating to find email from them in your junk email folder, or even blocked entirely by a spam filter. If you want to make sure that email sent from people you trust isn’t blocked, you can use the connection filter policy to create an Allow list (or “safe sender list”) of IP addresses that you trust. You can also create a blocked senders list, which is a list of IP addresses, typically from known spammers, that you don’t ever want to receive email messages from.

The following video shows the configuration steps for the connection filter policy:


You create an IP Allow list or IP Block list by editing the connection filter policy in the Exchange admin center (EAC). The connection filter policy settings are applied to inbound messages only.

  1. In the Exchange admin center (EAC), navigate to Protection > Connection filter, and then double-click the default policy.

  2. Click the Connection filtering menu item and then create the lists you want: an IP Allow list, an IP Block list, or both.

    To create these lists, click Add (the Add icon). In the subsequent dialog box, specify the IP address or address range, and then click ok. Repeat this process to add additional addresses. (You can also edit or remove IP addresses after they have been added.)

    Note:
    • If you add an IP address to both lists, email sent from it is allowed.

    • IPv4 addresses must be specified in the format nnn.nnn.nnn.nnn where nnn is a number from 0 to 255. You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr where rr is a number from 24 to 32. To specify ranges outside of the 24 to 32 range, see Additional considerations when configuring IP Allow lists.

    • You can specify a maximum of 1273 entries, where an entry is either a single IP address or a CIDR range of IP addresses from /24 to /32.

    • If you’re sending TLS-encrypted messages, IPv6 addresses and address ranges are supported.

  3. Optionally, select the Enable safe list check box to prevent missing email from certain well-known senders. How? Microsoft subscribes to third-party sources of trusted senders. Using this safe list means that these trusted senders aren’t mistakenly marked as spam. We recommend selecting this option because it should reduce the number of false positives (good mail that’s classified as spam) you receive.

  4. Click save. A summary of your default policy settings appears in the right pane.
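The entry rules in the notes above can be checked before anything is typed into the EAC. The following PowerShell sketch is an added example, not part of the original topic: the function name `Get-EntryClass` and all sample addresses are constructed for illustration, and the commented-out `Set-HostedConnectionFilterPolicy` call assumes a connected Exchange Online Protection PowerShell session.

```powershell
# Added example: classify planned entries against the limits in the notes above.
# All addresses are constructed sample values.
$MaxEntries  = 1273                              # per-list maximum stated on this page
$octet       = '(25[0-5]|2[0-4]\d|1?\d?\d)'      # one IPv4 octet, 0-255
$Ipv4Pattern = "^($octet\.){3}$octet`$"

function Get-EntryClass {
    param([string]$Entry)
    $addr, $prefix = $Entry.Trim() -split '/', 2
    if ($addr -notmatch $Ipv4Pattern)  { return 'Invalid' }
    if ($null -eq $prefix)             { return 'ConnectionFilter' }   # single address
    if ($prefix -notmatch '^\d{1,2}$') { return 'Invalid' }
    $bits = [int]$prefix
    if ($bits -ge 24 -and $bits -le 32) { return 'ConnectionFilter' }  # accepted by the policy
    if ($bits -ge 1  -and $bits -le 23) { return 'TransportRule' }     # needs a Transport rule
    return 'Invalid'                                                   # /0 or above /32
}

$allow = '192.0.2.10', '198.51.100.0/24', '198.18.0.0/15', '192.0.2.300'
$block = '192.0.2.10', '203.0.113.77/32'

$report = foreach ($name in 'Allow', 'Block') {
    $entries = if ($name -eq 'Allow') { $allow } else { $block }
    foreach ($e in $entries) {
        [pscustomobject]@{ List = $name; Entry = $e; Class = (Get-EntryClass $e) }
    }
}
$report | Format-Table -AutoSize

$okAllow = @($report | Where-Object { $_.List -eq 'Allow' -and $_.Class -eq 'ConnectionFilter' } |
             ForEach-Object { $_.Entry })
$okBlock = @($report | Where-Object { $_.List -eq 'Block' -and $_.Class -eq 'ConnectionFilter' } |
             ForEach-Object { $_.Entry })

# Exact-string overlap only: per the note above, an address on both lists is allowed.
$onBoth = @($okAllow | Where-Object { $okBlock -contains $_ })
if ($onBoth.Count -gt 0) {
    Write-Warning "On both lists (mail will be allowed): $($onBoth -join ', ')"
}
if ($okAllow.Count -gt $MaxEntries -or $okBlock.Count -gt $MaxEntries) {
    Write-Warning "A list exceeds the ${MaxEntries}-entry limit."
}

# In a connected Exchange Online / EOP PowerShell session:
# Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $okAllow -IPBlockList $okBlock -EnableSafeList $true
```

Entries reported as `TransportRule` are the /1 to /23 ranges that the connection filter policy does not accept directly.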

The following are additional considerations that you should be aware of when configuring an IP Allow list.

To specify a CIDR IP address range from /1 to /23, you must create a Transport rule that operates on the IP address range and sets the spam confidence level (SCL) to Bypass spam filtering (meaning that all messages received from within this IP address range are set to “not spam” and no additional filtering is performed by the service). However, if any of these IP addresses appear on any of Microsoft’s proprietary block lists or on any of our third-party block lists, these messages will still be blocked. It is therefore strongly recommended that you use the /32 to /24 IP address range.

To create this Transport rule, perform the following steps.

  1. In the EAC, navigate to Mail flow > Rules.

  2. Click Add (the Add icon) and then select Create a new rule.

  3. Give the rule a name and then click More options.

  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.

  5. In the specify IP addresses box, specify the IP address range, click Add (the Add icon), and then click ok.

  6. Under Do the following, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select Bypass spam filtering, and click ok.

  7. If you’d like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.

  8. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering is bypassed for the IP address range you specified.

In general, we recommend that you add the IP addresses (or IP address ranges) for all your domains that you consider safe to the IP Allow list. However, if you don’t want your IP Allow List entry to apply to all your domains, you can create a Transport rule that excepts specific domains.

For example, let’s say you have three domains: ContosoA.com, ContosoB.com, and ContosoC.com, and you want to add the IP address (for simplicity’s sake, let’s use 1.2.3.4) and skip filtering only for domain ContosoB.com. You would create an IP Allow list for 1.2.3.4, which sets the spam confidence level (SCL) to -1 (meaning it is classified as non-spam) for all domains. You can then create a Transport rule that sets the SCL for all domains except ContosoB.com to 0. This results in the message being rescanned for all domains associated with the IP address except for ContosoB.com, which is the domain listed as the exception in the rule. ContosoB.com still has an SCL of -1, which means skip filtering, whereas ContosoA.com and ContosoC.com have SCLs of 0, meaning they will be rescanned by the content filter.

To do this, perform the following steps:

  1. In the EAC, navigate to Mail flow > Rules.

  2. Click Add (the Add icon) and then select Create a new rule.

  3. Give the rule a name and then click More options.

  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.

  5. In the specify IP addresses box, specify the IP address or IP address range you entered in the IP Allow list, click Add (the Add icon), and then click ok.

  6. Under Do the following, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select 0, and click ok.

  7. Click add exception, and under Except if, select The sender and choose domain is.

  8. In the specify domain box, enter the domain for which you want to bypass spam filtering, such as contosob.com. Click Add (the Add icon) to move it to the list of phrases. Repeat this step if you want to add additional domains as exceptions, and click ok when you are finished.

  9. If you’d like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.

  10. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering for the IP address or IP address range you specified is bypassed only for the domain exception you entered.
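Both Transport rule procedures on this page (the bypass rule for a /1 to /23 range, and the SCL 0 rule with a domain exception) can also be scripted. The following PowerShell is an added example, not part of the original topic: the rule names and the 198.18.0.0/15 range are constructed, 1.2.3.4 and contosob.com are the page's own sample values, and the commands assume a connected Exchange Online PowerShell session.

```powershell
# Added example: scripted equivalents of the two Transport rule procedures above.
# Rule names and the /15 range are constructed sample values.

# Procedure 1: bypass spam filtering for a range wider than /24.
# "Bypass spam filtering" in the EAC corresponds to SCL -1.
$bypassRule = @{
    Name           = 'Bypass spam filtering - sample range'
    SenderIpRanges = '198.18.0.0/15'
    SetSCL         = -1
    Mode           = 'Audit'        # test first, as the procedure recommends
}
New-TransportRule @bypassRule

# Procedure 2: 1.2.3.4 is on the IP Allow list (SCL -1 for every domain).
# Reset SCL to 0 so the content filter rescans the message, except when the
# sender domain is the one that should keep the bypass.
$rescanRule = @{
    Name                   = 'Rescan mail from 1.2.3.4 except contosob.com'
    SenderIpRanges         = '1.2.3.4'
    SetSCL                 = 0
    ExceptIfSenderDomainIs = 'contosob.com'
    Mode                   = 'Audit'
}
New-TransportRule @rescanRule

# Review what was created and the mode each rule is in.
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize

# After the test period, switch each rule to enforcement.
Set-TransportRule -Identity $bypassRule.Name -Mode Enforce
Set-TransportRule -Identity $rescanRule.Name -Mode Enforce
```

While a rule is in Audit mode its SCL action is not applied, so the Allow list entry for 1.2.3.4 continues to bypass filtering for all domains until the second rule is enforced.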

 