Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, anti-spam policies (also known as spam filter policies or content filter policies) scan inbound messages for spam. For more information, see Configure anti-spam policies in EOP.

You can use mail flow rules (also known as transport rules) to affect spam filtering by setting the spam confidence level (SCL) on messages. For example:

  • Identify messages that should be marked as spam or high confidence spam before they're even scanned by spam filtering.
  • Identify messages that should skip spam filtering.

For more information about the SCL, see Spam confidence level (SCL) in EOP.

What do you need to know before you begin?

Use the EAC to create a mail flow rule that sets the SCL of a message

  1. In the EAC at https://admin.exchange.microsoft.com, go to Mail flow > Rules. Or, to go directly to the Rules page, use https://admin.exchange.microsoft.com/#/transportrules.

  2. On the Rules page, select Add a rule Add icon. > Create a new rule.

  3. The new rule wizard opens. On the Set rule conditions page, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule.
    • Apply this rule if: Select one or more conditions to identify messages. For more information, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
    • Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL flyout that opens, select one of the following values:
      • Bypass spam filtering: Messages that meet the conditions of the rule skip spam filtering. Other Microsoft 365 email protection features aren't affected (for example, messages are always scanned for malware by EOP).

        Remember, creating transport rule to bypass spam filtering won't bypass High Confidence Phish emails (HPHISH) and messages with Malware. You can use the Tenant Allow Block List (TABL) to temporarily override a HPHISH verdict in false positive scenarios when an email was classified as High Confidence Phish (HPHISH) by one of our machine learning models. To do so, you must do an admin submission. If the MX record for the recipient domain doesn't point to Microsoft 365 (mail is routed through a third-party service or device first), a rule with Bypass spam filtering allows messages detected as High Confidence Phish by Microsoft 365 anti-spam filtering to be delivered to the Inbox.

        Important

        Don't use mail flow rules to bypass spam filtering for SecOps mailboxes or phishing simulation messages. Instead, use the advanced delivery policy. For more information, see Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.

        Be very careful about allowing messages to skip spam filtering. The mail flow rule should use more conditions than just the sender's email address or domain. For more information, see Create safe sender lists in EOP.

      • 0 to 4: The message is sent through spam filtering for more processing.

      • 5 or 6: The message is marked as Spam. The action that's configured for the Spam verdict in the anti-spam policy that detected the message determines what happens to the message (move to the Junk Email folder or quarantine).

      • 7 to 9: The message is marked as High confidence spam. The action that's configured for the High confidence spam verdict in the anti-spam policy that detected the message determines what happens to the message (move to the Junk Email folder or quarantine).

    • Except if: Configure any exceptions to the rule as required.

    When you're finished on the Select rule conditions page, select Next.

    • 0 to 4: The message is sent through spam filtering for more processing.

    • 5 or 6: The message is marked as Spam. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).

    • 7 to 9: The message is marked as High confidence spam. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).

  4. Specify any other properties that you want for the rule. When you're finished, select Save.

How do you know this worked?

To verify that you've correctly set the SCL in messages, send an email message to someone inside your organization, and verify that the action performed on the message is as expected. For example, if set the spam confidence level (SCL) is set to Bypass spam filtering, then the message should be sent to the specified recipient's Inbox. However, if set the spam confidence level (SCL) is set to 9, and the High confidence spam action for your applicable anti-spam policies is to move the message to the Junk Email folder, then the message should be sent to the specified recipient's Junk Email folder.