Content filtering evaluates incoming messages to determine if a message is legitimate or spam. For more information about content filtering and the Content Filter agent, see Content filtering.
You can configure many aspects of content filtering. For example:
Enable or disable content filtering on messages from internal (authenticated) and external (unauthenticated) sources (it's enabled by default for incoming messages from external sources).
Configure exceptions to content filtering for specific senders, recipients, and source domains.
Configure allowed phrases and blocked phrases to look for in messages.
Configure the spam confidence level (SCL) thresholds that tell what content filtering should do to messages (delete, reject, or quarantine)
What do you need to know before you begin?
Estimated time to complete each procedure: less than 5 minutes
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam feature" entry in the Antispam and antimalware permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.
Use the Exchange Management Shell to enable or disable content filtering
To disable content filtering, run the following command:
Set-ContentFilterConfig -Enabled $false
To enable content filtering, run the following command:
Set-ContentFilterConfig -Enabled $true
Note
When you disable content filtering, the underlying Content Filter agent is still enabled. To disable the Content Filter agent, run the command: Disable-TransportAgent "Content Filter Agent".
How do you know this worked?
To verify that you have successfully enabled or disabled content filtering, run the following command to verify the Enabled property value:
Get-ContentFilterConfig | Format-List Enabled
Use the Exchange Management Shell to enable or disable content filtering for external messages
By default, content filtering functionality is enabled for external messages.
To disable content filtering for external messages, run the following command:
To verify that you have successfully enabled or disabled content filtering for external messages, run the following command to verify the ExternalMailEnabled property value:
Use the Exchange Management Shell to enable or disable content filtering for internal messages
As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. There's always a chance that the filters will detect false positives. To reduce the chance that filters will mishandle legitimate email messages, you should typically configure antispam agents to only run on messages from untrusted and unknown sources.
To enable content filtering for internal messages, run the following command:
To verify that you have successfully enabled or disabled content filtering for internal messages, run the following command to verify the InternalMailEnabled property value:
Use the Exchange Management Shell to configure recipient and sender exceptions for content filtering
You can specify recipient and sender exceptions that replace the existing values, or you can add or remove specific sender and recipient exceptions without affecting the other existing values.
To replace the existing values, use the following syntax:
The Delete action takes precedence over the Reject action, and the Reject action takes precedence over the Quarantine action. Therefore, the SCL threshold for the Delete action should be greater than the SCL threshold for the Reject action, which in turn should be greater than the SCL threshold for the Quarantine action. Only the Reject action is enabled by default, and it has the SCL threshold value 7.
To verify that you have successfully configured the SCL thresholds, run the following command to verify the property values:
Get-ContentFilterConfig | Format-List SCL*
Use the Exchange Management Shell to configure the rejection response for content filtering
When the Reject action is enabled, you can customize the rejection response that's sent to the message sender. The rejection response can't exceed 240 characters.
To configure a custom rejection response, use the following syntax:
This example configures the Content Filter agent to send a customized rejection response.
Set-ContentFilterConfig -RejectionResponse "Your message was rejected because it appears to be SPAM."
How do you know this worked?
To verify that you have successfully configured the rejection response, run the following command to verify the property values:
Get-ContentFilterConfig | Format-List *Reject*
Use the Exchange Management Shell to enable or disable Outlook Email Postmarking
Outlook Email Postmarking validation is a computational proof that Microsoft Outlook applies to outgoing messages to help messaging systems distinguish legitimate email from junk email (reduce false positives). Postmarking was first introduced in Outlook 2007, and is enabled in Outlook by default.
To disable Outlook Email Postmarking, run the following command:
To verify that you have successfully configured Outlook Email Postmarking, run the following command to verify the OutlookEmailPostmarkValidationEnabled property value:
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.