Content filtering procedures

Content filtering evaluates incoming messages to determine if a message is legitimate or spam. For more information about content filtering and the Content Filter agent, see Content filtering.

You can configure many aspects of content filtering. For example:

  • Enable or disable content filtering on messages from internal (authenticated) and external (unauthenticated) sources (it's enabled by default for incoming messages from external sources).

  • Configure exceptions to content filtering for specific senders, recipients, and source domains.

  • Configure allowed phrases and blocked phrases to look for in messages.

  • Configure the spam confidence level (SCL) thresholds that tell content filtering what to do with messages (delete, reject, or quarantine).

What do you need to know before you begin?

  • Estimated time to complete each procedure: less than 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam feature" entry in the Antispam and antimalware permissions topic.

  • You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the Exchange Management Shell to enable or disable content filtering

To disable content filtering, run the following command:

Set-ContentFilterConfig -Enabled $false

To enable content filtering, run the following command:

Set-ContentFilterConfig -Enabled $true

Note

When you disable content filtering, the underlying Content Filter agent is still enabled. To disable the Content Filter agent, run the command: Disable-TransportAgent "Content Filter Agent".

How do you know this worked?

To verify that you have successfully enabled or disabled content filtering, run the following command to verify the Enabled property value:

Get-ContentFilterConfig | Format-List Enabled

Use the Exchange Management Shell to enable or disable content filtering for external messages

By default, content filtering functionality is enabled for external messages.

To disable content filtering for external messages, run the following command:

Set-ContentFilterConfig -ExternalMailEnabled $false

To enable content filtering for external messages, run the following command:

Set-ContentFilterConfig -ExternalMailEnabled $true

How do you know this worked?

To verify that you have successfully enabled or disabled content filtering for external messages, run the following command to verify the ExternalMailEnabled property value:

Get-ContentFilterConfig | Format-List ExternalMailEnabled

Use the Exchange Management Shell to enable or disable content filtering for internal messages

As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. There's always a chance that the filters will detect false positives. To reduce the chance that filters will mishandle legitimate email messages, you should typically configure antispam agents to only run on messages from untrusted and unknown sources.

To enable content filtering for internal messages, run the following command:

Set-ContentFilterConfig -InternalMailEnabled $true

To disable content filtering for internal messages, run the following command:

Set-ContentFilterConfig -InternalMailEnabled $false

How do you know this worked?

To verify that you have successfully enabled or disabled content filtering for internal messages, run the following command to verify the InternalMailEnabled property value:

Get-ContentFilterConfig | Format-List InternalMailEnabled

Use the Exchange Management Shell to configure recipient and sender exceptions for content filtering

You can specify recipient and sender exceptions that replace the existing values, or you can add or remove specific sender and recipient exceptions without affecting the other existing values.

To replace the existing values, use the following syntax:

Set-ContentFilterConfig -BypassedRecipients <recipient1,recipient2...> -BypassedSenders <sender1,sender2...> -BypassedSenderDomains <domain1,domain2...>

This example configures the following exceptions in content filtering:

  • The recipients laura@contoso.com and julia@contoso.com aren't checked by content filtering.

  • The senders steve@fabrikam.com and cindy@fabrikam.com aren't checked by content filtering.

  • All senders in the domain nwtraders.com and all subdomains aren't checked by content filtering.

Set-ContentFilterConfig -BypassedRecipients laura@contoso.com,julia@contoso.com -BypassedSenders steve@fabrikam.com,cindy@fabrikam.com -BypassedSenderDomains *.nwtraders.com

To add or remove entries without modifying other existing values, use the following syntax:

Set-ContentFilterConfig -BypassedRecipients @{Add="<recipient1>","<recipient2>"...; Remove="<recipient1>","<recipient2>"...} -BypassedSenders @{Add="<sender1>","<sender2>"...; Remove="<sender1>","<sender2>"...} -BypassedSenderDomains @{Add="<domain1>","<domain2>"...; Remove="<domain1>","<domain2>"...}

This example configures the following exceptions in content filtering:

  • Add tiffany@contoso.com and chris@contoso.com to the list of existing recipients who aren't checked by content filtering.

  • Add joe@fabrikam.com and michelle@fabrikam.com to the list of existing senders who aren't checked by content filtering.

  • Add blueyonderairlines.com to the list of existing domains whose senders aren't checked by content filtering.

  • Remove the domain woodgrovebank.com and all subdomains from the list of existing domains whose senders aren't checked by content filtering.

Set-ContentFilterConfig -BypassedRecipients @{Add="tiffany@contoso.com","chris@contoso.com"} -BypassedSenders @{Add="joe@fabrikam.com","michelle@fabrikam.com"} -BypassedSenderDomains @{Add="blueyonderairlines.com"; Remove="*.woodgrovebank.com"}

How do you know this worked?

To verify that you have successfully configured the recipient and sender exceptions, run the following command to verify the property values:

Get-ContentFilterConfig | Format-List Bypassed*
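
The Add/Remove syntax above can be generated from a reviewed list of exceptions instead of being typed by hand. The following is an added example, not part of the original procedure: Get-BypassListDelta is a hypothetical helper, and the domain lists are constructed sample values.

```powershell
# Added example; Get-BypassListDelta is a hypothetical helper, not an Exchange cmdlet.
function Get-BypassListDelta {
    param(
        [string[]]$Current = @(),   # entries configured now
        [string[]]$Desired = @()    # reviewed list that should be in effect
    )
    # -notcontains compares strings case-insensitively, which suits addresses and domains.
    $add    = @($Desired | Where-Object { $Current -notcontains $_ })
    $remove = @($Current | Where-Object { $Desired -notcontains $_ })

    # Build only the keys that are needed, in the @{Add=...; Remove=...} shape
    # that the Bypassed* parameters accept.
    $delta = @{}
    if ($add.Count -gt 0)    { $delta['Add']    = $add }
    if ($remove.Count -gt 0) { $delta['Remove'] = $remove }
    $delta
}

# Constructed sample values standing in for the current and the reviewed domain lists.
$currentDomains = '*.nwtraders.com', '*.woodgrovebank.com'
$desiredDomains = '*.nwtraders.com', 'blueyonderairlines.com'

$delta = Get-BypassListDelta -Current $currentDomains -Desired $desiredDomains
$delta

# On an Exchange server, preview the change before applying it
# (assumes the stored entries convert cleanly to strings):
#   $current = (Get-ContentFilterConfig).BypassedSenderDomains | ForEach-Object { "$_" }
#   $delta   = Get-BypassListDelta -Current $current -Desired $desiredDomains
#   if ($delta.Count -gt 0) { Set-ContentFilterConfig -BypassedSenderDomains $delta -WhatIf }
```

An empty result means the configured list already matches the reviewed list, so no Set-ContentFilterConfig call is needed.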

Use the Exchange Management Shell to configure allowed and blocked phrases for content filtering

To add allowed and blocked words and phrases, use the following syntax:

Add-ContentFilterPhrase -Influence <GoodWord | BadWord> -Phrase "<Phrase>"

This example allows all messages that contain the phrase "customer feedback".

Add-ContentFilterPhrase -Influence GoodWord -Phrase "customer feedback"

This example blocks all messages that contain the phrase "stock tip".

Add-ContentFilterPhrase -Influence BadWord -Phrase "stock tip"

To remove allowed or blocked phrases, use the following syntax:

Remove-ContentFilterPhrase -Phrase <Phrase>

This example removes the phrase "stock tip":

Remove-ContentFilterPhrase -Phrase "stock tip"

How do you know this worked?

To verify that you have successfully configured the allowed and blocked phrases, run the following command to verify the property values:

Get-ContentFilterPhrase | Format-Table -Auto Influence,Phrase

Use the Exchange Management Shell to configure SCL thresholds for content filtering

To configure the spam confidence level (SCL) thresholds and actions, use the following syntax:

Set-ContentFilterConfig -SCLDeleteEnabled <$true | $false> -SCLDeleteThreshold <Value> -SCLRejectEnabled <$true | $false> -SCLRejectThreshold <Value> -SCLQuarantineEnabled <$true | $false> -SCLQuarantineThreshold <Value>

Notes:

  • The Delete action takes precedence over the Reject action, and the Reject action takes precedence over the Quarantine action. Therefore, the SCL threshold for the Delete action should be greater than the SCL threshold for the Reject action, which in turn should be greater than the SCL threshold for the Quarantine action. Only the Reject action is enabled by default, and it has the SCL threshold value 7.

  • The Quarantine action requires a spam quarantine mailbox. For more information, see Configure a spam quarantine mailbox.

This example configures the following values for the SCL thresholds:

  • The Delete action is enabled and the corresponding SCL threshold is set to 9.

  • The Reject action is enabled and the corresponding SCL threshold is set to 8.

  • The Quarantine action is enabled and the corresponding SCL threshold is set to 7.

Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 -SCLRejectEnabled $true -SCLRejectThreshold 8 -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7

How do you know this worked?

To verify that you have successfully configured the SCL thresholds, run the following command to verify the property values:

Get-ContentFilterConfig | Format-List SCL*
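
The ordering rule from the notes above (Delete greater than Reject, Reject greater than Quarantine) can be checked automatically against the SCL* property values. The following is an added example, not part of the original procedure: Test-SclThresholdOrder is a hypothetical helper, the sample object is constructed, and the QuarantineMailbox property is assumed to hold the spam quarantine mailbox address.

```powershell
# Added example; Test-SclThresholdOrder is a hypothetical helper, not an Exchange cmdlet.
function Test-SclThresholdOrder {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Config
    )
    process {
        # Enabled actions in precedence order: Delete, then Reject, then Quarantine.
        $enabled = @(
            foreach ($name in 'Delete', 'Reject', 'Quarantine') {
                if ($Config."SCL${name}Enabled") {
                    [pscustomobject]@{
                        Action    = $name
                        Threshold = [int]$Config."SCL${name}Threshold"
                    }
                }
            }
        )
        $findings = @()
        # Comparing neighbours is enough: if each enabled action's threshold is
        # greater than the next one's, the whole chain is ordered.
        for ($i = 0; $i -lt $enabled.Count - 1; $i++) {
            $high = $enabled[$i]
            $low  = $enabled[$i + 1]
            if ($high.Threshold -le $low.Threshold) {
                $findings += "$($high.Action) threshold $($high.Threshold) is not greater than " +
                             "$($low.Action) threshold $($low.Threshold)"
            }
        }
        # The Quarantine action requires a spam quarantine mailbox.
        if ($Config.SCLQuarantineEnabled -and -not $Config.QuarantineMailbox) {
            $findings += 'Quarantine is enabled but no quarantine mailbox is set'
        }
        [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed sample: Delete is set below Reject, and no quarantine mailbox is configured.
$sample = [pscustomobject]@{
    SCLDeleteEnabled     = $true; SCLDeleteThreshold     = 7
    SCLRejectEnabled     = $true; SCLRejectThreshold     = 8
    SCLQuarantineEnabled = $true; SCLQuarantineThreshold = 7
    QuarantineMailbox    = $null
}
$sample | Test-SclThresholdOrder | Format-List

# On an Exchange server: Get-ContentFilterConfig | Test-SclThresholdOrder
```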

Use the Exchange Management Shell to configure the rejection response for content filtering

When the Reject action is enabled, you can customize the rejection response that's sent to the message sender. The rejection response can't exceed 240 characters.

To configure a custom rejection response, use the following syntax:

Set-ContentFilterConfig -RejectionResponse "<Custom Text>"

This example configures the Content Filter agent to send a customized rejection response.

Set-ContentFilterConfig -RejectionResponse "Your message was rejected because it appears to be SPAM."

How do you know this worked?

To verify that you have successfully configured the rejection response, run the following command to verify the property values:

Get-ContentFilterConfig | Format-List *Reject*

Use the Exchange Management Shell to enable or disable Outlook Email Postmarking

Outlook Email Postmarking validation is a computational proof that Microsoft Outlook applies to outgoing messages to help messaging systems distinguish legitimate email from junk email (reduce false positives). Postmarking was first introduced in Outlook 2007, and is enabled in Outlook by default.

To disable Outlook Email Postmarking, run the following command:

Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $false

To enable Outlook Email Postmarking, run the following command:

Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $true

How do you know this worked?

To verify that you have successfully configured Outlook Email Postmarking, run the following command to verify the OutlookEmailPostmarkValidationEnabled property value:

Get-ContentFilterConfig | Format-List OutlookEmailPostmarkValidationEnabled