Sender filtering procedures

 

Applies to: Exchange Server 2016

Topic Last Modified: 2016-03-02

Learn how to enable, disable, and configure sender filtering in Exchange 2016, and how to verify the sender filtering settings.

Sender filtering filters inbound messages by comparing a list of blocked senders to the value of the MAIL FROM command in SMTP connections. For more information about sender filtering and the Sender Filter agent, see Sender filtering.

You can configure many aspects of sender filtering. For example:

  • Enable or disable sender filtering on inbound messages from internal (authenticated) and external (unauthenticated) sources (it's enabled by default for messages from external sources).

  • Configure blocked senders and blocked domains.

  • Specify whether to block messages with blank senders.

  • Configure the action that sender filtering takes on messages that contain blocked senders or domains.

  • Estimated time to complete each procedure: 5 minutes

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antispam features" entry in the Antispam and antimalware permissions topic.

  • You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • By default, antispam features aren't enabled in the Transport service on a Mailbox server. Typically, you only enable the antispam features on a Mailbox server if your Exchange organization doesn't do any prior antispam filtering before accepting incoming messages. For more information, see Enable antispam functionality on Mailbox servers.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

tipTip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

To disable sender filtering, run the following command:

Set-SenderFilterConfig -Enabled $false

To enable sender filtering, run the following command:

Set-SenderFilterConfig -Enabled $true
noteNote:
When you disable sender filtering, the underlying Sender Filter agent is still enabled. To disable the Sender Filter agent, run the command: Disable-TransportAgent "Sender Filter Agent".

To verify that you have successfully enabled or disabled sender filtering, run the following command to verify the Enabled property value:

Get-SenderFilterConfig | Format-List Enabled

By default, sender filtering is enabled for external (unauthenticated) SMTP connections.

To disable sender filtering for external connections, run the following command:

Set-SenderFilterConfig -ExternalMailEnabled $false

To enable sender filtering for external connections, run the following command:

Set-SenderFilterConfig -ExternalMailEnabled $true

To verify that you have successfully enabled or disabled sender filtering for external SMTP connections, run the following command to verify the ExternalMailEnabled property value:

Get-SenderFilterConfig | Format-List ExternalMailEnabled

As a best practice, you don't need to apply antispam filters to messages from trusted partners or from inside your organization. To reduce the chance that filters will mishandle legitimate email messages, you typically configure antispam agents to only run on messages from external sources.

To enable sender filtering for internal (authenticated) SMTP connections, run the following command:

Set-SenderFilterConfig -InternalMailEnabled $true

To disable sender filtering for internal connections, run the following command:

Set-SenderFilterConfig -InternalMailEnabled $false

To verify that you have successfully enabled or disabled sender filtering for internal SMTP connections, run the following command to verify the InternalMailEnabled property value:

Get-SenderFilterConfig | Format-List InternalMailEnabled

You can specify blocked senders and domains that replace the existing values, or you can add or remove specific blocked senders and domains without affecting the other existing values.

To replace the existing values, use the following syntax:

Set-SenderFilterConfig -BlockedSenders <sender1,sender2...> -BlockedDomains <domain1,domain2...> -BlockedDomainsAndSubdomains <domain1,domain2...>

This example configures the Sender Filter agent to block messages from kim@contoso.com and john@contoso.com, messages from the fabrikam.com domain, and messages from northwindtraders.com and all its subdomains.

Set-SenderFilterConfig -BlockedSenders kim@contoso.com,john@contoso.com -BlockedDomains fabrikam.com -BlockedDomainsAndSubdomains northwindtraders.com

To add or remove entries without modifying other existing values, use the following syntax:

Set-SenderFilterConfig -BlockedSenders @{Add="<sender1>","<sender2>"...; Remove="<sender1>","<sender2>"...} -BlockedDomains @{Add="<domain1>","<domain2>"...; Remove="<domain1>","<domain2>"...} -BlockedDomainsAndSubdomains @{Add="<domain1>","<domain2>"...; Remove="<domain1>","<domain2>"...}

This example configures the Sender Filter agent with the following information:

  • Add chris@contoso.com and michelle@contoso.com to the list of existing senders who are blocked.

  • Remove tailspintoys.com from the list of existing sender domains that are blocked.

  • Add blueyonderairlines.com to the list of existing sender domains and subdomains that are blocked.

Set-SenderFilterConfig -BlockedSenders @{Add="chris@contoso.com","michelle@contoso.com"} -BlockedDomains @{Remove="tailspintoys.com"} -BlockedDomainsAndSubdomains @{Add="blueyonderairlines.com"}

To verify that you have successfully configured blocked senders, run the following command to verify the property values:

Get-SenderFilterConfig | Format-List Blocked*

To enable or disable blocking messages that have blank senders, use the following syntax:

Set-SenderFilterConfig -BlankSenderBlockingenabled <$true | $false>

This example configures the Sender Filter agent to block messages that don't specify a sender in the MAIL FROM: SMTP command:

Set-SenderFilterConfig -BlankSenderBlockingEnabled $true

To verify that you have successfully enabled or disabled blocking messages with blank senders, run the following command to verify the property value:

Get-SenderFilterConfig | Format-List BlankSenderBlockingEnabled

Typically, you want to reject messages from blocked senders or domains, and this is the default action. However, you can configure sender filtering to allow these message into your organization for further analysis by other antispam agents.

To configure the action that sender filtering takes on messages from blocked senders or domains, use the following syntax:

Set-SenderFilterConfig -Action <Reject | StampStatus>

This example configures the Sender Filter agent to allow messages from blocked senders or domains. The Sender Filter agent updates the message to indicate that it came from a blocked sender. This information is used in the calculation of the message's spam confidence level (SCL).

Set-SenderFilterConfig -Action StampStatus

This example configures the Sender Filter agent to reject messages from blocked senders or domains. The Sender Filter agent rejects the SMTP request with a 554 5.1.0 Sender Denied SMTP session error and closes the connection.

Set-SenderFilterConfig -Action Reject

To verify that you have successfully configured the action for sender filtering, run the following command to verify the Action property value:

Get-SenderFilterConfig | Format-List Action

SafeList aggregation adds blocked senders that are defined by your users in Microsoft Outlook or Outlook on the web to the Blocked Senders list that's used by the Sender Filter agent. For more information, see Safelist aggregation.

To configure the action that sender filtering takes on messages that contain blocked senders that are defined by SafeList aggregation, use the following syntax:

Set-SenderFilterConfig -RecipientBlockedSenderAction <Delete | Reject>

This example configures the Sender Filter agent to silently drop messages that contain blocked senders that are defined by SafeList aggregation.

Set-SenderFilterConfig -RecipientBlockedSenderAction Delete

This example configures the Sender Filter agent to reject messages that contain blocked senders that are defined by SafeList aggregation with a non-delivery report (also known as an NDR, delivery status notification, DSN or bounce message).

Set-SenderFilterConfig -Action Reject

To verify that you have successfully configured the action for sender filtering for blocked senders from SafeList aggregation, run the following command to verify the RecipientBlockedSenderAction property value:

Get-SenderFilterConfig | Format-List RecipientBlockedSenderAction
 
Show: