Office 365 Email Spam Filter: How to Configure It

May 26, 2026

Introduction

Configuring the Office 365 email spam filter is one of the most important steps any small or mid-sized business can take to protect its inbox and keep operations running smoothly. Without proper configuration, your team risks missing critical messages buried under junk mail, or worse, falling victim to phishing attacks that slip past default settings. Microsoft provides a robust set of tools through Exchange Online Protection and Microsoft Defender for Office 365 that give administrators granular control over what reaches their users. This guide walks you through everything you need to know to set up and optimize your spam filtering effectively.

Understanding Microsoft's Built-In Email Protection Layer

Exchange Online Protection, commonly referred to as EOP, is the cloud-based filtering service that sits in front of every Microsoft 365 mailbox. It processes all inbound and outbound email, scanning for spam, malware, phishing attempts, and policy violations before a single message ever lands in a user's inbox. EOP is included with every Microsoft 365 business subscription, meaning you don't need a separate product to get baseline protection — it's always running in the background whether you've configured it or not. The challenge is that default settings are designed to be broadly permissive, which means they won't catch everything your specific organization needs to block.

For businesses that need stronger defenses, Microsoft Defender for Office 365 (formerly Advanced Threat Protection) builds on top of EOP with features like Safe Links, Safe Attachments, and anti-phishing policies powered by machine learning. This tiered approach means that even organizations on basic Microsoft 365 plans have meaningful spam protection, while those on Business Premium or enterprise plans can unlock significantly more sophisticated filtering. Understanding which tier your organization sits on is the first step before diving into configuration, because the options available in the Microsoft 365 Defender portal will vary depending on your subscription level.

How the Filtering Pipeline Actually Processes Your Mail

When an email arrives at your Microsoft 365 tenant, it doesn't simply land in the inbox — it travels through a multi-stage filtering pipeline that evaluates it against dozens of signals simultaneously. First, the system checks the sending server's IP reputation against Microsoft's constantly updated threat intelligence databases. If the IP passes that check, the message moves on to content filtering, where algorithms analyze the subject line, body text, links, and attachments for patterns associated with spam, phishing, and malware. Each message is assigned a Spam Confidence Level, or SCL, which is a numerical score ranging from -1 to 9 that determines how the system ultimately routes the message — to the inbox, the junk folder, or outright quarantine.

Administrators can influence this pipeline at multiple points by creating custom anti-spam policies, adjusting SCL thresholds, configuring allow and block lists, and setting up quarantine policies that determine what users can and cannot release on their own. The Office 365 email spam filter also evaluates outbound mail, which is critical for preventing your domain from being blacklisted if a compromised account starts sending bulk spam. Understanding that filtering works in both directions, and that outbound reputation matters just as much as inbound protection, helps administrators build a more complete security posture rather than focusing solely on what comes in.

Step-by-Step Guide

  1. Access the Microsoft 365 Defender Portal: Open your browser and navigate to security.microsoft.com, then sign in with a global administrator or security administrator account. This portal is the central hub for all email security policies and replaces the older Exchange Admin Center for most spam filter configuration tasks.
  2. Locate the Anti-Spam Policies Section: In the left navigation menu, expand the Email and Collaboration section, click Policies and Rules, then select Threat Policies, and finally choose Anti-spam. You will see a list of default policies already in place, including the Default Anti-Spam Inbound Policy that applies to all users unless a more specific policy overrides it.
  3. Edit or Create a Custom Anti-Spam Policy: Click on the default inbound policy to review its current settings, or click Create Policy and select Inbound to build a new policy targeted at a specific group of users. Custom policies are useful when different departments — such as your finance team or executives — need stricter or more permissive filtering thresholds than the rest of the organization.
  4. Configure Spam Thresholds and Actions: Within the policy editor, find the Bulk Email Threshold setting and adjust it based on your tolerance for marketing and newsletter-type messages — a lower number means more aggressive filtering. Set the actions for each spam verdict (Spam, High Confidence Spam, Phishing, High Confidence Phishing, Bulk) to determine whether matching messages are moved to Junk, sent to quarantine, or deleted outright.
  5. Set Up Allow and Block Lists: In the policy settings, use the Allowed Senders and Allowed Domains lists to whitelist trusted contacts whose messages should never be filtered, and use the Blocked Senders and Blocked Domains lists to permanently reject mail from known bad actors. Use these lists conservatively: over-whitelisting domains is one of the most common ways phishing emails bypass the Office 365 email spam filter entirely.
  6. Configure Quarantine Policies and Notifications: Navigate back to Threat Policies and click Quarantine Policies to control what end users can do with their quarantined messages — whether they can view, release, or request release of held mail. Set up quarantine notifications (formerly called end-user spam notifications) so users receive periodic digests of what's being held, reducing helpdesk tickets from people wondering where their expected emails went.
  7. Enable and Review Anti-Phishing Policies: Still under Threat Policies, open Anti-phishing and edit the default policy or create a new one to enable impersonation protection for your key executives and domains, turn on mailbox intelligence, and configure spoof intelligence settings. After your policies are live, return regularly to the Threat Protection Status report under Reports to review what's being caught, adjust thresholds, and ensure legitimate mail isn't being incorrectly flagged.

Comparing Microsoft 365 Spam Protection Tiers

| Feature | Exchange Online Protection | Defender for Office 365 Plan 1 | Defender for Office 365 Plan 2 |
|---|---|---|---|
| Anti-Spam Filtering | Yes | Yes | Yes |
| Anti-Malware Protection | Yes | Yes | Yes |
| Safe Links (URL Scanning) | No | Yes | Yes |
| Safe Attachments (Sandboxing) | No | Yes | Yes |
| Anti-Phishing with Impersonation Protection | Basic | Advanced | Advanced |
| Attack Simulation Training | No | No | Yes |
| Automated Investigation and Response | No | No | Yes |
| Threat Explorer and Real-Time Detections | No | Real-Time Detections | Full Threat Explorer |

Best Practices

  • Enable DMARC, DKIM, and SPF: Publishing these DNS authentication records for your domain dramatically reduces the chance of spoofed emails passing through the filter and reaching your users.
  • Avoid Over-Whitelisting Domains: Adding entire domains like gmail.com or outlook.com to your allowed senders list bypasses spam scoring for all mail from those domains, creating a significant security gap that attackers routinely exploit.
  • Review Quarantine Reports Weekly: Regularly auditing what the Office 365 email spam filter is holding helps you catch false positives before they impact business relationships and gives you data to fine-tune your thresholds over time.
  • Apply Stricter Policies to High-Risk Users: Executives, finance staff, and HR personnel are prime phishing targets, so assign them to custom anti-spam and anti-phishing policies with tighter controls than the organization-wide defaults.
  • Train Employees to Report Suspicious Email: Deploy the Microsoft Report Message add-in so users can flag junk and phishing emails directly from Outlook, which feeds data back into Microsoft's threat intelligence and improves filtering accuracy across your tenant.

Frequently Asked Questions

Why Are Legitimate Emails Going to Junk Even After Configuration?

False positives happen when a sender's email infrastructure has a poor reputation, their messages contain patterns that resemble spam, or they haven't properly configured SPF and DKIM on their sending domain. The fastest fix is to add the specific sender's email address to your allowed senders list in your anti-spam policy rather than whitelisting their entire domain. You can also ask the sender to check whether their domain is listed on any public blocklists and work with their email provider to remediate the issue. Reviewing the message headers in Outlook will show you the SCL score and which filter rule triggered, giving you more precise information to work with.
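
An added example (not from the original article or from Microsoft) of reading those header stamps in Python: it parses the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers that Exchange Online Protection writes, maps the SCL to the verdicts described in the pipeline section, and counts which sender domains skipped scoring because of an allow list. The sample messages are constructed, and the SCL and SFV meanings follow Microsoft's public documentation.

```python
import re
from collections import Counter
from email import message_from_string, policy

# SCL bands per Microsoft's Exchange Online Protection documentation.
SCL_VERDICT = {-1: "skipped filtering", 0: "not spam", 1: "not spam", 5: "spam",
               6: "spam", 8: "high confidence spam", 9: "high confidence spam"}
# SFV codes meaning an allow list or rule let the message skip content filtering.
SFV_BYPASS = {"SFE": "user's Safe Senders list",
              "SKA": "allowed sender or domain in an anti-spam policy",
              "SKN": "marked as non-spam before filtering, e.g. by a mail flow rule"}

def parse_fields(value):
    """Split 'SCL:5;SFV:SPM;...' into a dict; folded whitespace is tolerated."""
    fields = {}
    for part in str(value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def to_int(text):
    return int(text) if re.fullmatch(r"-?\d+", text or "") else None  # None: no stamp

def triage(raw_message):
    """Return sender domain, SCL, BCL, verdict and any bypass reason."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report"))
    bulk = parse_fields(msg.get("X-Microsoft-Antispam"))
    senders = msg["From"].addresses if msg["From"] else ()
    scl = to_int(report.get("SCL"))
    return {"domain": senders[0].domain.lower() if senders else None,
            "scl": scl, "bcl": to_int(bulk.get("BCL")), "sfv": report.get("SFV"),
            "verdict": SCL_VERDICT.get(scl, "no spam-filter verdict"),
            "bypass": SFV_BYPASS.get(report.get("SFV"))}

def bypass_summary(raw_messages):
    """Count messages per sender domain that skipped scoring via an allow list."""
    rows = (triage(raw) for raw in raw_messages)
    return Counter(r["domain"] for r in rows if r["bypass"])

# Constructed sample messages (not taken from real mail).
SPAM = ("From: billing@vendor.example\nSubject: Invoice\n"
        "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:5;SFV:SPM;\n"
        " H:mail.vendor.example;CAT:SPM;DIR:INB;\n"
        "X-Microsoft-Antispam: BCL:0;\n\nbody\n")
ALLOWED = ("From: news@partner.example\nSubject: Update\n"
           "X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:-1;SFV:SKA;CAT:NONE;\n"
           "X-Microsoft-Antispam: BCL:0;\n\nbody\n")
print(bypass_summary([SPAM, ALLOWED]))  # domains that bypassed scoring
```

A domain that shows up in the summary is one whose mail is reaching inboxes unscored, which makes it the first candidate for narrowing an allow entry to a specific sender.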

What Is the Difference Between Junk Mail and Quarantine?

Messages routed to the Junk Email folder are delivered directly to the recipient's mailbox but sorted into a separate folder, meaning the user can see and retrieve them without any administrator involvement. Quarantined messages, on the other hand, are held in a centralized repository managed by Microsoft and are not visible in the user's mailbox unless they receive a quarantine notification or an administrator reviews the queue. Administrators can configure quarantine policies to give users varying levels of access — from read-only visibility to full self-service release — depending on the organization's security requirements. High-confidence phishing messages are typically quarantined by default and cannot be released by end users without administrator approval.

Can Users Manage Their Own Spam Settings in Microsoft 365?

End users have limited but meaningful control over their spam experience through Outlook's built-in Junk Email settings, where they can add addresses to their personal safe senders and blocked senders lists. These user-level lists interact with the organization-wide anti-spam policies set by administrators, though administrator-defined block lists always take precedence over user-defined safe sender lists. If you've enabled quarantine notifications, users will receive email digests listing messages being held and can request release for items that aren't high-confidence phishing. Administrators can expand or restrict end-user permissions further through custom quarantine policies in the Microsoft 365 Defender portal.

How Often Should Anti-Spam Policies Be Reviewed and Updated?

At a minimum, administrators should review anti-spam policies quarterly to ensure settings still align with the organization's needs and to account for changes in Microsoft's recommended configurations. After any significant business change — such as a merger, a new email domain, or a reported phishing incident — an immediate policy review is warranted rather than waiting for the next scheduled audit. Microsoft regularly updates its default policy recommendations in the Standard and Strict preset security policies, so comparing your custom settings against those presets is a useful benchmarking exercise. The Threat Protection Status report in the Defender portal provides trend data that makes it easy to spot sudden spikes in filtered mail, which can signal a new campaign targeting your organization.

Is the Built-In Spam Filter Enough, or Does My Business Need a Third-Party Solution?

For most small and mid-sized businesses, Exchange Online Protection combined with Microsoft Defender for Office 365 Plan 1 provides a very strong level of protection that meets or exceeds what many standalone third-party products offer at a similar price point. The main advantage of sticking with Microsoft's native tools is tight integration — policies apply consistently across Outlook on the web, desktop, and mobile without additional configuration, and all reporting flows into one portal. Third-party solutions may offer advantages in specific areas like more granular reporting dashboards, email archiving, or compliance-focused filtering rules that Microsoft's tools don't cover natively. The right answer depends on your industry, compliance requirements, and internal IT capacity, which is why working with a managed services provider to evaluate your options is often the most efficient path forward.

Properly configuring and maintaining your email security settings takes time, expertise, and ongoing attention that many small businesses simply don't have in-house — and that's exactly where Always Beyond can help. Our team works with Microsoft 365 environments every day, and we can audit your current spam filter settings, implement best-practice policies, and monitor your tenant so threats don't slip through. To get started protecting your inbox the right way, contact Always Beyond today.
