Manage Outlook spam filters using PowerShell and GPOs

• Author
• Recent Posts

Benjamin Bürk

Benjamin Bürk is a senior systems engineer who has been managing IT infrastructures for companies since 2002. His focus is on server operations and especially on Remote Desktop Services (RDS) environments. Further competences are unified communications, virtualization, and Active Directory management. He holds MCSA 2008 and 2012 certifications.

Latest posts by Benjamin Bürk (see all)

• Send emails in Exchange Online using an alias address: Configuration with PowerShell and admin center - Tue, Jun 29 2021
• Deactivate update notifications on Windows Server - Wed, Jun 3 2020
• Remove unneeded settings from Group Policy Objects - Thu, Apr 23 2020

Users can configure personal settings in Outlook using junk email options. These settings determine which messages Outlook classifies as spam. This will not reject mail, but rather, you only control the final processing.

Stubborn junk email function

The name of this function is somewhat inappropriate. Strictly speaking, it refers to a rule (InboxRule) called the Junk E-mail Rule. By default, it is activated and hidden. It is only viewable in an on-premises environment via the following PowerShell command:

Get-InboxRule "Junk E-mail Rule" -Mailbox "MAILBOX" -IncludeHidden

This command does not work with Exchange Online because there it does not support the IncludeHidden parameter.

Unfortunately, it is not possible to disable the incoming mail rule completely. Even if you turn off the level of filtering, it moves messages from blocked senders to the Junk Email folder.

Even the degree of filtering cannot completely disable the incoming mail rule

Conversely, in my test environment, Outlook puts messages Exchange marks as spam and should normally be moved to the Junk Email folder back into the Inbox. So users can override blocked senders in the server's antispam rule with "Safe Senders."

You could remedy this, for example, by placing the emails directly under quarantine by Exchange so they do not end up in the user's mailbox and the mailbox rule does not apply.

Safe Senders

Users can add trusted senders via various menu items in Outlook or OWA. However, since this may counteract the rules at the server level, it makes sense for central administration to curb this feature.

In addition, Outlook can classify personal contacts as trustworthy and automatically add recipients of sent mails to the list of secure senders.

Unfortunately, PowerShell can't change the "Automatically add people I email to the Safe Senders list" option. However, we can use it to control handling contacts as trusted senders.

Use the Set-MailboxJunkEmailConfiguration cmdlet for this purpose:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -ContactsTrusted $true

To add single safe senders, type the following command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin `
-TrustedSendersAndDomains @{Add="info@windowspro.de"}

Separate multiple senders with a comma. If you want to remove an address, replace @{Add with @{Remove.

You can also add safe senders centrally via PowerShell

If you want to enforce the trusted contacts company-wide, the following PowerShell command will do the job:

Get-Mailbox | Set-MailboxJunkEmailConfiguration -ContactsTrusted $true

Blocked senders

Similar to defining safe senders, we can block unwanted senders. Add single addresses with the following command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin `
-BlockedSendersAndDomains @{Add="newsletter@abc.de"}

You can also generally move all mails to the Junk Email folder with the exception of those from safe senders. The principle is similar to that of a whitelist. You can switch on the function with the following PowerShell command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -TrustedListsOnly $true

Automatically mark messages that do not originate from secure senders as spam

Disabling the Junk Mail feature

Outlook can also assess messages for spam detection. Based on this analysis, it then shifts them into the junk folder. However, these mail client activities increase the complexity of spam handling and troubleshooting.

Therefore, the administrator might want to deactivate this feature. Using PowerShell, you could turn off junk mail in this way:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -Enabled $false

However, in my test environment, the inbox rule remained active and continued to move emails to the spam folder.

GPO for Outlook

As an alternative to deactivating the junk email option, you can gray out the corresponding menu item on the GUI using a Group Policy Object (GPO). Thus, the user can no longer influence the filter in Outlook. For this, you would need the administrative templates for Office.

Hide junk mail filters from Outlook via group policies

The required setting is under User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Settings > Junk E-mail and is called Hide User Interface for Junk E-mail.

With a GPO, you can block the configuration of the spam filter for users

Settings for OWA

OWA also lets you control the personal spam filter. Unfortunately it is not possible to disable this feature easily in Exchange Online at the moment. In an on-premises environment, you can customize the OWA policy as follows:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -JunkEmailEnabled $false

Junk mail filter settings in OWA

Conclusion

Microsoft hasn't really designed Outlook's spam handling to work with Exchange or Exchange Online. In the worst cases, this leads to results the administrator did not intend during the server-side configuration of the spam protection.

It is questionable whether separate spam detection has to take place on the client today, especially if this is only controllable centrally to a limited extent. Here it would be nice if Outlook interacted with the Exchange Server even without add-ins.