Manage Outlook spam filters using PowerShell and GPOs

Exchange offers various mechanisms to protect users against spam and malware, which the administrator configures centrally. In Outlook and Outlook on the Web (OWA), users can also define their own rules for spam detection. To prevent them from overriding the server rules, you can limit the client options.

Users can configure personal settings in Outlook using junk email options. These settings determine which messages Outlook classifies as spam. This will not reject mail, but rather, you only control the final processing.

Stubborn junk email function ^

The name of this function is somewhat inappropriate. Strictly speaking, it refers to a rule (InboxRule) called the Junk E-mail Rule. By default, it is activated and hidden. It is only viewable in an on-premises environment via the following PowerShell command:

This command does not work with Exchange Online because there it does not support the IncludeHidden parameter.

Unfortunately, it is not possible to disable the incoming mail rule completely. Even if you turn off the level of filtering, it moves messages from blocked senders to the Junk Email folder.

Even the degree of filtering cannot completely disable the incoming mail rule

Even the degree of filtering cannot completely disable the incoming mail rule

Conversely, in my test environment, Outlook puts messages Exchange marks as spam and should normally be moved to the Junk Email folder back into the Inbox. So users can override blocked senders in the server's antispam rule with "Safe Senders."

You could remedy this, for example, by placing the emails directly under quarantine by Exchange so they do not end up in the user's mailbox and the mailbox rule does not apply.

Safe Senders ^

Users can add trusted senders via various menu items in Outlook or OWA. However, since this may counteract the rules at the server level, it makes sense for central administration to curb this feature.

In addition, Outlook can classify personal contacts as trustworthy and automatically add recipients of sent mails to the list of secure senders.

Unfortunately, PowerShell can't change the "Automatically add people I email to the Safe Senders list" option. However, we can use it to control handling contacts as trusted senders.

Use the Set-MailboxJunkEmailConfiguration cmdlet for this purpose:

To add single safe senders, type the following command:

Separate multiple senders with a comma. If you want to remove an address, replace @{Add with @{Remove.

You can also add safe senders centrally via PowerShell

You can also add safe senders centrally via PowerShell

If you want to enforce the trusted contacts company-wide, the following PowerShell command will do the job:

Blocked senders ^

Similar to defining safe senders, we can block unwanted senders. Add single addresses with the following command:

You can also generally move all mails to the Junk Email folder with the exception of those from safe senders. The principle is similar to that of a whitelist. You can switch on the function with the following PowerShell command:

Automatically mark messages that do not originate from secure senders as spam

Disabling the Junk Mail feature ^

Outlook can also assess messages for spam detection. Based on this analysis, it then shifts them into the junk folder. However, these mail client activities increase the complexity of spam handling and troubleshooting.

Therefore, the administrator might want to deactivate this feature. Using PowerShell, you could turn off junk mail in this way:

However, in my test environment, the inbox rule remained active and continued to move emails to the spam folder.

GPO for Outlook ^

As an alternative to deactivating the junk email option, you can gray out the corresponding menu item on the GUI using a Group Policy Object (GPO). Thus, the user can no longer influence the filter in Outlook. For this, you would need the administrative templates for Office.

Hide junk mail filters from Outlook via group policies

Hide junk mail filters from Outlook via group policies

The required setting is under User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Settings > Junk E-mail and is called Hide User Interface for Junk E-mail.

With a GPO, you can block the configuration of the spam filter for users

With a GPO, you can block the configuration of the spam filter for users

Settings for OWA ^

OWA also lets you control the personal spam filter. Unfortunately it is not possible to disable this feature easily in Exchange Online at the moment. In an on-premises environment, you can customize the OWA policy as follows:

Junk mail filter settings in OWA

Junk mail filter settings in OWA

Conclusion ^

Microsoft hasn't really designed Outlook's spam handling to work with Exchange or Exchange Online. In the worst cases, this leads to results the administrator did not intend during the server-side configuration of the spam protection.

It is questionable whether separate spam detection has to take place on the client today, especially if this is only controllable centrally to a limited extent. Here it would be nice if Outlook interacted with the Exchange Server even without add-ins.

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the forum!

1+
Share
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account