Exchange offers various mechanisms to protect users against spam and malware, which the administrator configures centrally. In Outlook and Outlook on the Web (OWA), users can also define their own rules for spam detection. To prevent them from overriding the server rules, you can limit the client options.

Users can configure personal settings in Outlook using junk email options. These settings determine which messages Outlook classifies as spam. This will not reject mail, but rather, you only control the final processing.

Stubborn junk email function

The name of this function is somewhat inappropriate. Strictly speaking, it refers to a rule (InboxRule) called the Junk E-mail Rule. By default, it is activated and hidden. It is only viewable in an on-premises environment via the following PowerShell command:

Get-InboxRule "Junk E-mail Rule" -Mailbox "MAILBOX" -IncludeHidden

This command does not work with Exchange Online because there it does not support the IncludeHidden parameter.

Unfortunately, it is not possible to disable the incoming mail rule completely. Even if you turn off the level of filtering, it moves messages from blocked senders to the Junk Email folder.

Even the degree of filtering cannot completely disable the incoming mail rule

Even the degree of filtering cannot completely disable the incoming mail rule

Conversely, in my test environment, Outlook puts messages Exchange marks as spam and should normally be moved to the Junk Email folder back into the Inbox. So users can override blocked senders in the server's antispam rule with "Safe Senders."

You could remedy this, for example, by placing the emails directly under quarantine by Exchange so they do not end up in the user's mailbox and the mailbox rule does not apply.

Safe Senders

Users can add trusted senders via various menu items in Outlook or OWA. However, since this may counteract the rules at the server level, it makes sense for central administration to curb this feature.

In addition, Outlook can classify personal contacts as trustworthy and automatically add recipients of sent mails to the list of secure senders.

Unfortunately, PowerShell can't change the "Automatically add people I email to the Safe Senders list" option. However, we can use it to control handling contacts as trusted senders.

Use the Set-MailboxJunkEmailConfiguration cmdlet for this purpose:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -ContactsTrusted $true

To add single safe senders, type the following command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin `
-TrustedSendersAndDomains @{Add=""}

Separate multiple senders with a comma. If you want to remove an address, replace @{Add with @{Remove.

You can also add safe senders centrally via PowerShell

You can also add safe senders centrally via PowerShell

If you want to enforce the trusted contacts company-wide, the following PowerShell command will do the job:

Get-Mailbox | Set-MailboxJunkEmailConfiguration -ContactsTrusted $true

Blocked senders

Similar to defining safe senders, we can block unwanted senders. Add single addresses with the following command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin `
-BlockedSendersAndDomains @{Add=""}

You can also generally move all mails to the Junk Email folder with the exception of those from safe senders. The principle is similar to that of a whitelist. You can switch on the function with the following PowerShell command:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -TrustedListsOnly $true

Automatically mark messages that do not originate from secure senders as spam

Disabling the Junk Mail feature

Outlook can also assess messages for spam detection. Based on this analysis, it then shifts them into the junk folder. However, these mail client activities increase the complexity of spam handling and troubleshooting.

Therefore, the administrator might want to deactivate this feature. Using PowerShell, you could turn off junk mail in this way:

Set-MailboxJunkEmailConfiguration -Identity Benjamin -Enabled $false

However, in my test environment, the inbox rule remained active and continued to move emails to the spam folder.

GPO for Outlook

As an alternative to deactivating the junk email option, you can gray out the corresponding menu item on the GUI using a Group Policy Object (GPO). Thus, the user can no longer influence the filter in Outlook. For this, you would need the administrative templates for Office.

Hide junk mail filters from Outlook via group policies

Hide junk mail filters from Outlook via group policies

The required setting is under User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Settings > Junk E-mail and is called Hide User Interface for Junk E-mail.

With a GPO, you can block the configuration of the spam filter for users

With a GPO, you can block the configuration of the spam filter for users

Settings for OWA

OWA also lets you control the personal spam filter. Unfortunately it is not possible to disable this feature easily in Exchange Online at the moment. In an on-premises environment, you can customize the OWA policy as follows:

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -JunkEmailEnabled $false
Junk mail filter settings in OWA

Junk mail filter settings in OWA


Microsoft hasn't really designed Outlook's spam handling to work with Exchange or Exchange Online. In the worst cases, this leads to results the administrator did not intend during the server-side configuration of the spam protection.

Subscribe to 4sysops newsletter!

It is questionable whether separate spam detection has to take place on the client today, especially if this is only controllable centrally to a limited extent. Here it would be nice if Outlook interacted with the Exchange Server even without add-ins.

  1. Michael O Donovan 3 years ago

    The issue we see is email addresses being added to the safe senders list from our own domain. This may sound benign, but it is anything but. Put the CEO or the CFO’s address in safe senders and now the address can be spoofed! We have contacted Microsoft about this to no avail. We also find addresses being automatically populated into the safe senders list. We have not enabled contacts to be added or recipients to be added automatically, but they just keep getting added. Again, no explanation or solution from Microsoft. The safe senders component in Outlook needs a major evaluation and reworking by Microsoft IMHO. It does not seem compatible with their new Threat Management tools.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account