Ask Learn
Preview
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign inThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
One of the questions that has come up recently, especially as a lot of customers migrate over from an existing spam filtering solution to Office 365, is how to force Office 365 to rely upon the spam/non-spam verdict of the service that's sitting in front of Exchange Online and not double-filter.
Office 365 already has a way to do this via connectors if the email server in front is an on-premise Exchange server. It does this by using TLS certs to "promote" the pre-existing properties of a message stamped by the Exchange server so they are re-used by Office 365. But what if your server in front is not Exchange? Then what?
There are a few ways to do this, but the key thing is that there is no simple way to disable spam filtering in Office 365. The option for "Do not filter spam" does not exist at an organizational level. Instead, you have to do a few tricks depending on the configuration.
You want the service in front of Office 365 to get rid of spam, such as sending it to a spam quarantine.
.
In this case, the spam is taken care of somewhere else, and all email going to Office 365 is non-spam (according to the upstream filter). Therefore, you can create a set of IP Allow List entries corresponding to the relay IPs into the service. This will set SCL -1 and send all email into your users' inbox, bypassing spam scanning, and stamp IPV:CAL and SFV:SKN in the X-Forefront-Antispam-Report header.Alternatively (even preferably) you can create an Exchange Transport Rule (ETR) for those connecting IPs that (a) sets the SCL to -1, and (b) sets an x-header:
.
X-Relay-IP-for-service: Allow email from <name of service>
.
... as it is already filtered for spam.
.
This way, when someone in your organization gets a message that is spam, and you decide to escalate to Office 365 for missing spam even though we didn't filter it because you said not to, we'll be able to quickly look at the headers and see that's why the message was delivered to the user's inbox..
There is another method such as disabling junk mail filtering on a per-mailbox basis which will force messages to go through filtering but still land in the inbox (this is what I do on my own personal email, although my MX points to Office 365). However, this is an advanced scenario and causes customers a lot of trouble.
Putting additional services in front of Office 365 is what we call "complex routing"; there are several scenarios for complex routing, and the MX pointing to another service is the simplest case.
Finally, if you do use complex routing like this, there are some things to be aware of:
Related posts
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign in