Spam Filtering and Message Hygiene


Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

Topic last modified: 2012-12-04

All versions of the Microsoft cloud-based email service use Forefront Online Protection for Exchange (FOPE) to combat spam and phishing. When messages are received at the gateway server for the cloud-based email service, they are evaluated and assigned a spam confidence level (SCL) value. The SCL rating assigned to the message indicates the likelihood that the message is spam, based on the such characteristics as content, message header and so forth. The SCL is added to the message metadata as the message travels through the cloud-based email service infrastructure.

The SCL value is a numeral between 0 and 9. A higher rating indicates that a message is more likely to be spam. The cloud-based email service infrastructure has fixed SCL thresholds that define the actions to be taken at specific SCL values.


SCL threshold


SCL is 5 or greater.

The message is delivered to the cloud-based email service, where it is delivered to the user's Junk Email folder.

SCL is 4 or less.

The message is delivered to the cloud-based email service, where it is delivered to the user's Inbox.

End users can configure lists of Safe Senders, whose email should never be treated as spam, and Blocked Senders, whose email should always be treated as spam.

User-managed spam filtering

By default, junk email filtering is enabled on all mailboxes in the cloud-based email service. Users can manage some spam settings for their own mailbox. For more information about how users can manage spam, see Junk Email Settings.

Administrator-managed message hygiene with FOPE

Although all Microsoft cloud-based email systems are protected by the FOPE infrastructure, the ability to manage message hygiene features with the FOPE Administration Centre is limited to Microsoft Office 365 for enterprises and Live@edu administrators.

The following table describes the message hygiene features that you can manage in the FOPE Administration Centre.

For more information about how to manage these features for Microsoft Office 365 for enterprises, see FOPE in Office 365 Feature Differences.




Anti-spam protection

Connection filtering using the Microsoft DNS-based block list.

Anti-spam protection

Content filtering from the Microsoft spam analysis team for real time SPAM updates

Anti-spam protection

Safe sender support


Multiple antivirus engine scanning at the FOPE gateway

Inbound mail control

Safe listing, skip listing

Inbound mail control

TLS encryption configuration and enforcement

Inbound mail control

Connection, content and policy filtering

Outbound mail control

Custom outbound SMTP routing

Outbound mail control

TLS encryption configuration and enforcement

The spam filtering process

Two kinds of spam filtering are applied before email is delivered to the cloud-based mailboxes:

  • Connection filtering   The volume of messages that are sent from a single IP address is monitored. Connections from a single IP address that sends large volumes of email to one or more recipients in your domain may be suspected of sending spam.

  • Content filtering   The message subject and body are examined for keywords or phrases that might indicate that a message is spam.

Messages that meet filtering criteria can be blocked or delivered to the user's Junk Email folder. You can also use organisation-wide rules to control the flow of email messages in your organisation. For example, a rule might reject all email that contains specific keywords or is from a specific source.

Emergency and broadcast messages

In emergency situations, your organisation may need to send a broadcast message to all users in the cloud-based email service. Some organisations use third-party emergency notification services to do this.

To make sure that these messages aren't treated as spam by FOPE and that all your users receive these messages as quickly as possible, take the following precautions:

If you are sending broadcast messages to a large number of users at once, remember that only 100 messages are accepted per connection. If more than 100 messages are queued for delivery to the cloud-based email service, the connection is dropped after 100 messages, and your on-premises email servers have to reestablish the connection to send the next batch of 100 messages. Therefore, you must devise an emergency broadcast message plan that lets you quickly send out email to all users without exceeding the 100 messages-per-connection limit. The best way to do this is to use distribution groups or a dynamic distribution group to reduce the number of messages that are sent at one time. A group is treated as a single recipient for email delivery restrictions. For more information, see Send Broadcast Messages to All Users.

If you use a third-party emergency notification service to broadcast emergency messages to your users, contact your cloud-based email service representative to verify that the service complies with Windows Live.

Related help topics
No resources were found.