Exchange Online or Exchange Online Protection (EOP) administrators with the appropriate access credentials can use these steps to help ensure that an email message traveling through the service isn’t marked as spam.
It can be frustrating to have legitimate, good email quarantined or blocked as spam and landing in a quarantine folder. You can use a safe sender list or a mail flow rule to bypass spam filtering and prevent good email messages from getting marked as junk mail. When a message is incorrectly marked as spam by the spam filter, it's called a false positive. The Office 365 spam filter also provides some options that end users can customize in order to help prevent false positives.
If you're looking for help with false negative mail, that is, a spam message that gets through when it shouldn't, check out the tips in Block email spam with the Office 365 spam filter to prevent false negative issues.
EOP-only customers: use directory synchronization
EOP is a cloud-based email filtering service that helps protect your organization against spam and malware. If you have mailboxes in Office 365, they are automatically protected by EOP since it is part of the service.
If you’re an EOP-only customer, that is, you subscribe to the EOP service for use with your on-premises Exchange Server, you should sync user settings with the service by using directory synchronization. Doing this ensures that your safe senders lists are respected by EOP. For more information, see “Use directory synchronization to manage mail users” in Manage Mail Users in EOP.
Prevent false positive email by using the connection filter's IP allow list
If you find that a sender's email is always moved to the Junk folders in your organization, you can add the email sender's IP address to your connection filter's IP allow list. Normally, this prevents false positive responses for this sender for all recipients within your organization. The exception is when a user enables the option "Safe Lists Only: Only mail from people or domains on your Safe Senders list or Safe Recipients List will be delivered to your Inbox" in Outlook and does not add that sender to the Safe Sender List. For information on overriding that option, see Troubleshooting: A message ends up in the Junk folder even though EOP marked the message as non-spam.
To add an IP address to your connection filter's IP allow list
Obtain the header from a message sent by the sender that you want to allow. You can do this from your mail client such as Outlook or Outlook on the Web, as described in Message Header Analyzer.
Manually search for the IP address following the CIP tag in the X-Forefront-Antispam-Report header or by using the Message Analyzer tab of the Remote Connectivity Analyzer.
Add the IP address to the IP allow list by following the steps in “Use the EAC to edit the default connection filter policy” in Configure the connection filter policy.
Prevent false positive email by configuring spam filter policies
You can add domains or individual email addresses to an allow list by following the steps in Configure your spam filter policies.
Review your advanced spam filter policies
If you have special restrictions set up in a spam filter policy, for example, if you have blocked an entire domain, you should review them to check if they may be causing false positives. See Configure your spam filter policies, and turn off additional Advanced spam filtering options that might cause messages to be marked as spam.
Help your end users create a safe sender list to prevent good email from being marked as spam
Tell your users to add addresses from senders that they trust to their safe sender list in Outlook or Outlook on the Web. To get started in Outlook on the Web, choose Settings > Options > Block or allow. The following diagram shows an example of adding something to a safe sender list.
EOP will honor your users’ Safe Senders and Recipients, but not Safe Domains. This is true regardless of whether the domain is added through the Outlook on the Web, or added in Outlook and synchronized using Directory Sync.
For more detailed information about this safe sender list, see Safe sender and blocked sender lists FAQ. You can also review several related topics listed under See Also later in this article, in order to help avoid having good email marked as spam.
Troubleshooting: A message ends up in the Junk folder even though EOP marked the message as non-spam
If your users have the option in Outlook enabled for “Safe Lists Only: Only mail from people or domains on your Safe Senders list or Safe Recipients List will be delivered to your Inbox”, then all email will go to the junk folder for a sender unless the sender is on the recipient’s Safe Sender list. This will happen regardless of whether EOP marks a message as non-spam, or if you have set up a rule in EOP to mark a message as non-spam.
You can disable the Safe Lists Only option for your Outlook users by following the instructions in Outlook: Policy setting to disable the Junk E-mail UI and filtering mechanism.
If you view the message in Outlook on the Web, there will be a yellow safety tip that indicates that the message is in the Junk folder because the sender is not on the recipient’s Safe Senders list.
If you look at the header of a message, it may include the stamp SFV:SKN (IP Allow or ETR Allow) or SFV:NSPM (non-spam), but the message is still placed in the user’s junk folder. There is nothing in the message header that indicates that the user has “Safe Lists Only” enabled. This happens because the "Safe Lists Only" option set by users in Outlook overrides the EOP setting.
To verify why a message from a safe sender is marked as non-spam in the message header, but still ends up in the user’s Junk folder
To learn how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
Run the following command to view the user's junk email configuration settings:
Get-MailboxJunkEmailConfiguration firstname.lastname@example.org | fl TrustedListsOnly,ContactsTrusted,TrustedSendersAndDomains
If TrustedListsOnly is set to True, it means that this setting is enabled. If ContactsTrusted is set to True, it means that the user trusts both Contacts and Safe Senders. The TrustedSendersAndDomains lists the contents of the user's Safe Senders list.