Deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes

Note

This article doesn't apply to mailboxes in the cloud.

If you use Exchange Online Protection (EOP) for cloud protection of mailboxes in an on-premises Exchange organization, you need to configure on-premises Exchange to recognize and translate the spam filtering verdicts from the cloud. This configuration allows the junk email rule in on-premises mailboxes to correctly move spam from the Inbox to the Junk Email folder.

Specifically, you need to create Exchange mail flow rules (also known as transport rules) in your on-premises Exchange organization with the following settings:

  • Conditions: Find messages with the following cloud anti-spam headers and values:

    • X-Forefront-Antispam-Report: SFV:SPM (message marked as spam by spam filtering)
    • X-Forefront-Antispam-Report: SFV:SKS (message marked as spam by mail flow rules in the cloud before spam filtering)
    • X-Forefront-Antispam-Report: SFV:SKB (message marked as spam by spam filtering due to the sender's email address or email domain being in the blocked sender list or the blocked domain list in cloud anti-spam policies.)

    For more information about these header values, see Anti-spam message headers in cloud organizations.

  • Action: Set the spam confidence level (SCL) of these messages to 6 (spam).

This article describes how to create the required mail flow rules in the Exchange admin center (EAC) and in the Exchange Management Shell (Exchange PowerShell) in the on-premises Exchange organization.

Tip

Instead of delivering the messages to the on-premises user's Junk Email folder, you can configure cloud anti-spam policies to quarantine spam messages. For more information, see Configure anti-spam policies in cloud organizations.

What do you need to know before you begin?

Use the EAC to create mail flow rules that set the SCL of cloud-detected spam messages

  1. In the EAC in the on-premises Exchange organization, go to Mail flow > Rules.

  2. On the Rules page, select Add > Create a new rule in the dropdown list.

  3. In the New rule page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule. For example:

      • EOP SFV:SPM to SCL 6
      • EOP SFV:SKS to SCL 6
      • EOP SFV:SKB to SCL 6
    • Select More Options.

    • Apply this rule if: Select A message header > includes any of these words.

      In the Enter text header includes Enter words sentence that appears, do the following steps:

      • Select the Enter text link. In the Specify header name dialog that opens, enter X-Forefront-Antispam-Report and then select OK.
      • Select the Enter words link. In the Specify words or phrases dialog that opens, enter one of the cloud spam header values (SFV:SPM, SFV:SKS, or SFV:SKB), select Add, and then select OK.
    • Do the following: Select Modify the message properties > Set the spam confidence level (SCL).

      In the Specify SCL dialog that opens, select 6 (the default value is 5).

    When you're finished on the New rule page, select Save.

Repeat these steps for the remaining cloud spam verdict values (SFV:SPM, SFV:SKS, or SFV:SKB).

Use the Exchange Management Shell to create mail flow rules that set the SCL of cloud-protected spam messages

If you would rather use the Exchange Management Shell to create the three mail flow rules, use the following syntax:

New-TransportRule -Name "<RuleName>" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "<EOPSpamFilteringVerdict>" -SetSCL 6

For example:

New-TransportRule -Name "EOP SFV:SPM to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6
New-TransportRule -Name "EOP SFV:SKS to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6
New-TransportRule -Name "EOP SFV:SKB to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKB" -SetSCL 6

For detailed syntax and parameter information, see New-TransportRule.
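
The three rules can also be created and checked in one pass. The following script is an added example, not part of the original article: it assumes it runs in the on-premises Exchange Management Shell, reuses the rule names from the examples above, skips creation when a rule with that name already exists, and then compares each rule's stored settings with the intended ones.

```powershell
# Added example: create the three rules idempotently, then verify each one.
# Assumes the on-premises Exchange Management Shell (cmdlets already loaded).
$header   = 'X-Forefront-Antispam-Report'
$verdicts = 'SFV:SPM', 'SFV:SKS', 'SFV:SKB'
$scl      = 6

foreach ($verdict in $verdicts) {
    $name = "EOP $verdict to SCL $scl"

    # Create the rule only if a rule with this name doesn't already exist.
    $rule = Get-TransportRule | Where-Object { $_.Name -eq $name }
    if (-not $rule) {
        New-TransportRule -Name $name `
            -HeaderContainsMessageHeader $header `
            -HeaderContainsWords $verdict `
            -SetSCL $scl | Out-Null
        $rule = Get-TransportRule | Where-Object { $_.Name -eq $name }
    }

    # Compare the stored settings with the intended ones.
    # A pre-existing rule with the same name but different settings,
    # or a disabled rule, is reported instead of silently accepted.
    $problems = @()
    if ("$($rule.HeaderContainsMessageHeader)" -ne $header) { $problems += 'header name' }
    if ($rule.HeaderContainsWords -notcontains $verdict)    { $problems += 'header words' }
    if ("$($rule.SetSCL)" -ne "$scl")                       { $problems += 'SCL' }
    if ("$($rule.State)" -ne 'Enabled')                     { $problems += 'state' }

    [pscustomobject]@{
        Rule     = $name
        Priority = $rule.Priority
        Result   = if ($problems) { 'Check: ' + ($problems -join ', ') } else { 'OK' }
    }
}
```

Each rule is reported as OK or with the settings that differ; the Priority column shows where the rule sits relative to other mail flow rules that might also set the SCL.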

How do you know this procedure worked?

To verify you successfully configured on-premises Exchange to deliver cloud-detected spam to the Junk Email folder in on-premises mailboxes, do any of the following steps:

  • In the EAC in the on-premises Exchange organization, go to Mail flow > Rules, select the rule, and then select Edit to verify the settings.

  • In the Exchange Management Shell, replace <RuleName> with the name of the mail flow rule, and run the following command to verify the settings:

    Get-TransportRule -Identity "<RuleName>" | Format-List
    
  • In an external email system that doesn't scan outbound messages for spam, send a Generic Test for Unsolicited Bulk Email (GTUBE) message to an affected on-premises recipient, and confirm that the message is delivered to the Junk Email folder. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.

    To send a GTUBE message, include the following text in the body of an email message on a single line, without any spaces or line breaks:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X