Allow Legitimate Bulk Email From Specific Sender and IP

Any Body 0 Reputation points
2026-03-26T12:57:20.56+00:00

How can I allow legitimate surveys from a specific sender and IP to users' Inboxes securely? This sender historically passes SPF/DKIM/DMARC but I'd like to still check for that anyway. They're detected as Bulk so they go to Junk. I already tried using a transport rule to set SCL to 3 but I found out that transport rules are not processed until after Bulk is identified. Safe Senders List only allows it for a set period of time and I don't know if it's wise to add them to the Allowed Senders List in the Anti-Spam Policy.

Copilot suggests to use Advanced Delivery to set them up as a third-party email provider (as if for phishing simulation) but that just sounds blatantly wrong.

Thanks in advance!

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


3 answers

  1. Hin-V 13,215 Reputation points Microsoft External Staff Moderator
    2026-03-26T15:00:53.41+00:00

    Hi @Any Body

    Based on my research, bulk classification is determined by Microsoft’s global reputation and user‑engagement signals and is applied before tenant‑level rules are evaluated. As a result, there is no safe or permanent method to force Bulk messages into users’ Inboxes without weakening existing security controls.

    While temporary mitigations may be applied, such as time‑limited allow entries or submitting messages as false positives, long‑term Inbox placement ultimately depends on the sender’s reputation, recipient engagement, and adherence to bulk‑sending best practices (including unsubscribe handling, list hygiene, and complaint rate management).

    You can refer to: What's the difference between junk email and bulk email? - Microsoft Defender for Office 365 | Micr…

    If you believe this configuration change would significantly improve the user experience, we recommend submitting feedback directly to Microsoft through the Microsoft 365 Feedback Portal. Doing so ensures that your request reaches the Microsoft product team, enabling them to better understand customer needs, evaluate the impact, and potentially prioritize enhancements in future product updates.

    We apologize for redirecting you to the appropriate development channel. This platform is a user‑to‑user support forum, and moderators who participate here do not have access to backend systems or the ability to modify product behavior. Our role is limited to providing technical guidance and sharing best practices based on publicly available information, reported issues, and community discussions.

    Please feel free to correct me if I misunderstood your request. If you have any additional concerns, feel free to comment below. I would be more than happy to assist. 


    Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread. 

  2. Any Body 0 Reputation points
    2026-03-26T13:47:30.7833333+00:00

    I've added the sender to the Tenant Allow List but they don't have a "never expire" option so I selected "45 days after last used date" and I will submit samples as "clean" to Microsoft in the meantime. I already have the transport rule to set the SCL to 3 for messages from that sender and IP and if they pass SPF/DKIM/DMARC, so I'll leave that in place and keep an eye on them over time.

  3. Q&A Assist
    2026-03-26T12:57:34.9966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Use a combination of Tenant Allow/Block List and a mail flow rule that still enforces authentication, and avoid broad allowlists in anti-spam policies.

    1. Add the sender/domain to the Tenant Allow/Block List
      • This is the most recommended allow method for cloud mailboxes.
      • Add the specific sending email address or domain (including any spoofed variants actually used) as an Allow entry in the Tenant Allow/Block List.
      • This lets legitimate messages bypass spam while still enforcing the platform’s secure-by-default behavior (malware and high confidence phishing are still quarantined).
      • Continue to submit samples as “good” so the service can learn and reduce the need for manual allow entries over time.
    2. Use a mail flow rule that checks DMARC and/or source IP. Since mail flow rules are the second-preferred method, configure a rule that:
      • Condition 1 (sender domain):
        • Apply this rule if The sender domain is contoso.com (replace with the survey sender’s domain).
      • Condition 2 (authentication check – preferred):
        • And The message headers includes any of these words
          • Header name: Authentication-Results
          • Header values: dmarc=pass and dmarc=bestguesspass (add both)
        • This ensures the rule only helps messages that actually pass DMARC, reducing spoofing risk.
      • Alternative Condition 2 (if they don’t consistently authenticate):
        • Instead of the header condition, tightly scope the source IP using the IP Allow List in the default connection filter policy:
          • Add only the specific sending IP or a very small range (ideally /24 or smaller).
          • Do not add consumer/shared ranges.
      • Action:
        • Use an action that ensures delivery to Inbox (for example, lower SCL or bypass spam) as documented for mail flow rules.
      Important security guidance from the context:
      • Never configure a rule that skips spam filtering based only on the sender domain; always pair it with DMARC header checks or a tightly scoped IP Allow List.
      • Keep IP Allow List entries to an absolute minimum and review them regularly.
    3. Avoid risky allow methods
      • Do not rely on:
        • Allowed sender/domain lists in anti-spam policies for this scenario. These bypass spam, spoof, phishing protection and sender authentication (except high confidence phishing) and are recommended only for temporary testing.
        • Broad IP Allow List entries (large ranges, consumer/shared infrastructure).
      • Outlook Safe Senders only affects individual mailboxes and is less suitable for a consistent, organization-wide solution.
    4. Handle bulk classification specifically
      • For bulk/marketing mail that is wanted, consider tuning the Bulk Complaint Level (BCL) threshold in anti-spam policies:
        • Check the BCL value in the X-Microsoft-Antispam header of these survey messages.
        • If they are consistently below or near the threshold, adjust the BCL threshold so that only higher-BCL (less wanted) bulk is filtered.
        • Choose an appropriate bulk action (Junk vs Quarantine) based on user tolerance.

    This combination—Tenant Allow/Block List + DMARC-aware mail flow rule (and optionally tight IP Allow List and BCL tuning)—allows the legitimate survey traffic into Inboxes while still validating SPF/DKIM/DMARC and minimizing spoofing and abuse risk.


    0 comments No comments
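
Added example (not part of any answer above, and not Microsoft's code): a header triage script for a saved survey message that checks the conditions discussed in this thread, namely the DMARC result in Authentication-Results, the connecting IP, and the BCL in X-Microsoft-Antispam. The sample headers, the domain `surveys.example`, the IP and the threshold values are constructed placeholders; reading the connecting IP from the `CIP` field of X-Forefront-Antispam-Report is an assumption not stated on this page.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample headers (not from a real message); all values are placeholders.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.25)
 smtp.mailfrom=surveys.example; dkim=pass (signature was verified)
 header.d=surveys.example; dmarc=pass action=none
 header.from=surveys.example;compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;SRV:BULK;SCL:6;
X-Microsoft-Antispam: BCL:6;
From: Survey Team <noreply@surveys.example>
Subject: Your feedback

body
"""

def _field(value, key):
    """Return the value of 'KEY:value;' in a semicolon-delimited antispam header."""
    m = re.search(rf"(?:^|;)\s*{key}:([^;\s]+)", value or "")
    return m.group(1) if m else None

def triage(raw, domain, allowed_net, bulk_threshold):
    """Report whether a message meets the sender, IP and authentication conditions."""
    msg = message_from_string(raw)
    # Unfold the header and normalise case before matching method=result pairs.
    auth = " ".join((msg.get("Authentication-Results") or "").split()).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    m = re.search(r"header\.from=([^;\s]+)", auth)
    from_domain = m.group(1) if m else None
    cip = _field(msg.get("X-Forefront-Antispam-Report"), "CIP")
    bcl = _field(msg.get("X-Microsoft-Antispam"), "BCL")
    return {
        "auth": results,
        # Strict choice made for this example: only dmarc=pass counts;
        # dmarc=bestguesspass stays visible in "auth" but is not treated as a pass.
        "dmarc_pass": results.get("dmarc") == "pass",
        "domain_match": from_domain == domain.lower(),
        "ip_in_scope": bool(cip) and ip_address(cip) in ip_network(allowed_net),
        "bcl": int(bcl) if bcl is not None else None,
        # Compared with >= on the assumption that a BCL at the threshold counts as bulk.
        "over_bulk_threshold": bcl is not None and int(bcl) >= bulk_threshold,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "surveys.example", "203.0.113.25/32", bulk_threshold=6))
```

Running this over several saved samples shows whether the sender's BCL sits consistently near the policy threshold and whether every message that a scoped rule would match also carries a DMARC pass from the expected IP.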
