Order and precedence of email protection
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email might be flagged by multiple forms of protection. For example, anti-spoofing protection that's available to all Microsoft 365 customers, and impersonation protection that's available to Microsoft Defender for Office 365 customers only. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there might be some confusion as to which policy is applied.
In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report header in the CAT (Category) property. For more information, see Anti-spam message headers.
There are two major factors that determine which policy is applied to a message:
The order of processing for the email protection type: This order isn't configurable, and is described in the following table:
Order Email protection Category Where to manage 1 Malware CAT:MALW
Configure anti-malware policies in EOP 2 High confidence phishing CAT:HPHSH
Configure anti-spam policies in EOP 3 Phishing CAT:PHSH
Configure anti-spam policies in EOP 4 High confidence spam CAT:HSPM
Configure anti-spam policies in EOP 5 Spoofing CAT:SPOOF
Spoof intelligence insight in EOP 6* User impersonation (protected users) CAT:UIMP
Configure anti-phishing policies in Microsoft Defender for Office 365 7* Domain impersonation (protected domains) CAT:DIMP
Configure anti-phishing policies in Microsoft Defender for Office 365 8* Mailbox intelligence (contact graph) CAT:GIMP
Configure anti-phishing policies in Microsoft Defender for Office 365 9 Spam CAT:SPM
Configure anti-spam policies in EOP 10 Bulk CAT:BULK
Configure anti-spam policies in EOP * These features are available only in anti-phishing policies in Microsoft Defender for Office 365.
The priority order of policies: The policy priority order is shown in the following list:
The anti-spam, anti-malware, anti-phishing, Safe Links*, and Safe Attachments* policies in the Strict preset security policy (when enabled).
The anti-spam, anti-malware, anti-phishing, Safe Links*, and Safe Attachments* policies in the Standard preset security policy (when enabled).
Anti-phishing, Safe Links, and Safe Attachments in Defender for Office 365 evaluation policies (when enabled).
Custom anti-spam, anti-malware, anti-phishing, Safe Links*, and Safe Attachments* policies (when created).
Custom policies are assigned a default priority value when you create the policy (newer equals higher), but you can change the priority value at any time. This priority value affects the order that custom policies of that type (anti-spam, anti-malware, anti-phishing, etc.) are applied, but doesn't affect where custom policies are applied in the overall order.
Of equal value:
- The Safe Links and Safe Attachments policies in the Built-in protection preset security policy*.
- The default policies for anti-malware, anti-spam, and anti-phishing.
You can configure exceptions to the Built-in protection preset security policy, but you can't configure exceptions to the default policies (they apply to all recipients and you can't turn them off).
* Defender for Office 365 only.
Important
The priority order matters if you have the same recipient intentionally or unintentionally included in multiple policies, because only the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is included in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
For example, the group named "Contoso Executives" is included in the following policies:
- The Strict preset security policy
- A custom anti-spam policy with the priority value 0 (highest priority)
- A custom anti-spam policy with the priority value 1.
Which anti-spam policy settings are applied to the members of Contoso Executives? The Strict preset security policy. The settings in the custom anti-spam policies are ignored for the members of Contoso Executives, because the Strict preset security policy is always applied first.
As another example, consider the following custom anti-phishing policies in Microsoft Defender for Office 365 that apply to the same recipients, and a message that contains both user impersonation and spoofing:
Policy name | Priority | User impersonation | Anti-spoofing |
---|---|---|---|
Policy A | 1 | On | Off |
Policy B | 2 | Off | On |
- The message is identified as spoofing, because spoofing (5) is evaluated before user impersonation (6) in the order of processing for the email protection type.
- Policy A is applied first, because it has a higher priority than Policy B.
- Based on the settings in Policy A, no action is taken on the message because anti-spoofing is turned off.
- The processing of anti-phishing policies stops for all included recipients, so Policy B is never applied to recipients who are also in Policy A.
To make sure that recipients get the protection settings that you want, use the following guidelines for policy memberships:
- Assign a smaller number of users to higher priority policies, and a larger number of users to lower priority policies. Remember, default policies are always applied last.
- Configure higher priority policies to have stricter or more specialized settings than lower priority policies. You have complete control over the settings in custom policies and the default policies, but no control over most settings in preset security policies.
- Consider using fewer custom policies (only use custom policies for users who require more specialized settings than the Standard or Strict preset security policies, or the default policies).
Appendix
It's important to understand how user allows and blocks, tenant allows and blocks, and filtering stack verdicts in EOP and Defender for Office 365 complement or contradict each other.
- For information about filtering stacks and how they're combined, see Step-by-step threat protection in Microsoft Defender for Office 365.
- After the filtering stack determines a verdict, only then are tenant policies and their configured actions evaluated.
- If the same email address or domain exists in a user's Safe Senders list and Blocked Senders list, the Safe Senders list takes precedence.
- If the same entity (email address, domain, spoofed sending infrastructure, file, or URL) exists in an allow entry and a block entry in the Tenant Allow/Block List, the block entry takes precedence.
User allows and blocks
Entries in a user's safelist collection (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox) are able to override some filtering stack verdicts as described in the following table:
Filtering stack verdict | User's Safe Senders/Recipients list | User's Blocked Senders list |
---|---|---|
Malware | Filter wins: Email quarantined | Filter wins: Email quarantined |
High confidence phishing | Filter wins: Email quarantined | Filter wins: Email quarantined |
Phishing | User wins: Email delivered to user's Inbox | Tenant wins: The applicable anti-spam policy determines the action |
High confidence spam | User wins: Email delivered to user's Inbox | Tenant wins: The applicable anti-spam policy determines the action |
Spam | User wins: Email delivered to user's Inbox | Tenant wins: The applicable anti-spam policy determines the action |
Bulk | User wins: Email delivered to user's Inbox | User wins: Email delivered to user's Junk Email folder |
Not spam | User wins: Email delivered to user's Inbox | User wins: Email delivered to user's Junk Email folder |
- In Exchange Online, the domain allow in the Safe Sender's list might not work if the message is quarantined by any of the following conditions:
- The message is identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
- Actions in anti-spam policies are configured to quarantine instead of move mail to the Junk Email folder.
- The email address, URL, or file in the email message is also in a block entry in the Tenant Allow/Block List.
For more information about the safelist collection and anti-spam settings on user mailboxes, see Configure junk email settings on Exchange Online mailboxes.
Tenant allows and blocks
Tenant allows and blocks are able to override some filtering stack verdicts as described in the following tables:
Advanced delivery policy (skip filtering for designated SecOps mailboxes and phishing simulation URLs):
Filtering stack verdict Advanced delivery policy allow Malware Tenant wins: Email delivered to mailbox High confidence phishing Tenant wins: Email delivered to mailbox Phishing Tenant wins: Email delivered to mailbox High confidence spam Tenant wins: Email delivered to mailbox Spam Tenant wins: Email delivered to mailbox Bulk Tenant wins: Email delivered to mailbox Not spam Tenant wins: Email delivered to mailbox Exchange mail flow rules (also known as transport rules):
Filtering stack verdict Mail flow rule allows* Mail flow rule blocks Malware Filter wins: Email quarantined Filter wins: Email quarantined High confidence phishing Filter wins: Email quarantined except in complex routing Filter wins: Email quarantined Phishing Tenant wins: Email delivered to mailbox Tenant wins: Phishing action in the applicable anti-spam policy High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder * Organizations that use a third-party security service or device in front of Microsoft 365 should consider using Authenticated Received Chain (ARC) (contact the third-party for availability) and Enhanced Filtering for Connectors (also known as skip listing) instead of an SCL=-1 mail flow rule. These improved methods reduce email authentication issues and encourage defense-in-depth email security.
IP Allow List and IP Block List in connection filter policies:
Filtering stack verdict IP Allow List IP Block List Malware Filter wins: Email quarantined Filter wins: Email quarantined High confidence phishing Filter wins: Email quarantined Filter wins: Email quarantined Phishing Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped Spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped Allow and block settings in anti-spam policies:
- Allowed sender and domain list.
- Blocked sender and domain list.
- Block messages from specific countries/regions or in specific languages.
- Block messages based on Advanced Spam Filter (ASF) settings.
Filtering stack verdict Anti-spam policy allows Anti-spam policy blocks Malware Filter wins: Email quarantined Filter wins: Email quarantined High confidence phishing Filter wins: Email quarantined Filter wins: Email quarantined Phishing Tenant wins: Email delivered to mailbox Tenant wins: Phishing action in the applicable anti-spam policy High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder Allow entries in the Tenant Allow/Block List: There are two types of allow entries:
- Message level allow entries act on the entire message, regardless of the entities in the message. Allow entries for email address and domains are message level allow entries.
- Entity level allow entries act on the filtering verdict of entities. Allow entries for URLs, spoofed senders, and files are entity level allow entries. To override malware and high confidence phishing verdicts, you need to use entity level allow entries, which you can create by submission only due to Secure by default in Microsoft 365.
Filtering stack verdict Email address/domain Malware Filter wins: Email quarantined High confidence phishing Filter wins: Email quarantined Phishing Tenant wins: Email delivered to mailbox High confidence spam Tenant wins: Email delivered to mailbox Spam Tenant wins: Email delivered to mailbox Bulk Tenant wins: Email delivered to mailbox Not spam Tenant wins: Email delivered to mailbox Block entries in the Tenant Allow/Block List:
Filtering stack verdict Email address/domain Spoof File URL Malware Filter wins: Email quarantined Filter wins: Email quarantined Tenant wins: Email quarantined Filter wins: Email quarantined High confidence phishing Tenant wins: Email quarantined Filter wins: Email quarantined Tenant wins: Email quarantined Tenant wins: Email quarantined Phishing Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined High confidence spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined Spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined Bulk Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined Not spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined
User and tenant settings conflict
The following table describes how conflicts are resolved if an email is affected by both user allow/block settings and tenant allow/block settings:
Type of tenant allow/block | User's Safe Senders/Recipients list | User's Blocked Senders list |
---|---|---|
Block entries in the Tenant Allow/Block List for:
|
Tenant wins: Email quarantined | Tenant wins: Email quarantined |
Block entries for spoofed senders in the Tenant Allow/Block List | Tenant wins: Spoof intelligence action in the applicable anti-phishing policy | Tenant wins: Spoof intelligence action in the applicable anti-phishing policy |
Advanced delivery policy | User wins: Email delivered to mailbox | Tenant wins: Email delivered to mailbox |
Block settings in anti-spam policies | User wins: Email delivered to mailbox | User wins: Email delivered to user's Junk Email folder |
Honor DMARC policy | User wins: Email delivered to mailbox | User wins: Email delivered to user's Junk Email folder |
Blocks by mail flow rules | User wins: Email delivered to mailbox | User wins: Email delivered to user's Junk Email folder |
Allows by:
|
User wins: Email delivered to mailbox | User wins: Email delivered to user's Junk Email folder |