Order and precedence of email protection

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email might be flagged by multiple forms of protection. For example, anti-spoofing protection that's available to all Microsoft 365 customers, and impersonation protection that's available to Microsoft Defender for Office 365 customers only. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there might be some confusion as to which policy is applied.

In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report header in the CAT (Category) property. For more information, see Anti-spam message headers.

There are two major factors that determine which policy is applied to a message:

For example, the group named "Contoso Executives" is included in the following policies:

  • The Strict preset security policy
  • A custom anti-spam policy with the priority value 0 (highest priority)
  • A custom anti-spam policy with the priority value 1.

Which anti-spam policy settings are applied to the members of Contoso Executives? The Strict preset security policy. The settings in the custom anti-spam policies are ignored for the members of Contoso Executives, because the Strict preset security policy is always applied first.

As another example, consider the following custom anti-phishing policies in Microsoft Defender for Office 365 that apply to the same recipients, and a message that contains both user impersonation and spoofing:

Policy name Priority User impersonation Anti-spoofing
Policy A 1 On Off
Policy B 2 Off On
  1. The message is identified as spoofing, because spoofing (5) is evaluated before user impersonation (6) in the order of processing for the email protection type.
  2. Policy A is applied first, because it has a higher priority than Policy B.
  3. Based on the settings in Policy A, no action is taken on the message because anti-spoofing is turned off.
  4. The processing of anti-phishing policies stops for all included recipients, so Policy B is never applied to recipients who are also in Policy A.

To make sure that recipients get the protection settings that you want, use the following guidelines for policy memberships:

  • Assign a smaller number of users to higher priority policies, and a larger number of users to lower priority policies. Remember, default policies are always applied last.
  • Configure higher priority policies to have stricter or more specialized settings than lower priority policies. You have complete control over the settings in custom policies and the default policies, but no control over most settings in preset security policies.
  • Consider using fewer custom policies (only use custom policies for users who require more specialized settings than the Standard or Strict preset security policies, or the default policies).

Appendix

It's important to understand how user allows and blocks, tenant allows and blocks, and filtering stack verdicts in EOP and Defender for Office 365 complement or contradict each other.

  • For information about filtering stacks and how they're combined, see Step-by-step threat protection in Microsoft Defender for Office 365.
  • After the filtering stack determines a verdict, only then are tenant policies and their configured actions evaluated.
  • If the same email address or domain exists in a user's Safe Senders list and Blocked Senders list, the Safe Senders list takes precedence.
  • If the same entity (email address, domain, spoofed sending infrastructure, file, or URL) exists in an allow entry and a block entry in the Tenant Allow/Block List, the block entry takes precedence.

User allows and blocks

Entries in a user's safelist collection (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox) are able to override some filtering stack verdicts as described in the following table:

Filtering stack verdict User's Safe Senders/Recipients list User's Blocked Senders list
Malware Filter wins: Email quarantined Filter wins: Email quarantined
High confidence phishing Filter wins: Email quarantined Filter wins: Email quarantined
Phishing User wins: Email delivered to user's Inbox Tenant wins: The applicable anti-spam policy determines the action
High confidence spam User wins: Email delivered to user's Inbox Tenant wins: The applicable anti-spam policy determines the action
Spam User wins: Email delivered to user's Inbox Tenant wins: The applicable anti-spam policy determines the action
Bulk User wins: Email delivered to user's Inbox User wins: Email delivered to user's Junk Email folder
Not spam User wins: Email delivered to user's Inbox User wins: Email delivered to user's Junk Email folder
  • In Exchange Online, the domain allow in the Safe Sender's list might not work if the message is quarantined by any of the following conditions:
    • The message is identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
    • Actions in anti-spam policies are configured to quarantine instead of move mail to the Junk Email folder.
    • The email address, URL, or file in the email message is also in a block entry in the Tenant Allow/Block List.

For more information about the safelist collection and anti-spam settings on user mailboxes, see Configure junk email settings on Exchange Online mailboxes.

Tenant allows and blocks

Tenant allows and blocks are able to override some filtering stack verdicts as described in the following tables:

  • Advanced delivery policy (skip filtering for designated SecOps mailboxes and phishing simulation URLs):

    Filtering stack verdict Advanced delivery policy allow
    Malware Tenant wins: Email delivered to mailbox
    High confidence phishing Tenant wins: Email delivered to mailbox
    Phishing Tenant wins: Email delivered to mailbox
    High confidence spam Tenant wins: Email delivered to mailbox
    Spam Tenant wins: Email delivered to mailbox
    Bulk Tenant wins: Email delivered to mailbox
    Not spam Tenant wins: Email delivered to mailbox
  • Exchange mail flow rules (also known as transport rules):

    Filtering stack verdict Mail flow rule allows* Mail flow rule blocks
    Malware Filter wins: Email quarantined Filter wins: Email quarantined
    High confidence phishing Filter wins: Email quarantined except in complex routing Filter wins: Email quarantined
    Phishing Tenant wins: Email delivered to mailbox Tenant wins: Phishing action in the applicable anti-spam policy
    High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder

    * Organizations that use a third-party security service or device in front of Microsoft 365 should consider using Authenticated Received Chain (ARC) (contact the third-party for availability) and Enhanced Filtering for Connectors (also known as skip listing) instead of an SCL=-1 mail flow rule. These improved methods reduce email authentication issues and encourage defense-in-depth email security.

  • IP Allow List and IP Block List in connection filter policies:

    Filtering stack verdict IP Allow List IP Block List
    Malware Filter wins: Email quarantined Filter wins: Email quarantined
    High confidence phishing Filter wins: Email quarantined Filter wins: Email quarantined
    Phishing Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped
    High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped
    Spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped
    Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped
    Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email silently dropped
  • Allow and block settings in anti-spam policies:

    • Allowed sender and domain list.
    • Blocked sender and domain list.
    • Block messages from specific countries/regions or in specific languages.
    • Block messages based on Advanced Spam Filter (ASF) settings.
    Filtering stack verdict Anti-spam policy allows Anti-spam policy blocks
    Malware Filter wins: Email quarantined Filter wins: Email quarantined
    High confidence phishing Filter wins: Email quarantined Filter wins: Email quarantined
    Phishing Tenant wins: Email delivered to mailbox Tenant wins: Phishing action in the applicable anti-spam policy
    High confidence spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Bulk Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
    Not spam Tenant wins: Email delivered to mailbox Tenant wins: Email delivered to user's Junk Email folder
  • Allow entries in the Tenant Allow/Block List: There are two types of allow entries:

    • Message level allow entries act on the entire message, regardless of the entities in the message. Allow entries for email address and domains are message level allow entries.
    • Entity level allow entries act on the filtering verdict of entities. Allow entries for URLs, spoofed senders, and files are entity level allow entries. To override malware and high confidence phishing verdicts, you need to use entity level allow entries, which you can create by submission only due to Secure by default in Microsoft 365.
    Filtering stack verdict Email address/domain
    Malware Filter wins: Email quarantined
    High confidence phishing Filter wins: Email quarantined
    Phishing Tenant wins: Email delivered to mailbox
    High confidence spam Tenant wins: Email delivered to mailbox
    Spam Tenant wins: Email delivered to mailbox
    Bulk Tenant wins: Email delivered to mailbox
    Not spam Tenant wins: Email delivered to mailbox
  • Block entries in the Tenant Allow/Block List:

    Filtering stack verdict Email address/domain Spoof File URL
    Malware Filter wins: Email quarantined Filter wins: Email quarantined Tenant wins: Email quarantined Filter wins: Email quarantined
    High confidence phishing Tenant wins: Email quarantined Filter wins: Email quarantined Tenant wins: Email quarantined Tenant wins: Email quarantined
    Phishing Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined
    High confidence spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined
    Spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined
    Bulk Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined
    Not spam Tenant wins: Email quarantined Tenant wins: Spoof action in the applicable anti-phishing policy Tenant wins: Email quarantined Tenant wins: Email quarantined

User and tenant settings conflict

The following table describes how conflicts are resolved if an email is affected by both user allow/block settings and tenant allow/block settings:

Type of tenant allow/block User's Safe Senders/Recipients list User's Blocked Senders list
Block entries in the Tenant Allow/Block List for:
  • Email addresses and domains
  • Files
  • URLs
Tenant wins: Email quarantined Tenant wins: Email quarantined
Block entries for spoofed senders in the Tenant Allow/Block List Tenant wins: Spoof intelligence action in the applicable anti-phishing policy Tenant wins: Spoof intelligence action in the applicable anti-phishing policy
Advanced delivery policy User wins: Email delivered to mailbox Tenant wins: Email delivered to mailbox
Block settings in anti-spam policies User wins: Email delivered to mailbox User wins: Email delivered to user's Junk Email folder
Honor DMARC policy User wins: Email delivered to mailbox User wins: Email delivered to user's Junk Email folder
Blocks by mail flow rules User wins: Email delivered to mailbox User wins: Email delivered to user's Junk Email folder
Allows by:
  • Mail flow rules
  • IP Allow List (connection filter policy)
  • Allowed sender and domain list (anti-spam policies)
  • Tenant Allow/Block List
User wins: Email delivered to mailbox User wins: Email delivered to user's Junk Email folder