Microsoft Anti-Spam Protection & Security Policy

If you’re wondering why cold emails are generating a lot more non-delivery reports recently, it may be time to review your company’s Office 365 Exchange anti-spam and security policy setup.

This post will focus on the policies most impactful for sales organizations using Microsoft to prospect for leads. There’s a lot of information to process, and we’ll link out to Microsoft documentation so you can do your own research.

When you set up your Office 365 account, it’s important to review your configuration for Exchange Online Protection (EOP) and Defender for Office 365 following these setup and deployment guides.

Outbound Spam Protection for Office 365

Microsoft takes outbound spam protection very seriously, and a single user can impact email deliverability for the rest of the company.

Users who hit the sending limits or the Outbound Spam Policies (OSP) listed in Exchange Online Protection (EOP) may trigger the default Suspicious Email Sending Patterns alert.

Admins will be notified of the policy violation and can take further action like unblocking the restricted entity or reviewing third-party spam complaints for Office 365.

A restricted entity is a user account which is blocked from sending email “due to indications of compromise,” most commonly exceeding message sending limits or sending emails with spam content.

For example, if 50%+ of your messages sent within a given time frame (e.g., 1 hour or 1 day) are considered outbound spam by Microsoft, then the user will be blocked.

If the user tries to send email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the error code 550 5.1.8 ‘bad outbound sender’ and the following text: 

“Your message couldn’t be delivered because you weren’t recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it’s no longer allowed to send email. Contact your email admin for assistance. Remote Server returned ‘550 5.1.8 Access denied, bad outbound sender.’”

-Microsoft Learn

High-risk delivery pools for Office 365

Microsoft scans all outgoing messages for spam.  

Any suspected spam emails are routed through a high-risk IP delivery pool which protects the normal delivery pool that is reserved for ‘high quality’ emails. 

“We monitor accounts that are sending spam, and when they exceed an undisclosed limit, the account is blocked from sending email. There are different thresholds for individual users and the entire tenant.”

-Microsoft Learn

Not all spam is the same.  

A zero-day spam email has a content pattern that was ‘previously unrecognized’ by Microsoft’s spam filter.  These emails are often triggered by a violation of the daily sending volume limit which disables the sender’s account.  

Microsoft is very secretive, for good reason…

“We don’t advertise the exact limits so spammers can’t game the system, and so we can increase or decrease the limits as necessary. The limits are high enough to prevent an average business user from ever exceeding them, and low enough to help contain the damage caused by a spammer.”

https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about

Best practices from Microsoft to prevent your account getting blocked for spam:

  • Don’t send a high rate or volume of emails.
  • Don’t send to a list of BCC recipients. 
  • Don’t use your primary domain if you plan on sending bulk emails.  Instead, use a custom subdomain (or alternative email address) with SPF, DKIM and DMARC.
  • Make sure your email domain has an ‘A’ and ‘MX’ record set in your DNS.
  • One-click option to unsubscribe is preferable.
  • Email aliases do not protect your account from repercussions of sending spam.
  • Maximum number of recipients per day is 1000.
  • Maximum number of messages that can be sent per minute is 30.
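
An admin-side check of the last two limits, as an added example that is not part of the original post or Microsoft's tooling: it groups a send log by sender and day and flags anyone over 1000 recipients per day or 30 messages in a calendar minute. The function name, the record fields (`Sender`, `Sent`, `RecipientCount`) and the sample log are assumptions constructed for illustration; in practice the records would come from your own message-trace export.

```powershell
# Added example: flag senders that exceed the two limits listed above.
function Test-OutboundSendLimit {
    param(
        [Parameter(Mandatory)] [object[]] $Message,  # needs Sender, Sent, RecipientCount
        [int] $MaxRecipientsPerDay  = 1000,          # figure from this page
        [int] $MaxMessagesPerMinute = 30             # figure from this page
    )
    foreach ($bySender in ($Message | Group-Object -Property Sender)) {
        foreach ($byDay in ($bySender.Group | Group-Object { $_.Sent.ToString('yyyy-MM-dd') })) {
            # Total recipients addressed by this sender on this day.
            $recipients = ($byDay.Group | Measure-Object -Property RecipientCount -Sum).Sum
            # Busiest calendar minute (fixed one-minute buckets, not a sliding window).
            $peak = ($byDay.Group | Group-Object { $_.Sent.ToString('HH:mm') } |
                     Measure-Object -Property Count -Maximum).Maximum
            [pscustomobject]@{
                Sender         = $bySender.Name
                Day            = $byDay.Name
                Recipients     = $recipients
                PeakPerMinute  = $peak
                OverDailyLimit = $recipients -gt $MaxRecipientsPerDay
                OverRateLimit  = $peak -gt $MaxMessagesPerMinute
            }
        }
    }
}

# Constructed sample log (not real data): rep1 bursts 40 messages inside one minute,
# rep2 sends 12 messages to 100 recipients each, rep3 sends at a normal pace.
$t0  = [datetime]::new(2024, 9, 2, 9, 0, 0)
$log = @(
    0..39 | ForEach-Object {
        [pscustomobject]@{ Sender = 'rep1@example.com'; Sent = $t0.AddSeconds($_); RecipientCount = 1 } }
    0..11 | ForEach-Object {
        [pscustomobject]@{ Sender = 'rep2@example.com'; Sent = $t0.AddMinutes($_ * 5); RecipientCount = 100 } }
    0..19 | ForEach-Object {
        [pscustomobject]@{ Sender = 'rep3@example.com'; Sent = $t0.AddMinutes($_ * 10); RecipientCount = 1 } }
)

Test-OutboundSendLimit -Message $log |
    Where-Object { $_.OverDailyLimit -or $_.OverRateLimit } |
    Format-Table -AutoSize
```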

Customizing EOP Outbound Spam Policies for Office 365 

The recommended settings for Exchange Online Protection (EOP) allow you to create and configure your company’s outbound spam policies. Microsoft even provides a guide to ensure you have the optimal security controls.

If your sales team is prospecting with cold email, you should review the outbound spam policies and consider customizing policies to avoid wasting time having to unblock a restricted entity in your organization. 

Note: The Standard and Strict presets have preset values for the default policies which can be overridden with custom outbound spam policies that you create for your organization.  

If a user violates a policy, you can select the action from a list:

  • Restrict the user from sending mail until the following day
  • Restrict the user from sending mail (indefinitely)
  • No action, alert only.

Considerations about the recommended values in the table below: 

  • The value ‘0’ is a bit confusing because it’s not zero but rather an undisclosed number that Microsoft determines.
  • From our research, the default values are LOWER than the recommended values.
  • 1,000 emails per day is the recommended maximum number of recipients you can email each day.
  • The restrictions for users who exceed your policy’s daily sending limit can cause the user’s email account to be restricted for 24 hours or indefinitely.

Microsoft automatically applies their default settings, which can have a negative impact on your email functionality. The default policies are different from preset security policies.

For example, ‘outbound spam’ does NOT have a preset security policy but rather a default policy because it relates to external emails.

Microsoft automatically updates the recommended settings for the default policies which is why we recommend creating your own custom policy.  

August 2024 was the most recent major overhaul to Microsoft’s policies and email admins flocked to the support forums looking for help.  

Microsoft claims that the “Secure Presets are always recommended because it ensures admins are exercising Microsoft best practices.”  These presets are composed of 3 specific policies that you can’t delete.  However, you can create custom policies in EOP and Defender for Office 365 as an alternative to their recommended settings.

Pro Tip: if you create custom outbound spam policies, it’s important to remember to adjust the order of priority to ensure your custom policy is adhered to and not ignored because the default policy was unintentionally set to a higher priority.  

You can always increase or decrease the priority of one policy over another on the anti-spam page.  Once the first policy is applied, the lower priority policies may be ignored.   
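
One way to create a custom outbound spam policy and set its priority from Exchange Online PowerShell, as an added example that is not from the original post. It assumes a connected session (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module); the policy name, the group address and the two hourly limits are assumptions to replace with your own values.

```powershell
# Added example: custom outbound spam policy scoped to one group.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

$policyName = 'Sales Outbound Spam Policy'   # hypothetical policy name
$salesGroup = 'sales-team@contoso.com'       # hypothetical group address

$policy = @{
    Name                          = $policyName
    RecipientLimitExternalPerHour = 500      # assumed value, check Microsoft's current table
    RecipientLimitInternalPerHour = 1000     # assumed value, check Microsoft's current table
    RecipientLimitPerDay          = 1000     # daily recipient figure from this page
    # Action when a limit is reached, matching the list earlier in this post:
    #   BlockUserForToday = restrict the user until the following day
    #   BlockUser         = restrict the user until an admin unblocks them
    #   Alert             = no action, alert only
    ActionWhenThresholdReached    = 'BlockUserForToday'
}
New-HostedOutboundSpamFilterPolicy @policy

# The rule decides who the policy applies to and where it sits in the
# priority order. Priority 0 is evaluated first.
$rule = @{
    Name                          = $policyName
    HostedOutboundSpamFilterPolicy = $policyName
    FromMemberOf                  = $salesGroup
    Priority                      = 0
}
New-HostedOutboundSpamFilterRule @rule

# Review the resulting order so the custom policy is the one applied.
Get-HostedOutboundSpamFilterRule |
    Sort-Object -Property Priority |
    Format-Table -Property Name, Priority, State, HostedOutboundSpamFilterPolicy -AutoSize

# To move an existing rule later, change its priority:
# Set-HostedOutboundSpamFilterRule -Identity $policyName -Priority 1
```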

Admins are always encouraged to act quickly to resolve security issues which can limit mailflow.