In Microsoft 365 (Office 365) organizations, you can use Exchange Online Protection (EOP) to block email from unwanted senders (SMTP addresses) or domain names. In Exchange Online, you can configure multiple levels of spam blocking:
- Block domains and email addresses using Tenant Allow/Block List;
- List of Outlook Blocked Senders (an individual list is stored in each user mailbox);
- Exchange Online Protection anti-spam policies;
- Exchange Mail flow (transport) rules;
- Connection filters (the IP Block List).
These methods are listed in order from most recommended to least recommended.
Manage Exchange Online Tenant Block List
There is a separate Tenant Allow/Block List feature in Microsoft 365 Defender that allows you to manage your list of allowed and blocked external senders.
- Sign in to the Microsoft 365 Defender portal with an account that is a member of one of the following groups: Organization Management, Security Administrator role, or role group;
- Go to Email and collaboration > Policies and rules > Threat Policies > Tenant Allow/Block Lists;
- Click Block to add a new sender to the M365 blacklist;
- Specify the list of sender domain names and SMTP addresses that you want to block (up to 20 entries at a time);
- In the Remove block entry after field, specify the expiration date after which they will be automatically removed from the blacklist. By default, the entries in this list will expire in 30 days, but you can choose one of the following values: 1 day, 7 days, 30 days, up to 90 days from today, or Never expire;
- Click the Add button to add entries to the list.
Emails from these senders will be marked as high confidence spam (SCL = 9). In addition, users in your organization won’t be able to send email messages to blocked addresses and domains. If they try to send to these addresses, they will receive an NDR with the text:
‘550 5.7.703 Your message can’t be delivered because one or more recipients are blocked by your organization’s tenant recipient block policy’
You can manage the Exchange Online Tenant Allow/Block List with PowerShell. Connect to your Exchange Online organization with the Exchange Online PowerShell module:
Connect-ExchangeOnline -UserPrincipalName admin@theitbros.com
To blacklist a new sender address, run the command:
New-TenantAllowBlockListItems -ListType Sender -Block -Entries 'spam@example1.com','spam@test1.com' -ExpirationDate 12/31/2022
To change an entry in the list, use the Set-TenantAllowBlockListItems command:
Set-TenantAllowBlockListItems -ListType Sender -Entries 'spam@example1.com' -NoExpiration
List blocked addresses in Microsoft 365:
Get-TenantAllowBlockListItems -ListType Sender -Block|select value, ExpirationDate
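The same commands wrapped in a reusable function, added here as an example and not part of the original article: it validates entries, skips senders that already have a block entry, and submits the rest in batches of 20. The function name Add-TenantSenderBlock and the sample entries are hypothetical, and the batch size of 20 is taken from the portal limit mentioned above and assumed here for the cmdlet as well.

```powershell
# Added example: bulk-add senders/domains to the Tenant Allow/Block List.
# Assumes an existing Connect-ExchangeOnline session.
function Add-TenantSenderBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Entries,
        [ValidateRange(0, 90)][int]$ExpireInDays = 30   # 0 = never expire
    )

    # Accept only user@domain.tld or domain.tld; normalise case and drop duplicates.
    $pattern = '^([^@\s]+@)?([a-z0-9-]+\.)+[a-z]{2,}$'
    $clean = @($Entries | ForEach-Object { $_.Trim().ToLower() } | Sort-Object -Unique)
    $valid = @($clean | Where-Object { $_ -match $pattern })
    $clean | Where-Object { $_ -notmatch $pattern } |
        ForEach-Object { Write-Warning "Skipping malformed entry: $_" }

    # Skip senders that already have a block entry.
    $existing = @(Get-TenantAllowBlockListItems -ListType Sender -Block |
        ForEach-Object { $_.Value.ToLower() })
    $new = @($valid | Where-Object { $_ -notin $existing })

    # Submit in batches of 20 (assumed limit, see lead-in).
    for ($i = 0; $i -lt $new.Count; $i += 20) {
        $batch = @($new[$i..([Math]::Min($i + 19, $new.Count - 1))])
        $params = @{ ListType = 'Sender'; Block = $true; Entries = $batch }
        if ($ExpireInDays -eq 0) { $params.NoExpiration = $true }
        else { $params.ExpirationDate = (Get-Date).ToUniversalTime().AddDays($ExpireInDays) }

        if ($PSCmdlet.ShouldProcess(($batch -join ', '), 'Add sender block entry')) {
            New-TenantAllowBlockListItems @params | Select-Object Value, ExpirationDate
        }
    }
}

# Constructed sample input; -WhatIf shows what would be added without changing the list.
Add-TenantSenderBlock -Entries 'spam@example1.com', 'example2.com', 'not an address' -WhatIf
```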
Managing Blocked Senders List in Outlook
Users can block specific email domains or senders in Outlook manually:
- If you are using Outlook Web, sign in to your Microsoft 365 mailbox;
- Open its Settings;
- Go to Mail > Junk email;
- Add email addresses and/or external domains from which you do not want to receive emails to the Blocked senders and domains list;
- Save changes;
- All emails from the specified senders will be automatically moved to the Junk Email Folder.
You can also display or change the list of blocked emails and domains in the user’s mailbox using PowerShell. Connect to your Exchange Online tenant:
Connect-ExchangeOnline -UserPrincipalName admin@theitbros.com
To display a blacklist in a specific user’s mailbox, run the command:
Get-MailboxJunkEmailConfiguration -Identity jsmith | Format-List BlockedSendersAndDomains
Use the following command to add a new sender address to a user’s blacklist:
Set-MailboxJunkEmailConfiguration jsmith -BlockedSendersAndDomains @{Add="info@spam.org"}
You can add a specific email to the blocked sender list to all mailboxes in your organization at once:
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -BlockedSendersAndDomains @{Add="info@spam.org"} }
Configure Spam Filter Policies in Microsoft 365
To block specific email addresses or domains globally at the organization level, you can create a custom anti-spam policy in Microsoft 365 Defender:
- Sign in to Microsoft 365 Defender portal at https://security.microsoft.com;
- Go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam;
- Create a new Inbound policy;
- Set a unique policy name and description (optional);
- Select the users, groups, and domains to which this anti-spam policy should apply. You can specify a list of accepted domains for your organization;
- Next, you need to configure the Bulk email threshold & spam properties. Here you can configure the quarantine policies for the inbound email flow. Or you can skip this step if you only want to configure a blacklist;
- On the Actions tab, you need to select the action that you want to apply to the inbound email in this rule. You can move the message to the Junk Email folder, delete the email, or send it to quarantine;
- Next, you can add individual sender SMTP addresses to the blocked Senders list or FQDN domain names to the Domains list. Emails from these senders will always be marked as Spam;
- Click Next > Create;
- Your new anti-spam rule will now apply to all senders on your blacklist.
Please note that you can add a maximum of 1000 entries to this blocked list.
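The portal steps above can also be scripted. The following is an added example, not part of the original article, that creates the policy and its scoping rule, or appends to the lists if the policy already exists. The policy name and blocked entries are constructed placeholders, and the 1000-entry ceiling is checked against the combined count as a conservative assumption.

```powershell
# Added example: custom inbound anti-spam policy with blocked senders and domains.
# Assumes an existing Connect-ExchangeOnline session; all names are placeholders.
$policyName     = 'Blocked Senders - Inbound'
$blockedSenders = @('info@spam.org')               # constructed sample values
$blockedDomains = @('example1.com', 'test1.com')
$action         = 'Quarantine'                     # or MoveToJmf / Delete

# The article notes a 1000-entry ceiling for this list; fail before changing anything.
if (($blockedSenders.Count + $blockedDomains.Count) -gt 1000) {
    throw 'Blocked list would exceed 1000 entries.'
}

$policy = Get-HostedContentFilterPolicy | Where-Object Name -eq $policyName
if (-not $policy) {
    # The policy holds the settings: the action to take and who is always treated as spam.
    # The same action is set for both spam verdicts so blocked mail is handled consistently.
    New-HostedContentFilterPolicy -Name $policyName `
        -SpamAction $action `
        -HighConfidenceSpamAction $action `
        -BlockedSenders $blockedSenders `
        -BlockedSenderDomains $blockedDomains | Out-Null

    # The rule holds the scope: recipients in every accepted domain of the organization.
    $accepted = (Get-AcceptedDomain).DomainName
    New-HostedContentFilterRule -Name $policyName `
        -HostedContentFilterPolicy $policyName `
        -RecipientDomainIs $accepted | Out-Null
}
else {
    # The policy exists: append to the current lists instead of overwriting them.
    Set-HostedContentFilterPolicy -Identity $policyName `
        -BlockedSenders @{Add = $blockedSenders} `
        -BlockedSenderDomains @{Add = $blockedDomains}
}

# Confirm what is now configured.
Get-HostedContentFilterPolicy | Where-Object Name -eq $policyName |
    Format-List Name, SpamAction, HighConfidenceSpamAction, BlockedSenders, BlockedSenderDomains
```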
Block Senders with Exchange Online Mail Flow Rules
Another way to block senders in Microsoft 365 is to use mail flow rules.
- Sign in to the classic Exchange admin center or the new Exchange admin center;
- Go to Mail flow > Rules and click Add a rule;
- Select Restrict messages by sender or recipient;
- Create the following rule conditions:
Apply this rule if > The sender > domain is > specify the domain name here
Do the following > Block the message > Delete the message without notifying anyone
- In the next step, you can set the rule settings. Select Rule mode > Enforce. Save your mail flow rule.
Now all inbound e-mail messages from this sender will be rejected.
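A PowerShell version of the rule built above, added here as an example and not part of the original article: it creates the rule if it is missing and otherwise merges new domains into the existing condition. The function name, rule name and sample domain are hypothetical, and the mode defaults to Audit so the rule can be observed before it is switched to Enforce as in the steps above.

```powershell
# Added example: create or update a mail flow rule that deletes mail from sender domains.
# Assumes an existing Connect-ExchangeOnline session.
function Set-SenderDomainBlockRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [string]$RuleName = 'Block sender domains',      # hypothetical rule name
        [ValidateSet('Audit', 'AuditAndNotify', 'Enforce')][string]$Mode = 'Audit'
    )

    $rule = Get-TransportRule | Where-Object Name -eq $RuleName
    if ($rule) {
        # Merge with the domains already on the rule; Set-TransportRule replaces the list.
        $merged = @(@($rule.SenderDomainIs) + $Domains | Where-Object { $_ } |
            ForEach-Object { "$_".Trim().ToLower() } | Sort-Object -Unique)
        if ($PSCmdlet.ShouldProcess($RuleName, "Set sender domains to: $($merged -join ', ')")) {
            Set-TransportRule -Identity $RuleName -SenderDomainIs $merged -Mode $Mode
        }
    }
    elseif ($PSCmdlet.ShouldProcess($RuleName, 'Create mail flow rule')) {
        # Same condition and action as the portal steps:
        # "The sender > domain is" and "Delete the message without notifying anyone".
        New-TransportRule -Name $RuleName -SenderDomainIs $Domains `
            -DeleteMessage $true -Mode $Mode | Out-Null
    }

    # Show the resulting state so the mode and domain list can be checked.
    Get-TransportRule | Where-Object Name -eq $RuleName |
        Format-List Name, State, Mode, SenderDomainIs, DeleteMessage
}

# Constructed sample input; matches the article's "Rule mode > Enforce" setting.
Set-SenderDomainBlockRule -Domains 'example1.com' -Mode Enforce -WhatIf
```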
2 comments
Strange, it’s not deleting the address I entered in the list, still just sending it to Junk. It is configured to delete a specified address but our end user is still receiving it in his Junk folder.
Explained well. Thanks.