If you are looking for an article full of suspense, I am sorry to disappoint you. The heading gives away the entire plot. The story is about misclassified emails, and the culprits have already been identified as the Outlook SafeSenders and BlockedSenders lists.
This is one of those stories that have been recounted several times. Everyone seems to know it, and yet many are still caught unprepared. Supporting IMF Tune, with its tight Exchange anti-spam integration, I often end up troubleshooting Exchange problems to prove that our product is working fine. So I find myself in the perfect position to regularly rescue those who forget about this trap.
The story always concerns incoming emails. Sometimes a legitimate email keeps getting blocked. Other times it's a spam email that seems unstoppable and keeps getting delivered to the user's Inbox. Very often the problem affects one user (the boss of course) but it could also concern multiple or all user mailboxes.
What makes this problem elusive is that pretty much everyone today uses server-side spam filtering (whether on-premises or cloud). Administrators often think that they are in complete control of the filter configuration. After all, aren't they the only ones to access the server configuration?
We have a video series on the various server-side spam filters available in Exchange out-of-the-box. The videos cover the configuration tasks Exchange administrators perform when managing these filters. Unfortunately even these videos overlook the sneaky Outlook sender lists.
Note: The videos were produced for Exchange 2013 but are largely applicable to all Exchange versions from 2007 up to 2016. Check them for a tour of the anti-spam features readily available in Exchange.
Getting back to our problem scenario, consider a legitimate email getting blocked with a Sender Denied SMTP rejection response. The Exchange administrator looks up the blocked senders at the Sender Filter Agent configuration but finds nothing:
Get-SenderFilterConfig | FL BlockedSenders,BlockedDomains
Stopping the Sender ID filter makes no difference. So what can it be, given the very clear rejection response?
This is when we should check the Outlook sender lists. Outlook lists are the window for users to customize their spam filtering directly. These settings are taken up by transport servers and are enforced together with all other server-side anti-spam settings.
Before Exchange 2010 managing these settings wasn't easy. We had to log in as the user and change the settings from Outlook/OWA, or else we could use complex scripts.
However, the situation improved significantly from Exchange 2010 onwards with the introduction of the lifesaving MailboxJunkEmailConfiguration cmdlet. This allows us to review and modify the anti-spam settings configured by users.
Working with MailboxJunkEmailConfiguration
To see the sender lists for a user mailbox:
Get-MailboxJunkEmailConfiguration -Identity "UserName" | FL TrustedSendersAndDomains,BlockedSendersAndDomains
We can use the usual list manipulation syntax to modify these lists. Clearing the blocked senders list is done by setting it to $null as follows:
Set-MailboxJunkEmailConfiguration -Identity "UserName" -BlockedSendersAndDomains $null
To completely replace all the list entries:
Set-MailboxJunkEmailConfiguration -Identity "UserName" -BlockedSendersAndDomains "user1@domain.com","user2@domain2.com","spam1.com","spam2.com"
Here I am clearing all BlockedSendersAndDomains entries, replacing them with two addresses and two domains.
To add new addresses to the current BlockedSendersAndDomains list:
Set-MailboxJunkEmailConfiguration -Identity "UserName" -BlockedSendersAndDomains @{Add="new@domain3.com","spam3.com"}
To only remove specific entries from the BlockedSendersAndDomains list:
Set-MailboxJunkEmailConfiguration -Identity "UserName" -BlockedSendersAndDomains @{Remove="new@domain3.com","spam3.com"}
Configuring Multiple Mailboxes
If we wanted to modify multiple user mailboxes we would pipe the result of Get-Mailbox into Set-MailboxJunkEmailConfiguration.
For example here I am clearing all sender lists on all mailboxes for the specified Mailbox Database:
Get-Mailbox -Database MailboxDatabaseName | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains $null -BlockedSendersAndDomains $null -ErrorAction SilentlyContinue
When dealing with multiple mailboxes it's best to set the ErrorAction parameter to SilentlyContinue. Otherwise newly created mailboxes may cause the operation to fail.
Running cmdlets on multiple mailboxes is most useful when clearing lists or removing problematic addresses. Adding addresses to all user lists is less useful. Addresses that should be blocked/accepted by all users should go to the server configuration whenever possible.
More MailboxJunkEmailConfiguration Options
Apart from the sender lists, let me also highlight some other important MailboxJunkEmailConfiguration parameters that allow us to control more anti-spam settings.
Enable - Enables/Disables the Junk Email filtering functionality for the mailbox. This switch is so useful that I wrote another article to cover it: Exchange 2003, 2007, 2010, 2013 Junk Email Folder.
Other configuration options to be aware of include the ContactsTrusted and the TrustedListsOnly switches. These are set to $true or $false. ContactsTrusted causes all contacts to be considered as Trusted Senders. If $true, the set of trusted senders can be significantly extended without directly editing the anti-spam sender lists.
On the other hand, TrustedListsOnly significantly limits who is considered to be a source of legitimate emails. If $true, emails are considered to be spam unless they are sent from a trusted sender.
So these options also have a significant impact on how emails are filtered. Indeed these can be trickier to pinpoint than an explicit TrustedSendersAndDomains/BlockedSendersAndDomains entry.
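For the troubleshooting scenario described earlier, the following read-only audit lists every mailbox whose Outlook sender lists mention a given sender or its domain, and also flags mailboxes running with TrustedListsOnly. It is an added example, not part of the original article; the $Sender value is a constructed sample and the output column names are my own choice.

```powershell
# Added example: read-only audit, run from the Exchange Management Shell.
# $Sender is a constructed sample address; replace it with the sender under investigation.
$Sender = "user1@domain.com"
$Domain = $Sender.Split("@")[1]

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Newly created mailboxes may have no junk email configuration yet; skip them quietly.
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $mbx.Identity -ErrorAction SilentlyContinue
    if (-not $cfg) { return }

    # List entries are either full addresses or bare domains, so test for both.
    # String comparison with -eq is case-insensitive in PowerShell.
    $blocked = @($cfg.BlockedSendersAndDomains | Where-Object { $_ -eq $Sender -or $_ -eq $Domain })
    $trusted = @($cfg.TrustedSendersAndDomains | Where-Object { $_ -eq $Sender -or $_ -eq $Domain })

    # Report the mailbox if either list matches, or if TrustedListsOnly is on
    # (which treats mail as spam unless the sender is trusted, with no blocked entry needed).
    if ($blocked.Count -gt 0 -or $trusted.Count -gt 0 -or $cfg.TrustedListsOnly) {
        New-Object PSObject -Property @{
            Mailbox          = $mbx.PrimarySmtpAddress
            JunkFilterOn     = $cfg.Enabled
            BlockedMatch     = ($blocked -join ",")
            TrustedMatch     = ($trusted -join ",")
            ContactsTrusted  = $cfg.ContactsTrusted
            TrustedListsOnly = $cfg.TrustedListsOnly
        }
    }
} | Select-Object Mailbox, JunkFilterOn, BlockedMatch, TrustedMatch, ContactsTrusted, TrustedListsOnly |
    Format-Table -AutoSize
```

Nothing is modified by this script, so its output can be reviewed before running any of the Set-MailboxJunkEmailConfiguration commands shown above.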