Use mail flow rules to filter bulk email in Exchange Online

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, anti-spam policies (also known as spam filter policies or content filter policies) scan inbound messages for spam and bulk mail (also known as gray mail). For more information, see Configure anti-spam policies in EOP.

If you want more options to filter bulk mail, you can create mail flow rules (also known as transport rules) to search for text patterns or phrases that are frequently found in bulk mail, and mark those messages as spam. For more information about bulk mail, see What's the difference between junk email and bulk email? and Bulk complaint level (BCL) in EOP.

This topic explains how to create these mail flow rules in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Exchange Online permissions: You need the Transport Rules role, which is assigned to the Compliance Management, Records Management, and Organization Management role groups by default.

  • Microsoft Entra permissions: Membership in the Exchange Administrator or Global Administrator^* roles.

    Important

    ^* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

• To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

• For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:

  • Mail flow rules (transport rules) in Exchange Online
  • Mail flow rule conditions and exceptions (predicates) in Exchange Online
  • Mail flow rule actions in Exchange Online

• The list of words and text patterns that are used to identify bulk mail in the examples isn't exhaustive; you can add and remove entries as necessary. However, they're a good starting point.

• The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to search for the raw (typically, Base 64) encoded values of the subject or other header fields in messages.

• The following procedures mark a bulk message as spam for your entire organization. However, you can add another condition to apply these rules only to specific recipients, so that you can use aggressive filtering on a few, highly targeted users, while the rest of your users (who mostly get the bulk email they signed up for) aren't impacted.

Use the EAC to create mail flow rules that filter bulk email

1. In the EAC at https://admin.exchange.microsoft.com, go to Mail flow > Rules. Or, to go directly to the Rules page, use https://admin.exchange.microsoft.com/#/transportrules.

2. On the Rules page, select Add a rule > Create a new rule to start the new rule wizard.

3. In the Set rule conditions page that opens, configure the following settings:

   • Name: Enter a unique, descriptive name for the rule.

   • Apply this rule if: Configure one of the following settings to look for content in messages using regular expressions (RegEx) or words or phrases:

     • The subject or body > subject or body matches these text patterns: In the Specify words or phrases flyout that opens, enter one of the following values, select Add, and repeat until you enter all of the values:

       • If you are unable to view the content of this email\, please
       • \>(safe )?unsubscribe( here)?\</a\>
       • If you do not wish to receive further communications like this\, please
       • <img height="?1"? width="?1"? src=.?http\://
       • To stop receiving these+emails\:http\://
       • To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
       • no longer (wish )?(to )?(be sent|receive) w+ email
       • If you are unable to view the content of this email\, please click here
       • To ensure you receive (your daily deals|our e-?mails)\, add
       • If you no longer wish to receive these emails
       • to change your (subscription preferences|preferences or unsubscribe)
       • click (here to|the) unsubscribe

     To edit an entry, select it and then select Edit . To remove an entry, select it and then select Delete .

     When you're finished in the flyout, select Save.

     • The subject or body > subject or body includes any of these words: In the Specify words or phrases flyout that opens, enter one of the following values, select Add, and repeat until you enter all of the values:

       • to change your preferences or unsubscribe
       • Modify email preferences or unsubscribe
       • This is a promotional email
       • You are receiving this email because you requested a subscription
       • click here to unsubscribe
       • You have received this email because you are subscribed
       • If you no longer wish to receive our email newsletter
       • to unsubscribe from this newsletter
       • If you have trouble viewing this email
       • This is an advertisement
       • you would like to unsubscribe or change your
       • view this email as a webpage
       • You are receiving this email because you are subscribed

     To edit an entry, select it and then select Edit . To remove an entry, select it and then select Delete .

     When you're finished in the flyout, select Save.

   • Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL flyout that appears, configure one of the following settings:

     • To mark messages as Spam, select 6. The action that's configured for Spam filtering verdicts in your anti-spam policies is applied to the messages.
     • To mark messages as High confidence spam, select 9. The action that's configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the messages.

     For more information about SCL values, see Spam confidence level (SCL) in EOP.

     When you're finished in the flyout, select Save.

   When you're finished on the Set rule conditions page, select Next.

4. On the Set rule settings page, review or configure the settings, and then select Next.

5. On the Review and finish page, review the settings, and then select Finish.

Use PowerShell to create mail flow rules that filter bulk email

Use the following syntax to create one or both of the mail flow rules (regular expressions vs. words):

New-TransportRule -Name "<UniqueName>" [-SubjectOrBodyMatchesPatterns "<RegEx1>","<RegEx2>"...] [-SubjectOrBodyContainsWords "<WordOrPhrase1>","<WordOrPhrase2>"...] -SetSCL <6 | 9>

The following example creates a new rule named "Bulk email filtering - RegEx" that uses the same list of regular expressions from earlier in the topic to set messages as Spam:

New-TransportRule -Name "Bulk email filtering - RegEx" -SubjectOrBodyMatchesPatterns "If you are unable to view the content of this email\, please","\>(safe )?unsubscribe( here)?\</a\>","If you do not wish to receive further communications like this\, please","\<img height\="?1"? width\="?1"? src=.?http\://","To stop receiving these+emails\:http\://","To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)","no longer (wish )?(to )?(be sent|receive) w+ email","If you are unable to view the content of this email\, please click here","To ensure you receive (your daily deals|our e-?mails)\, add","If you no longer wish to receive these emails","to change your (subscription preferences|preferences or unsubscribe)","click (here to|the) unsubscribe"... -SetSCL 6

The following example creates a new rule named "Bulk email filtering - Words" that uses the same list of words from earlier in the topic to set messages as High confidence spam:

New-TransportRule -Name "Bulk email filtering - Words" -SubjectOrBodyContainsWords "to change your preferences or unsubscribe","Modify email preferences or unsubscribe","This is a promotional email","You are receiving this email because you requested a subscription","click here to unsubscribe","You have received this email because you are subscribed","If you no longer wish to receive our email newsletter","to unsubscribe from this newsletter","If you have trouble viewing this email","This is an advertisement","you would like to unsubscribe or change your","view this email as a webpage","You are receiving this email because you are subscribed" -SetSCL 9

For detailed syntax and parameter information, see New-TransportRule.

How do you know this procedure worked?

To verify that you've configured mail flow rules to filter bulk email, do any of the following steps:

• In the EAC, go to Mail flow > Rules > select the rule > select Edit , select the Settings tab, and verify the settings.

• In PowerShell, replace <Rule Name> with the name of the rule, and run the following command to verify the settings:

  Get-TransportRule -Identity "<Rule Name>" | Format-List
  

• From an external account, send a test message to an affected recipient that contains one of the phrases or text patterns, and verify the results.