When Blocked Senders Go Bad

To ensure the safe and block lists work across all clients – Junk Mail MUST be enabled on the mailbox!

SPAM is war, but sometimes even when you do the right thing, blocked messages can still get through and make it to the inbox.

From the documentation and within Outlook itself, this doesn’t seem possible:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide#about-junk-email-settings-in-outlook

And from within Outlook:

There are cases however when this doesn’t work. Specifically if junk mail on the mailbox is disabled and if using OWA.

What does this have to do with the Outlook settings? Bear with me.

From the screen shot above, it would appear that junk mail is disabled. But that is not necessarily the case. That setting is referring to the Outlook junk mail capabilities – specifically – SmartScreen, which, despite being deprecated will still honor safe and blocked senders lists.

More importantly, choosing the other junk mail options from this dialog box does not *enable* junk mail on the mailbox.

https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecating-support-for-smartscreen-in-outlook-and-exchange/ba-p/605332

So given all that, how would junk mail become disabled and how does OWA behave that is different than Outlook?

Lets look a few examples.

Test Case 1:

A mailbox that blocks this sender but junk mail is not enabled and using OWA.

A simple transport rule that bypasses SPAM checking for that same sender

Let’s trace it

See that? Despite the fact the sender ( its obfuscated, trust me!) is in the blocked sender list, this message was delivered to the inbox.

Now let’s enable junk mail for this account:

Set-MailboxJunkEmailConfiguration adavid -Enabled $true

Message trace…

Boom! Now it works as expected.

As you can see, enabling junk mail is for an account is key and this doc backs that up:

https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/configure-antispam-settings?view=exchserver-2019

So we now we know the ways junk mail can be disabled or enabled. Either via OWA or via PowerShell – but NOT from Outlook. And from what I can tell, it can NO longer be disabled via OWA either unless using the classic interface: https://outlook.office365.com/owa/?path=/classic

I don’t see – or can’t find that setting in the new interface

So there you go. If you find blocked senders showing up in the inbox, your first stop should be powershell and Get-MailboxJunkEmailConfiguration/Set-MailboxJunkEmailConfiguration to enable it if disabled!

Bottom line: To ensure the safe and block lists work across all clients – JunkMail MUST be enabled on the mailbox!

Note this works the other way as well – safe senders ending up in junk mail when it’s disabled. But this one seems to be the one that can annoy the most.

Sadly, there isn’t an easy button to force junk mail enabling on all mailboxes. A GPO can be used or walking through the mailboxes and enabling. It would be nice to have a simple global policy that could be managed as as admin to prevent it being disabled.