Configure Connection Filter to Reduce Emails in Junk Email Folder


In rare cases, Microsoft 365 (M365) users find that legitimate emails are sent to the Junk Email folder despite being checked by Mailprotector's filters. There can be several reasons for the situation. This article describes adding Mailprotector's transport IP addresses to the Microsoft 365 tenant's connection filter IP allow list. It should prevent Microsoft 365 from sending emails scanned by Mailprotector to a user's Junk Email folder.

BEST PRACTICE: Another preferred method to avoid emails going to the Junk Email folder is to configure a transport rule that sets the spam confidence level when emails come from Mailprotector's transport servers.

Applies to:

Microsoft 365 (M365), Office 365 (O365), Exchange Online, Outlook


The article assumes Mailprotector has been set up to protect the Microsoft 365 tenant domain, and the Inbound Connector has been implemented. The configuration steps below are performed from Microsoft 365.

NOTE: Before taking these steps, please disable Outlook's Junk Email folder settings. Often, the Outlook client is making the decision, not Office 365's Exchange Online Protection.

Configuration Steps

  1. Begin by logging into the tenant domain on Microsoft 365.

  2. In the Microsoft Defender portal at, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use
  3. On the Anti-spam policies page, select Connection filter policy (Default) from the list by clicking anywhere in the row other than the check box next to the name.

  4. In the policy details flyout that opens, use the Edit links to modify the policy settings:

  5. Always allow messages from the following IP addresses or address range: This setting is the IP Allow List. Click in the box, enter a value, and press the ENTER key or select the complete value displayed below the box. Valid values are:

  6. When you're finished in the flyout, select Save.

  7. Back on the policy details flyout, select Close.

Configuration Steps (Older Interface)

  1. Begin by logging into the Microsoft 365 Admin Center.

  2. From the Admin Center, click on the Security or Compliance Admin Center link on the left-hand navigation.

  3. From the Security & Compliance Admin Center, expand the Threat Management menu and select Policy.

  4. In the Policy section, click the Anti-Spam widget.

  5. Expand the Connection filter policy and click the Edit policy button.

  6. Give the policy a name, such as "Mailprotector inbound IPs".

  7. Click the Edit link to the right of IP Allow List.

  8. Enter the three IP addresses for Mailprotector's transport servers and click the Save button. Be sure to use CIDR notation by including the '/32' at the end of the IP address. The IP addresses are:


  9. Click the Save button on the IP Allow list and the second Save button on the policy screen to save the policy and complete the configuration.
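
The same IP Allow List change can be made from Exchange Online PowerShell. The script below is an added example, not Mailprotector's or Microsoft's own code: it appends single-host /32 entries to the default connection filter policy and reads the list back to confirm them. It assumes the ExchangeOnlineManagement module and an admin sign-in, and the three addresses are placeholders from the RFC 5737 documentation range that must be replaced with Mailprotector's transport server IPs.

```powershell
# Added example; requires the ExchangeOnlineManagement module.
$ErrorActionPreference = 'Stop'

# PLACEHOLDERS (RFC 5737 documentation addresses). Replace with the three
# Mailprotector transport server IPs before running.
$transportIps = @('192.0.2.10', '192.0.2.11', '192.0.2.12')

# Normalise every entry to a single-host CIDR and reject anything else,
# so a typo cannot put a whole range on the allow list.
$entries = foreach ($ip in $transportIps) {
    $addr = $null
    $bare = $ip -replace '/32$', ''
    if (-not [System.Net.IPAddress]::TryParse($bare, [ref]$addr) -or
        $addr.AddressFamily -ne 'InterNetwork' -or
        $addr.ToString() -ne $bare) {
        throw "Not a single IPv4 address: $ip"
    }
    "$bare/32"
}

Connect-ExchangeOnline -ShowBanner:$false

# Current allow list as plain strings, so entries already present are skipped.
$before = @((Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList |
    ForEach-Object { "$_" })
$missing = @($entries | Where-Object { $before -notcontains $_ })

if ($missing.Count -gt 0) {
    # @{Add=...} appends to the multivalued property without replacing it.
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $missing}
}

# Read the policy back and report whether each entry is now present.
$after = @((Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList |
    ForEach-Object { "$_" })
$entries | ForEach-Object {
    [pscustomobject]@{ Entry = $_; Present = ($after -contains $_) }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Because messages from addresses on the IP Allow List skip spam filtering, reviewing the read-back output for unexpected or broader entries is a useful check after any change.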




  • Michael Robins

    This page needs to be updated. First off, there is a new portal for managing this and the old one will be deprecated on 12-1-2020.
    New site:

    Secondly, I had to add the IPs with a "/32" at the end for it to work. Adding just the IP did not work for me.

  • Paul Nebb

    Do you have updated documentation (post 12/20/20), including any cool scripts to add to our arsenal for disabling the Junk Email folder settings in the Outlook client?

  • Mark Glowacz

    Unfortunately, to our knowledge, that is not an option. The Junk Email folder is considered a system folder in Outlook and will always be present. You can minimize the number of emails that go to the Junk Email folder by configuring the Inbound Connector and, in rarer cases, transport rules and skip listing. But none of those options will outright disable the Junk Email functionality.