Description

In rare cases, Office 365 (O365) users find that legitimate emails are sent to the Junk Email folder despite being checked by Mailprotector's filters. There can be several reasons for the situation. This article describes adding Mailprotector's transport IP addresses to the Office 365 tenant's connection filter IP allow list. It should prevent Office 365 from sending emails scanned by Mailprotector to a user's Junk Email folder.

BEST PRACTICE: Another preferred method to avoid emails going to the Junk Email folder is to configure a transport rule that sets the spam confidence level when emails come from Mailprotector's transport servers.

Applies to:

Office 365 (O365), Exchange Online, Outlook

Prerequisites

The article assumes Mailprotector has been set up to protect the Office 365 tenant domain, and the Inbound Connector has been implemented. The configuration steps below are performed from the Exchange Admin Center on Office 365.

NOTE: Before taking these steps, please try disabling the Junk Email folder settings in Outlook. Often, it is the Outlook client making the decision, not Office 365's Exchange Online Protection.

Configuration Steps (before December 1, 2020)

Begin by logging into the tenant domain on Office 365 and navigating to the Exchange Admin Center.
From the Exchange Admin Center, click on the protection link as shown in Figure 1.

Fig. 1
On the protection settings page, click on the connection filter option as shown in Figure 2.

Fig. 2
You will see a Default connection filter. Double-click the Default connection filter to open the settings.
In the settings window that opens, click on connection filtering and add the three transport IP addresses used in the Inbound Connector. The IP addresses are:
52.0.70.91
52.0.74.211
52.0.31.31

The settings window should look similar to Figure 3. Click the Save button to complete the configuration.

Fig. 3

Configuration Steps

Begin by logging into the Microsoft 365 Admin Center.
From the Admin Center, click on the Security or Compliance Admin Center link on the left-hand navigation.
From the Security & Compliance Admin Center, expand the Threat Management menu, and select Policy.
On the Policy section, click the Anti-Spam widget.
Expand the Connection filter policy and click the Edit policy button.
Give the policy a name, such as "Mailprotector inbound IPs"
Click the Edit link to the right of IP Allow List.
Enter the three IP addresses for Mailprotector's transport servers and click the Save button. Be sure to use CIDR notation by including the '/32' at the end of the IP address. The IP addresses are:
52.0.70.91/32
52.0.74.211/32
52.0.31.31/32
Click the Save button on the IP Allow list, and the second Save button on the policy screen to save the policy and complete the configuration.

Comments

Michael Robins November 05, 2020 22:44

This page needs updated. First off there is a new portal for managing this and the old one will be deprecated on 12-1-2020.
New site: https://protection.office.com/antispam

Secondly, I had to add the IPs with a "/32" at the end for it to work. Adding just the IP did not work for me.

52.0.70.91/32
52.0.74.211/32
52.0.31.31/32

Comment actions Permalink
Paul Nebb February 27, 2023 22:00

Do you have updated documentation (post 12/20/20), including any cool scripts to add to our arsenal to disabling the Junk Email folder settings in Outlook Client?

Comment actions Permalink
Mark Glowacz February 27, 2023 22:21

Unfortunately, to our knowledge, that is not an option. The Junk Email folder is considered a system folder in Outlook and will always be present. You can minimize the number of emails that go to the Junk Email folder by configuring the Inbound Connector and, in rarer cases, transport rules and skip listing. But none of those options will outright disable the Junk Email functionality.

Comment actions Permalink