Emails End Up in the Junk Email Folder

Description

In rare cases, users on Office 365 (O365) find that legitimate emails are sent to the Junk Email folder despite being checked by Mailprotector's filters. There can be several reasons for the situation. This article describes how to add Mailprotector's transport IP addresses to the Office 365 tenant's connection filter IP allow list. It should prevent Office 365 from sending emails scanned by Mailprotector to a user's Junk Email folder.

Applies to:

Office 365 (O365), Exchange Online, Outlook

Prerequisites

The article assumes Mailprotector has been set up to protect the Office 365 tenant domain and the Inbound Connector has been implemented. The configuration steps below are performed from the Exchange Admin Center on Office 365.

NOTE: Before taking these steps, please try disabling the Junk Email folder settings in Outlook. Often, it is the Outlook client making the decision, not Office 365's Exchange Online Protection.

Configuration Steps (prior to December 1, 2020)

  1. Begin by logging into the tenant domain on Office 365 and navigate to the Exchange Admin Center.

  2. From the Exchange Admin Center, click on the protection link as shown in Figure 1.

    Fig. 1
    1-protection.png

  3. On the protection settings page, click on the connection filter option as shown in Figure 2.

    Fig. 2
    2-connectionfilter.png

  4. You will see a Default connection filter. Double-click the Default connection filter to open the settings.

  5. In the settings window that opens, click on connection filtering and add the three transport IP addresses used in the Inbound Connector. The IP addresses are:
    52.0.70.91
    52.0.74.211
    52.0.31.31

    The settings window should look similar to Figure 3. Click the Save button to complete the configuration.

    Fig. 3
    3-addIPallow.png

Configuration Steps

  1. Begin by logging into the Microsoft 365 Admin Center.

  2. From the Admin Center, click on the Security or Compliance Admin Center link on the left-hand navigation.

  3. From the Security & Compliance Admin Center, expand the Threat Management menu, and select Policy.
    2020-11-06_16-48-23.png

  4. On the Policy section, click the Anti-Spam widget.
    2020-11-06_16-48-54.png

  5. Expand the Connection filter policy and click the Edit policy button.
    2020-11-06_16-49-37.png

  6. Give the policy a name, such as "Mailprotector inbound IPs"
    2020-11-06_16-57-22.png

  7. Click the Edit link to the right of IP Allow List.

  8. Enter the three IP addresses for Mailprotector's transport servers and click the Save button. Be sure to use CIDR notation by including the '/32' at the end of the IP address. The IP addresses are:
    52.0.70.91/32
    52.0.74.211/32
    52.0.31.31/32

    2020-11-06_16-58-56.png


  9. Click the Save button on the IP Allow list, and the second Save button on the policy screen to save the policy and complete the configuration.
    2020-11-06_16-59-22.png

 

Have more questions? Submit a request

Comments

  • Avatar
    Michael Robins

    This page needs updated. First off there is a new portal for managing this and the old one will be deprecated on 12-1-2020.
    New site: https://protection.office.com/antispam

    Secondly, I had to add the IPs with a "/32" at the end for it to work. Adding just the IP did not work for me.

    52.0.70.91/32
    52.0.74.211/32
    52.0.31.31/32