
Exchange Online handles email delivery through a series of well-defined steps and security checks to ensure messages are delivered correctly and safely. This report provides a detailed technical walkthrough of how an email is sent and received in Exchange Online, covering each stage of the journey, the security evaluations at each step, and the policies that govern them. It also explains the role of Exchange Online Protection (EOP) and Microsoft Defender for Office 365 in securing email, how attachments and links are handled, and what logging and monitoring is available for security and compliance.
Overview of Exchange Online Mail Flow
Exchange Online is Microsoft’s cloud-hosted email service, which uses a multi-layered transport pipeline and filtering system to route and secure emails[1][2]. All email – whether incoming from the internet or outgoing from a user – passes through Exchange Online Protection (EOP), the built-in cloud filtering service. EOP applies default security policies (anti-malware, anti-spam, anti-phishing) to all messages by default[2]. Administrators can customize these with organization-specific rules and advanced protection features. Microsoft Defender for Office 365 (Plan 1 or 2) augments EOP with additional layers like Safe Attachments and Safe Links for advanced threat protection.
At a high level, the email flow in Exchange Online involves the following components and stages:
- Client Submission – The sender’s email client (e.g. Outlook) submits the message to Exchange Online’s service.
- Transport Pipeline – Exchange Online routes the message through its transport services where various checks (policies, spam/malware filters, rules) are applied[1].
- Exchange Online Protection (EOP) – Core filtering including connection filtering, malware scanning, spam/phishing detection, and policy enforcement[2].
- Microsoft Defender for Office 365 – Advanced threat protection (if enabled), such as detonating attachments and scanning links for malicious content.
- Mailbox Delivery – If the message is deemed safe (or after appropriate filtering actions), it is delivered to the recipient’s mailbox. If not, it may be quarantined or routed to Junk email as per policy[2].
- Logging & Monitoring – Throughout this process, Exchange Online logs message events and outcomes for traceability, and administrators can monitor mail flow through reports and message traces for compliance[3].
The subsequent sections describe the outbound (sending) and inbound (receiving) email processes in detail, along with all security checks and policies at each stage.
Outbound Email Flow (Sending an Email via Exchange Online)
When a user sends an email using Exchange Online, the message goes through several steps before reaching the external recipient. Below is a detailed breakdown of the outbound process and the security measures applied at each step:
1. Submission from Client to Exchange Online
- User Composes and Sends: The process begins with the user composing an email in an email client (e.g. Outlook, Outlook on the web) and clicking Send. The email client connects to Exchange Online over a TLS-protected channel to submit the message: MAPI over HTTP or REST/HTTPS in the case of Outlook and Outlook on the web, or authenticated SMTP client submission (SMTP AUTH on TCP 587) for other clients. In every case the submission is authenticated as the sending user; Exchange Online does not accept anonymous submission on behalf of a mailbox.
- Exchange Online Reception: Exchange Online’s servers receive the message into the service. Internally, the message is handed off to the Exchange Online transport pipeline on a Mailbox server. In Exchange’s architecture, a component called the Mailbox Transport Submission service retrieves the message from the user’s Outbox in the mailbox database and submits it to the Transport service over SMTP[4]. This begins the journey through Exchange Online’s mail flow pipeline.
2. Transport Processing and Policy Checks (Outbound)
Once the Exchange Online transport service has the message, it processes it through various checks before allowing it to leave the organization:
- Initial Categorization: The transport service categorizes the message (resolving the sender and recipients against the directory, checking message size limits, expanding distribution groups) and prepares it for filtering. It determines whether each recipient is external (requiring outbound routing) or internal (intra-organizational email).
- Mail Flow Rules (Transport Rules): Exchange Online evaluates any custom mail flow rules (also known as transport rules) that apply to outgoing messages[2]. Administrators create these rules to enforce organization-specific policies. For example, a rule might prevent certain sensitive data from being sent out or add a disclaimer to outbound emails. Any rule whose conditions match can take action at this stage (encrypt the message, redirect it, reject it with an NDR, or silently drop it). If a Microsoft Purview DLP policy scoped to Exchange is triggered (for organizations licensed for it), it acts here in the transport pipeline as well[2].
- Anti-Malware Scan: All outgoing mail is scanned by Exchange Online’s anti-malware engines, just as incoming mail is[5]. Exchange Online Protection’s anti-malware policy checks the message body and attachments for known malware signatures and heuristics[5]. This ensures no virus or malicious code is being sent from your organization, which could harm recipients or signal a compromised account. If malware is detected in an outgoing message, the message is quarantined immediately and never leaves the service[2]. By default, malware-quarantined messages are accessible only to admins for review[2]. Administrators manage malware filtering through anti-malware policies, which include settings such as the common attachments filter that blocks listed file types by extension without content analysis[4].
- Content Inspection: Exchange may also perform policy-based content inspection on outbound mail. This includes checking for spam-like characteristics (to protect the reputation of your mail domain) and applying outbound Data Loss Prevention policies if configured. For example, if an organization has DLP rules to detect credit card numbers or personal data in outgoing emails, those rules are evaluated at this point (within the transport rules/DLP check mentioned above). If a policy violation is found, the action could be to block the email, encrypt it, or notify an admin, depending on policy configuration.
- Authentication and DKIM Signing: For outbound messages, Exchange Online applies the DKIM signing configuration for the sending domain. If the organization has enabled DKIM (DomainKeys Identified Mail) for its custom domain, Exchange Online attaches a DKIM signature (d=yourdomain) at this stage, which allows recipient servers to verify that the message was sent by your domain and not altered in transit[4]. If DKIM has not been enabled for the custom domain, Exchange Online still signs the message, but with the tenant’s default *.onmicrosoft.com key; that signature validates, but it does not align with the custom From domain and so does not help the message pass DMARC. Exchange Online also ensures the outbound message meets SPF requirements by sending it from Microsoft’s published mail server IP ranges. (Note: outbound SPF is evaluated by the recipient, not the sender. Exchange Online does not “check” SPF on send; your domain’s SPF record must include spf.protection.outlook.com so that the receiving side’s check passes.)
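The following PowerShell is an added example, not code from the original report or from Microsoft. Run in an Exchange Online PowerShell session (after Connect-ExchangeOnline), it creates the DKIM signing configuration for a custom domain, prints the two selector CNAMEs the tenant expects you to publish, verifies from a public resolver that the SPF, DKIM and DMARC records a recipient will look up actually resolve, and only then enables signing. The domain contoso.com is a placeholder; Resolve-DnsName assumes the Windows DnsClient module.

```powershell
# Added example: enable DKIM for a custom domain and verify the public DNS side.
# Assumes Connect-ExchangeOnline has already been run and that contoso.com is
# an accepted domain in the tenant (placeholder domain).
$Domain = 'contoso.com'

# 1. Make sure a signing configuration exists (created once per domain, left disabled).
if (-not (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $Domain

# 2. The selector CNAME targets are tenant-specific, so read them from the config
#    rather than constructing them by hand.
"Publish these CNAME records in the public DNS zone for ${Domain}:"
"  selector1._domainkey.$Domain  CNAME  $($dkim.Selector1CNAME)"
"  selector2._domainkey.$Domain  CNAME  $($dkim.Selector2CNAME)"

# 3. Check SPF, both DKIM selectors and DMARC the way a receiving MTA would.
#    (Resolve-DnsName comes from the Windows DnsClient module.)
function Test-MailAuthDns {
    param([string]$Domain, [string]$Selector1Cname, [string]$Selector2Cname)
    $result = [ordered]@{}

    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    $result.SpfPresent      = [bool]$spf
    $result.SpfIncludesM365 = [bool]($spf -match 'include:spf\.protection\.outlook\.com')

    foreach ($n in 1, 2) {
        $expected = if ($n -eq 1) { $Selector1Cname } else { $Selector2Cname }
        $cname = Resolve-DnsName -Name "selector$n._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        $result["Selector${n}Ok"] = ($cname.NameHost -eq $expected)
    }

    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
    $result.DmarcPolicy = if ($dmarc -match 'p=(\w+)') { $Matches[1] } else { 'none published' }
    [pscustomobject]$result
}

$check = Test-MailAuthDns -Domain $Domain -Selector1Cname $dkim.Selector1CNAME -Selector2Cname $dkim.Selector2CNAME
$check

# 4. Only turn signing on once both selectors resolve; otherwise the enable call
#    fails and outbound mail keeps the default *.onmicrosoft.com signature.
if ($check.Selector1Ok -and $check.Selector2Ok) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
} else {
    Write-Warning "Selector CNAMEs not visible yet; DKIM left disabled for $Domain."
}
```

The DMARC check only reports the published policy; whether a given message passes depends on the alignment of the DKIM d= or SPF envelope domain with the From domain, which is exactly why the custom-domain signature matters.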
3. Outbound Spam Filtering and Throttling
Exchange Online Protection applies outbound anti-spam controls to mitigate spam or abuse from within your tenant, which protects your organization’s sending reputation:
- Scan for Spam Characteristics: Every outbound message is scanned by EOP’s outbound spam engine. If the system determines that the message looks like spam (for example, bulk emailing patterns or known spam content), it flags it. Identified outbound spam is redirected to a separate “high-risk delivery pool” of IP addresses for sending[1]. The high-risk pool is a distinct set of sender IPs that Microsoft uses for suspected spam, so that if those IPs get blocked by external receivers it does not affect the normal pool used by legitimate mail[1]. The message is still sent, but from a less reputable IP, and it is more likely to land in the recipient’s spam folder or be rejected.
- Sending Limits and User Restrictions: If a user in the organization is sending an unusually large volume of email or sending messages that are consistently flagged as spam, EOP triggers thresholds to protect the service. Exchange Online can automatically throttle or block a sender who exceeds the configured recipient rate limits or the outbound spam detection rate[1]. For instance, if an account is compromised and starts a spam campaign, EOP may place a restriction on that account to stop any further sending[1]. Administrators receive alerts (via security alert policies) when a user is restricted for sending spam[1]; the default alert policy “User restricted from sending email” is one example[1]. They can then investigate the account for compromise.
- Review and Remediation: Admins can review outbound spam incidents and restricted senders in the Microsoft Defender portal. If a legitimate bulk mailing needs to be sent (such as a customer newsletter), Microsoft recommends using a specialized bulk email service or Azure Communication Services rather than user mailboxes, since mass mail sent through normal Exchange Online triggers outbound spam controls. Outbound spam filter policies expose the recipient rate limits, the action taken when a limit is reached, and the automatic external forwarding mode; the spam detection itself is managed by Microsoft to protect the service’s overall reputation.
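As an added example (not code from the original report), the following PowerShell tightens the default outbound spam filter policy and then walks through the investigation an admin would do when the “User restricted from sending email” alert fires: list the restricted senders, pull their recent message trace, and summarise where their mail went. It assumes an Exchange Online PowerShell session; the thresholds and the contoso.com domain are placeholders.

```powershell
# Added example: outbound spam policy hardening and restricted-sender triage.
# Assumes Connect-ExchangeOnline has been run; limits shown are illustrative.

# Lower the recipient rate limits below the service maximums, block the account
# (not just alert) when a limit is hit, and disable automatic external forwarding,
# a common exfiltration path after a mailbox is compromised.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 2000 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off

# Senders the service has restricted ("Restricted entities" in the Defender portal).
$restricted = Get-BlockedSenderAddress
$restricted | Select-Object SenderAddress, Reason, CreatedDatetime

# For a restricted sender, summarise the last N hours of message trace data.
# A compromised account typically shows many distinct external recipients with
# FilteredAsSpam or Failed status rather than Delivered.
function Get-SenderOutboundSummary {
    param([Parameter(Mandatory)][string]$SenderAddress, [int]$Hours = 24,
          [string]$InternalDomain = 'contoso.com')   # placeholder domain
    $trace = Get-MessageTrace -SenderAddress $SenderAddress `
        -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) -PageSize 5000
    $byStatus = $trace | Group-Object Status | ForEach-Object { "$($_.Name)=$($_.Count)" }
    [pscustomobject]@{
        Sender             = $SenderAddress
        Messages           = @($trace).Count
        DistinctRecipients = @($trace.RecipientAddress | Sort-Object -Unique).Count
        ExternalRecipients = @($trace | Where-Object { $_.RecipientAddress -notlike "*@$InternalDomain" }).Count
        ByStatus           = $byStatus -join '; '
    }
}

foreach ($r in $restricted) {
    Get-SenderOutboundSummary -SenderAddress $r.SenderAddress
}

# Lift the restriction only after the account is secured (password reset, sessions
# revoked, inbox rules and forwarding reviewed):
# Remove-BlockedSenderAddress -SenderAddress user@contoso.com
```

Get-MessageTrace covers roughly the last ten days and pages at 5000 results; for older data use historical search. Microsoft is replacing this cmdlet with Get-MessageTraceV2, which takes the same sender/date filters.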
4. Routing and Delivery to External Recipient
After passing all checks, the email is ready to leave Microsoft’s environment:
- DNS Lookup: The Exchange Online transport service performs a DNS lookup for the recipient’s domain to find its MX record (Mail Exchange record). The MX record tells Exchange Online where on the internet to deliver the email. For example, if you send an email to user@partnercompany.com, Exchange Online resolves the MX record for “partnercompany.com”, which might be something like partnercompany-com.mail.protection.outlook.com if the partner also uses EOP, or a third-party gateway or the partner’s own mail server. (If an outbound connector is configured for that domain, the connector’s smart host is used instead of the MX record.)
- Establish SMTP Connection: Exchange Online’s outbound transport servers (the normal or high-risk delivery pool, depending on the outbound spam verdict) open an SMTP connection from a Microsoft datacenter to the target mail server listed in the MX record. Exchange Online uses opportunistic TLS by default: if the receiving server advertises STARTTLS, the session is encrypted; if not, the message is sent in clear text. Where that is not acceptable, an outbound connector for the partner domain can require TLS and a matching certificate subject, in which case delivery fails rather than falling back.
- Transfer Outbound Mail: The email is transmitted over SMTP to the external mail system. If TLS is negotiated, the transmission is encrypted. Exchange Online’s sending servers identify themselves with their configured host name and transfer the message data. At this point, the email has left the Exchange Online environment and is in the hands of the external recipient’s email system.
- External Handling: The external recipient’s mail server performs its own set of checks, which are outside Exchange Online’s control. Because Exchange Online applied outbound hygiene, the message carries a DKIM signature (for your custom domain, if configured) and was sent from known IP ranges that correspond to your SPF record. The recipient server may verify the DKIM signature and do an SPF check against your domain’s DNS; if those pass and no other spam indicators are present, the message is accepted. If your domain publishes a DMARC policy, the recipient server also checks that SPF or DKIM passes with alignment to the From domain and applies your published policy (none, quarantine or reject) if neither does.
- Confirmation: If the delivery is successful, Exchange Online records the delivery event in the message trace. If delivery fails, the behavior depends on the failure: a permanent rejection (5xx) produces a Non-Delivery Report (NDR) to the sender immediately, while a transient failure (for example, the recipient server is down, 4xx) is retried for a period before an NDR is generated.
Summary: For outbound mail, Exchange Online ensures that the message is compliant with policies and free of malware. It also monitors for spam-like behavior. Only after passing these checks does it hand off the email to the external network. These measures prevent outbound threats and help maintain the sender’s reputation and deliverability.
Inbound Email Flow (Receiving an Email in Exchange Online)
When an external party sends an email to an Exchange Online mailbox, the message must travel from the sender’s server, across the internet, into Microsoft’s cloud. Exchange Online applies a series of filters and checks before delivering it to the user’s inbox. The following steps outline the inbound mail flow and security evaluations at each stage:
1. Sender’s Server to Exchange Online (Connection and Acceptance)
- DNS and MX Routing: The external sender’s mail server determines where to send the email based on the recipient domain’s MX record. For a company using Exchange Online, the MX record points to a host in the Microsoft 365 service of the form contoso-com.mail.protection.outlook.com. This entry directs all incoming mail for your domain to Exchange Online Protection (EOP), which is the gateway for Exchange Online.
- SMTP Connection to EOP: The sender’s mail server opens an SMTP connection to the Exchange Online Protection service. This is the first point of entry into Microsoft’s infrastructure. Exchange Online’s Front-End Transport service receives the connection on a load-balanced endpoint in a Microsoft datacenter.
- TLS and Session Setup: Exchange Online advertises STARTTLS for inbound email and supports TLS 1.2 and later. If the sending server offers TLS, the session is encrypted; otherwise it proceeds in clear text (an inbound connector for a partner can require TLS). The two servers perform the SMTP exchange in which the sender’s server introduces the message (EHLO, MAIL FROM, RCPT TO, DATA).
- Recipient Verification: Before accepting the message data, Exchange Online checks whether the recipient email address is valid in the target organization. Exchange Online uses Directory Based Edge Blocking (DBEB) to reject messages sent to invalid addresses at the perimeter, saving resources[6]. If the recipient address does not exist in your tenant (and the domain is authoritative rather than an internal relay domain), EOP rejects the recipient at RCPT TO with 550 5.4.1 Recipient address rejected: Access denied. This ensures Exchange Online only processes emails for known recipients[6].
- Connection Filtering (IP Reputation): If the recipient is valid, EOP evaluates the sending server’s IP address through connection filtering. Connection filtering is the first layer of defense in EOP, checking the sender’s IP against Microsoft’s own reputation data, third-party real-time blocklists (RBLs), and your tenant’s allow and block lists[5]. If the IP is on a block list, EOP rejects the connection or marks the message for dropping, stopping most spam at the doorstep[2][5]. Conversely, if the IP is on your tenant’s IP allow list, EOP bypasses spam filtering for this message (though it still scans for malware and evaluates mail flow rules). Through connection filtering:
- Blocked Senders/IPs: e.g. known spam networks are blocked at this stage[5].
- Allowed IPs: If configured, those sources skip spam filtering. Note that an IP allow list entry also skips spoof and phish evaluation, so allow-listing a third-party gateway should be paired with Enhanced Filtering for Connectors rather than a bare IP allow entry.
- Throttling of Bad Senders: EOP can also tarpit (deliberately delay responses to) suspicious connections to deter spammers.
- HELO/SMTP checks: Exchange Online also performs protocol-level checks here (does the sending server greet with a valid EHLO/HELO, is the MAIL FROM address syntactically correct, are size limits respected). These are standard SMTP hygiene checks.
At this point, if the connection and basic checks are passed, Exchange Online will issue an SMTP 250 OK to accept the incoming message data for processing. The email now enters the filtering pipeline within EOP/Exchange Online.
2. Message Filtering in Exchange Online Protection (Inbound Security Checks)
Once the message content is accepted, Exchange Online Protection (EOP) applies multiple layers of filtering. The filtering process for inbound mail occurs in a specific order to efficiently eliminate threats[2]:
Stage 1: Anti-Malware Scanning
Immediately after acceptance, the message is scanned for malware by EOP’s anti-malware engines[2]. This includes checking all attachments and the message body against known virus signatures and algorithms. Key points about this stage:
- EOP uses multiple anti-malware engines to detect viruses, spyware, ransomware, and other malicious software in emails[4].
- If any malware is found (either in an attachment or the message content), the message is stopped and quarantined. The malware-infected email will not be delivered to the recipient’s mailbox. Instead, it is placed in the quarantine where (by default) only admins can review it[2]. Quarantined malware emails are effectively removed from the mail flow to protect the user.
- By default the sender receives no NDR for a malware detection; the message is quarantined silently. The anti-malware policy can optionally notify an admin about undelivered messages from internal or external senders. (The common attachments filter, described next, is the exception: its default action is to reject the message with an NDR.)
- Admins configure anti-malware policies in the Microsoft Defender portal. For example, the common attachments filter blocks files by extension (.exe, .bat, .js, and so on) regardless of content, because such types are rarely legitimate in email[5]. By default this filter is enabled and blocks several dozen high-risk file types[4]; additional extensions can be added.
- EOP also has a feature called Zero-Hour Auto Purge (ZAP) for malware and phish: if a message was delivered but later a malware signature or threat intelligence identifies it as malicious, ZAP automatically removes the email from the mailbox post-delivery (moving it to quarantine)[4]. This is a post-delivery safety net in case new threats emerge.
If the message clears the malware scan (no viruses detected), it proceeds to the next stage.
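The following PowerShell is an added example (not from the original report) that configures the anti-malware stage just described, and also covers the outbound side, since the same policy governs both directions. It inspects the current common attachments filter, adds container and disk-image extensions that are frequently used to carry payloads past extension checks, rejects those with an NDR, and keeps ZAP on. It assumes an Exchange Online PowerShell session; the extra extensions and the notification address are placeholders.

```powershell
# Added example: harden the default anti-malware policy (inbound and outbound).
# Assumes Connect-ExchangeOnline has been run; the address below is a placeholder.

$policy = Get-MalwareFilterPolicy -Identity Default
"File filter enabled: $($policy.EnableFileFilter)"
"Blocked types ($(@($policy.FileTypes).Count)): $($policy.FileTypes -join ', ')"

# Extensions to add on top of the built-in list. Only add what is not already
# present so the Add operation does not fail on duplicates.
$wanted = 'iso', 'img', 'vhd', 'vhdx', 'one'
$new = @($wanted | Where-Object { $_ -notin $policy.FileTypes })

$params = @{
    Identity                              = 'Default'
    EnableFileFilter                      = $true
    FileTypeAction                        = 'Reject'          # NDR to sender instead of silent quarantine
    ZapEnabled                            = $true             # pull later-identified malware out of mailboxes
    QuarantineTag                         = 'AdminOnlyAccessPolicy'
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress            = 'secops@contoso.com'
}
if ($new.Count -gt 0) { $params.FileTypes = @{ Add = $new } }

Set-MalwareFilterPolicy @params

# Confirm the result. Mail flow rules run only after this stage, so a rule that
# matches on attachment extension is the place for types you want to warn on or
# log rather than reject outright.
Get-MalwareFilterPolicy -Identity Default |
    Select-Object EnableFileFilter, FileTypeAction, ZapEnabled, QuarantineTag,
                  @{ n = 'FileTypeCount'; e = { @($_.FileTypes).Count } }
```

The file filter matches on extension only; a renamed executable inside an archive is caught by the engines or by Safe Attachments, not by this list.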
Stage 2: Policy-Based Filtering (Mail Flow Rules & DLP)
After confirming the message is malware-free, Exchange Online applies any custom organization policies to the message:
- Mail Flow (Transport) Rules: These are administrator-defined rules that look for specific conditions in messages and take actions. For inbound mail, a rule might flag or redirect certain messages. For example, a rule could add a header or prepend text to the subject line if the email originates from outside the organization, or it could reject messages with certain keywords or attachment types (such as blocking all .zip files to specific recipients)[2]. Mail flow rules are very flexible: they can check sender domain, recipient, message classification, message size, presence and type of attachments, text patterns in the header or body, and so on, and then perform a variety of actions (reject, delete, quarantine, redirect, notify, apply encryption or a disclaimer, set a header). Rules are evaluated in priority order, and a rule can stop further rule processing.
- Data Loss Prevention (DLP) Policies: Microsoft Purview DLP policies scoped to Exchange are evaluated in the same transport stage. Most organizations apply them to outbound mail, but they can also act on inbound mail; for example, you might quarantine any incoming email that contains credit card numbers to protect your users. In a hybrid deployment where EOP filters mail for on-premises mailboxes, EOP stamps its spam verdict in the message headers (X-Forefront-Antispam-Report and the SCL) so that on-premises Exchange can move the message to Junk Email[6].
- Policy Actions: If a mail flow rule triggers, it can alter the path. For instance, a rule might quarantine a message that matches a forbidden content pattern, or it might append a banner to warn users. If no rules match, the mail goes on unchanged.
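As an added example (not code from the original report or from Microsoft), here are three mail flow rules that exercise this stage: an inbound external-sender tag, an inbound reject for scripting attachments, and an outbound rule that encrypts rather than blocks messages carrying payment card data. It also serves the outbound mail flow rule and content inspection steps in the previous section. It assumes an Exchange Online PowerShell session; names, domains, addresses and the availability of the built-in “Encrypt” rights template (check with Get-RMSTemplate) are assumptions.

```powershell
# Added example: three mail flow rules for the policy stage.
# Assumes Connect-ExchangeOnline has been run; all names/domains are placeholders.

# Rule 1 (inbound): tag external mail. The header survives even if a user strips
# the subject prefix, and downstream rules or client rules can key on it.
New-TransportRule -Name 'Tag external mail' -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -SetHeaderName 'X-Contoso-External' -SetHeaderValue 'true' `
    -ExceptIfSenderDomainIs 'trusted-partner.example' `
    -Comments 'Marks all inbound external mail; exception for the partner domain.'

# Rule 2 (inbound): reject scripting/installer attachments the malware stage did
# not stop, with a custom NDR. Malware filtering runs first, so this only sees
# messages that cleared the engines and the common attachments filter.
New-TransportRule -Name 'Reject scripting attachments' -Priority 1 `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'js', 'jse', 'vbs', 'vbe', 'wsf', 'hta', 'ps1' `
    -RejectMessageReasonText 'Attachment type not accepted by Contoso mail policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Rule 3 (outbound): encrypt external mail that carries a credit card number
# instead of blocking it. Start in Audit mode with an incident report so false
# positives surface before switching -Mode to Enforce.
New-TransportRule -Name 'Encrypt outbound PAN data' -Priority 2 `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; MinCount = '1' }) `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity `
    -Mode Audit

# Rules run in Priority order (0 first); a rule can end evaluation with
# -StopRuleProcessing $true, so review the full ordering after each change.
Get-TransportRule | Sort-Object Priority | Select-Object Priority, Name, State, Mode
```

Rule 3 uses the classic transport-rule data classification condition; in a tenant that manages sensitive information types through Microsoft Purview DLP, the equivalent policy belongs there, and the transport rule should not duplicate it.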
Stage 3: Content Filtering (Anti-Spam and Anti-Phishing)
This is a critical layer where EOP assesses the content and context of the message to identify spam or phishing. The content filter utilizes Microsoft’s spam detection algorithms, machine learning models, and sender intelligence:
- Spam Detection: The message is analyzed for characteristics of spam (unsolicited/bulk email). This includes examining the message’s headers and content for spam keywords, suspicious formatting, and known spam signatures. It also considers sender reputation data (from Microsoft’s global telemetry) that wasn’t already handled by connection filtering.
- Phishing and Spoofing Detection: Exchange Online checks if the message might be a phishing attempt. This includes verifying the sender’s identity through authentication checks:
- SPF (Sender Policy Framework): EOP checks the SPF result that was obtained during the SMTP session. If the message’s sending server is not authorized by the domain’s SPF record, that SPF failure is noted. An SPF failure can contribute to a spam/phish verdict, especially if the domain is known to send fraud or has a DMARC policy of reject/quarantine[4].
- DKIM (DomainKeys Identified Mail): If the sending domain signs its emails with DKIM, Exchange Online will verify the DKIM signature using the domain’s public key (fetched via DNS). A valid DKIM signature means the message was indeed sent by (or on behalf of) that domain and wasn’t tampered with. Failure or absence of DKIM doesn’t automatically equal spam, but it’s one of the signals.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): If the sending domain has a DMARC policy, once SPF and DKIM are checked, EOP will honor the DMARC policy. For example, if both SPF and DKIM fail alignment for a domain that publishes p=reject, EOP will quarantine or reject the message as configured in the anti-phishing policy’s DMARC handling[4]. This helps prevent domain spoofing. (Microsoft 365 complies with DMARC to mitigate incoming spoofed emails.)
- Anti-Spoofing Measures: Even for domains without DMARC, Microsoft employs spoof intelligence. If an email claims to be from your own domain or a domain that rarely sends to you, and it fails authentication, EOP’s anti-phishing policies might flag it as a spoof attempt and handle it accordingly.
- Phishing content analysis: The content filter also looks at the body of the email for phishing indicators. This can include suspicious URLs (links). If a URL is found, EOP might scan it against known bad domains or use machine learning to judge if it’s a phishing link. (If Defender for Office 365 Safe Links is enabled, there’s a dedicated step for URLs—discussed in the next section.)
- Bulk Mail and Promotional Mail: Microsoft’s filters can classify some mail as “bulk” (mass marketing email) which is not outright malicious but could be unwanted. These get a lower priority and often are delivered to Junk Email folder by default rather than inbox to reduce clutter, unless the user has opted into them.
- Spam Scoring: Based on all these factors, the system assigns a Spam Confidence Level (SCL) to the message. For example, an SCL of 5 might indicate spam, 9 indicates high confidence spam, etc. It also tags if it’s phishing or bulk. Internally, EOP might categorize the message as:
- Not spam – passed content filter.
- Spam – likely unsolicited.
- High confidence spam – almost certainly spam.
- Phish – likely malicious phishing.
- High confidence phish – confirmed phish.
- Bulk – mass mail/marketing.
- Spoof – spoofing detected (a subset of phish/spam verdicts).
- Policy Actions for Spam/Phish: Depending on the anti-spam and anti-phishing policy settings configured by the admin, EOP will take the configured action for the detected threat level[2]:
- By default, Spam is delivered to the recipient’s Junk Email folder (with an SCL that Outlook or OWA uses to put it in Junk).
- High Confidence Spam also goes to Junk Email in the default policy; the Standard and Strict preset security policies quarantine it instead, and admins can set either action[2].
- Phish and High Confidence Phish are quarantined by default, since phishing is higher risk. The preset security policies likewise quarantine both.
- Bulk mail above the configured bulk complaint level (BCL) threshold goes to Junk Email by default.
- Spoofed mail (failed authentication from a domain that should not be sending as the spoofed address) is handled by the anti-phishing policy’s spoof action, which is Junk Email by default and quarantine in the presets.
- These actions are part of the anti-spam policy in EOP, which admins can customize. For instance, an admin might choose to quarantine all spam rather than send it to Junk. Anti-phishing policies exist in EOP as well and control spoof intelligence and DMARC handling; Defender for Office 365 Plan 1/2 extends them with impersonation protection, where you specify protected users (VIPs) and domains and set whether a detected impersonation is quarantined.
- End-User Notifications: If a message is quarantined as spam/phish, users can optionally get a quarantine notification (usually sent as a daily summary) listing messages EOP held. Which users are notified, and whether they may release messages themselves or only request release, is set by the quarantine policy assigned to each verdict. For malware quarantines, no user notification is sent by default because those are admin-only.
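The following PowerShell is an added example (not code from the original report) that sets the verdict-to-action mapping just described for the default anti-spam and anti-phishing policies, and creates a quarantine policy that gives users limited access plus the daily notification. It assumes an Exchange Online PowerShell session; the impersonation settings at the end require a Defender for Office 365 license and fail without one. The VIP list and contoso.com are placeholders.

```powershell
# Added example: verdict-to-action mapping and quarantine notifications.
# Assumes Connect-ExchangeOnline has been run; names below are placeholders.

# Quarantine policy: users can preview, delete, block sender and *request*
# release (permission value 27 = limited access), and get the daily summary.
if (-not (Get-QuarantinePolicy -Identity 'LimitedAccessNotify' -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name 'LimitedAccessNotify' `
        -EndUserQuarantinePermissionsValue 27 -ESNEnabled $true | Out-Null
}

# Anti-spam (hosted content filter) policy: spam and bulk to Junk, high
# confidence spam and all phish to quarantine, ZAP on for both.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf -BulkThreshold 6 `
    -SpamZapEnabled $true -PhishZapEnabled $true `
    -MarkAsSpamSpfRecordHardFail On `
    -SpamQuarantineTag 'LimitedAccessNotify' `
    -HighConfidenceSpamQuarantineTag 'LimitedAccessNotify' `
    -PhishQuarantineTag 'LimitedAccessNotify' `
    -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

# Anti-phishing policy: honour the sender domain's DMARC policy and quarantine
# spoof-intelligence failures (EOP features), then add impersonation protection
# for named executives and the organisation's own domains (Defender only).
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -HonorDmarcPolicy $true `
    -DmarcRejectAction Reject `
    -DmarcQuarantineAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'CEO;ceo@contoso.com', 'CFO;cfo@contoso.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf

# Review the effective mapping.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  HighConfidencePhishAction, BulkSpamAction, BulkThreshold
```

Custom policies (New-HostedContentFilterPolicy plus New-HostedContentFilterRule) take precedence over the default policy for the recipients they scope, so the default is the floor, not the ceiling.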
By the end of content filtering, the system has decided the message’s fate:
- It’s either clean enough to deliver,
- or it’s flagged as spam/phish (to junk or quarantine),
- or malicious (to quarantine or drop).
If the message successfully passes all these filtering layers (or is only classified as something that still permits delivery, like “Normal” or “Bulk” to Junk), it proceeds to the final stage.
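Every verdict from this stage is recorded in the X-Forefront-Antispam-Report header that EOP stamps on the message (the same header the final-delivery step and the Junk Email placement rely on). The PowerShell below is an added example, not code from the original report or from Microsoft: it parses that header into fields and turns the SCL, CAT and SFV values into the plain-language verdict an analyst wants when asking why a message landed in Junk. The header is constructed for illustration; the field meanings follow Microsoft’s documented header syntax, and the placement comments assume the default anti-spam policy.

```powershell
# Added example: decode X-Forefront-Antispam-Report. Sample header is constructed.
$SampleHeader = 'CIP:203.0.113.45;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;' +
                'H:mail.example.net;PTR:mail.example.net;CAT:SPM;SFS:(13230040)(4636009);DIR:INB'

function ConvertFrom-AntispamReport {
    param([Parameter(Mandatory)][string]$Header)
    $fields = [ordered]@{}
    # Header may be folded across lines; drop whitespace, then split key:value pairs.
    foreach ($pair in (($Header -replace '\s', '') -split ';')) {
        if ($pair -match '^([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$fields
}

# Documented category (CAT) and filter verdict (SFV) values that matter for triage.
$CatMeaning = @{
    NONE = 'not spam'; SPM = 'spam'; HSPM = 'high confidence spam'; PHSH = 'phishing'
    HPHSH = 'high confidence phishing'; BULK = 'bulk'; SPOOF = 'spoofing'; MALW = 'malware'
    UIMP = 'user impersonation'; DIMP = 'domain impersonation'; GIMP = 'mailbox intelligence impersonation'
}
$SfvMeaning = @{
    SPM = 'content filter marked as spam'; NSPM = 'content filter marked as not spam'
    SKN = 'marked not spam before content filtering (e.g. mail flow rule)'
    SKS = 'marked spam before content filtering (e.g. mail flow rule)'
    SKA = 'skipped: sender on policy allow list'; SKB = 'marked spam: sender on policy block list'
    SKI = 'skipped: intra-organization or connector'; SKQ = 'released from quarantine'
    SFE = 'skipped: user Safe Senders list'; BLK = 'blocked: user Blocked Senders list'
}

function Get-AntispamVerdict {
    param([Parameter(Mandatory)][string]$Header)
    $r = ConvertFrom-AntispamReport -Header $Header
    $scl = [int]$r.SCL
    # SCL bands and default-policy placement: -1 bypass, 0-1 Inbox, 5-6 Junk, 7-9 Junk
    # by default (quarantine under Standard/Strict presets). Phish is driven by CAT.
    $sclBand = switch ($scl) {
        -1            { 'bypassed (safe sender, allow list or mail flow rule)'; break }
        { $_ -le 1 }  { 'not spam'; break }
        { $_ -le 6 }  { 'spam'; break }
        default       { 'high confidence spam' }
    }
    [pscustomobject]@{
        ConnectingIP  = $r.CIP
        Country       = $r.CTRY
        Direction     = $r.DIR
        SCL           = $scl
        SCLBand       = $sclBand
        Category      = "$($r.CAT) ($($CatMeaning[$r.CAT]))"
        FilterVerdict = "$($r.SFV) ($($SfvMeaning[$r.SFV]))"
        SpoofInfo     = if ($r.SFTY) { "SFTY:$($r.SFTY)" } else { 'none' }
    }
}

Get-AntispamVerdict -Header $SampleHeader
```

The companion header Authentication-Results carries the spf=, dkim= and dmarc= outcomes for the same message; reading the two together explains most Junk and quarantine placements without opening a support case.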
Stage 4: Advanced Threat Protection (Defender for Office 365)
If the organization has Microsoft Defender for Office 365 (Plan 1 or 2) enabled and properly configured, two additional security features come into play for inbound mail: Safe Attachments and Safe Links. These occur alongside or just after the EOP filtering:
- Safe Attachments (ATP Attachment Sandboxing): For unknown or suspicious attachments that passed the initial anti-malware scan (i.e., no known virus was detected), Defender for Office 365 can perform a deeper analysis by detonating the attachment in a virtual environment. This process, called Safe Attachments, opens the attachment in a secure sandbox to observe its behavior (for example, does a Word document try to run a macro that downloads malware?). This happens before the email reaches the user.
- If Safe Attachments is enabled in Block mode, potentially unsafe attachments will cause the entire email to be held until the sandbox analysis is done. If the analysis finds malware or malicious behavior, the email is quarantined (treated as malware) instead of delivered[4]. If the attachment is deemed safe, then the message is released for delivery.
- If Safe Attachments is in Dynamic Delivery mode, Exchange delivers the email without the attachment immediately, with a placeholder notifying the attachment is being scanned. Once the scan is complete, if it’s clean, the attachment is re-inserted and delivered; if not, the attachment is replaced with a warning or the email is quarantined per policy.
- This feature adds a short time delay for emails with attachments (typically under a few minutes) to significantly increase protection against zero-day malware (new, previously unseen malware files).
- Admins manage Safe Attachments policies where they can set the mode (Off, Monitor, Block, Replace, Dynamic Delivery) and scope (which users/groups it applies to).
- Outcome: Safe Attachments provides an extra verdict. If it finds an attachment to be malicious, it will override prior decisions and treat the email as malware (quarantine it). If clean, the email goes on to delivery. This helps catch malware that signature-based scanning might miss.
- Safe Links: This feature protects users when they click URLs in emails. Safe Links works by URL rewriting and time-of-click analysis[7]. Here’s how it functions in the mail flow:
- When an email that passed spam/phish checks is being prepared for delivery, the Safe Links policy (if active) will modify URLs in the email to route through Microsoft’s safe redirect service. Essentially, each URL is replaced with a longer URL that points to Microsoft’s Defender service (with the original URL embedded).
- At the moment of email delivery, Safe Links does not yet determine if the link is good or bad; instead, it ensures that if/when the user clicks the link, that click will first go to Microsoft’s service which will then check the real target. This is known as “time-of-click” protection[7].
- When the user eventually clicks the link in the email, the Safe Links system will check the latest threat intelligence for that URL: it can decide to allow the user to proceed to the site, block access with a warning page if the URL is malicious, or perform dynamic scanning if needed. Safe Links thus accounts for the fact that some URLs are “weaponized” after an email is sent (changing to malicious later) or that new phishing sites may appear – it provides protection beyond the initial email receipt.
- Safe Links policies can be configured to not allow the user to click through to a malicious site at all, or to let them bypass the warning (admin’s choice). They also can optionally track user clicks for audit purposes.
- Within the scope of mail flow, the main effect is that the URLs in the delivered email are rewritten (users may notice the safelinks.protection.outlook.com prefix when hovering over a link, although current Outlook clients render the original URL and only use the rewritten one on click). Safe Links adds minimal delivery delay; its work happens at click time.
- Note: If an email was going to be junked or quarantined by spam filters, Safe Links generally doesn’t get applied because the user never sees the message. It’s applied to emails that are actually delivered to inbox (or potentially to Junk folder emails as well, since a user might still click links in Junk).
These Defender features complement the earlier filtering: Safe Attachments catches what the regular anti-malware might miss, and Safe Links adds protection against malicious URLs used in phishing[7]. They are especially valuable for targeted attacks and new threats.
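As an added example (not code from the original report or from Microsoft), the PowerShell below creates the Safe Attachments and Safe Links policies and rules for the two stages above: Dynamic Delivery for the general population, Block for a group where a delivery delay is acceptable, and a Safe Links policy that rewrites and scans at click time with click-through disabled. It assumes an Exchange Online PowerShell session and a Defender for Office 365 Plan 1/2 license; names, domains, the finance group and the exclusion URL are placeholders.

```powershell
# Added example: Defender for Office 365 Safe Attachments and Safe Links policies.
# Assumes Connect-ExchangeOnline has been run and Defender for Office 365 is licensed.

# Safe Attachments. DynamicDelivery delivers the body immediately and re-attaches
# files after detonation; Block holds the whole message until the verdict is in.
# A lower rule Priority number wins when a recipient matches more than one rule.
New-SafeAttachmentPolicy -Name 'SA-Standard' -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true -RedirectAddress 'secops@contoso.com' `
    -QuarantineTag 'AdminOnlyAccessPolicy'
New-SafeAttachmentRule -Name 'SA-Standard-Rule' -SafeAttachmentPolicy 'SA-Standard' `
    -RecipientDomainIs 'contoso.com' -Priority 1

New-SafeAttachmentPolicy -Name 'SA-Strict-Finance' -Enable $true `
    -Action Block `
    -QuarantineTag 'AdminOnlyAccessPolicy'
New-SafeAttachmentRule -Name 'SA-Strict-Finance-Rule' -SafeAttachmentPolicy 'SA-Strict-Finance' `
    -SentToMemberOf 'finance@contoso.com' -Priority 0

# Safe Links. Rewrite and scan in mail, Teams and Office clients, also for internal
# senders (a compromised colleague is the most convincing phisher); no click-through
# past a block page; keep the click log for incident response.
# DoNotRewriteUrls is for internal hosts, not for external vendors you "trust".
New-SafeLinksPolicy -Name 'SL-Standard' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -DisableUrlRewrite $false `
    -AllowClickThrough $false -TrackClicks $true `
    -DoNotRewriteUrls 'https://intranet.contoso.com/*'
New-SafeLinksRule -Name 'SL-Standard-Rule' -SafeLinksPolicy 'SL-Standard' `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Check coverage. A recipient matched by no rule falls back to the Built-in
# protection preset, whose settings cannot be customised.
Get-SafeAttachmentRule | Select-Object Name, Priority, State, RecipientDomainIs, SentToMemberOf
Get-SafeLinksRule      | Select-Object Name, Priority, State, RecipientDomainIs
```

Safe Links rewriting happens in transport, so a message that a mail flow rule redirects or quarantines before this point never gets rewritten; the time-of-click check applies only to links users can actually reach.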
3. Final Delivery to Mailbox
After all filtering is done and any modifications (like attachment detonation or link wrapping) are applied, the message is ready for delivery to the user’s mailbox:
- Mailbox Lookup: Exchange Online determines the mailbox database where the recipient’s mailbox is located. In Exchange Online, this is handled within Microsoft’s distributed architecture: the directory service maps the recipient to the correct mailbox server.
- Mailbox Transport Delivery: The message is handed off to the Mailbox Transport Delivery service for final delivery on the mailbox server[4]. This service takes the message and stores it in the recipient’s mailbox (in the appropriate folder). It uses an internal RPC connection to the Store to write the message to the mailbox database[4]. At this point the email appears in the user’s mailbox.
- Inbox or Junk Folder Placement: Based on the spam filtering verdict:
- If the message was clean (no spam/phish detected), it will be placed in the user’s Inbox by default.
- If the message was classified as Spam (SCL indicating spam) and the policy action is to send to Junk, Exchange stamps the message so that it lands in the Junk Email folder. Exchange Online adds the X-Forefront-Antispam-Report header (which records the SCL and the category) and the X-MS-Exchange-Organization-SCL header, and sets the corresponding Spam Confidence Level MAPI property on the item. The Junk Email rule in the mailbox sees an SCL at or above the threshold (for example SCL 5) and moves the item to Junk Email on delivery; the user finds it there. Because this is a mailbox-side rule, a user who disables junk email protection, or an inbox rule that moves everything, can override the placement.
- If the message was quarantined (e.g., for high-confidence phishing or malware), it is not delivered to the mailbox at all. The user will not see it in Inbox or Junk. Instead, it resides in the quarantine held in the cloud. The user may get a quarantine notification email listing it (if enabled).
- If the message is delivered to Junk, users can review it and if it’s legitimate, they can mark it as not junk which helps train filters.
- If delivered to Inbox, any client-side rules or mailbox rules the user set (like Outlook rules) might then apply, but those are after delivery and out of scope of server-side flow.
- Post-Delivery Actions: As mentioned, Exchange Online has Zero-Hour Auto Purge (ZAP), which continues to evaluate messages after delivery. If a message is later determined to be malicious (for example via updated threat intelligence), ZAP moves the message out of the mailbox to quarantine retroactively[4]. For example, if an email with a link was delivered as normal but a day later that link is confirmed as phishing, the message can disappear from the user’s Inbox (or Junk Email) and end up in quarantine. This helps mitigate delayed detection.
- User Access: Finally, the user accesses the email via their mail client. If it is in the Inbox, they read it normally. If it went to the Junk Email folder, they can still read it, but Outlook shows a banner that it was marked as spam and disables links and images. If it was quarantined, the user only knows if they check the quarantine portal or received a notification; otherwise the email stays hidden unless an admin (or, where the quarantine policy allows, the user) releases it.
Thus, the inbound email has either been delivered safely or appropriately isolated. Exchange Online has applied all relevant policies and checks along the way to protect the user and the organization.
For clarity, the table below summarizes the inbound email filtering steps in order:

| Filtering Stage | Description | Service/Policy Involved |
|---|---|---|
| Connection Filtering | Checks the sender's IP against allow/block lists; blocks known spammers at the network edge[5]. | EOP connection filter policy (IP allow/block lists and Microsoft's safe list)[5]. |
| Recipient & SMTP Checks | Verifies the recipient address exists (Directory-Based Edge Blocking, DBEB) and that the SMTP conversation is well-formed; invalid recipients are rejected early[6]. | Exchange Online front-end transport (recipient lookup)[6]. |
| Anti-Malware Scanning | Scans message content and attachments for malware; quarantines the message if malware is found[2]. | EOP anti-malware policy (multiple AV engines, common attachments filter)[2]. |
| Mail Flow Rules / DLP | Applies admin-defined mail flow (transport) rules and DLP policies (block, modify, encrypt, or reroute messages based on content). | Exchange mail flow rules (configured by admin)[2]; DLP policies. |
| Content Filter (Spam/Phish) | Analyzes message content and sender authenticity; produces the spam/phishing verdict (spam confidence level, SCL)[2] and takes the action set in policy (Junk, quarantine, etc.)[2]. | EOP anti-spam and anti-phishing policies (configurable actions)[2]; SPF/DKIM/DMARC checks and spoof intelligence[4]. |
| Safe Attachments (Defender for Office 365, formerly ATP) | Detonates attachments in a sandbox to detect unknown malware before delivery; malicious findings lead to quarantine. | Defender for Office 365 Safe Attachments policy. |
| Safe Links (Defender for Office 365, formerly ATP) | Rewrites URLs and scans them at click time for malicious content[7]; protects against phishing links. | Defender for Office 365 Safe Links policy[7]. |
| Delivery/Store Email | Delivers the message to the mailbox (Inbox or Junk Email folder) if not quarantined; final storage in the mailbox database[1]. | Exchange Mailbox Transport Delivery service[1]; mailbox junk email rule. |
| Quarantine (if applied) | Holds the email out of the user's mailbox when quarantined by policy (malware, phish, etc.); admins or users can review it in the quarantine portal. | EOP quarantine (access per quarantine policy settings)[2]. |
| Zero-Hour Auto Purge | Post-delivery, automatically moves emails later found dangerous to the Junk Email folder or quarantine[4]. | EOP/Defender ZAP (enabled by default)[4]. |

(Table: Inbound email filtering pipeline in Exchange Online, with key stages and policies.)
Security Policies and Management of Email Flow
Numerous policies control the behavior of each filtering step in Exchange Online. These policies allow administrators to configure how strict the filters are, what actions to take on detected threats, and exceptions or special rules. Below we discuss the main policy types and how they manage the mail flow steps:
- Anti-Malware Policy: Governs how Exchange Online scans and handles viruses and malware. EOP's anti-malware protection is enabled for all messages by the Default policy[2]. Admins can edit or create policies to:
- Quarantine messages in which malware is detected (messages containing malware are always quarantined; the assigned quarantine policy decides who can view or release them)[2].
- Enable the common attachments filter to block file types such as .exe, .bat and .vbs regardless of scan result (enabled by default with a preset list of extensions)[4], and choose whether such messages are quarantined or rejected with a non-delivery report (NDR).
- Configure admin notifications (for example, notify an admin when a message from an internal or external sender is not delivered because of malware), with customizable notification text.
- Example: with the common attachments filter set to "Reject the message with a non-delivery report", a message carrying a .vbs attachment is returned to the sender with an NDR instead of being quarantined.
- Anti-Spam Policy (Spam Filter Policy): Controls the spam filtering thresholds and actions. Exchange Online comes with a Default anti-spam policy (which is always on) and allows custom policies. Key settings include:
- What to do with messages marked as Spam, High confidence spam, Phishing, High confidence phishing, and Bulk[2].
- Available actions: move to the Junk Email folder, quarantine, delete, redirect to an address, add an X-header, or prepend the subject. In the Default policy, spam, high confidence spam, phishing and bulk are all moved to the Junk Email folder; only high confidence phishing is quarantined (that verdict is always quarantined). The Standard preset additionally quarantines high confidence spam and phishing, and the Strict preset quarantines all five verdicts.
- Allowed and blocked sender lists: Admins can specify allowed senders or domains (which skip spam filtering but are still scanned for malware and high confidence phishing) and blocked senders or domains (always treated as high confidence spam). Avoid broad allowed-domain entries: they also bypass sender-authentication checks, so a spoofed message from that domain sails through. Prefer the Tenant Allow/Block List, or a mail flow rule scoped to the sending IP.
- International spam settings: Filter by languages or regions if needed.
- Spoof intelligence: EOP learns when a sender is allowed to spoof a domain (for example, a third-party service sending as your domain). Admins review and override these decisions in the spoof intelligence insight and in the Tenant Allow/Block List (spoofed senders tab) in the Defender portal; spoof intelligence itself is switched on in the anti-phishing policy.
- Anti-spam policies can be set at the org level or targeted to specific users or groups; a custom policy overrides the default for the users it covers, and priority order decides which custom policy applies when several match.
- Anti-Phishing Policy: Part of Defender for Office 365, though a baseline anti-phishing policy (spoof intelligence) exists in EOP.
- Impersonation protection: You can configure protection for specific high-profile users (e.g., CEO, CFO) so that if an inbound email purports to be from them (display name trick) but isn’t, it will be flagged.
- User and domain impersonation lists: e.g., block emails that look like they’re from your domain but actually aren’t (punycode domains or slight name changes).
- Actions for detected phishing can be set (quarantine, delete, etc.).
- EOP's own anti-phishing policy covers spoof intelligence and the unauthenticated-sender indicators; impersonation protection and mailbox intelligence require the Defender for Office 365 anti-phishing policy, which is more configurable. Admins also manage the tenant allow/block list for spoofed senders from here.
- These policies also integrate with machine learning (mailbox intelligence, which learns user communication patterns to better spot unusual senders).
- Mail Flow Rules (Transport Rules): Custom rules admins create in the Exchange Admin Center (EAC) or via PowerShell (New-TransportRule). They are very flexible and can override or supplement the default behavior.
- For example, a mail flow rule can bypass spam filtering for certain messages: if an application sends bulk mail that EOP would classify as spam by content, a rule that recognizes a header or other trait of those messages can set the spam confidence level (SCL) to -1, which means "bypass spam filtering" (SCL 0 is merely a not-spam verdict). Such a rule should also be conditioned on the sending IP range, because a header alone is trivial for an attacker to forge.
- Conversely, a rule could manually quarantine any message that meets certain conditions, even if spam filtering doesn’t catch it. E.g., quarantine any message with a .zip attachment and coming from outside to specific recipients.
- Mail flow rules can also route mail (e.g., forward a copy of all mail to legal for compliance journaling, though Exchange Online offers separate Journaling too).
- They are managed by admin and need careful planning to not conflict with other policies. They execute in a certain order relative to built-in filters (generally after malware scan, before spam verdict as shown above).
- There are templates for common rules (DLP templates, etc.). Also, rules can add disclaimers, or encrypt messages using Microsoft Purview Message Encryption.
- Defender for Office 365 Safe Attachments Policy: This controls the behavior of the Safe Attachments feature:
- Admins set whether Safe Attachments applies to incoming (and internal) email and what action to take: Off (no attachment sandboxing), Monitor (log but don't delay mail), Block (hold the message until the scan completes, so no risky attachment is delivered), Replace (remove a malicious attachment and deliver the email with a notice), or Dynamic Delivery (deliver the email immediately with attachment placeholders, then attach once scanning finishes), as described earlier. Block is the recommended setting.
- Scope: a policy can apply to all or specific users and groups. You might leave out mailboxes that only receive internal mail, but typically everyone is protected.
- The Built-in protection preset, on by default in tenants with Defender for Office 365, applies Safe Attachments in Block mode to all recipients at the lowest priority; a custom policy or the Standard/Strict preset overrides it for the users it covers.
- Global Safe Attachments settings (separate from the per-user policies) turn on Safe Attachments for SharePoint, OneDrive and Microsoft Teams, and Safe Documents in Office. Whether users can preview or release a quarantined message is set by the quarantine policy, not by Safe Attachments.
- Defender for Office 365 Safe Links Policy: For managing Safe Links:
- Here you define which users get Safe Links protection (again often all, via preset or custom).
- You can choose to uniformly wrap all URLs or only apply to certain scenarios.
- Options like: Do you want to track user clicks? Do you want to allow users to click through to the original URL if it’s detected as malicious (a toggle for “do not allow click through” for strict security)?
- Safe Links policies cover not just email, but can also cover Microsoft Teams, and Office apps if enabled, but in this context the email part is key.
- As with Safe Attachments, the Built-in protection preset enables Safe Links for all Defender for Office 365 users by default at the lowest priority; a custom policy or the Standard/Strict preset takes precedence for the users it covers[7].
- Outbound Spam Policy: Although outbound spam detection itself is automatic, the outbound spam policy has settings admins control:
- Recipient rate limits (maximum external and internal recipients per hour, and per day) and the action when a user exceeds them (restrict the user from sending, restrict until the following day, or alert only). Users who exceed the limits or send detected spam appear on the Restricted entities page in the Defender portal.
- Notification preferences, e.g., who is told when a user is blocked from sending. (As mentioned, the default alert policy notifies global admins.)
- Automatic external forwarding: the policy decides whether mailboxes may auto-forward mail outside the organization (blocked by default), which closes a common data-exfiltration channel after account compromise.
- Admins can release a user who was mistakenly restricted from the Restricted entities page or with Remove-BlockedSenderAddress in PowerShell.
- Outbound spam filtering cannot be turned off; the way to avoid false positives is to keep legitimate bulk senders within the published sending limits or move them to a third-party bulk mailing service.
- Quarantine Policies: A newer addition, quarantine policies control what users can do with quarantined messages of a given verdict:
- For example, you may let end users view and release their own spam-quarantined messages (from the quarantine portal or from the quarantine notification email) but not malware-quarantined messages, which by default only admins can release[2].
- Quarantine policies also define whether users receive quarantine notification emails and how often.
- Built-in quarantine policies cover the common cases: AdminOnlyAccessPolicy (used by default for malware and high confidence phishing), DefaultFullAccessPolicy (users can view and release), and DefaultFullAccessWithNotificationPolicy (the same, plus notifications). Each verdict in the anti-spam, anti-malware, anti-phishing and Safe Attachments policies is mapped to one of these.
- Other Policies: There are additional settings that impact mail flow:
- Accepted Domains and Email Address Policies: This defines which domains your Exchange Online will accept mail for (important for recipient filtering)[6].
- Connector Policies: If you set up connectors (for hybrid scenarios or specialized routing), those connectors can enforce TLS encryption or partner-specific rules.
- Junk Email Settings for mailboxes: Microsoft recommends leaving the per-mailbox junk email setting at default (“No automatic filtering”) so as not to conflict with EOP’s decisions[1]. Outlook’s client-side filter is secondary to EOP.
- User Safe Senders/Blocked Senders: Users can add entries to their Safe Senders list in Outlook; Exchange Online honors it by skipping spam filtering for those senders (SFV:SFE in the message headers), but malware and high confidence phishing verdicts still apply. Senders on a user's Blocked Senders list go to the Junk Email folder (SFV:BLK).
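To make the policy layers above concrete, the following is an added example (mine, not code from the original report or from Microsoft) that uses Exchange Online PowerShell to review and harden the Default anti-spam policy and to create the two kinds of mail flow rule discussed above: a spam-filter bypass keyed on a header plus the sending IP, and a rule that quarantines external .zip attachments to a team. The tenant, addresses, IP and header name (contoso.com, finance@contoso.com, 203.0.113.10, X-Contoso-App) are hypothetical placeholders; the cmdlets and parameters are real Exchange Online ones.

```powershell
# Added example, not from the original report. Assumes an Exchange Online
# PowerShell session (Connect-ExchangeOnline) as an Exchange or Security
# Administrator. contoso.com, finance@contoso.com, 203.0.113.10 and the
# X-Contoso-App header are hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. What the Default anti-spam policy does with each verdict today. Out of
#    the box, everything except high confidence phishing goes to Junk Email.
Get-HostedContentFilterPolicy -Identity Default |
    Format-List SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                HighConfidencePhishAction, BulkSpamAction, BulkThreshold,
                AllowedSenderDomains

# 2. Raise the actions to what the Standard preset uses: quarantine high
#    confidence spam and phishing instead of leaving them in the Junk folder.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkThreshold 6

# 3. Mail flow rule that bypasses spam filtering for an application sender.
#    SCL -1 means "bypass spam filtering" (SCL 0 would still be a verdict).
#    The rule requires both the application's header and its sending IP, so
#    an attacker cannot trigger the bypass just by adding the header.
#    Malware scanning still runs on these messages.
New-TransportRule -Name "Bypass spam filtering for billing app" `
    -HeaderContainsMessageHeader "X-Contoso-App" `
    -HeaderContainsWords "billing-v2" `
    -SenderIpRanges "203.0.113.10" `
    -SetSCL -1 `
    -Mode Enforce `
    -Priority 0

# 4. Mail flow rule that quarantines .zip attachments sent from outside the
#    organization to the finance team, whatever the content filter decides.
New-TransportRule -Name "Quarantine external zip to finance" `
    -FromScope NotInOrganization `
    -SentTo "finance@contoso.com" `
    -AttachmentExtensionMatchesWords "zip" `
    -Quarantine $true `
    -Mode Enforce `
    -Priority 1

# 5. Rules run in priority order (0 first); confirm what is enabled.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize
```

Run the rules in -Mode Audit first if you want to see what they would have matched before enforcing them; the matches then show up in the mail flow rule report and in message trace without changing delivery.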
Policy Management: All these policies are managed in the Microsoft Defender portal (security.microsoft.com, formerly Microsoft 365 Defender) under Email & collaboration > Policies & rules > Threat policies, or in the Exchange Admin Center (admin.exchange.microsoft.com) under Mail flow for rules and accepted domains. Microsoft provides preset security policies (Standard and Strict) that apply recommended settings for EOP and Defender for Office 365 in one step[5]; the presets bundle many of the policies above into a hardened configuration.
Administrators should regularly review these policies to keep up with evolving threats. Microsoft also updates the backend (for example, spam filter definitions, malware engine updates) continuously, but how those are handled (quarantine vs deliver) is in your control via policy. EOP’s default is to secure by default – it’s enabled when you start with Exchange Online and will catch most junk[5][2], but tuning policies (and reviewing quarantine/mail logs) can further improve security and reduce false positives.
Logging, Monitoring, and Compliance
Exchange Online provides robust logging and reporting capabilities that allow organizations to monitor email flow, investigate issues, and meet compliance requirements regarding email communications.
1. Message Tracking and Trace Logs:
Every email that flows through Exchange Online is recorded in message tracking data. Administrators use Message Trace to follow an email's journey: if an email was not received as expected, a trace shows whether it was delivered, filtered, quarantined or bounced, and why. Message trace is available in the Exchange Admin Center and in PowerShell (Get-MessageTrace and Get-MessageTraceDetail). Data for the last 10 days is searchable interactively with near-real-time results; older messages, up to 90 days back, require a historical search (Start-HistoricalSearch in PowerShell), whose results are produced as a CSV file a few hours later[3]. The trace results show events such as Receive, Spam (filter verdict and action), Malware, Transport rule, Deliver and Quarantine, with timestamps and server details. This is invaluable for troubleshooting mail flow issues or confirming that a policy acted as intended.
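Added example (mine, not from the original report): the PowerShell form of the trace just described, used to answer "a user says a message never arrived; what happened to it?". It assumes an Exchange Online PowerShell session and uses hypothetical addresses; Get-MessageTrace, Get-MessageTraceDetail and Get-QuarantineMessage are the real cmdlets.

```powershell
# Added example, not from the original report. Assumes an Exchange Online
# PowerShell session; the addresses are hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$recipient = "alice@contoso.com"
$sender    = "invoices@partner.example"

# Get-MessageTrace covers the last 10 days. For anything older (up to 90
# days) use Start-HistoricalSearch, which produces a CSV report later.
$traces = Get-MessageTrace -RecipientAddress $recipient `
                           -SenderAddress $sender `
                           -StartDate (Get-Date).AddDays(-3) `
                           -EndDate (Get-Date)

# Status is the summary: Delivered, FilteredAsSpam (Junk Email folder),
# Quarantined, Failed (rejected or bounced) or Pending.
$traces | Format-Table Received, Subject, Status, FromIP -AutoSize

foreach ($t in $traces) {
    Write-Host "--- $($t.Subject) [$($t.Status)]"
    # The detail events name the pipeline step that acted and why (Receive,
    # Spam, Malware, Transport rule, Deliver, Quarantine, Fail ...).
    Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
                           -RecipientAddress $recipient |
        Sort-Object Date |
        Format-Table Date, Event, Action, Detail -Wrap
}

# Cross-check against the quarantine itself: what is held for this user and
# under which verdict (Spam, HighConfPhish, Phish, Malware, Bulk,
# TransportRule ...).
Get-QuarantineMessage -RecipientAddress $recipient `
                      -StartReceivedDate (Get-Date).AddDays(-3) |
    Format-Table ReceivedTime, SenderAddress, Subject, Type, Released -AutoSize
```

The Detail column of the Spam event is the quickest way to tell whether a Junk or quarantine placement came from the content filter, a mail flow rule, or a user or admin block list, which is the same information the X-Forefront-Antispam-Report header carries on the delivered copy.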
2. Reports and Dashboards:
Exchange Online and Microsoft 365 offer several built-in reports for email traffic:
- Email Security Reports: In the Microsoft 365 Defender portal, admins can view dashboards for things like Spam detection rates, Malware detected, Phishing attempts, and Trend charts. There are specific reports such as Top senders of spam, Top malware, and Spam false positive/negative stats. These help gauge the health of your email system – e.g., what volume of mail is being filtered out versus delivered.
- Mail Flow Reports: In the Exchange Admin Center, the mail flow dashboard can show statistics on sent/received mails, counts of spam, etc.
- DLP and Compliance Reports: If using DLP, there are reports for DLP policy matches, etc., in the Compliance Center.
- User-reported messages: If users use the Outlook “Report Phishing” or “Report Junk” buttons (with the report message add-in), those submissions are tracked and can be reviewed (to improve the filters and also to see what users are reporting).
- Microsoft provides recommended practices and preset queries; e.g., an admin can quickly see how many messages were blocked by DMARC or how many were auto-forwarded outside (useful for detecting potential auto-forward rules set by attackers).
3. Auditing:
Exchange Online supports audit logs that are important for compliance:
- Mailbox Audit Logging: Tracks actions taken on mailboxes (access by delegates or admins, deletion or moves of items, and so on). Mailbox auditing has been on by default for all Microsoft 365 organizations since 2019; older tenants had to enable it per mailbox. This covers user activity on mail items rather than transport events.
- Admin Audit Logging: Any changes to the configuration (like changes to a transport rule or policy) are logged so you can see who changed what and when.
- In the Microsoft Purview compliance portal (or with Search-UnifiedAuditLog in PowerShell), you can search the unified audit log, which includes events from Exchange and the other Microsoft 365 services. For example, MailItemsAccessed events (aggregated records that carry the client IP, session ID and access type) reveal a session that read an unusually large number of mailbox items, a possible data theft indicator; and New-TransportRule or Set-TransportRule events show who changed mail flow rules. Whether MailItemsAccessed is recorded depends on the tenant's Purview Audit licensing.
- These logs help in forensic analysis and demonstrate compliance with policies (e.g., proving that certain emails were indeed blocked or that no one read a particular mailbox).
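Added example (mine, not from the original report): three Search-UnifiedAuditLog queries that turn the audit events just described into the checks a responder actually runs after a suspected mailbox compromise, namely heavy MailItemsAccessed activity by client IP, edits to mail flow rules, and inbox rules that forward mail out. It assumes an Exchange Online PowerShell session with audit-log read access; the mailbox, time window and Get-AuditEvents helper name are hypothetical.

```powershell
# Added example, not from the original report. Assumes an Exchange Online
# PowerShell session with audit-log read rights; mailbox and window are
# hypothetical placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$user  = "alice@contoso.com"

# Search-UnifiedAuditLog returns one row per event; the detail is a JSON
# string in AuditData, so expand it before filtering. (Hypothetical helper.)
function Get-AuditEvents([string[]]$Operations, [string]$UserId) {
    $params = @{ StartDate = $start; EndDate = $end; Operations = $Operations; ResultSize = 5000 }
    if ($UserId) { $params.UserIds = $UserId }
    Search-UnifiedAuditLog @params | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# 1. Mass mailbox reads: MailItemsAccessed records carry the client IP and
#    session. A single IP reading far more than the user's usual clients is
#    the pattern to look for; group by IP and sort.
Get-AuditEvents -Operations MailItemsAccessed -UserId $user |
    Group-Object ClientIPAddress |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Sessions'; e = { ($_.Group.SessionId | Sort-Object -Unique).Count } }

# 2. Who changed mail flow rules, and with which parameters.
Get-AuditEvents -Operations New-TransportRule, Set-TransportRule, Remove-TransportRule |
    Select-Object CreationTime, UserId, Operation,
        @{ n = 'Parameters'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

# 3. Inbox rules that forward or redirect mail out, a common persistence and
#    exfiltration step after compromise. Rules created from Outlook desktop
#    are logged as UpdateInboxRules and need a separate look.
Get-AuditEvents -Operations New-InboxRule, Set-InboxRule |
    Where-Object { ($_.Parameters.Name -join ',') -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo' } |
    Select-Object CreationTime, UserId, ClientIP,
        @{ n = 'Parameters'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

# The audit window may postdate the attacker's rule, so also check what is
# live on the mailbox now.
Get-InboxRule -Mailbox $user |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
```

Pair the third query with the outbound spam policy's automatic-forwarding setting: if external auto-forwarding is blocked at the policy level, a forwarding inbox rule is still evidence of compromise even though the forwarded copies never leave the tenant.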
4. Compliance Features:
Beyond just logging:
- Retention and EDiscovery: Exchange Online can be set up with retention policies or litigation hold to retain copies of emails for compliance for a specified duration (even if users delete them). This ensures any email can later be retrieved for legal purposes. This ties into compliance but is not part of the active mail flow – rather, it’s a background process that preserves messages.
- Journaling: Some organizations use journaling to send a copy of all (or specific) emails to an external archive for compliance. Exchange Online can journal messages to a specified mailbox or external address, ensuring an immutable copy is kept. Journaling rules can be set to target certain users or criteria.
- Data Loss Prevention Reports: If DLP policies are used, admins can get incident reports when a DLP rule is triggered (like if someone sent a message with sensitive info that was blocked, etc.), and these incidents are logged.
5. Monitoring and Alerting:
Microsoft 365 has a variety of alerts that assist admins:
- Security Alerts: as mentioned, alerts like “User Restricted from sending (spam)” or “Malware campaign detected” will flag unusual scenarios.
- Mail Flow Insights: The portal might give recommendations or insights, for example, if a lot of mail from a particular sender is getting blocked, it might surface that.
- Queue Monitoring: Admins can also monitor the service health; if Exchange Online is having an issue, or if messages are queued (e.g., because the on-prem server is down in a hybrid setup), the admin center indicates that.
6. Protocol and Connectivity Logging:
For advanced troubleshooting, Exchange Online does not expose raw SMTP protocol logs to tenants, but the headers of a delivered message record most of what the pipeline did: a Received: line per hop with timestamps, Authentication-Results (SPF, DKIM, DMARC and composite authentication results), X-Forefront-Antispam-Report (connecting IP, SCL, the SFV filter verdict and the CAT category), X-MS-Exchange-Organization-SCL, and X-Microsoft-Antispam (bulk complaint level). Microsoft's Message Header Analyzer (mha.azurewebsites.net, also available as an Outlook add-in) parses these headers, and the Email entity page in the Defender portal shows the same verdicts for a message; either helps explain why something went to Junk[1].
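The following added example (mine, not part of the original report) parses those headers in PowerShell to produce the verdict a practitioner wants at a glance, and it also shows the SCL-to-folder mapping described in the Inbox/Junk placement section earlier. The header block is constructed for the example (the IP, host names and verdict values are invented) and Get-EopVerdict is a hypothetical helper name; the header names and SFV/CAT codes are the real ones EOP stamps.

```powershell
# Added example, not from the original report: parse the EOP anti-spam headers
# on a delivered message to explain its verdict. $headers is constructed for
# this example (IPs, host names and verdict values are invented).
$headers = @'
Received: from mail.partner.example (203.0.113.10) by
 CWXP123MB4567.namprd12.prod.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=partner.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=partner.example;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.partner.example;PTR:mail.partner.example;CAT:PHSH;SFS:(13230031)(1800799015);DIR:INB;
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam: BCL:0;
Subject: Invoice overdue
'@

function Get-EopVerdict {
    # Hypothetical helper name; returns one object summarizing the verdict.
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322: a line starting with whitespace
    # continues the previous header), then split into one header per line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", " "
    $lines = $unfolded -split "`r?`n"

    function Get-Header([string]$Name) {
        $line = $lines | Where-Object { $_ -like "${Name}:*" } | Select-Object -First 1
        [string]($line -replace "^${Name}:\s*", "")
    }

    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE pairs.
    $report = @{}
    foreach ($pair in ((Get-Header 'X-Forefront-Antispam-Report') -split ';')) {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $report[$Matches[1]] = $Matches[2] }
    }

    # Authentication-Results carries the sender-authentication outcomes.
    $auth = @{}
    foreach ($m in [regex]::Matches((Get-Header 'Authentication-Results'),
                                    '\b(spf|dkim|dmarc|compauth)=(\w+)')) {
        $auth[$m.Groups[1].Value] = $m.Groups[2].Value
    }

    # SFV says which filter path produced the verdict, CAT the category, and
    # SCL is the score the mailbox junk email rule acts on.
    $sfvMeaning = @{
        NSPM = 'not spam'
        SPM  = 'spam by content filter'
        SKN  = 'filtering skipped: safe sender or SCL -1 mail flow rule'
        SKS  = 'marked as spam by mail flow rule'
        SKB  = 'blocked sender/domain in policy'
        SKA  = 'allowed sender/domain in policy'
        SKI  = 'skipped: intra-organization'
        SFE  = "user's Safe Senders list"
        BLK  = "user's Blocked Senders list"
    }
    $sfv = [string]$report['SFV']
    $scl = [int]$report['SCL']

    [pscustomobject]@{
        SenderIP   = $report['CIP']
        SCL        = $scl
        Category   = $report['CAT']
        FilterPath = "$sfv ($($sfvMeaning[$sfv]))"
        SPF        = $auth['spf']
        DKIM       = $auth['dkim']
        DMARC      = $auth['dmarc']
        CompAuth   = $auth['compauth']
        # Default policy: SCL 5-6 is spam, 7-9 high confidence spam, both
        # routed by the junk email rule; -1 means filtering was bypassed.
        Placement  = $(
            if     ($scl -ge 5)  { 'Junk Email folder (or quarantine, per policy action)' }
            elseif ($scl -eq -1) { 'Inbox (spam filtering bypassed)' }
            else                 { 'Inbox' }
        )
    }
}

Get-EopVerdict -RawHeaders $headers | Format-List
```

For the constructed headers above the function reports SCL 6, category PHSH, filter path SPM, SPF and DMARC fail, DKIM none and composite authentication fail, which is the combination you would expect to see for a message that the Default policy filed in Junk Email and the Standard preset would have quarantined. Paste a real message's headers into $headers to use it on live mail.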
7. Summaries in Admin Center:
In the Microsoft 365 admin center, usage analytics show overall mail volume, active users, etc. While not security-focused, it’s part of monitoring the email service’s usage.
In summary, Exchange Online offers comprehensive reporting to monitor the health and security of mail flow[3]. Administrators can trace messages end-to-end, view real-time dashboards of threats blocked, and ensure compliance through audit logs and retention policies. Microsoft’s continuous updates to EOP and Defender are reflected in these logs (for instance, if a new malware campaign is blocked, it will show up in malware reports). By regularly reviewing these logs and reports, organizations can adjust their policies (e.g., whitelist a sender that is falsely marked as spam, or tighten policies if too much spam is reaching users) and demonstrate that controls are working.
Finally, all these capabilities work together to manage risk: the multi-layered filtering (EOP + Defender), the admin policies, and the monitoring tools create a feedback loop – where monitoring can reveal new threats or policy gaps, allowing admins to fine-tune configurations, which then feed back into better filtering outcomes.
Conclusion
Exchange Online's mail flow is engineered to deliver email reliably while enforcing security at every step. From the moment an email is sent or received, it traverses a sequence of transport services and checks, including sender authentication, malware scanning, spam/phishing detection, and custom organization policies, before it reaches its destination. Exchange Online Protection (EOP) is the first line of defense, blocking spam, malware and spoofing attempts by default[2]. Organizations can extend this with Microsoft Defender for Office 365 to gain advanced protection through features like Safe Attachments and Safe Links, which neutralize unknown malware and phishing URLs at delivery and click time[7].
Crucially, every stage of this pipeline is governed by configurable policies, giving administrators control over how to handle different types of threats and scenarios – from quarantining malware to allowing trusted partners to bypass spam filters. The policies and filters work in concert: connection filtering stops known bad actors early, anti-malware catches dangerous payloads, transport rules enforce internal compliance, content filters separate spam/phish, and Defender add-ons provide deep analysis for stealthy threats. Legitimate email is delivered to users’ mailboxes, often within seconds, whereas malicious content is safely defanged or detained for review.
Throughout the process, extensive logging and reporting provide visibility and accountability, enabling admins to trace message flow, verify policy enforcement, and collect evidence for security audits[3]. Whether it is an outbound message being scanned to protect the organization's sending reputation or an inbound email undergoing sender authentication (SPF, DKIM, DMARC) and content inspection, Exchange Online evaluates each email against a series of checks and balances.
In summary, the journey of an email through Exchange Online is not just about moving bits from sender to recipient; it is a managed, secure pipeline built on the zero-trust principle of never trust, always verify. By understanding and leveraging the full range of steps and security checks outlined in this report, organizations can keep their email communications reliable, confidential, and safe from evolving threats[2].
References
[1] How Exchange Online Email Flow Works – Schnell Technocraft
[2] Exchange Online Protection (EOP) overview – Microsoft Defender for …
[3] Monitoring, reporting, and message tracing in Exchange Online
[4] Email authentication in Microsoft 365 – Microsoft Defender for Office …
[5] Exchange Online Protection – What you need to know – LazyAdmin
[6] Mail flow in EOP – Microsoft Defender for Office 365
[7] Safe Links in Microsoft Defender for Office 365