Exchange Online Protection and internal email


Last month we pointed our Exchange 2010 server to EOP to help reduce spam and virus problems. I set up the Exchange server to use send through EOP as well. I've been tweaking the settings as best as I can, but we are having one big problem. A lot of our internal email is being caught by the Junk Email filter in Outlook, even if we specify our domain as a safe sender. Are there any other settings I can look at whether in EOP or Outlook that could fix this? We have a lot of users missing important emails and reports that are send internally that they don't see until they check their Junk Email folder.

Who is Participating?
Vasil Michev (MVP)Connect With a Mentor Commented:
For hybrid, mail between the two organizations should be treated as internal, if it doesnt, check this article for some common causes:

Creating transport rules with SCL set to -1 should solve any remaining cases. The Connection filter Allow list will accept private IP ranges too, but you should of course add the IP that the EOP servers 'see' (i.e. check headers).
Vasil Michev (MVP)Commented:
Just add some transport rules to set SCL to -1? You can also add the IPs to the IP allow list under Protection -> Connection filter. Here is an article with more details on both methods:
OrbusLLCAuthor Commented:
So will this work with internal IP's or do I enter my external IP's? We are in hybrid mode right now. Getting ready to move users into the cloud.

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

OrbusLLCAuthor Commented:
I worked with a tech from Microsoft last night on my hybrid configuration and asked him the question about internal email going to the junk e-mail folder. He said that all internal email is rated with -1 so if it's still going to junk e-mail there must be something Outlook see's. Is there a way to add our domain as a safe sender for all users? I guess it would be in group policy. But would that help? I believe I have a couple users with the address in question as a safe sender, but it still goes to junk email.

Vasil Michev (MVP)Commented:
Well, check the headers of one of those messages. If SCL is indeed -1, Outlook is to blame. If SCL is different, review the article above to make sure mail is indeed treated as internal.
OrbusLLCAuthor Commented:
Here is the one that went to Junk E-Mail, I don't even see an SCL rating!

Received: from SQLSERVER ( by
 ( with Microsoft SMTP Server id; Wed, 21 Jan 2015
 07:45:04 -0600
Thread-Topic: This was executed at 1/21/2015 7:45:04 AM
thread-index: AdA1gHXUfQq+9EY4T0qOko1pQz6QjQ==
From: <>
To: <>
CC: <>, <>,
      <>, <>,
      <>, <>
Subject: This was executed at 1/21/2015 7:45:04 AM
Date: Wed, 21 Jan 2015 07:45:04 -0600
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18645
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Auto-Response-Suppress: DR, OOF, AutoReply
Vasil Michev (MVP)Commented:
This is like internal internal one, it doesnt even go to EOP :) Change SQLSERVER to something that at least resemble an FQDN if possible, i think this is what Outlook doesnt like.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.