Skip to Content
EmailExchangeEmail SecurityConnection Filter

Connection Filter

Configure connection filtering in Exchange Online Protection to allow or block email based on the sending server’s IP address. Connection filtering is the first layer of email protection, evaluating messages before content analysis.

Note: Connection filtering applies to all inbound email. It evaluates the connecting IP address before any content-based filtering occurs.

How Connection Filtering Works

  1. Connection established — Sending server connects to EOP.
  2. IP evaluation — Sending IP checked against allow list, block list, and safe list.
  3. Allow list match — Message bypasses spam filtering (still scanned for malware).
  4. Block list match — Connection rejected with 550 error.
  5. No match — Message proceeds to content filtering.

IP Allow List

Add IP addresses of legitimate mail servers that should bypass spam filtering:

  • Single IP addresses (e.g., 192.168.1.1)
  • IP address ranges using CIDR notation (e.g., 192.168.1.0/24)
  • Maximum 1273 entries

Warning: IP allow list entries bypass spam filtering. Only add IPs you trust completely. Does not bypass malware or phishing scanning.

IP Block List

Block all email from specific IP addresses:

  • Block known spam sources not caught by reputation filters
  • Block compromised servers sending unwanted email
  • Messages are rejected at connection with a 550 error
  • Maximum 1273 entries

Safe List

Microsoft maintains a safe list of known legitimate mail servers:

  • Automatically updated by Microsoft
  • Includes major email service providers
  • Can be enabled or disabled per organization
  • Reduces false positives for legitimate senders

Enhanced Filtering

When using a third-party email gateway before EOP:

  • Skip listing — Configure EOP to skip the gateway IPs and evaluate the original sender IP
  • Preserves original sender IP for accurate spam and authentication evaluation
  • Required for proper SPF, DKIM, and DMARC evaluation behind a gateway

Connection Filter Policy Settings

SettingDescription
IP Allow ListIPs that bypass spam filtering
IP Block ListIPs that are always blocked
Enable Safe ListUse Microsoft maintained safe list
Enhanced FilteringSkip gateway IPs for accurate evaluation

Best Practices

  • Minimize allow list entries — Each entry bypasses spam filtering.
  • Use enhanced filtering with gateways — Preserve original sender IP for accurate detection.
  • Enable safe list — Reduces false positives from known legitimate services.
  • Review block list regularly — Remove entries for IPs that are no longer a threat.

API Reference

GET /api/exchange/connection-filter Get connection filter policy

PUT /api/exchange/connection-filter/ip-allow Update IP allow list

PUT /api/exchange/connection-filter/ip-block Update IP block list

PUT /api/exchange/connection-filter/safe-list Enable or disable safe list

Last updated on
Anti-PhishingConnection Filter Templates