Skip to content
Cloudflare Docs

3 - Junk email and administrative quarantine

In this tutorial, you will learn how to deliver SUSPICIOUS and BULK messages to the users's junk email folder, and MALICIOUS, SPAM, and SPOOF messages to the administrative quarantine (this requires an administrator to release the emails).

Create quarantine policies

To create quarantine policies:

  1. Open the Microsoft 365 Defender console

  2. Go to Email & collaboration > Policies & rules.

  3. Select Threat policies.

  4. Under Rules, select Quarantine policies.

  5. Select Add custom policy.

  6. Set the Policy name to UserNotifyAdminRelease.

  7. Select Next.

  8. In Recipient message access, select Set specific access (Advanced), and then:

    • In Select release action preference, choose Allow recipients to request a message to be released from quarantine.
    • In Select additional actions recipients can take on quarantined messages, select the Delete and Preview checkboxes.

  9. Select Next.

  10. In Quarantine notification, select Enable.

  11. Select Next.

  12. Review your settings and select Submit.

  13. Select Done.

Configure quarantine notifications

To configure quarantine notifications:

  1. Open the Microsoft 365 Defender console.

  2. Go to Email & collaboration > Policies & rules.

  3. Select Threat policies.

  4. Under Rules, select Quarantine policies.

  5. Select Global settings.

  6. Scroll to the bottom and set the desired frequency in Send end-user spam notifications every (days). This value can only be incremented in days.

  7. Select Save.

Configure anti-spam policies

To configure anti-spam policies:

  1. Open the Microsoft 365 Defender console.

  2. Go to Email & collaboration > Policies & rules.

  3. Select Threat policies.

  4. Under Policies, select Anti-spam.

  5. Select the Anti-spam inbound policy (Default) text (not the checkbox).

  6. In Actions, scroll down and select Edit actions.

  7. Set the following conditions and actions (you might need to scroll up or down to find them):

  • Spam: Move messages to Junk Email folder.
  • High confidence spam: Quarantine message.
    • Select quarantine policy: _UserNotifyAdminRelease_.
  • Phishing: Quarantine message.
    • Select quarantine policy: _UserNotifyAdminRelease_.
  • High confidence phishing: Quarantine message.
    • Select quarantine policy: _UserNotifyAdminRelease_.
  • Retain spam in quarantine for this many days: Default is 15 days. Email Security recommends 15-30 days.
    • Select the spam actions in the above step.
  1. Select Save.

Create transport rules

To create the transport rules that will send emails with certain disposition to Email Security:

  1. Open the new Exchange admin center.

  2. Go to Mail flow > Rules.

  3. Select Add a Rule > Create a new rule.

  4. Set the following rule conditions:

    • Name: `Email Security Deliver to Junk Email folder`.
    • Apply this rule if: The message headers > includes any of these words.
      • Enter text: X-CFEmailSecurity-Disposition > Save.
      • Enter words: `SUSPICIOUS`, `BULK` > Add > Save.
    • Apply this rule if: Select + to add a second condition.
    • And: The sender > IP address is in any of these ranges or exactly matches > enter the egress IPs in the Egress IPs page.
    • Do the following - _Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _5_.

  5. Select Next.

  6. You can use the default values on this screen. Select Next.

  7. Review your settings and select Finish > Done.

  8. Select the rule `Email Security Deliver to Junk Email folder` you have just created, and Enable.

  9. Select Add a Rule > Create a new rule.

  10. Set the following rule conditions:

    • Name: `Email Security User Quarantine Message`.
    • Apply this rule if: The message headers > includes any of these words.
      • Enter text: X-CFEmailSecurity-Disposition > Save.
      • Enter words: `MALICIOUS`, `UCE`, `SPOOF` > Add > Save.
    • Apply this rule if: Select + to add a second condition.
    • And: The sender > IP address is in any of these ranges or exactly matches > enter the egress IPs in the Egress IPs page.
    • Do the following: _Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _9_.

  11. Select Next.

  12. You can use the default values on this screen. Select Next.

  13. Review your settings and select Finish > Done.

  14. Select the rule `Email Security User Quarantine Message` you have just created, and select Enable.