How Microsoft Filters Email: What Senders Need to Know

When an email lands in a Microsoft-hosted inbox — whether that's Outlook.com, Hotmail, or a corporate mailbox running Exchange Online — it passes through one of the most aggressive filtering stacks in the industry. Microsoft protects over 400 million mailboxes, and the systems it uses to do that are layered, adaptive, and not always obvious from the outside.
If you're sending newsletters, transactional email, or business correspondence to Microsoft-hosted addresses and experiencing delivery issues, understanding how Microsoft's filtering works is the first step toward fixing the problem.
The Three Layers of Microsoft's Filtering Stack
Microsoft's email filtering is not a single system — it's a pipeline. Mail passes through multiple checkpoints before it reaches an inbox, and rejection can happen at any layer.
Exchange Online Protection (EOP)
EOP is the first line of defense for all mail flowing into Microsoft 365 environments. It handles connection-level filtering, reputation checks, spam scoring, and malware scanning. When your mail reaches a Microsoft mail server, EOP evaluates it based on:
- The sending IP's reputation in Microsoft's own blocklist database
- Whether the sending domain and IP have matching reverse DNS (PTR records)
- SPF, DKIM, and DMARC authentication results
- Content signals — phrase patterns, URL reputation, and structural analysis
- Aggregate complaint data from Microsoft users
Mail that EOP scores as high-risk gets rejected outright or silently routed to the Junk folder, depending on the recipient's organization settings.
Microsoft Defender for Office 365
Organizations that subscribe to Microsoft Defender (Plan 1 or Plan 2) get a second filtering layer on top of EOP. Defender adds Safe Links (real-time URL scanning), Safe Attachments (sandbox detonation for files), and advanced phishing detection — including impersonation analysis that flags messages using domains that look like known brands.
Defender is particularly aggressive about impersonation. If your sending domain is even slightly similar to a major brand, Defender may quarantine your message even if EOP let it through.
SmartScreen and the Junk Mail Filter
Microsoft's SmartScreen technology is the reputation engine that's been part of the stack since the Hotmail era. It evaluates IP and domain reputation at the connection level, and its data feeds into both EOP and the client-side Junk Mail filter in Outlook. Even if a message gets delivered, Outlook's local filter can move it to Junk based on SmartScreen signals.
What Microsoft Uses to Judge Your Reputation
Microsoft maintains its own sender reputation database, separate from Spamhaus or other third-party blocklists. It's fed by:
- User complaints: Every time an Outlook or Hotmail user clicks "Report as junk," that signal gets added to Microsoft's reputation model for the sending IP and domain.
- Trap hits: Microsoft operates its own network of spam trap addresses. Sending to these is a serious reputation hit.
- Engagement data: Microsoft tracks whether recipients open, move, or delete messages. Low engagement is a negative signal.
- Authentication failures: Consistent SPF or DKIM failures damage domain reputation over time.
Two Free Tools Every Bulk Sender Should Use
Smart Network Data Services (SNDS)
SNDS shows you per-IP data: the volume of mail sent, complaint rates, and trap hits. If Microsoft is blocking or filtering your IP, SNDS often shows why. Register your sending IPs through Microsoft's sender support portal and check it regularly when you're troubleshooting deliverability issues.
Junk Mail Reporting Partner Program (JMRP)
JMRP is Microsoft's feedback loop program. When a Microsoft user marks your message as junk, JMRP forwards a copy of the complaint to a mailbox you specify. This lets you identify which sends are generating complaints and act on them before your reputation takes a deeper hit.
Common Reasons Microsoft Blocks Legitimate Email
Senders with clean lists and good authentication still sometimes run into Microsoft delivery problems. The most common causes:
- Shared IP contamination: If you're on a shared IP and another sender on that IP has a poor Microsoft reputation, your mail suffers for it.
- Missing or mismatched PTR records: Microsoft is strict about reverse DNS. Your sending IP must have a PTR record, and that hostname should match your EHLO/HELO string.
- No DMARC policy: While DMARC doesn't automatically prevent filtering, the absence of any DMARC record is a mild negative signal in Microsoft's model.
- Sudden volume spikes: Sending 5,000 messages one week and 500,000 the next triggers Microsoft's anomaly detection.
Getting Delisted or Unblocked
If Microsoft is actively blocking your IP with a 550 5.7.1 or similar rejection, you can request manual review through the Sender Support portal. The delisting process typically involves:
- Registering your IP in SNDS to see complaint and trap data
- Cleaning your list based on what SNDS shows
- Fixing authentication if there are failures
- Submitting a delist request via the portal
Microsoft typically processes delist requests within a few business days. Note that delisting removes you from the IP block, but doesn't reset your reputation — you'll need to maintain good sending practices after delisting to avoid returning to the blocked list.
Authentication Is Non-Negotiable for Microsoft
No sender getting serious about Microsoft deliverability can skip authentication. Set up proper SPF, DKIM, and DMARC records before anything else. Microsoft has been progressively tightening its authentication requirements, and mail that fails SPF or lacks DKIM is increasingly likely to land in Junk or get rejected outright.
If you need help managing your sending infrastructure, MailDog's SMTP relay handles authentication setup as part of onboarding. For more guidance on fixing deliverability issues, see our deliverability audit checklist and our guide on recovering from a complaint spike. Questions? Reach out to the team.
The Bottom Line
Microsoft's filtering stack is multi-layered, reputation-driven, and increasingly dependent on authentication signals. Senders who treat it like just another spam filter will keep fighting delivery problems. The fundamentals are consistent: clean lists, proper authentication, stable sending patterns, and low complaint rates. Get those right, and Microsoft's filters will largely get out of your way.


