If you are using Transport Rules to manage your email filtering you may run into a very odd situation of having mail sent from White-listed domains (or email addresses or content or…) still being blocked by other transport rules. This can occur even if you have set the STOP PROCESSING MORE RULES checkbox. Microsoft documentation states:
"Stop processing more rules: This is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message."
The confusion arises because the wording Microsoft chose for STOP PROCESSING MORE RULES is inaccurate. It should read STOP PROCESSING MORE RULES FOR THE SAME CHARACTERISTIC.
In my case, I had whitelisted a domain in rule number 12 which correctly set emails from that domain to Spam Confidence Level (SCL) equals -1. However, a sender from that domain was using TINY.CC links in the body of their emails and my rule number 14 quarantined any messages that use TINY.CC.
To my reading, rule number 12 is above rule 14, so rule 14 should not have been processed or considered. That is not the case.
After banging my head on this for weeks (on and off) I called Microsoft and had an excellent tech explain that the STOP PROCESSING MORE RULES only applies to rules setting the same characteristic. In rule 12’s case, it was considering the domain, but rule 14 was considering the content so both rules were applied and a whitelisted domain still had its emails sent to the quarantine. Bizarre.
The solution in my case was to simply add an EXCEPT in my rule 14 for the domain in question.
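The PowerShell below is an added example, not part of the original post or Microsoft's documentation. For each rule that sets SCL to -1 for a sender domain, it reports later quarantine rules that lack an exception for that domain. The function name Find-AllowListGap, the rule names and the domain contoso.com are constructed for illustration; the property names are the ones Get-TransportRule returns.

```powershell
# Added example: audit transport rules for the allow-list/quarantine gap described above.
function Find-AllowListGap {
    param([Parameter(Mandatory)] [object[]] $Rules)

    $ordered = $Rules | Sort-Object Priority

    # Rules that allow-list sender domains by setting SCL to -1.
    # String comparison so it works whether SetSCL arrives as an int or as text.
    $allow = $ordered | Where-Object { "$($_.SetSCL)" -eq '-1' -and $_.SenderDomainIs }

    foreach ($a in $allow) {
        # Quarantine rules that sit lower in the list than the allow rule.
        $later = $ordered | Where-Object { $_.Priority -gt $a.Priority -and $_.Quarantine }
        foreach ($q in $later) {
            # Allow-listed domains the quarantine rule does not exempt.
            $missing = @($a.SenderDomainIs |
                Where-Object { $_ -notin @($q.ExceptIfSenderDomainIs) })
            if ($missing.Count -gt 0) {
                [pscustomobject]@{
                    AllowRule      = $a.Name
                    QuarantineRule = $q.Name
                    MissingDomains = $missing
                }
            }
        }
    }
}

# Constructed sample modelled on rules 12 and 14 from the text (names and domain are placeholders).
$sample = @(
    [pscustomobject]@{ Priority = 12; Name = 'Allow partner domain'
                       SenderDomainIs = @('contoso.com'); SetSCL = -1
                       Quarantine = $false; ExceptIfSenderDomainIs = $null }
    [pscustomobject]@{ Priority = 14; Name = 'Quarantine tiny.cc links'
                       SenderDomainIs = $null; SetSCL = $null
                       Quarantine = $true; ExceptIfSenderDomainIs = $null }
)
Find-AllowListGap -Rules $sample

# Against a live tenant, after Connect-ExchangeOnline:
#   Find-AllowListGap -Rules (Get-TransportRule)
# The fix from the text, applied to a flagged rule. This parameter replaces the
# rule's existing exception list, so include any domains already exempted:
#   Set-TransportRule -Identity 'Quarantine tiny.cc links' -ExceptIfSenderDomainIs 'contoso.com'
```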
EMAIL FILTERING ORDER OF OPERATIONS ON OFFICE 365 HOSTED EXCHANGE:
The order for email blocking on Office 365 Exchange is:
- Connection Filter
- Malware Filter
- Transport Rule (in order and with the STOP PROCESSING issue noted above)
- Spam Filter
- Advanced Threat Management (has base features [AntiPhishing, AntiSpam, Anti-Malware] and additional cost options [Safe Attachments and SafeLinks])