How Email Spam Filtering Works
- June 23, 2026
Email spam filtering is the layer that checks every inbound message and decides whether it reaches the inbox, goes to junk, or is blocked outright. It works on a stack of signals: the sender's reputation, whether the domain passes authentication, the content and links in the message, and increasingly machine learning trained on billions of messages. For a business, the practical question is not "do we have a filter" but "is it tuned well enough to stop the dangerous mail without burying the real mail".


Key facts
- Spam filtering scores each message on sender reputation, authentication results, content, and links, then delivers, quarantines, or rejects it.
- Every Microsoft 365 mailbox includes Exchange Online Protection, and Business Premium adds Defender for Office 365 Plan 1 with Safe Links and Safe Attachments.
- Filters work best when SPF, DKIM, and DMARC are in place, because authentication is one of the strongest trust signals a filter uses.
- A filter tuned too aggressively causes false positives, where legitimate mail lands in junk, which is as costly to a business as spam itself.
- Pure spam filtering does not reliably stop business email compromise, which uses clean, text-only impersonation rather than malicious content.
- Quarantine review and a clear release process matter as much as the filter, so staff can recover wrongly held mail quickly.
How does email spam filtering actually work?
A modern filter runs every inbound message through several checks before it ever reaches a person. First it looks at where the message came from: the sending server's reputation, whether the domain passes SPF, DKIM, and DMARC, and whether the sending pattern looks like bulk or abuse. Then it examines the message itself, scanning content and headers for known spam and phishing patterns, and checking links and attachments against threat intelligence. Services like Microsoft Defender for Office 365 go further and detonate suspicious links and attachments in a sandbox before delivery. Each signal adds to a score, and the filter delivers, quarantines, or rejects based on where that score lands and the policy you have set.
What is the difference between filtering, junk, and quarantine?
These three outcomes are not the same, and knowing the difference saves a lot of "where did my email go" calls. Junk is mail the filter judged low-confidence spam, delivered to the user's Junk Email folder where they can still see and recover it. Quarantine is mail held back from the mailbox entirely because the filter rated it riskier, released only by an admin or through a review process. Rejection means the message was refused at the door and never accepted, which is what happens to mail that fails strict authentication. Good configuration is mostly about setting sensible thresholds for each, so genuinely dangerous mail is quarantined or rejected while borderline mail goes to junk rather than vanishing.
Why does legitimate email sometimes go to spam?
Most false positives trace back to authentication or reputation, not content. If the sender's domain has a weak or missing SPF, DKIM, or DMARC setup, your filter has less reason to trust it, so legitimate mail scores worse. The same happens when a sender's IP has a poor reputation or when a filter is tuned too aggressively in the name of safety. This is the trade-off at the heart of spam filtering: turn it up and you stop more bad mail but trap more good mail; turn it down and the reverse. The fix is rarely a blunt setting change. It is correct authentication on both ends, sender allow-listing where appropriate, and a quarantine process staff can actually use. (This is also why we set up email and spam protection and email authentication together rather than separately.)
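What a weak or missing SPF or DMARC setup looks like at the DNS level, as an added example that is not part of the original article. The function names and the TXT records are constructed for illustration; the SPF checks follow RFC 7208 and the DMARC tags follow RFC 7489.

```python
import re

# SPF terms that trigger a DNS lookup; RFC 7208 caps them at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Findings for the TXT records published at the sending domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record, evaluation ends in permerror"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    findings = []
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, the limit is 10")
    if "all" not in names and "redirect" not in names:
        findings.append("SPF: no 'all' or redirect, unlisted senders get neutral")
    for term, name in zip(terms, names):
        if name == "all" and term[0] in "+?a":  # bare 'all' means '+all'
            findings.append(f"SPF: '{term}' does not fail unlisted senders")
    return findings

def lint_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    tags = dict(p.strip().lower().split("=", 1)
                for p in dmarc[0].split(";") if "=" in p)
    findings = []
    if tags.get("p", "").strip() == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, no aggregate reports to review")
    return findings

def lint_domain(spf_txt, dmarc_txt):
    return lint_spf(spf_txt) + lint_dmarc(dmarc_txt)

# Constructed records for a hypothetical sender, weak and then corrected.
WEAK = (["v=spf1 include:_spf.mailer.example ?all"], ["v=DMARC1; p=none"])
FIXED = (["v=spf1 include:_spf.mailer.example -all"],
         ["v=DMARC1; p=quarantine; rua=mailto:dmarc@supplier.example"])

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("fixed", FIXED)):
        print(label, lint_domain(*records))
```

Feed it the TXT answers you already have for a sender's domain and its `_dmarc` name; it performs no DNS queries itself.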
Is built-in filtering enough for a business?
For many Sydney SMEs, Microsoft 365 filtering is enough once it is configured properly, and that "once configured properly" is the catch. Exchange Online Protection comes with every mailbox, and Business Premium adds Defender for Office 365 Plan 1, which brings Safe Links, Safe Attachments, and impersonation protection. Left on defaults it is decent; tuned with the right preset security policies it is strong. Where a business has heavier compliance needs, wants email archiving alongside, or runs a mix of mail platforms, a dedicated third-party layer such as Sophos can add value. The honest answer for most SMEs is that getting the Microsoft tooling configured correctly beats buying another product on top of a misconfigured one.
Frequently asked questions
Does Microsoft 365 include spam filtering?
Yes. Every Microsoft 365 mailbox includes Exchange Online Protection, which handles spam, bulk mail, and known malware. Business Premium adds Defender for Office 365 Plan 1 for stronger phishing, impersonation, and link and attachment protection. Both work far better once configured with the recommended security policies rather than left on defaults.
How do I stop real emails going to junk?
Start with authentication. Make sure the sender's domain passes SPF, DKIM, and DMARC, because weak authentication is the most common reason legitimate mail is distrusted. From there, sensible allow-listing of known senders and tuning the filter thresholds usually resolves it, without weakening protection across the board.
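To see which check a junked message actually failed, read the headers Exchange Online Protection stamps on it. The sketch below is an added example, not part of the original article: the message is constructed, the function names are illustrative, and the SCL bands are assumed from Microsoft's published SCL table.

```python
import email
import re

# Constructed sample in the layout Exchange Online Protection stamps on
# inbound mail; every name, address and value below is made up.
RAW = """\
From: Accounts <accounts@supplier.example>
Subject: Invoice 1042
Authentication-Results: spf=softfail (sender IP is 203.0.113.25)
 smtp.mailfrom=supplier.example; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=supplier.example;
 compauth=fail reason=001
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:AU;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;PTR:mail.supplier.example;CAT:SPM;

See attached invoice.
"""

# SCL bands per Microsoft's SCL table (assumed current); others shown as-is.
SCL_BANDS = {-1: "filtering bypassed", 0: "not spam", 1: "not spam", 5: "spam",
             6: "spam", 8: "high confidence spam", 9: "high confidence spam"}

def unfold(value):
    """Join a folded header back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "")

def auth_results(msg):
    """Return {'spf': 'softfail', ...} from Authentication-Results."""
    text = unfold(msg.get("Authentication-Results"))
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", text))

def antispam_report(msg):
    """Return the KEY:VALUE fields of X-Forefront-Antispam-Report."""
    fields = unfold(msg.get("X-Forefront-Antispam-Report")).split(";")
    pairs = (f.partition(":") for f in fields)
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}

def triage(raw):
    """Summarise the filter verdict and which authentication checks failed."""
    msg = email.message_from_string(raw)
    auth, report = auth_results(msg), antispam_report(msg)
    scl = report.get("SCL", "")
    known = scl.lstrip("-").isdigit()
    failed = [f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc")
              if auth.get(k) != "pass"]
    return {"verdict": SCL_BANDS.get(int(scl), f"SCL {scl}") if known else "no SCL",
            "failed_auth": failed, "source_ip": report.get("CIP")}

if __name__ == "__main__":
    print(triage(RAW))
```

A result with a spam verdict and a non-empty `failed_auth` list points at the sender's records rather than the message content, which is the case where allow-listing or threshold changes are the wrong first move.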
Can spam filtering stop phishing and BEC?
It stops a lot of phishing, especially anything with malicious links or attachments. It is weaker against business email compromise, which uses clean, text-only impersonation. For that you need impersonation protection and strong account security in addition to the filter.
Should we buy a third-party spam filter?
Often the better first step is to configure the Microsoft 365 protection you already pay for. A third-party layer earns its place when you have specific compliance, archiving, or multi-platform needs. We look at what you have before recommending more spend.
If your team is either drowning in spam or constantly fishing real mail out of junk, the filter is usually just tuned wrong. We sort that out for Sydney businesses regularly, and it is normally a configuration job rather than a new purchase.


About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including email security, Microsoft 365 hardening, spam and phishing protection, and incident response, with on-site support across the Sydney metro area and remote delivery nationally.