What Determines Whether an Email Goes to Junk Folder or Quarantine?
If your organization uses Microsoft Defender, you may have received emails in your inbox about messages being held in quarantine for you to review.
We’re all familiar with the Outlook junk folder: it’s reserved for emails that Microsoft has flagged as possible spam. Of course, the algorithm behind which emails get moved to the junk folder isn’t perfect, as even real messages from your employees or clients could end up there.
Quarantining emails takes it one step further, as it’s reserved for emails that Microsoft has flagged as high-confidence spam or possibly phishing. When an email is quarantined, Microsoft allows you to safely preview it before deciding to release the email to your inbox, delete it, and/or block the sender.
So what determines whether emails end up in the junk folder or quarantine?
Spam Confidence Level Dictates Where Emails Go
It all has to do with Microsoft’s spam confidence level (SCL). Every inbound message goes through spam filtering and is assigned an SCL value. A higher SCL value indicates a message is more likely to be spam or phishing.
The table below shows Microsoft’s default action depending on the SCL value.
SCL value | Definition | Default action | Example of triggers |
--- | --- | --- | --- |
-1 | The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient or is from an email source server on the IP Allow List. | Deliver the message to recipient inbox folders. | Whitelisted IPs or domains, safe sender lists, internal communication |
0 or 1 | Spam filtering determined the message wasn’t spam. | Deliver the message to recipient inbox folders. | Legitimate business correspondence, transactional emails, personal emails |
5 or 6 | Spam filtering marked the message as Spam. | Default anti-spam policy, new anti-spam policies and Standard preset security policy: Deliver the message to recipient junk email folders. | Use of spam-trigger keywords, high image-to-text ratio, poor email formatting or coding; frequent sending of similar messages; links to questionable domains |
7, 8 or 9 | Spam filtering marked the message as High-confidence spam. | Default anti-spam policy and new anti-spam policies: Deliver the message to recipient junk email folders. | Blacklisted senders, use of deceptive headers or subject lines, inclusion of malware or suspicious attachments, phishing attempts, email spoofing |
As you can see, strict anti-spam policies are quite stringent and will quarantine any email marked as spam or high-confidence spam, whereas default or standard policies will move emails marked as spam to the junk folder and quarantine emails marked as high-confidence spam.
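When you need to check why a particular message landed where it did, the SCL can be read from the message's headers. The following is an added example, not code from this article or from Microsoft: it assumes the SCL is carried in the SCL: field of the X-Forefront-Antispam-Report header that Exchange Online stamps on inbound mail, and it maps the value to the default anti-spam policy rows of the table above. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy

# SCL value -> (verdict, default action), from the default anti-spam policy
# rows of the table above. Other policies may quarantine instead.
SCL_TABLE = {-1: ("skipped spam filtering", "inbox")}
SCL_TABLE.update({v: ("not spam", "inbox") for v in (0, 1)})
SCL_TABLE.update({v: ("spam", "junk folder") for v in (5, 6)})
SCL_TABLE.update({v: ("high-confidence spam", "junk folder") for v in (7, 8, 9)})

def extract_scl(raw_message: bytes):
    """Return the SCL as an int, or None if no usable SCL field is present."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Assumption: the first X-Forefront-Antispam-Report header is the one
    # stamped by the receiving tenant.
    report = msg.get("X-Forefront-Antispam-Report")
    if report is None:
        return None
    # The header is a ';'-separated list of KEY:value fields. The parser has
    # already unfolded it, so a field pushed onto a continuation line is found.
    for field in str(report).split(";"):
        key, _, value = field.strip().partition(":")
        if key.upper() == "SCL":
            try:
                return int(value.strip())
            except ValueError:
                return None  # malformed value: treat as unknown, do not guess
    return None

def triage(raw_message: bytes):
    """Map a raw message to (scl, verdict, default action) per the table."""
    scl = extract_scl(raw_message)
    if scl is None:
        return (None, "no SCL stamped", "unknown")
    verdict, action = SCL_TABLE.get(scl, ("not listed in table", "unknown"))
    return (scl, verdict, action)

# Constructed sample message (not a real capture); the header is folded.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Invoice\r\n"
    b"X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;\r\n"
    b" SCL:5;SFV:SPM;DIR:INB;\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```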
Your managed service provider can alter these settings based on your preferences. Just like the algorithm for the junk folder, the quarantine algorithm isn’t perfect and might quarantine an email that should not be quarantined. In that case, you can release the email from the Microsoft Defender page, and the email — along with future emails like it — will show up in your inbox.
It’s important to note that phishing emails still can slip through the cracks and find their way into your inbox. Microsoft’s spam filter cannot guarantee 100% protection, so you’ll still need to look out for signs of phishing when reviewing emails.
Quarantined emails will stay in quarantine for 30 days, after which they will be automatically deleted.