Understanding High-Risk Delivery Pool in Exchange Online

When an outbound email is sent out from an M365 hosted tenant, Exchange Online scans the email and determines which server routes the email.

An Office 365 tenant may have one or more of its accounts compromised and used to send spam, or an attacker may abuse O365 email forwarding to send malicious bulk email carrying malware while avoiding detection. Recipient servers then add the connecting Microsoft IP address to their low-reputation lists or block lists. This could significantly harm other Microsoft 365-hosted tenants that send legitimate email through those same servers, as their messages might be blocked or relegated to the recipients' junk folders. To prevent this, Microsoft employs specific methods to manage outbound email.

The High-Risk Delivery Pool is a secondary IP address pool for outbound email that is used to send low-quality messages. This keeps spam off the normal outbound IP addresses and protects their reputation.

When sending email, Microsoft scans the message and determines whether its quality is low or high. If the email is classified as bulk, contains malware, or is identified as spam, Microsoft routes it through the High-Risk Delivery Pool (HRDP) so that the normal IP addresses are not blacklisted.

Messages from domains with no valid A records or MX records are also routed through the High-Risk Delivery Pool IP addresses, as are any NDRs that are generated.

To determine whether your email was routed through the HRDP, check the message header for the X-Forefront-Antispam-Report-Untrusted field. If it includes the value SFV:SPM, an SCL of 5 or higher, and SPF:1501, then the message was routed through the pool. You can also confirm this in an Extended Message Trace by looking for SFV:SPM and SCL:5 or higher. Note that email routed through the HRDP might not be delivered.
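The header check described above, as an added example that is not part of the original post: it parses the semicolon-separated KEY:VALUE pairs of X-Forefront-Antispam-Report-Untrusted from a raw message and applies the SFV:SPM plus SCL >= 5 criteria. The sample messages, addresses and IP are constructed for illustration.

```python
from email import message_from_string

# Header Exchange Online stamps on outbound mail before it is trusted/delivered.
REPORT_HEADER = "X-Forefront-Antispam-Report-Untrusted"


def parse_antispam_report(value: str) -> dict:
    """Turn 'CIP:...;SFV:SPM;SCL:5;...' into a dict; keys are upper-cased.
    Folded header lines are tolerated because each item is stripped."""
    fields = {}
    for item in value.split(";"):
        item = item.strip()
        if ":" not in item:
            continue
        key, val = item.split(":", 1)
        fields[key.strip().upper()] = val.strip()
    return fields


def routed_via_hrdp(raw_message: str) -> bool:
    """True when the report header says SFV:SPM and SCL is 5 or higher."""
    msg = message_from_string(raw_message)
    value = msg.get(REPORT_HEADER)  # header lookup is case-insensitive
    if value is None:
        return False
    fields = parse_antispam_report(value)
    try:
        scl = int(fields.get("SCL", "-1"))
    except ValueError:
        return False
    return fields.get("SFV") == "SPM" and scl >= 5


# Constructed sample: a message the filter marked as spam (HRDP candidate).
SAMPLE_HRDP = (
    "From: user@contoso.example\r\n"
    "To: recipient@fabrikam.example\r\n"
    "Subject: quarterly update\r\n"
    "X-Forefront-Antispam-Report-Untrusted: CIP:203.0.113.10;CTRY:US;LANG:en;\r\n"
    " SFV:SPM;SCL:5;SRV:BULK;\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed sample: a clean message that stays on the normal pool.
SAMPLE_CLEAN = SAMPLE_HRDP.replace("SFV:SPM;SCL:5", "SFV:NSPM;SCL:1")

if __name__ == "__main__":
    print("spam sample routed via HRDP:", routed_via_hrdp(SAMPLE_HRDP))
    print("clean sample routed via HRDP:", routed_via_hrdp(SAMPLE_CLEAN))
```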

How do you prevent your email from being routed through the HRDP?

  • You can prevent this by ensuring that your tenant maintains a good security posture. Regularly check that your domains and IP addresses are not being used to send spam. Use the email authentication frameworks SPF, DKIM and DMARC to improve email delivery and IP reputation.
  • Educate your users on email security best practices. Teach them how to spot spam and not to click on emails they are unsure about, so that their accounts are not compromised and used to send malware. Suspicious emails should be reported as junk or phishing. You can also turn on the first contact safety tip in your anti-phishing policy to warn users about email from someone they have not received a message from before.
  • In the Defender portal, you can set a sending limit and configure alert notifications within the outbound anti-spam policy. These apply when a user's outbound email is detected as spam. Additionally, you can block the user from sending any email for 24 hours if they have been flagged for sending bulk email or for exceeding their sending limits.

To summarize all that has been said, Office 365’s sophisticated algorithms identify and segregate these risky emails into a separate delivery pool. This ensures that the integrity and reputation of the primary sending servers remain intact, preventing potential blacklisting by email providers. It is crucial to understand this mechanism to avoid legitimate emails being mistakenly categorized as high risk. Regular monitoring and good email practices are key to maintaining a trustworthy sender reputation within Office 365.

Blazon Globe Technology offers professional consulting services for Microsoft 365 business solutions. We deeply care about our business and consumer clients. Feel free to direct message us or email [email protected] for assistance.
