How does Office365’s security layer affect bulk mailers?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If a good chunk of your list works at corporate companies, chances are they're using Microsoft 365 (formerly Office 365). And that means your emails aren't just hitting a spam filter. They're going through a whole stack of security tools before they ever reach an inbox.
Here's what that stack looks like in practice.
Exchange Online Protection (EOP) is the baseline filter that every Microsoft 365 mailbox gets automatically. It handles spam scoring, connection filtering, and content rules. But unlike a consumer inbox, corporate IT admins can tune these settings however they like. That's the tricky part. One company might let your emails through without issue. Another might have stricter spam thresholds, blocked sender lists, or custom content rules that catch your campaigns.
Microsoft Defender for Office 365 (what used to be called Advanced Threat Protection or ATP) adds another layer on top. It scans every URL in your email by running them through a sandbox. It scans attachments. It looks for phishing patterns. And it can delay delivery while it does all of this. A marketing link that's totally safe can still get flagged if it redirects through a tracking domain that Microsoft doesn't recognize or trust yet.
The practical impact on bulk senders is real. You might see your emails arrive in the recipient's junk folder even though the same message reaches consumer Outlook inboxes just fine. You might see delayed delivery on certain domains. You might see click tracking behave oddly because Microsoft's Safe Links system rewraps your URLs before the recipient ever clicks them (which can also mess with your click reporting).
What actually helps here is proper authentication. SPF, DKIM, and DMARC all pass signals to EOP that say your email is legitimate. Microsoft weighs authentication heavily for corporate filtering decisions. Without a clean auth setup, your emails look indistinguishable from spoofed or phished messages, and EOP treats them accordingly.
But a few other things worth knowing if you send B2B regularly:
- Each organization configures Microsoft 365 differently. There's no universal corporate Outlook. A small startup might run defaults. A financial firm might have locked down every setting.
- Tracking links that redirect through third-party domains can trigger Safe Links warnings or outright blocks. Some senders switch to branded tracking domains (a subdomain of their own domain) to reduce this.
- Attachments are almost always scanned, and some file types get quarantined by default. If you're sharing files, link to them in cloud storage rather than attaching them directly.
- Testing with real contacts at a few target companies is the only way to know what a specific organization's setup is doing to your mail. Send a test to someone at a company you care about and ask them to check headers.
If you're regularly landing in junk at corporate Microsoft 365 accounts and can't figure out why, the RME Email Header Analyzer can help you read what Microsoft's filters actually decided about your message. Or if it's more urgent than that, drop us a line and we'll take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.