Office 365 Spam Filter: How It Works and How to Stop Mail Landing in Junk

By Dean Fiacco

· Published June 30, 2026

Your cold email looks fine in the sent folder and never shows up in the recipient's inbox. If that recipient runs on Microsoft 365, the thing standing between you and their attention is Exchange Online Protection, and it made its decision before a human ever saw the subject line. Microsoft and Google route roughly 90% of business inboxes between them, so understanding how the Office 365 spam filter reads your mail is half the deliverability battle.

How does the Office 365 spam filter work?

The Office 365 spam filter is Exchange Online Protection (EOP), Microsoft's built-in mail gateway that scores every inbound message and routes it to the inbox, the Junk folder, or quarantine based on that score. It runs on every Microsoft 365 tenant by default, before the message reaches the mailbox.

EOP assigns each message a spam confidence level (SCL) on a scale that runs from -1 (skip filtering, trusted) up through the higher numbers that mean "this is junk." Once the SCL crosses the tenant's spam threshold, the message gets stamped as spam and dropped into Junk. The admin can tune where the line sits, but most tenants run the default.

Two layers feed that score. Connection filtering looks at the sending IP itself, checking it against Microsoft's reputation data and block lists before the message content is even read. Content filtering then reads the message, weighing authentication results, the body, the links, and how the sender has behaved historically.

The signals EOP weighs most:

  • Authentication — whether SPF, DKIM, and DMARC pass for your sending domain. A failure here is one of the fastest routes to Junk.
  • IP and domain reputation — how the sending IP and domain have behaved over time. A clean history helps; a history of complaints or block-list hits hurts.
  • Recipient engagement — whether people at that organization open, reply to, or delete your mail without reading it. Microsoft watches this at the tenant level.
  • Complaint rate — how often recipients hit "report junk." A handful of complaints across a campaign moves the needle fast.
  • Content patterns — spammy phrasing, link-heavy bodies, mismatched display names, and message bodies that look identical across thousands of sends.

EOP doesn't publish the exact weights, and it adjusts them. What stays constant is the shape of the decision. Authentication and reputation get you in the door, and engagement decides whether you stay there.
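To see which of these signals EOP recorded for a message that landed in Junk, read the headers it stamped on delivery. The Python sketch below is an added example, not code from the original article or from Microsoft; it parses the Authentication-Results and X-Forefront-Antispam-Report headers of a constructed sample message, and the junk threshold of SCL 5 is an assumption about a default policy.

```python
import re
from email import message_from_string

# Constructed sample headers in the shape Exchange Online Protection stamps on
# delivered mail; the domain and IP are documentation placeholders.
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=example.com;
 compauth=fail reason=001
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;PTR:mail.example.com;CAT:SPM;
Subject: Quick question

Body
"""

JUNK_SCL = 5  # assumption: spam verdicts begin at SCL 5 on a default policy


def triage(raw):
    """Summarise the authentication results and SCL recorded on one message."""
    msg = message_from_string(raw)
    # Unfold continuation lines so each header is matched as a single line.
    auth = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    report = re.sub(r"\s+", " ", msg.get("X-Forefront-Antispam-Report", ""))
    # The report is a run of KEY:value; pairs, for example SCL:5;SFV:SPM;
    fields = dict(re.findall(r"(\w+):([^;]*);", report))
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", auth))
    raw_scl = fields.get("SCL", "")
    scl = int(raw_scl) if raw_scl.lstrip("-").isdigit() else None
    findings = [f"{m} did not pass ({v})" for m, v in results.items() if v != "pass"]
    for mech in ("spf", "dkim", "dmarc"):
        if mech not in results:
            findings.append(f"{mech} result missing")
    if scl is not None and scl >= JUNK_SCL:
        findings.append(f"SCL {scl} at or above junk threshold")
    return {"scl": scl, "sfv": fields.get("SFV"), "auth": results, "findings": findings}
```

Calling `triage(SAMPLE)` returns the SCL, the filtering verdict field, and a list of findings that shows authentication failed before content was ever weighed.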

Why does my cold email land in Office 365 spam?

Your cold email lands in Office 365 spam when EOP reads your send as a low-reputation, low-engagement message, usually because of broken authentication, a young or burned domain, or volume patterns that look like bulk mail. Cold outbound trips more of these signals than ordinary business mail because it's unsolicited, sent at volume, and lands on recipients who've never engaged with you.

The most common cause is an authentication gap: a missing or misconfigured DKIM record, an SPF record that doesn't cover your actual sending source, or a DMARC policy that's failing silently. EOP reads any of these as a reason to distrust the message.

Domain reputation is the next one. A brand-new domain has no sending history, so EOP treats it cautiously. A domain that's been pushed too hard, too fast, picks up a bad reputation that follows it. If your reply rate crashed overnight, that's the signature of a burned domain. If it's been trending down slowly, that's copy fingerprinting, where the same message body hits enough inboxes that filters start recognizing the pattern. EOP responds to both, and each one needs its own fix.

Then there's volume and engagement. Push thousands of near-identical messages from one domain and you look like a bulk sender. Google and Yahoo enforce bulk-sender rules around 5,000 daily messages, and Microsoft watches the same kind of pattern. Layer on low engagement, where recipients delete without reading or report junk, and EOP has everything it needs to start filtering you by default.

How do you stop legitimate email from going to O365 spam?

You stop legitimate email from going to Office 365 spam by fixing it from both sides: the sender locks down authentication and protects domain reputation, and the recipient's admin allowlists trusted senders at the tenant level. The inbound fix and the outbound fix are different jobs, and which one applies depends on whether you control the sending domain or the receiving tenant.

On the receiving side, if you're an admin and good mail from a known partner keeps hitting Junk, the fix lives in the Microsoft 365 Defender portal. You can add the sender to the allowed senders list, adjust the anti-spam policy, or set up connection filtering to trust a specific IP range. This is the right tool when you've vetted the sender and want their mail to skip the filter. It is not a tool for forcing your own cold outbound past someone else's filter, since you don't control their tenant.

On the sending side, the work is authentication and reputation. Get the auth stack right first:

  • SPF tells receiving servers which IPs are allowed to send for your domain. It has to cover every source you actually send from.
  • DKIM signs each message cryptographically so the receiver can confirm it wasn't tampered with and really came from your domain.
  • DMARC tells receivers what to do when SPF or DKIM fails, and gives you reporting on who's sending as you. (If you've ever asked what is DMARC, that's the short version: the policy layer that ties SPF and DKIM together.)

Add RFC 8058 one-click unsubscribe if you're sending at bulk volume, since Google and Microsoft now expect it. Then protect reputation: keep roughly a 2:1 warmup-to-cold traffic ratio so the domain has engagement signals behind its cold sends, clean catch-all addresses out of your list (they run about 20% of any B2B list and inflate bounce risk), and monitor sender reputation as the operating asset it is rather than checking it after replies have already dried up.
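The SPF requirement above, that the record cover every source you actually send from, can be checked before a send. This Python sketch is an added example, not from the original article; it evaluates `ip4`, `ip6`, `include` and `all` terms against a constructed zone dictionary that stands in for DNS, and enforces the RFC 7208 limit of 10 DNS-querying mechanisms. The domains, IPs and function names are placeholders.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups; all names are placeholders.
ZONE = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.sender.example -all",
    "_spf.sender.example": "v=spf1 ip4:203.0.113.0/25 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def spf_covers(domain, ip, zone, counter=None):
    """Return True if the SPF record for `domain` yields a pass for `ip`."""
    counter = [0] if counter is None else counter
    addr = ipaddress.ip_address(ip)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return False
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()
        if name in ("include", "a", "mx", "exists", "ptr"):
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                raise ValueError("SPF permerror: more than 10 DNS lookups")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include matches only when the included record returns pass.
            matched = spf_covers(value, ip, zone, counter)
        elif name == "all":
            matched = True
        else:
            matched = False  # a/mx/exists/ptr and modifiers need live DNS; skipped
        if matched:
            return qualifier == "+"
    return False


def uncovered_sources(domain, sources, zone):
    """List the sending IPs that the domain's SPF record does not authorize."""
    return [ip for ip in sources if not spf_covers(domain, ip, zone)]
```

Any IP returned by `uncovered_sources` would fail SPF at the receiver, and a `ValueError` means the record itself is invalid because of too many nested lookups.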

Office 365 vs Google: do they filter differently?

Office 365 and Google filter on the same fundamentals but apply them differently, with Microsoft leaning harder on IP and domain reputation and connection-level filtering, and Google leaning harder on engagement signals and content analysis. Both want the same auth stack, and both punish the same bad behavior, so the baseline work is identical even though the emphasis shifts.

Google's filtering is heavily engagement-driven. Gmail watches what recipients do with your mail closely, and a message that gets opened and replied to earns inbox placement quickly. Microsoft weighs engagement too, but its connection filtering and reputation scoring carry more of the decision, which is part of why a young or low-reputation IP struggles more on Microsoft than on Google.

The practical takeaway: you can't optimize for one and ignore the other. Since the two providers route around 90% of business inboxes between them, any real cold email list hits both, and a send that's clean enough for Gmail but throws bad reputation signals at Microsoft still loses half your audience. Build for the stricter reading of each signal and you cover both.

How to keep cold outbound out of O365 spam at scale (checklist)

You keep cold outbound out of Office 365 spam at scale by treating deliverability as a standing operation rather than a one-time setup, working through authentication, reputation, volume, and list quality on a recurring basis. Here's the sequence.

  1. Lock down authentication on every domain. SPF, DKIM, and DMARC configured correctly on each sending domain, plus RFC 8058 one-click unsubscribe for bulk volume. One misconfigured record routes good mail to Junk.
  2. Send from secondary domains, not your main one. Cold outbound burns reputation. Run it from dedicated sending domains kept separate from the domain your business actually relies on, so a burned domain never takes your real mail down with it.
  3. Spread volume across many domains. Keep each domain well under the ~5,000 daily bulk-sender threshold by carrying a small slice of total volume on each. That's horizontal scaling, with many domains each handling a fraction instead of one domain doing all the work and tripping every reputation alarm.
  4. Hold the warmup-to-cold ratio. Roughly 2:1 warmup to cold, run inside your sequencer. Push too much cold volume before the domain has engagement behind it and you torch its reputation early.
  5. Clean the list before every send. Catch-all addresses run about 20% of a typical B2B list and inflate bounce risk, which feeds straight into reputation. Verify first.
  6. Diagnose by the decay pattern. A reply rate that crashed overnight is domain burn, so replace the domain. A reply rate sliding down gradually is copy fingerprinting, so change the copy. Replacing a domain won't fix a message filters have already learned to recognize.
  7. Monitor reputation continuously. Sender reputation decays. Check it on a schedule and run a free deliverability check to see where your domains stand, plus a blacklist check to catch IPs that landed on a block list before EOP does.

Run that list and you'll keep most cold outbound landing in the inbox rather than Junk. The catch is that none of it runs itself. Every item is recurring work, and across a growing pool of domains it becomes a full-time job. The full setup is laid out in our cold email infrastructure guide, and if you'd rather not run it yourself, an email deliverability consultant can diagnose a one-time problem.

At ScaledMail, we provision and manage the sending infrastructure underneath cold outbound, built for exactly the signals Exchange Online Protection reads. That means secondary sending domains kept separate from your main business domain, real Google Workspace and Microsoft 365 inboxes, authentication configured correctly across SPF, DKIM, and DMARC on every domain, IP rotation, continuous reputation monitoring, and domain replacement when one gets burned. Real people run it, with US-based support, and you keep your own sequencer. Warmup runs inside that sequencer (Smartlead, Instantly, EmailBison, PlusVibe), where the engagement signals live, so we stay in the infrastructure lane and don't double-charge for what your sequencer already covers. If you need to send immediately, pre-warmed and pre-aged domains are available as a separate add-on. ScaledMail runs this at 230,000+ inboxes across 1,600+ subscribers, on a month-to-month subscription with volume discounts at the $1K and $5K monthly tiers. See the setup, or book a call to talk through your sending operation.
