So, you have decided to use the Exchange Online Protection (EOP) quarantine and have enabled End user Spam Notifications (ESN). Great choice! Now, after a couple of days have passed, you are wondering if everything is working as it should. How can you verify that ESNs are being delivered to your users? That is a great question and one that is easy to answer! First though, let’s review what an ESN is.
End user Spam Notification refresher
An ESN is a method by which end users can manage their own spam quarantine. When enabled, ESNs are sent out at most once a day (can be configured to be less frequent) and will contain a digest of messages that have been placed in the users quarantine since the last ESN was sent out. If no messages have been directed to an end users quarantine they will not receive an ESN.
The following is an example of an ESN.
Note: Messages that are diverted to the quarantine through a transport rule will not appear in an ESN. Only messages placed in the quarantine by the spam engine will appear in an ESN.
ESNs can be enabled on the Default Content Filter along with any custom Content Filter that is scoped to a domain. ESNs cannot be enabled on custom Content Filters that have been scoped to either individuals or groups.
To enable ESNs, highlight a Content Filter and click the Configure end-user spam notifications link on the right side of the page.
Verify ESNs are being sent
ESNs are always sent from email@example.com which makes them easy to track. In the Exchange Admin Center, select Mail Flow and then Message Trace. Filter on the ESN sending address like so.
Now run the message trace to see all ESNs that have been delivered in the specified time frame.
EOP spam filters will sometimes mark an ESN as spam based on the contents of the message. If you experience this, create a transport rule that will white list messages from firstname.lastname@example.org. The rule would look something like this.
This works because ESNs are sent through your tenant and so are subject to EOP transport rules.