Outlook spam filter: built-in settings, what they miss, and when to upgrade

Outlook’s spam filter is on by default. 

Most people never touch it. Most people also complain that junk keeps getting through.

That’s not a coincidence.

The built-in filter is more capable than it looks—but it ships with conservative settings and almost no guidance on what to change. 

This guide covers exactly that: how to configure what you have, what it still won’t catch, and when it’s worth adding something on top.

In short
Outlook includes a free Junk Email Filter—it’s already running, but defaults to “standard” protection. Bumping it to “strict” and using “safe” and “blocked sender” lists makes a significant difference for most users. Blocking individual senders won’t stop persistent spam, though—spammers rotate domains and spoof addresses constantly. For individuals, SPAMfighter or MailWasher fills the gaps in the built-in filter.

At a glance: which spam filter is right for you?

| Use case | Best option | What it costs |
| --- | --- | --- |
| Personal—want something free and simple | SPAMfighter | Free (home users) |
| Personal—want to preview mail before it downloads | MailWasher | Starting from $42 per year |
| Personal (Mac) | SpamSieve | $40 per license |
| Business—SMB, Microsoft 365 | SpamTitan | Contact vendor |
| Business—needs advanced phishing/BEC protection | Proofpoint Essentials | Contact vendor |
| Business—API-based, stays inside 365 environment | Check Point (Avanan) | Contact vendor |
| Business—advanced filtering at gateway level for large organisations | Mimecast | |
| Microsoft 365 users wanting native upgrade | Microsoft Defender Plan 1 | Add-on to M365 |

Note: If you’re managing email on an iPhone rather than a desktop PC, the approach is different—here’s how spam filtering works on iOS.

What Outlook’s Junk Email Filter actually does

Outlook’s Junk Email Filter assigns every incoming email a “risk” score based on a set of criteria like sender reputation, message content, and authentication checks. Cross the threshold, and it lands in the Junk folder instead of your inbox.

The filter has two protection levels. Here’s what each one actually means:

1) Standard—catches obvious junk: known spammer addresses, messages with classic spam signals. Misses sophisticated phishing attempts.

2) Strict—the most aggressive option. Everything goes to Junk unless the sender is on your Safe Senders list. Good for inboxes with a stable, known set of contacts. Too blunt for anyone who regularly receives email from new senders.

For most people: if you train your filters appropriately, the “standard” protection level should be more than sufficient.

How to change your protection level:

  • Outlook web app: “settings” → “mail” → “junk email” → choose your level → “save.”

Beyond protection levels: fine-tuning what Outlook blocks

Adjusting the protection level is step one. These settings add real precision on top of it.

1) Safe Senders List

Emails from senders listed as “safe” always land in your inbox, no matter what the filter scores them. Add trusted contacts, newsletters you actually want, and any address that keeps hitting Junk by mistake. 

  • For the Outlook web app:

Go to “settings” → “mail” → “junk email” → “safe senders and domains” → “add safe sender” → type in the address → “ok” → “save.”

2) Blocked Senders List

Anything from these addresses or domains goes straight to Junk. Useful for recurring offenders—or if you want to block a sender across other email clients too, not just Outlook. Less useful for spammers who change addresses constantly—which most of them do.

  • For the Outlook web app:

Go to “settings” → “mail” → “junk email” → “blocked senders and domains” → “add blocked sender” → type in the address → “ok” → “save.”

3) Blocked Domains

This is the one most people don’t know exists. Instead of blocking individual email addresses, you can block the domain where these addresses are hosted.

Suppose you receive a lot of spam from different addresses that all end in the same domain. With the regular blocked senders list you can add only specific addresses, and that won’t solve the problem.

Instead, take the domain “spam.com” and add it to the blocked list. You only need to include what comes after the “@” symbol. 

For example: any address ending in “@spam.com” → spam.com

  • For the Outlook web app:

Go to “settings” → “mail” → “junk email” → “blocked senders and domains” → “add blocked sender” → type in the domain → “ok” → “save.”

4) Inbox rules for keyword filtering

For spam that consistently slips through with the same phrasing, like “lottery,” “reward,” “you’ve won,” and similar, you can create a custom filter that’ll apply to any emails containing these keywords in the subject or body:

  • For the Outlook web app:

Go to “settings” → “mail” → “rules” → “add new rule” → “add a condition” → “subject or body includes” → “add action” → “move to” → “move to a different folder” → “junk email.”

You can also add another rule where the action would be to “mark as junk” to teach your filters at the same time.

Manual, but effective for patterns the filter consistently misses.

Why spam still gets through after all that

You’ve set the filter right. You’ve blocked the sender. But the junk mail keeps arriving.

Why? Because malicious spammers often change their addresses to get through your filters.

This is sender spoofing and domain rotation—the core reasons address-based blocking has limits. Spammers constantly rotate sending domains; blocking one address only catches that address. The next campaign arrives from a new one the filter has never seen.

The built-in filter works on what it already knows. It’s reactive by design. Sophisticated phishing attempts, spoofed sender addresses, and newly registered spam domains arrive before Outlook’s blocklists can catch up.

This is when third-party tools become worth considering.
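The limits described above, as an added example that is not part of the original article and not Outlook's actual algorithm: a simplified model of the safe sender, blocked sender, blocked domain and keyword-rule checks, run over a constructed campaign that rotates its sending domain. The list contents, the `.example` domains and the function names `triage`, `make` and `junked` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list contents; spam.com is the page's own example domain.
SAFE_SENDERS = {"news@example.org"}
BLOCKED_SENDERS = {"promo1@spam.com"}
BLOCKED_DOMAINS = {"spam.com"}
KEYWORDS = ("lottery", "reward", "you've won")


def triage(raw, use_domains=True, use_keywords=True):
    """Simplified model of list-based filtering; returns (folder, reason)."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]  # everything after the "@"
    if addr in SAFE_SENDERS:  # safe list wins over every other check
        return "Inbox", "safe sender"
    if addr in BLOCKED_SENDERS:
        return "Junk", "blocked sender"
    if use_domains and domain in BLOCKED_DOMAINS:
        return "Junk", "blocked domain"
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if use_keywords and any(k in text for k in KEYWORDS):
        return "Junk", "keyword rule"
    return "Inbox", "no list matched"


def make(sender, subject, body):  # builds a constructed sample message
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"


# Constructed campaign: one pitch, rotating sender addresses and domains.
CAMPAIGN = [
    make("promo1@spam.com", "You've won", "Claim your reward"),
    make("promo2@spam.com", "You've won", "Claim your reward"),
    make("Deals <win@fresh-domain.example>", "You've won", "Claim your reward"),
    make("info@other-domain.example", "Invoice attached", "Please review"),
]
# Constructed wanted newsletter that happens to contain a rule keyword.
NEWSLETTER = make("News <news@example.org>", "Your reward points", "Monthly update")


def junked(**opts):  # number of campaign messages routed to Junk
    return sum(triage(m, **opts)[0] == "Junk" for m in CAMPAIGN)


if __name__ == "__main__":
    for m in CAMPAIGN + [NEWSLETTER]:
        print(triage(m))
```

Each list catches only what it has already seen: the message from a new domain with new wording matches nothing and reaches the inbox, while the safe sender entry keeps the wanted newsletter out of Junk despite the keyword rule.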

Spam filter vs email security: an important distinction

Most people use “spam filter” to mean “the thing that stops junk.” But there’s a meaningful gap between removing junk and stopping threats.

A spam filter routes unwanted email. 

Email security tools—like Microsoft Defender for Office 365—go further and protect against what spam filters weren’t designed to catch:

  • Safe Links: checks URLs at the time you click them, not just at delivery. A link can be clean when the email arrives and weaponized hours later. Safe Links catches that.
  • Safe Attachments: opens attachments in a sandbox before they reach you. If a file contains ransomware or a zero-day exploit, it’s detonated in an isolated environment before landing in your inbox.

Outlook’s built-in filter protects you from junk. It doesn’t protect you from a convincing-looking invoice carrying malware—and if you’ve already opened something suspicious, the steps you take next matter.

For anyone using Microsoft 365 who handles sensitive data or operates in a business context, Defender Plan 1 is the argument to make to whoever controls the budget. 

It’s the line between spam filtering and actual email security—and for most organizations, that line matters.

For anyone handling sensitive data, encrypting your emails adds a layer of protection that filtering alone can’t provide.

Third-party spam filters for Outlook: who needs what

The right tool depends entirely on your situation. Let’s go through some of the options.

For individuals and small teams

SPAMfighter

Installs as an Outlook plugin and runs quietly in the background. 

The way it works: when enough users flag the same message as spam, it gets blocked for everyone. 

Free for home users, and there’s nothing to configure—just install and go.


MailWasher

Checks your mail on the server before it downloads to Outlook, so you can preview and delete messages before they ever hit your inbox. 

Good for anyone who likes to stay hands-on with what comes through—especially if you’re being targeted individually rather than just caught in a mass spam campaign.


SpamBully

Uses adaptive AI that watches how you interact with your email over time and adjusts its filtering accordingly. Around $29.95/year, Windows only. 

Worth considering if you want a filter that learns your habits specifically—rather than relying on what everyone else is flagging.


SpamSieve

The go-to pick for Outlook on Mac. 

Uses Bayesian filtering to personalize detection based on your own email patterns. Frequently recommended in the Microsoft community for Mac users who find the built-in filter isn’t cutting it.

For businesses on Microsoft 365

Microsoft Defender for Office 365 Plan 1

The logical first upgrade if you’re already on Microsoft 365. 

It adds Safe Links and Safe Attachments—the two features covered above that take you from spam filtering into actual email security.


SpamTitan

A cloud gateway that integrates with Microsoft 365. 

SpamTitan claims a 99.97–99.99% spam catch rate (vendor-reported figure, not independently verified), along with dual antivirus engines (Kaspersky + ClamAV) and greylisting to screen unknown senders. 

A better fit than Defender if you want more control over configuration or prefer not to be locked into the Microsoft ecosystem.


Check Point (formerly known as Avanan)

API-based rather than gateway-based, which means it doesn’t intercept mail before it arrives—it sits inside your 365 mailbox and scans after delivery. 

That gives it the full context of your mailbox, including internal emails that gateways typically never see. 

The tradeoff: it catches threats after they land, not before. Still, it’s a frequent recommendation among IT professionals for Microsoft 365 environments.


Proofpoint Essentials

The enterprise option. 

Specializes in Business Email Compromise (BEC) and advanced phishing, using behavioral analysis to catch what simpler filters miss. 

A frequent recommendation in IT communities for larger organizations. Contact the vendor for pricing.


Mimecast

A cloud gateway with a long track record in corporate environments. 

Claims 99% spam protection and a 0.0001% false-positive rate (both vendor-reported figures).

Stands out for spear-phishing and Business Email Compromise protection, and comes with an Outlook plugin that keeps things familiar for end users. 

A better fit for larger organizations that need more advanced threat management than SpamTitan covers.

Plugins vs gateways: a quick distinction

A plugin (SPAMfighter, SpamBully, MailWasher) installs on your machine and works inside Outlook. Personal—it filters your inbox, no one else’s. Setup takes minutes.

A gateway (SpamTitan, Mimecast) intercepts mail at the network level—before it ever reaches Outlook. It covers every address on your domain, but it requires an MX record change and some IT involvement to set up. This is a company-level tool, not something you’d deploy as an individual.

→ If you’re a solo user frustrated with junk mail: plugin or built-in settings improvement. 

→ If you’re an IT admin managing a domain: gateway.



FAQ

Does Outlook have a free spam filter? 

Yes—the Junk Email Filter is built in and free. It’s included in every version of Outlook—desktop, web, and mobile—with no add-ons or subscriptions required.

Why is Outlook still letting spam through after I blocked the sender? 

Because spammers rarely reuse the same address twice. Domain rotation and sender spoofing mean blocking one address only catches that address. A behavioral or AI-based filter—which looks at patterns rather than specific addresses—is the answer to persistent offenders.

How do I whitelist a sender in Outlook? 

Go to “settings” → “mail” → “junk email” → “safe senders and domains” → “add safe sender” → type in the address → “ok” → “save.”

How do I report spam to Microsoft? 

Select the message → “report” (in the bar at the top) → “report junk” or “report phishing.” This sends the message to Microsoft for analysis and helps improve the filter for all Outlook users.

What is ZAP (Zero-hour Auto Purge)? 

A Microsoft 365 feature that retroactively moves messages already delivered to your inbox if they’re later identified as spam or malware. Enabled by default in 365. Useful for catching threats that only get flagged after blocklists catch up—which sometimes happens hours after delivery.

Why is my spam getting worse overall, not just in Outlook? 

If your address is circulating in data broker databases, new spam campaigns will keep reaching you from senders no filter has seen before. No amount of filter configuration fixes a compromised address—the junk arrives fresh each time, and if your phone number is also in those databases, spam texts tend to follow. Removing your data from broker databases is the upstream fix—but it helps to also know the full range of ways to stop spam emails reaching you in the first place.
