Get answers to your general questions about the Forefront Online Protection for Exchange (FOPE) service right here.

You can find more FOPE documentation at the following locations:
FOPE Technical Support FAQs - Details many troubleshooting tips for FOPE.
FOPE User Guide - In-depth documentation that covers setup, migration, best practices, and advanced features. Within the FOPE User Guide are the following FAQ topics:

Forefront Online Protection for Exchange (FOPE) FAQ in the Office 365 community - A FOPE FAQ for Office 365 customers.

Q. What is Forefront Online Protection for Exchange (FOPE)?
A. Microsoft Forefront Online Protection for Exchange (FOPE) is a hosted service that can help protect your business’ incoming and outgoing email from spam, malware, phishing scams, and email policy violations.

FOPE provides comprehensive protection, integration with Exchange Server 2010, and Forefront Protection 2010 for Exchange Server. Simple management results in peace of mind for businesses looking to secure their email infrastructure. FOPE was previously known as Microsoft Exchange Hosted Filtering (EHF) and Forefront Online Security for Exchange (FOSE).

Q. How is email protected by using FOPE?
A. The best way to protect your email is by stopping junk email and other threats before they reach your network. FOPE uses multiple antivirus engines to detect both known and unknown messaging threats. Additionally, FOPE requires that you restrict your email servers to respond only to inbound requests from the FOPE network. This means that your email server IP addresses are completely masked from the Internet. Dangerous worms, denial of service (DoS) assaults, and malicious attackers can neither detect nor reach your email servers.

Q. Can I use FOPE with a mail server other than Exchange Server?
A. Yes, FOPE can be used with any SMTP mail transfer agent. FOPE uses standard mail protocols to filter and deliver mail.

What size of organization can use the service?
A. FOPE can provide email filtering for organizations of any size, and current customers range from 5 to 500,000 users. The FOPE network has sufficient capacity to accommodate your growth, no matter how fast your organization grows.

Q. How can customers purchase FOPE?
A. FOPE can be purchased as a stand-alone service, and it is part of a number of different Microsoft product suites, including Microsoft Office 365, Microsoft Enterprise Client Access License (ECAL) Suite, Microsoft Exchange Enterprise CAL Suite, and the Microsoft Forefront Protection Suite.

Exchange Hosted Encryption is available as an add-on service to FOPE which provides policy based email encryption. Exchange Hosted Encryption is priced on a per-user/device, per-month basis.

How is FOPE priced?
A. FOPE is licensed by user or device. Please contact your Microsoft reseller or Microsoft representative for specific pricing.

Where is the Administration Center User Guide for FOPE?
A. You can access the Administration Center User Guide here.

How long does it take to put FOPE into production?
A. Enterprises, regardless of size, will be able to use FOPE within 24–48 hours after provisioning and activation. A simple MX record change is required to begin routing email through the FOPE network for filtering. No hardware or software deployments on the customer site are needed. Familiar and intuitive administrative and user interfaces help enterprises start using FOPE immediately without any lengthy training.

 How do I activate FOPE?
A. Please log on to the Volume Licensing Service Center (VLSC) site and select “Online Services” and select “Online Services” in order to activate FOPE. You will be prompted to enter your Volume Licensing agreement number, contact information, and Mail Server/Domain information for your organization. After you submit this information to Microsoft, you will receive an email confirming that FOPE has been activated. Customer information required for activation includes:

  • Volume Licensing Agreement (enrollment) number.  To Learn how to activate online services in the Volume Licensing Service Center (VLSC), click here

  • Domain Names

  • Public Inbound IP Addresses

  • Public Outbound IP Addresses 

What type of technical support is included with my FOPE license?
A. The administrator can use the web-based support incident tracking system to view and search a messaging knowledge base, create new support incidents, update existing support incidents, and track the current status of support incidents. The Support Escalation Path and Service Level Objective includes U.S. and international technical support contact information for both FOPE and Exchange Hosted Archive services along with details about when you can expect a response to your Technical Support request. This is posted on the Resource tab of the Welcome pane in the FOPE Administration Center. Phone support should be used for emergency support needs.

The ways to contact technical support are:

  • Microsoft Services Premier Support

    • For customers who have Premier support from Microsoft, please go to the Microsoft Premier Support Online Portal or the Microsoft Premier Support Web site for more information.

  • For customers who do not have Premier support:

    • Online/web support:

    • Phone support:

      • U.S. toll-free: 866.291.7726

    • International Numbers

      • Australia. 0011 800-00000060

      • Austria. 00 800-00000060

      • Belgium. 0800-75013

      • China Netcom (N). 00 800-00000060

      • China Telcom (S). 00 800-00000060

      • Costa Rica. 00 800-00000060

      • Denmark. 00 800-00000060

      • Finland. 00 800-00000060

      • France. 00 800-00000060

      • Germany. 00 800-00000060

      • Hong Kong. 001 800-00000060

      • India. 000 800 440 1820

      • Indonesia. 001 803 44 21 01

      • Italy. 00 800-00000060

      • Japan – IDC. 0061 800-00000060

      • Japan – ITJ. 0041 800-00000060

      • Japan – KDD. 010 800-00000060

      • Japan – NTT. 0033 800-00000060

      • Korea. 02-3483-7331

      • Korea North. 00 800-00000060

      • Korea South – Dacom. 002 800-00000060

      • Korea South – NT. 001 800-00000060

      • Luxembourg. 00 800-00000060

      • Malaysia. 362-074365

      • Mexico. 001-8885086467

      • Netherlands. 00 800-00000060

      • Norway. 00 800-00000060

      • Philippines. 00 800-00000060

      • Singapore. 65 6622 1617

      • Switzerland. 00 800-00000060

    • For Provisioning and Activations Escalations:

    • For MVLS orders, billing, and invoice escalations:

Is a partner demo account for FOPE available?
A. Currently there is not a specific demo account set up for FOPE. However, you can sign up for a trial account

What email address can customers using FOPE send false negatives/positives to?
A. Spam: False positives:

How do I know my data and private information are safe?
A. FOPE datacenters are managed by GFS and our datacenters are SAS 70 Type II and ISO 27001 certified. FOPE is also ISO 27001 certified as a service.

For more information, refer to the GFS security policies and certifications here.

FOPE SLA Terms and Conditions
FOPE Acceptable Use Policy
FOPE Privacy Policy

Q. I'm a Live@edu customer. Where can I find out about specific FOPE features for Live@edu customers?
The following blog post, FAQs about FOPE administration, on the Outlook Live Blog answers a series of technical questions regarding FOPE for Live@edu. Additionally, Feature Set Comparison for FOPE Deployments describes FOPE features that are available for the different Microsoft email hosting products including Microsoft Office 365.

Q. What’s the largest message I can send if I’m using FOPE for outbound mail protection?
150MB. This is also the limit for inbound messages. More information regarding message-size limits can be found in Policy Rules.

Q. What is the maximum number of recipients I can send a message to?

Q. When I run the Message Trace tool in the FOPE Administration Center, it returns rule ID-1. What does this mean?
A. Rule ID-1 is returned when the Message Trace tool encounters a policy rule that no longer exists. (The policy rule could have been modified or deleted after the original message was sent.) 

Run a Message Trace shows how to run a message trace.

Q. I can't sign in to the FOPE Administration Center. How do I troubleshoot that?
 Sign in and out of the Administration Center contains detailed information about FOPE Administration Center access and troubleshooting, including password retrieval.

Q. If FOPE sees a sudden burst of outbound mail from a customer using us to send outbound, will FOPE throttle their mail? 
A. Throttling is the process of slowing down outbound mail such that a sending organization can only send a certain number of messages within a specific timeframe.  For example, if the rate limit is 2500 messages per hour and the organization wants to send 25,000, throttling would slow down their connection speed and it would take them 10 hours to send out their entire email campaign.  In a similar manner, FOPE is frequently asked if we will block their mail if we detect a sudden burst in traffic due to an email campaign, the idea being that spammers are known for bursty mail behavior and this technique could potentially make them look like spammers.

In FOPE, throttling is not a mechanism that has been found to have extensive value beyond our existing anti-abuse techniques.  However, elsewhere within Microsoft, particularly Hotmail and Exchange, throttling is used quite a bit.  By contrast, FOPE is more
content driven – as long as your email isn’t spam, then we will relay it.  The idea is that we try very hard not to interfere with legitimate mail flow.  If it is illegitimate mail, then we will interfere with it.  We take action very quickly.

Q. How long will FOPE queue messages when a customer is offline?
Five days.

Q. What are a set of best outbound mailing practices that will ensure that mail gets delivered?
A. FOPE does not use throttling to rate limit messages, how can senders ensure that mail they send, in bulk, arrives at the destination?  The guidelines presented below are equally well applicable for customers when they send mail from their own servers, or through our FOPE’s servers.

Guidelines for Best Practices

1.       The sending domain of the email should have forward-confirmed DNS.  This means that if the sender is, and does not actually exist or resolve in DNS, they will have problems delivering to a lot of places since many spam filters consider that in their weighting.   For example, if the sending domain has no A-record or MX record in DNS, there are some large ISPs that will reject the mail or at least throttle mail from that IP.  It is a common spamming tactic to fill in the sending email address with non-existent domains.

If a sending domain has no A-record or MX record in DNS, FOPE will route the mail through its higher risk delivery pool regardless of whether or not the content of the email is spam.

2.       The sending IP of the outbound mail server should have a reverse DNS entry.  For example, is  A lot of senders do not have a reverse DNS entry for the IP.  Adding this in DNS makes it easier for spam filters to know who the mail is coming from.  It is common for spammers to send from IPs with no reverse DNS entries (ie, PTR records).

3.       The HELO/EHLO and MAIL FROM should be consistent and be present in the form of a domain name rather than an IP address.   The HELO/EHLO should be configured to match the reverse DNS of the mailing IP so that the domain remains the same across the various parts of the message headers.

4.       Ensure that proper SPF records set up in DNS.  SPF records are a mechanism for making certain that mail coming from a domain really is coming from that domain.  In other words, it is an anti-spoofing mechanism, and helps in the delivery of mail in some cases because it allows the receiver to verify the sender and build up a reputation on it.

-          Open SPF wizard

-          Microsoft’s SenderID wizard

-          FOPE Online Help SPF Recommendations (


5.       If a sender wishes to sign their messages using DKIM and they want to send outbound mail through FOPE, they should sign using the relaxed header canonicalization algorithm.

6.       Domain owners should have accurate information in the WHOIS database.  This identifies the owners of the domain and how to contact them by entering the stable parent company, point of contact and name servers.

7.       For bulk mailers, the From: name should reflect who is sending the message, while the subject line of the message should be a brief summary on what the message is about.  The message body should have a clear indication of the offering, service or product.

For example, if you are sending out mail for the Contoso company, here is what you should do:

Subject: New updated catalog for the Christmas season!

Here is what you should not do:


Subject: Catalogs

The easier you make it for people to know who you are and what you are doing, the less difficulty you will have delivering through spam filters around the Internet.


8.       If sending mail in bulk (ie, emailing lots of recipients) and the message is in newsletter format, there should be a way of unsubscribing at the bottom of the email.  It would look something like the following:

This email was sent to by
Update Profile/Email Address | Instant removal with SafeUnsubscribe™ | Privacy Policy

Some mailers require you to send an email to a certain email alias with “Unsubscribe” in the subject.  This is less preferable to the one-click example above.  If you do choose to do it this way, make it such that when the link is clicked on, all the required fields are pre-populated.


9.       If you are a bulk mailer, double opt-in is an industry best practice.  Here is how it works: sometimes, users download software or sign up for a website and at the bottom of the signup or download page, there is a little checkbox saying “Yes, please sign me up for more offers”.  Often times, it is checked by default, and often in small text.  These are built on the assumption that people simply don’t notice that it is checked and it’s an easy avenue for mailers to harvest email addresses.  In the world of email security, it is considered a grey marketing technique.

Double opt-in is different.  The check box for offers like this are
unchecked by default, so the user has to select it.  Secondly, once they submit the form, an email is sent to the end user with a link saying “Please click on the link below to verify that you really want to hear from us.”  That forces the user to opt into announcements but it gives the mailer a good reputation.

10.   Bulk senders should create transparent content for which they can be held accountable.

a.       Verbiage requesting that recipients add the sender to the address book should clearly state that such action is not a guarantee of delivery.

b.      When constructing redirects in the body of the message, they should be similar and consistent and not multiple and varied.

c.       Refrain from sending large images and attachments, or creating messages that are solely composed of an image.

d.      When employing tracking pixels (web bugs or beacons), clearly state their presence in your public privacy or P3P settings.


11.   When generating delivery status notification messages, senders should follow the format of a bounce as specified in RFC 3464.

12.   Senders should process bounces and remove non-existent email aliases from their lists.  Email addresses change over time, and people sometimes discard them.  Companies delete non-existent accounts and when you send mail to them, they will bounce it back to you.

13.   Windows Live Mail (Hotmail) is somewhat different to deliver to than other large mail services like Yahoo, Gmail or AOL.  It has a program set up called Smart Network Data Services.  To summarize, they allow senders to sign up and if they agree to be good senders, it improves their deliverability to Hotmail.  It also involves checking complaints submitted by end users.