Sometimes legitimate email ends up in the junk folder after being marked as spam by Exchange Online. This is of course unwanted, so how do you whitelist a domain in Office 365? And how can we do it safely without opening the doors for phishing emails?
Filtering out spam emails is important to prevent malware and phishing emails from ending up in your user’s mailboxes. But when emails from trusted senders are marked as spam we need to find a way to override this and safely deliver the mail into the user’s inbox.
In this article, we are going to take a look at the different options to whitelist a domain in Office 365.
What you need to know
There are multiple ways to whitelist a domain in Office 365, but it’s important that you understand the implications of the different methods. There are various reasons why an email is marked as spam. It can be that it’s sent from an untrusted source, failed the SPF or DMARC check, or even based on the content of the email.
The two most common ways to whitelist a domain on a tenant level are by either using a mail flow rule (recommended) or by adding the domain to the allowed sender list in the anti-spam policy. Other options are to whitelist on IP Address in Office 365 or use the safe sender list in Outlook.
When it comes to excluding a domain from spam filtering, it’s important to be as specific as possible about the source. Because when filtering simply on a domain name alone, you also set the door open for spoofed phishing emails for that domain.
That is why mail flow rules are the recommended way to whitelist a domain.
Whitelist a Domain in Office 365 with Mail flow rules
We are going to start with the recommended method, with mail flow rules. The advantage of mail flow rules is that we can whitelist a domain and also add some additional checks to it. Like part of the subject, DMARC result, or even a specific IP Address.
When you have a web application, for example, that sends an automatically generated email that you want to whitelist, then you can create a mail flow rule, and filter on the sender or domain. As an extra check, you can add another filter on the IP Address, because you probably know from which IP Address the mail is sent.
To whitelist a domain with a mail flow rule we first need to open the Exchange Admin Center.
- Expand Mail flow and click on Rules
- Click on the Plus icon to create a new rule
- Enter a name for the rule
- Under Apply this rule if, select The Sender > Domain is
- Enter the domain that you want to whitelist
- Click on the Plus icon to add a condition
- Select The Sender > IP Range is any of these
- Enter the IP Address of the application.
- Under Do the following, select Modify the message properties > Set the Spam confidence level
- Select Bypass spam filtering (-1)
- Click on the Plus icon to add an action
- Choose Modify the message properties > Set a message header
- Set the header to
X-ETRand the value to something like:Bypass spam filtering for stonegrovebank.com
Other additional conditions that you can use are:
- The Subject or Body > Subject includes any of these words. This way you can further filter the emails based on a word in the subject line.
- A Message header > includes any of these words. Filter on DMARC result is a good way to prevent spoofing of a whitelisted domain. Add Authentication-Results under “Enter text” and dmarc=passunder “Enter words…”
Click Next when done.
In the Set Rule Settings, you can set the rule in Test mode first if you want. Otherwise, set the severity to Not Audit and click on Next and Finish
Office 365 Whitelist Domain with Allowed Domains
Before we could use the allowed sender list in the Exchange Online admin center to whitelist a domain. But now we need to use the Microsoft 365 Security Center (Microsoft 365 Defender). Keep in mind that this is the least secure option to whitelist a domain. Because this way senders for this domain will bypass spam protection and sender authentication methods.
To allow a complete domain or specific sender, we need to modify the inbound spam policy.
- Click on Policies & Rules
- Select Threat Policies
- Open Anti-Spam (it can take a couple of seconds to load the policies)
- Click on the Anti-spam inbound policy (Default)
- Scroll all the way down in the fly-out and click on Edit allowed and blocked senders and domains
- Click on Allow domains
- Add the domains that you want to whitelist
- Click Done and Save
Mails sent from this domain should now arrive in the inbox and completely bypass the spam filter. But keep in mind, when you whitelist a domain this way, that spoofed email won’t be noticed as well.
Office 365 Whitelist IP Address
The last option that I want to share with you is the ability to whitelist an IP Address in Office 365. Personally, I prefer to use a mail flow rule for this, which allows us to combine an IP Address with a domain for example. But we can whitelist an IP address completely as well.
For this, we need to modify the Connection Filter Policy in the security center (Microsoft 365 Defender).
- Open the Security Center (Microsoft 365 Defender)
- Navigate to Policies and Rules > Threat Rules
- Click on Anti-Spam
- Click on Connection Filter Policy (Default)
- Click Edit connection filter policy in the fly-out
- Add the IP Address that you want to whitelist
- Enable Turn on safe list
- Click Save and Close to apply the settings.
Wrapping Up
Try always to be as specific as possible when whitelisting a domain in Office 365. If you know that a part of the subject is always the same, make sure you add it as a condition. Enable the DMARC header to check if SPF and DMARC are configured for the sending domain.
Whitelisting a domain through the allowed domains list in the anti-spam policy should only be used as a temporary solution. When you whitelist a domain that way, you bypass all the security checks that will help with preventing phishing mails.
If you have any questions, just drop a comment below.
