- Whitelist a domain in Microsoft 365 - Wed, Nov 29 2023
Prerequisites
You must have access to the following:
- Microsoft 365 tenant with Exchange Online licenses
- Exchange admin rights over a tenant
- Windows PowerShell version 5.1 or PowerShell 7
- Exchange Online V3 module (Steps to connect to your tenant)
Ways to whitelist a domain
We can whitelist a sending domain in M365 in three different places:
- Mail flow rules (transport rules) in the Exchange admin center
- The allowed domains list of the anti-spam policy in Microsoft Defender for Office 365 (MDO)
- The IP allow list of the connection filter policy in MDO, which whitelists the sender's mail server addresses rather than the domain name itself
In the following sections, you will learn the details of each method.
Whitelist a domain using mail flow rules
This is the most common method used to whitelist domains. First, open the Mail flow > Rules page in the Exchange admin center.
There, click Add a rule, and then select Create a new rule. This brings you to the following page. Enter a name for the rule, and then select the options, as shown in the screenshot below.
Sections to consider:
- Apply this rule if: Here, we select the sender domain we want to whitelist.
- Second condition: Instead of whitelisting a domain outright and exposing ourselves to spoofed emails, we create the rule with an additional condition that checks the authentication results, so that only mail that actually passes DMARC for that domain bypasses filtering. Click the + symbol to add the second condition. In the second condition, select The message headers in the first field and includes any of these words in the next field. Enter the message header name as Authentication-Results. In the Enter words section, add these two values: dmarc=pass and dmarc=bestguesspass (bestguesspass is the result Exchange Online records when the sender domain publishes no DMARC record but SPF or DKIM would have aligned).
- Action/Do the following:
- Set SCL Value: The next action is to set the spam confidence level (SCL) to -1 to bypass spam filtering in Exchange Online Protection (EOP). An SCL value of -1 means that the emails processed by this transport rule skip spam filtering. Note that this does not disable malware filtering, and EOP still quarantines messages it classifies as high confidence phishing regardless of SCL. For more information on SCL values, refer to Microsoft's documentation on spam confidence levels.
- Modify message header: When you're troubleshooting mail flow issues, it is useful if the message header also names the mail flow rule that handled the email. To do so, add another action to the rule that modifies the header of the email being processed to include an entry that identifies the rule. As seen in the screenshot above, we have set the header name to X-ETR and the value to Bypass spam filtering for authenticated sender <domain name>. Now, for every email handled by this mail flow rule, the message header will contain the value we set. This makes it easy for admins to check whether an email was processed by this rule.
On the next page, we will choose some more settings for this rule.
This section has the following settings:
Mode: We can enable the rule immediately by choosing the enforce option. However, if you want to test the new rule, you can choose Test with Policy Tips or Test without Policy Tips. Policy tips warn or inform end users about possible actions on an email when they send it. Refer to this link for more on policy tips.
Severity: The options are low, medium, high, not specified, and do not audit (DoNotAudit in PowerShell). By default, not specified is selected. If you set a severity level for a rule, all the emails handled by that rule are grouped in the Exchange Transport Rule report. This makes it easy to see how many emails a specific rule processed when viewing the report.
Dates: If you want this rule to be activated or deactivated on specific dates, set those dates in these fields.
Rule Processing: While processing an email, Microsoft 365 checks whether the email meets the criteria set for all the mail flow rules. Even if an email meets the criteria set for one rule, Microsoft 365 will check for other rules that might match the email. If you do not want this, select the Stop processing more rules option. Now, Microsoft 365 will not weigh the email against any other rules.
Defer rule processing: By default, if Exchange Online cannot finish evaluating a rule against a message (for example, because of a transient error or timeout), the message continues through delivery without that rule being applied. This works fine for the most part; however, it can let a small percentage of emails through without the rule's actions. If you are concerned, or if you notice inconsistencies in the way a rule is being applied, select the Defer the message if rule processing doesn't complete option. The message is then temporarily deferred and resubmitted for processing instead of being delivered unprocessed.
Match sender address: If your rule contains conditions that check the sender address, you can specify where in the email you want Microsoft 365 to look for it. By default (Header), the sender is matched against the From, Sender, and Reply-To values in the message header. The second option, Envelope, matches the SMTP MAIL FROM (Return-Path) address instead. The third option, Header or envelope, matches either location. This is the recommended approach.
Click Next, review the rule settings, and click Finish.
It may take a few hours for the rule to be effective.
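The same rule, created from PowerShell with the ExchangeOnlineManagement (V3) module, as an added example that is not part of the original article. The sender domain contoso.com and the rule name Whitelist Domain are placeholders; each New-TransportRule parameter below corresponds to one of the portal settings described above.

```powershell
# Added example (not from the original article): the mail flow rule from the
# portal walkthrough, created with the ExchangeOnlineManagement (V3) module.
# Assumptions: "contoso.com" and the rule name "Whitelist Domain" are
# placeholders for this example; substitute your own values.

Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in; needs Exchange admin rights

$SenderDomain = 'contoso.com'
$RuleName     = 'Whitelist Domain'

# Sanity check before relying on "dmarc=pass": a domain without a DMARC record can
# only ever produce "dmarc=bestguesspass". Resolve-DnsName ships with Windows only.
if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
    $dmarcRecord = Resolve-DnsName -Name "_dmarc.$SenderDomain" -Type TXT -ErrorAction SilentlyContinue |
                   Where-Object { $_.Strings -like 'v=DMARC1*' }
    if (-not $dmarcRecord) { Write-Warning "$SenderDomain publishes no DMARC record" }
}

# New-TransportRule fails on a duplicate name, so create the rule only once.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -Comments "Skip spam filtering for $SenderDomain only when DMARC passes" `
        -SenderDomainIs $SenderDomain `
        -SenderAddressLocation HeaderOrEnvelope `
        -HeaderContainsMessageHeader 'Authentication-Results' `
        -HeaderContainsWords 'dmarc=pass', 'dmarc=bestguesspass' `
        -SetSCL -1 `
        -SetHeaderName 'X-ETR' `
        -SetHeaderValue "Bypass spam filtering for authenticated sender $SenderDomain" `
        -StopRuleProcessing $true `
        -RuleErrorAction Defer `
        -SetAuditSeverity Low `
        -Mode Audit          # Audit = "Test without Policy Tips"; use Enforce when satisfied
}

# Confirm the stored rule matches what the portal pages show.
$props = @('Name', 'State', 'Mode', 'Priority', 'SenderDomainIs', 'SenderAddressLocation',
           'HeaderContainsMessageHeader', 'HeaderContainsWords', 'SetSCL', 'SetHeaderName',
           'SetHeaderValue', 'StopRuleProcessing', 'RuleErrorAction')
Get-TransportRule -Identity $RuleName | Format-List -Property $props

# Switch the rule to enforcement once the test messages look right:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

Mode Audit is the PowerShell name for Test without Policy Tips, and AuditAndNotify for Test with Policy Tips. The DNS check is optional, but it explains a common surprise: if the partner domain has no DMARC record, you will only ever see dmarc=bestguesspass in the Authentication-Results header, which is why both values belong in the condition.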
Whitelist a domain in Microsoft Defender for Office 365 (MDO)
Whitelisting a domain in the anti-spam policy is simpler than creating a mail flow rule for the same purpose, and it avoids growing the rule set: a high number of mail flow rules can slow down email delivery, as Exchange Online evaluates every message against all of them. The trade-off is that the allowed domains list has no authentication condition, so every message claiming to come from that domain skips spam filtering and spoof checks (malware filtering and high confidence phishing detection still apply). Use it only for domains you fully trust.
Access the Anti-spam policy page and select the anti-spam inbound policy for your tenant.
Scroll to the bottom, and click Edit allowed and blocked senders and domains. On the next page, click Allow domains, and then add the domain you wish to whitelist. Then click Save.
Whitelist a domain using its IP address
The last option is to whitelist the IP addresses of the domain's sending mail servers rather than the domain name. This is done through the connection filter policy in MDO. Keep the entries as narrow as the sender's infrastructure allows, because every host in an allowed range skips spam filtering regardless of which domain it claims to send for.
Again, access the Anti-spam page and select the connection filter policy in effect on your tenant. On the following page, you can click the Edit option.
On the next page, add the IP addresses you want to whitelist in the Allow messages field. Then click Save.
The Turn on safe list option on the same page enables Microsoft's own list of sender IPs obtained from third parties, which Microsoft considers safe. If you select this option, messages from those IPs bypass spam filtering in your tenant. This list is maintained by Microsoft, and you cannot add anything to it.
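The anti-spam allowed domains list and the connection filter IP allow list edited from PowerShell, as an added example that is not part of the original article; it covers both the anti-spam policy steps and the connection filter steps above, and ends with a listing you can use to review existing entries. The domain contoso.com and the 203.0.113.0/24 range (RFC 5737 documentation address space) are placeholders, and the policies are assumed to carry the tenant default name Default.

```powershell
# Added example (not from the original article): the anti-spam allowed domains
# list and the connection filter IP allow list edited with the
# ExchangeOnlineManagement module, plus a listing for periodic review.
# Assumptions: "contoso.com" and 203.0.113.0/24 (RFC 5737 documentation space)
# are placeholders; the policies carry their tenant default name "Default".

Connect-ExchangeOnline -ShowBanner:$false

$SenderDomain = 'contoso.com'
$SenderRange  = '203.0.113.0/24'   # allowed sizes are /24 through /32, or single addresses

# 1. Anti-spam inbound policy: allowed domains. @{Add=...} appends to the list
#    instead of replacing it; @{Remove=...} takes an entry out again.
Set-HostedContentFilterPolicy -Identity 'Default' -AllowedSenderDomains @{Add = $SenderDomain}

# 2. Connection filter policy: IP allow list for the sender's mail servers.
Set-HostedConnectionFilterPolicy -Identity 'Default' -IPAllowList @{Add = $SenderRange}

# The "Turn on safe list" option is Microsoft's own third-party list; you can
# only enable or disable it, not add to it.
# Set-HostedConnectionFilterPolicy -Identity 'Default' -EnableSafeList $true

# Review: every allow entry across all anti-spam policies. Each domain listed
# here skips spam filtering without any authentication check, so vet them regularly.
Get-HostedContentFilterPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy               = $_.Name
        AllowedSenderDomains = ($_.AllowedSenderDomains -join ', ')
        AllowedSenders       = ($_.AllowedSenders -join ', ')
    }
} | Format-Table -AutoSize

# The same for the connection filter: allowed IP ranges and the safe list switch.
Get-HostedConnectionFilterPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.Name
        IPAllowList    = ($_.IPAllowList -join ', ')
        EnableSafeList = $_.EnableSafeList
    }
} | Format-Table -AutoSize
```

The two review listings at the end are the ones to run on a schedule: they show every domain and address range that currently bypasses spam filtering across all policies in the tenant, which is what the conclusion of this article asks you to vet.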
Testing the mail flow rule
After whitelisting the domain, there are several ways to verify that it is indeed allowed.
Message trace
The easiest way to track emails from the whitelisted domain is to run a message trace, either from the portal or through PowerShell. The message trace result below shows that the email was handled by a mail flow rule named Whitelist Domain. This is the rule we created.
M365 Defender Threat Explorer
You can also check the effectiveness of the new mail flow rule in the Threat Explorer. You can access it via this link. While whitelisting the domain in the antispam policy in the earlier section of the article, you specified the sender's domain. Use the sender's domain to search for all emails from that domain. Refer to this article for more information.
The following example confirms that the domain whitelisting done through the antispam policy is in effect.
PowerShell
The third option is to use good old PowerShell.
Run the following command to find the email you wish to trace (Get-MessageTrace covers the last 10 days; the placeholders are yours to fill in):

```powershell
Get-MessageTrace -SenderAddress <emailaddress> -RecipientAddress <emailaddress> -StartDate <date> -EndDate <date> |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, *Id
```

Note the MessageTraceId of the email you wish to investigate from the output.
Run the following command with the message trace ID noted from the above command's output. The recipient address is required, because a trace ID identifies one message but the detail events are recorded per recipient:

```powershell
Get-MessageTraceDetail -MessageTraceId <TraceID> -RecipientAddress <emailaddress> |
    Select-Object Message*, Date, Event, Action, Detail
```

In the output, look for the Transport rule event; its Detail column names the rule that fired and the action it took.
Message header
Analyzing a message header will not only help you to verify that your rule is in effect, but also aid you in troubleshooting issues. The first task is to obtain the message header. This can be found in the email in Outlook or in OWA. Check here for the steps.
You can search the email in Threat Explorer and click it. The following screen pops up, allowing you to read the message header depending on the permissions you have in the tenant.
After obtaining the header, head to exrca.com (the Microsoft Remote Connectivity Analyzer) and paste it into the Message Header Analyzer. The SCL value is -1, as seen in the screenshot below in field number 43. The message header screenshot below shows the X-ETR value in field number 44 as Bypass spam for authenticated sender. This is the value we set in the mail flow rule we created in the earlier section. This confirms that the mail flow rule is alive and kicking.
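The two checks above, the header inspection and the trace, scripted as an added example that is not part of the original article. Test-WhitelistHeader reads a raw message header and reports the DMARC result, the SCL and the X-ETR marker; Get-WhitelistRuleEvents filters a message trace down to the Transport rule events of one rule. The sample header is constructed for this example, and contoso.com, Whitelist Domain and the addresses are placeholders.

```powershell
# Added example (not from the original article): a header check for the markers
# the mail flow rule sets, and a trace filter for the rule's own event. The
# sample header below is constructed for this example; "contoso.com",
# "Whitelist Domain" and the addresses are placeholders.

function Test-WhitelistHeader {
    param([Parameter(Mandatory)][string]$RawHeader)

    # Unfold RFC 5322 continuation lines (a line starting with space or tab
    # continues the previous header), then split into "Name: value" pairs.
    # Headers can repeat (several Authentication-Results), so values are kept as lists.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $headers  = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            if (-not $headers.ContainsKey($name)) { $headers[$name] = @() }
            $headers[$name] += $Matches[2]
        }
    }

    # First DMARC verdict found in any Authentication-Results header.
    $dmarc = $headers['authentication-results'] |
             ForEach-Object { if ($_ -match 'dmarc=([a-z]+)') { $Matches[1] } } |
             Select-Object -First 1
    $scl = $headers['x-ms-exchange-organization-scl'] | Select-Object -First 1
    $etr = $headers['x-etr'] | Select-Object -First 1

    [pscustomobject]@{
        Dmarc       = $dmarc
        SCL         = $scl
        XETR        = $etr
        # The rule fired only if both markers it sets are present.
        RuleApplied = ($scl -eq '-1' -and [bool]$etr)
    }
}

# Constructed sample header (not a real message) carrying both markers the rule adds.
$SampleHeader = @"
Received: from mail.contoso.com (203.0.113.10) by
 AB1PR00MB0000.outlook.office365.com with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
 header.d=contoso.com;dmarc=pass action=none header.from=contoso.com;
X-MS-Exchange-Organization-SCL: -1
X-ETR: Bypass spam filtering for authenticated sender contoso.com
From: Alice <alice@contoso.com>
To: bob@fabrikam.com
Subject: Invoice 1234
"@

Test-WhitelistHeader -RawHeader $SampleHeader | Format-List

function Get-WhitelistRuleEvents {
    param(
        [Parameter(Mandatory)][string]$SenderDomain,
        [Parameter(Mandatory)][string]$RuleName,
        [int]$Days = 2
    )
    # Get-MessageTrace covers the last 10 days; older data needs Start-HistoricalSearch.
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    Get-MessageTrace -StartDate $start -EndDate $end -PageSize 1000 |
        Where-Object { $_.SenderAddress -like "*@$SenderDomain" } |
        ForEach-Object {
            $msg = $_
            Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $msg.RecipientAddress |
                Where-Object { $_.Event -eq 'Transport rule' -and $_.Detail -like "*$RuleName*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Sender    = $msg.SenderAddress
                        Recipient = $msg.RecipientAddress
                        Date      = $_.Date
                        Action    = $_.Action
                        Detail    = $_.Detail
                    }
                }
        }
}

# Online part; requires a connected Exchange Online session:
# Connect-ExchangeOnline -ShowBanner:$false
# Get-WhitelistRuleEvents -SenderDomain 'contoso.com' -RuleName 'Whitelist Domain' | Format-Table -Wrap
```

Test-WhitelistHeader runs offline against any header you paste in, which makes it handy when the Message Header Analyzer is not reachable; RuleApplied is only true when both the SCL of -1 and the X-ETR marker are present, so a message that was allowed for some other reason (an allowed domain entry, an IP allow list hit) is not mistaken for a rule hit. Keep in mind that the X-MS-Exchange-Organization-* headers are removed from messages that leave the organization, so inspect the copy in the recipient's mailbox.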
Conclusion
Domains should be whitelisted only when there is no other alternative. Emails from such domains bypass your spam filtering, and unless the whitelist is tied to an authentication check, as in the mail flow rule above, they also bypass spoof protection, exposing your users to spoofed emails. Whitelist only domains you trust, record why each entry exists, and vet the list frequently and remove entries that are no longer needed.