Defender for Office 365 and Exchange Online Protection monitor all emails hitting your domain and block harmful messages and spam. However, emails from legitimate sources can sometimes also be blocked for various reasons. In this scenario, as an admin, you want to whitelist the sender or the domain. In this post, you will learn how to whitelist a domain in Microsoft 365 and the necessary precautions you must take while doing so.
Vignesh Mudliar

Prerequisites

You must have access to the following:

  • Microsoft 365 tenant with Exchange Online licenses
  • Exchange admin rights over a tenant
  • Windows PowerShell version 5.1 or PowerShell 7
  • Exchange Online V3 module (Steps to connect to your tenant)

Ways to whitelist a domain

We can whitelist domains in M365 in three different places:

  • Mail flow rules in the Exchange Online portal
  • Antispam policies in Microsoft Defender for Office 365 (MDO)
  • Whitelist IP addresses using the connection filter policy in MDO

In the following sections, you will learn the details of each method.

Whitelist a domain using mail flow rules

This is a common method used to whitelist domains. First, access the Mail Flow tab in the Microsoft 365 portal via this link.

There, click Add Rule, and then select New Rule. This brings you to the following page. Enter a name for the rule, and then select the options, as shown in the screenshot below.

Enter a name for the rule and then select the options mentioned in the screenshot here


Sections to consider:

  • Apply this rule if: Here, we will select the sender domain we want to whitelist.
  • Second condition: Instead of only whitelisting a domain and exposing ourselves to spoofed emails, we create the rule with an additional condition that checks the authentication results. Enter the details shown in the screenshot above. Click the + symbol to add the second condition that must also be met before the rule applies to an email. In the second condition, select The message headers in the first field and include any of these words in the next field. Enter the message header name as Authentication-Results. In the Enter words section, add these two words: dmarc=pass and dmarc=guestpass.
  • Action/Do the following:
    1. Set SCL Value: The next action is to set the spam confidence level (SCL) to -1 to bypass spam filtering in Exchange Online Protection (EOP). An SCL value of -1 means that the emails being processed by this transport rule will skip spam filtering. For more information on SCL values, refer to this link.
    2. Modify message header: When you're troubleshooting mail flow issues, it is useful if the message header also names the mail flow rule that handled the email. To do so, we add another action to our rule: modify the header of every email processed by this rule to include a specific entry that identifies the rule. As seen in the screenshot above, we have set the header name to X-ETR and the value to Bypass spam filtering for authenticated sender <domain name>. Now, for every email handled by this mail flow rule, the message header will contain the values we have set. This makes it easy for admins to check whether an email was processed by this rule.

On the next page, we will choose some more settings for this rule.

Here we provide the settings for the new mail flow rule


This section has the following settings:

Mode: We can enable the rule immediately by choosing the enforce option. However, if you want to test the new rule, you can choose Test with Policy Tips or Test without Policy Tips. Policy tips warn or inform end users about possible actions on an email when they send it. Refer to this link for more on policy tips.

Severity: There are five severity levels: low, medium, high, not audit, and not specified. By default, the not specified option is selected. If you set a severity level for a rule, then all the emails handled by that rule are grouped in the Exchange Transport Rule report. This makes it easy to understand how many emails are processed by a specific rule when viewing the report. This link contains more details about this report.

Dates: If you want this rule to be activated or deactivated on specific dates, set those dates in these fields.

Rule Processing: While processing an email, Microsoft 365 checks whether the email meets the criteria set for all the mail flow rules. Even if an email meets the criteria set for one rule, Microsoft 365 will check for other rules that might match the email. If you do not want this, select the Stop processing more rules option. Now, Microsoft 365 will not weigh the email against any other rules.

Defer rule processing: If a mail flow rule doesn't apply to an email, it will be ignored by Microsoft 365. This works fine for the most part; however, it sometimes leads to a small percentage of emails leaking through. If you are concerned or if you notice any inconsistencies in the way a rule is being applied, you can select the Defer the message if rule processing doesn't complete option. This will ensure that the email is resubmitted for processing if the rule isn't applied to it the first time. This increases the chances of an email being handled by the rule.

Match sender address: If your rule contains conditions that check the email's sender address, you can specify where in the email you want Microsoft 365 to look for it. By default, the sender is verified against the values of From, Sender, and Reply-To in the message header. The second option is Envelope, which means that the sender is looked up in the MAIL FROM (return path) value. The third option is to look for the sender address in either the message header or the envelope. This is the recommended approach.

Click Next, review the rule settings, and click Finish.

It may take a few hours for the rule to be effective.
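The same rule, built with the Exchange Online V3 module instead of the portal, is shown below as an added example that is not part of the original post. The domain, rule name and header text are placeholders you must replace; every other setting maps onto the options described above (the two conditions, the SCL and header actions, and the settings on the second page). It assumes you have already connected with Connect-ExchangeOnline.

```powershell
# Added example (not from the original post). Creates the "whitelist with
# authentication check" mail flow rule from the screenshots with New-TransportRule.
# Assumes Connect-ExchangeOnline has already been run.

$senderDomain = 'partner.example'   # placeholder: domain to whitelist
$ruleName     = 'Whitelist Domain'  # placeholder: name you will look for in message traces

$rule = @{
    Name     = $ruleName
    Comments = "Bypass EOP spam filtering for DMARC-authenticated mail from $senderDomain"

    # Condition 1 (Apply this rule if): the sender domain we want to allow.
    SenderDomainIs = $senderDomain

    # Condition 2: only when EOP's own authentication stamp shows DMARC passed.
    # Without this condition anyone spoofing the domain would skip filtering too.
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = @('dmarc=pass', 'dmarc=guestpass')

    # Action 1: SCL -1 tells EOP to skip spam filtering for the message.
    SetSCL = -1

    # Action 2: stamp a header so message traces and header analysis show the rule fired.
    SetHeaderName  = 'X-ETR'
    SetHeaderValue = "Bypass spam filtering for authenticated sender $senderDomain"

    # Settings from the second page of the wizard.
    Mode                  = 'Enforce'          # 'Audit' / 'AuditAndNotify' = test with/without policy tips
    SetAuditSeverity      = 'Low'              # groups the rule's mail in the transport rule report
    StopRuleProcessing    = $true              # do not evaluate further rules for matching mail
    RuleErrorAction       = 'Defer'            # resubmit the message if rule processing doesn't complete
    SenderAddressLocation = 'HeaderOrEnvelope' # the recommended sender lookup
}

New-TransportRule @rule

# Confirm what was created; State, Mode and Priority are what you check first
# when a rule does not seem to fire.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SenderDomainIs,
                HeaderContainsMessageHeader, HeaderContainsWords,
                SetSCL, SetHeaderName, SetHeaderValue, SenderAddressLocation
```

Splatting the parameters into a hashtable keeps each condition and action commented next to its value, which is easier to review than one long command line. To test first, set Mode to Audit and watch the rule's hits in message trace before switching it to Enforce.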

Whitelist a domain in Microsoft Defender for Office 365 (MDO)

Whitelisting a domain through Microsoft 365 Defender is the recommended approach compared to creating mail flow rules for the same purpose. A high number of mail flow rules might slow down email delivery, as Exchange Online verifies emails against all the rules.

Access the Anti-spam policy page and select the anti-spam inbound policy for your tenant.

Whitelisting a domain in the antispam policy


Scroll to the bottom, and click Edit allowed and blocked senders and domains. On the next page, click Allow domains, and then add the domain you wish to whitelist. Then click Save.
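The same change made with PowerShell is shown below as an added example that is not part of the original post. The domain is a placeholder, and the example assumes your tenant uses the built-in policy named Default and that you are already connected with Connect-ExchangeOnline.

```powershell
# Added example (not from the original post). Adds a domain to the allowed
# sender domains of the default inbound anti-spam policy, then lists what is
# allowed so the list can be reviewed. Assumes Connect-ExchangeOnline was run.

$senderDomain = 'partner.example'   # placeholder: domain to whitelist
$policyName   = 'Default'           # assumed: the built-in inbound anti-spam policy

# Add the domain without disturbing entries that are already there.
Set-HostedContentFilterPolicy -Identity $policyName -AllowedSenderDomains @{Add = $senderDomain}

# Review every allowed sender and domain across all inbound anti-spam policies.
# This is the list the conclusion of the post says must be vetted regularly.
Get-HostedContentFilterPolicy |
    Select-Object Name,
        @{ Name = 'AllowedSenderDomains'; Expression = { $_.AllowedSenderDomains -join ', ' } },
        @{ Name = 'AllowedSenders';       Expression = { $_.AllowedSenders -join ', ' } }

# When the business reason goes away, remove the entry the same way.
# Set-HostedContentFilterPolicy -Identity $policyName -AllowedSenderDomains @{Remove = $senderDomain}
```

Mail from an allowed domain skips spam filtering in that policy regardless of authentication results, so unlike the mail flow rule above there is no DMARC check here; keep the list short and review it.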

Here we add the domain we wish to whitelist in the anti spam policy


Whitelist a domain using its IP address

The last option is to whitelist the domain's IP address. This can be achieved through the Connection filter policy in MDO.

Again, access the Anti-spam page and select the connection filter policy in effect on your tenant. On the following page, you can click the Edit option.

Editing a connection filter policy to add the domain's IP addresses


On the next page, add the IP addresses you want to whitelist in the Allow messages field. Then click Save.

Allow list in the Connection filter


Microsoft has its own list of IPs obtained from third parties, which it considers safe. If you select this option, then those IPs bypass the security checks in your tenant. This list is maintained by Microsoft, and you won't be able to add anything to it.
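Both connection filter settings from this section, the IP allow list and the Microsoft safe list switch, can be set with PowerShell. The block below is an added example and not part of the original post; the IP addresses are placeholders from a documentation range, the policy is assumed to be the built-in Default one, and Connect-ExchangeOnline is assumed to have been run.

```powershell
# Added example (not from the original post). Adds sending IPs to the
# connection filter allow list and shows the current state of the policy.
# Assumes Connect-ExchangeOnline was run and the policy is named 'Default'.

$policyName = 'Default'
# placeholders: the sending MTA addresses of the whitelisted domain (CIDR /24 to /32 is accepted)
$allowedIPs = @('192.0.2.10', '198.51.100.0/28')

# Add to the allow list without replacing existing entries.
Set-HostedConnectionFilterPolicy -Identity $policyName -IPAllowList @{Add = $allowedIPs}

# The "safe list" is Microsoft's own third-party list of trusted senders.
# Leave it off unless you want those IPs to bypass your filtering as well.
Set-HostedConnectionFilterPolicy -Identity $policyName -EnableSafeList $false

# Review the result; the block list is included so an address is not on both.
Get-HostedConnectionFilterPolicy -Identity $policyName |
    Select-Object Name, EnableSafeList,
        @{ Name = 'IPAllowList'; Expression = { $_.IPAllowList -join ', ' } },
        @{ Name = 'IPBlockList'; Expression = { $_.IPBlockList -join ', ' } }
```

Allowing an IP range is the broadest of the three methods: every message from those addresses skips spam filtering, whatever domain is in the From address, so confirm with the partner which addresses actually send mail and keep the range as narrow as possible.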

Testing the mail flow rule

After whitelisting the domain, there are several ways to verify that it is indeed allowed.

Message trace

The easiest way to track emails from the whitelisted domain is to run a message trace either from the portal or through PowerShell. The message trace result below shows that the email was handled by a mail rule named Whitelist Domain. This is the rule we created.

Message trace from the portal showing the new rule in effect


M365 Defender Threat Explorer

You can also check the effectiveness of the new mail flow rule in the Threat Explorer. You can access it via this link. While whitelisting the domain in the antispam policy in the earlier section of the article, you specified the sender's domain. Use the sender's domain to search for all emails from that domain. Refer to this article for more information.

The following example confirms that the domain whitelisting done through the antispam policy is in effect.

Email has been allowed by the policy we edited


PowerShell

The third option is to use good old PowerShell.

Run the following command to find the email you wish to trace:

Get-MessageTrace -SenderAddress <emailaddress> -RecipientAddress <emailaddress> -StartDate <date> -EndDate <date> | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, *Id

Note the messagetraceid of the email you wish to investigate from the output.

Run the following command with the message trace ID noted from the above command's output:

Get-MessageTraceDetail -MessageTraceId <TraceID> -RecipientAddress <emailaddress> | Select-Object Message*, Date, Event, Action, Detail

The email was handled by our new transport rule and the required actions were taken

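The two commands above can be combined into a small check that runs the trace for every recent message from the whitelisted domain and reports whether the rule fired. This is an added example, not part of the original post; the addresses and rule name are placeholders, and the event name and detail text it matches on are assumed from the trace output the post describes. It assumes Connect-ExchangeOnline has been run.

```powershell
# Added example (not from the original post). Traces recent mail from a domain
# and flags each message whose trace detail shows the whitelist rule fired.
# Assumes Connect-ExchangeOnline was run. The event name 'Transport rule' and
# the rule name appearing in Detail are assumptions based on the post's screenshot.

function Test-WhitelistRule {
    param(
        [Parameter(Mandatory)] [string] $SenderDomain,      # e.g. partner.example (placeholder)
        [Parameter(Mandatory)] [string] $RecipientAddress,  # a mailbox in your tenant (placeholder)
        [string] $RuleName = 'Whitelist Domain',            # name given to the mail flow rule
        [int]    $Days     = 2                              # message trace keeps 10 days
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Wildcard in the sender address returns every sender at the domain.
    $traces = Get-MessageTrace -SenderAddress "*@$SenderDomain" -RecipientAddress $RecipientAddress `
                               -StartDate $start -EndDate $end

    foreach ($t in $traces) {
        $events = Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId -RecipientAddress $t.RecipientAddress

        # The rule shows up as its own event; Detail names the rule that matched.
        $ruleEvent = $events | Where-Object { $_.Event -eq 'Transport rule' -and $_.Detail -like "*$RuleName*" }

        [pscustomobject]@{
            Received  = $t.Received
            Sender    = $t.SenderAddress
            Subject   = $t.Subject
            Status    = $t.Status
            RuleFired = [bool]$ruleEvent
            Detail    = ($ruleEvent | Select-Object -First 1 -ExpandProperty Detail)
        }
    }
}

# Usage (placeholders):
Test-WhitelistRule -SenderDomain 'partner.example' -RecipientAddress 'user@yourtenant.example' |
    Format-Table -AutoSize
```

A message with RuleFired set to $false while Status shows Delivered usually means the second condition did not match, so check the Authentication-Results header of that message next.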

Message header

Analyzing a message header will not only help you to verify that your rule is in effect, but also aid you in troubleshooting issues. The first task is to obtain the message header. This can be found in the email in Outlook or in OWA. Check here for the steps.

You can search the email in Threat Explorer and click it. The following screen pops up, allowing you to read the message header depending on the permissions you have in the tenant.

View a message header from the Threat Explorer


After obtaining the header, head to exrca.com to analyze it. The SCL value is -1, as seen in the screenshot below in field number 43. The message header screenshot below shows the X-ETR value in field number 44 as Bypass spam for authenticated sender. This is the value we set in the mail flow rule we created in the earlier section. This reaffirms that your mail flow rule is alive and kicking.


The header was modified as stated in the mail flow rule

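The same three fields that the analyzer shows (the DMARC result, the SCL and the X-ETR stamp) can be pulled out of a pasted header locally. The block below is an added example and not part of the original post; the sample header is constructed for illustration (the header names are the ones Exchange Online stamps, the values are invented), and the function is a hypothetical helper rather than anything from the Exchange module.

```powershell
# Added example (not from the original post). Parses a raw message header
# pasted from Outlook/OWA and reports the fields the whitelist rule depends on
# and produces. Needs no tenant connection.

function Get-WhitelistHeaderCheck {
    param([Parameter(Mandatory)] [string] $RawHeader)

    # Unfold: RFC 5322 continuation lines start with a space or tab.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '

    $fields = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            # Keep the first occurrence; Exchange stamps some headers more than once.
            if (-not $fields.ContainsKey($matches[1])) { $fields[$matches[1]] = $matches[2] }
        }
    }

    $auth = [string]$fields['Authentication-Results']
    $scl  = [string]$fields['X-MS-Exchange-Organization-SCL']

    [pscustomobject]@{
        DmarcPass          = ($auth -match 'dmarc=(pass|guestpass)')   # what the rule's second condition checks
        SCL                = $scl
        BypassedSpamFilter = ($scl -eq '-1')                           # what the SetSCL action produces
        XETR               = $fields['X-ETR']                          # what the header action produces
        AuthenticationResults = $auth
    }
}

# Constructed sample header: names are real Exchange Online headers, values are invented.
$sampleHeader = @"
Received: from mail.partner.example (192.0.2.10) by
 example.prod.outlook.com with Microsoft SMTP Server id 15.20.0000.000
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=partner.example; dkim=pass header.d=partner.example;
 dmarc=pass action=none header.from=partner.example
X-MS-Exchange-Organization-SCL: -1
X-ETR: Bypass spam filtering for authenticated sender partner.example
From: Alice <alice@partner.example>
Subject: Constructed sample message
"@

Get-WhitelistHeaderCheck -RawHeader $sampleHeader
```

For the sample above the output shows DmarcPass True, SCL -1, BypassedSpamFilter True and the X-ETR text; a header from a spoofed message would show dmarc=fail, no X-ETR stamp and a normal SCL, which is exactly the outcome the second condition of the rule is there to guarantee.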

Conclusion

Domains should be whitelisted only when there is no other alternative. Emails from such domains will bypass your security mechanisms, exposing your users to spoofed emails. All whitelisted domains should be the ones you trust, and the list must be frequently vetted.

© 4sysops 2006 - 2024

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending
WindowsUpdatePreventer

Log in with your credentials

or    

Forgot your details?

Create Account