Whitelisting Email Address in Office 365

Are you waiting on that purchase order email, but it ended up in quarantine or was rejected by Office 365 entirely? False-positive spam detection happens all the time. It’s a fact that anti-spam technology is reactive and isn’t always 100% accurate.

So what can you do to avoid false-positive spam detection on messages from a trusted organization—whitelist a domain in Office 365.

Whitelisting a domain ensures that Office 365 anti-spam will bypass the messages but still go through other email hygiene processes like anti-virus and content filtering. And if you don’t know how, you came to the right place.

How to Whitelist a Sender Domain in Office 365: Requirements

Before you begin, you must have at least a Hygiene Management role in Exchange Online. You must also install the latest Exchange Online Management module (EXO v2) on your computer.

Create the O365 Whitelist Domain Transport Rule

We can create the transport rule to whitelist a domain in office 365 using the Exchange admin center (EAC). But in this post, I’ll show you how you can accomplish the same using PowerShell instead, and the command we’ll use is the New-TransportRule cmdlet.

Once the rule is created, we’ll examine it using the EAC to see what the rule looked like in the GUI.

The following steps take you through defining the transport rule parameters and values into variables. Afterward, you’ll create the transport rule by supplying these variables.

Now, let’s define the rule parameters in a table for easy understanding.

ItemValueRemarksCommand Parameters
Rule nameO365 Whitelist Domain – icuc.mlMake the rule name as descriptive as possible to make it easily recognizable. This example rule name denotes that it is an O365 Whitelist Domain rule for the sender icuc.ml.Name
Condition 1The sender is from Outside the organizationThis condition ensures that the rule only applies to messages from external senders.FromScope
Condition 2The Authentication-Results message header includes any of the following values: dkim=pass, dmarc=pass, dmarc=bestguesspass.This condition checks whether the message origin passed the DKIM and DMARC tests. These header items indicate that the source is an authorized sender on behalf of the sender domain.HeaderContainsMessageHeader HeaderContainsWords
Condition 3The sender domain is icuc.mlThe sender domain you want to whitelist.SenderDomainIs
Action 1Set the Spam Confidence Level (SCL) value to -1.Setting the SCL to -1 means the message will bypass the anti-spam detection.SetSCL
Action 2Set the message header X-ETR-SafeSenderDomain value to O365 Whitelist Domain – icuc.mlThis action is optional but recommended. Adding this header gives you a way to identify that a message was processed by this transport rule. The ETR part of the header stands for Exchange Transport Rule. It is not a requirement, but a nice way of making a header name recognizable.SetHeaderName SetHeaderValue

The rule definition table above is the bare minimum when you want to whitelist a domain in Office 365. Now that you know the rule you want to make, how do you translate this into a PowerShell command? Let me show you.

First, connect to the Exchange Online PowerShell.


The command we’ll use to create the O365 Whitelist Domain rule is the New-TransportRule cmdlet. But first, we’ll use splatting to compose the required parameters.

Note. A ‘splat’ is a hashtable containing the parameter names and their values.

The below code creates the splat and stores it in the $etr variable. Make sure to replace the values based on your rule definition table.

 $etr = @{ 
Name = 'O365 Whitelist Domain - icuc.ml' ## Rule name 
FromScope = 'NotInOrganization' ## Condition 1 
HeaderContainsMessageHeader = 'Authentication-Results' ## Condition 2a 
HeaderContainsWords = 'dkim=pass', 'dmarc=pass', 'dmarc=bestguesspass' ## Condition 2b 
SenderDomainIs = 'icuc.ml' ## Condition 3 
SetSCL = '-1' ## Action 1 
SetHeaderName = 'X-ETR-SafeSenderDomain' ## Action 2a 
SetHeaderValue = 'O365 Whitelist Domain - icuc.ml' ## Action 2b 

Copy the code above and run it in PowerShell like so.

whitelisting email address in office 365

Before you run the command to create the rule, here are a few considerations.

  • By default, the rule will be assigned the least priority. Meaning, that if there are 5 existing rules, your new rule will become the 6th. So if you have existing rules, evaluate what priority should the new rule be. To set the priority, append the parameter: -Priority <integer>. The highest priority is 0.
  • For example, if you want to make the new rule the 3rd highest priority, the parameter should be -Priority 2.
  • The rule will be enabled immediately after its creation. If you want to create the rule in disabled mode, append the parameter: -Enabled:$false

When ready, run the below command to create the O365 Whitelist Domain rule. As explained above, this rule will be created with the highest priority (priority 0) and in the enabled state.

New-TransportRule @etr -Priority 0

The result below shows that we’ve successfully created the O365 Whitelist Domain transport rule.

outlook whitelist domain

So you’ve created the O365 Whitelist Domain rule. I’m sure you’re curious about what it looks like in the EAC, so let’s check it out.

Open your browser and log in to the Exchange admin center. Expand Mail flow and click Rules. On the Rules list, double-click the one you just created to open it in another window.

whitelist email domain office 365

And you can confirm that the rule is as you intended to create in PowerShell.

microsoft 365 whitelist email address

Test the O365 Whitelist Domain Rule Result

How do you know the O365 Whitelist Domain rule works? Start by asking your external sender from the whitelisted domain to send you an email, and you can go from there.

Analyze the Message Header

Suppose the external sender dummy@icuc.ml sent a message to the internal user dummy@lzex.ga. The example below shows the message is open in the Outlook Web App.

Click More options (…)ViewView message details.

o365 whitelist sender

Select the entire message header contents and copy it to the clipboard.

outlook 365 whitelist email address

Using your browser, open the Message Header Analyzer website. Paste the message header content into the box and click Analyze headers.

office 365 whitelist email domain

Look for the X-MS-Exchange-Organization-SCL and X-ETR-SafeSenderDomain headers in the results. This example shows that the SCL value is -1, and the X-ETR-SafeSenderDomain value is O365 Whitelist Domain – icuc.ml, your custom header value.

This result confirms that you’ve successfully whitelisted a sender domain in Exchange Online.

o365 whitelist email domain

Note. If you do the same test on a non-whitelisted sender domain, you should not see the X-ETR-SafeSenderDomain header in the message header.

Run a Mail Trace

Another way to confirm that the rule was applied to the external message is by performing a message trace.

First, run a message trace for messages received from dummy@icuc.ml to dummy@lzex.ga.

# Run a message trace 
$mailTrace = Get-MessageTrace -SenderAddress dummy@icuc.ml -RecipientAddress dummy@lzex.ga 
# Get the latest message received 

office365 whitelist sender

Next, get the message trace details. Filter the results by event (Transport rule).

-MessageTraceId $($mailTrace[-1].MessageTraceId) -RecipientAddress dummy@lzex.ga | 
Where-Object { $_.Event -eq 'Transport rule' } | 
Select-Object Date, Action, Detail

The result below shows you the transport rule events and what actions the rule took. Each action has its own entry in the trace.

office 365 whitelist email domain

There you go! You’ve completed the steps to whitelist a domain in Office 365. If you have more domains to whitelist, you only need to repeat the same steps with new values.

Cyril Kardashevsky
Latest posts by Cyril Kardashevsky (see all)

Leave a Reply

Your email address will not be published.