
Make Sure You Get Those Emails: Whitelist Email Addresses in Microsoft Office 365

December 27, 2017 | April 5th, 2023 | Blog, Exchange, Microsoft, Office 365

UPDATED: 2/18/2022

Sometimes Exchange can be a little overzealous in protecting you from spam and other unwanted email. To make sure messages get through, you can whitelist email addresses in Office 365. 

We get this question a lot from IT Pros and people just getting started in the Office 365 Admin center. The first set of instructions is for the pros–no fluff. Use the second set of instructions for a few more details. If you’re not an Office 365 admin, you can use our end-user instructions for whitelisting email addresses from Outlook, here. 

How to Whitelist an Email Address in Office 365

  1. Open the Exchange Admin Center. 
  2. Click on the Mail Flow drop down and select Rules. 
  3. Add a new rule for Bypass Spam Filtering. 
  4. From the Apply this rule if… drop down, select the sender… > is this person. 
  5. In the field to the right of the Check names button, type the email address you want to allow.  
  6. Click the Check names button to move your address to the Add -> field.  
  7. Click the Ok button to exit the flyout window.  
  8. In the Do the following… field, Set the spam confidence level (SCL) to Bypass Spam Filtering should automatically be selected.  
  9. Click Save to apply the policy.

How to Whitelist an email domain in Office 365: 

  1. Open the Exchange Admin Center. 
  2. Click on the Mail Flow drop down and select Rules. 
  3. Add a new rule for Bypass Spam Filtering. 
  4. From the Apply this rule if… drop down, select the sender… > domain is. 
  5. Type the domain in the Specify Domain flyout window and click the Plus button to add the domain to your policy.  
  6. Add additional domains here or click Ok to exit the flyout window.  
  7. In the Do the following… field, Set the spam confidence level (SCL) to Bypass Spam Filtering should automatically be selected.  
  8. Click Save to apply the policy.  

Whitelisting an entire domain can leave your organization vulnerable to threats from accounts that spoof the allowed domain. To mitigate some of this risk, we recommend adding an additional condition that checks if the message was sent from the domain’s registered servers: 

  1. Click the Add Condition button under the Apply this rule if… header. 
  2. From the drop-down, select A message header… > includes any of these words. 
  3. Click the Enter text… hyperlink and specify the header name as Authentication-Results 
  4. Then select the Enter words… hyperlink and add dmarc=pass and dmarc=bestguesspass to the Specify words or phrases list as separate entries.  
  5. Click Ok to exit the flyout window and save your phrases.  
  6. Click the Save button to save your rule.  
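The same domain rule can be created from Exchange Online PowerShell, and existing bypass rules can be audited for the missing DMARC condition. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module and an admin session, and `partner.example`, the rule name and the `Get-SpamBypassRuleReport` helper are placeholders chosen for illustration.

```powershell
# Added example. Assumes: Install-Module ExchangeOnlineManagement, admin rights.
Connect-ExchangeOnline

# Conditions in one rule are ANDed: the sender domain must match AND the
# Authentication-Results header must contain one of the listed words.
$ruleParams = @{
    Name                        = 'Bypass spam filtering - partner.example (DMARC pass only)'
    SenderDomainIs              = 'partner.example'          # placeholder domain
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=pass', 'dmarc=bestguesspass'
    SetSCL                      = -1                         # -1 = Bypass Spam Filtering
}
New-TransportRule @ruleParams

# Audit helper (hypothetical name): report every rule that sets SCL to -1 and
# flag domain-wide rules that do not also check the DMARC result.
function Get-SpamBypassRuleReport {
    Get-TransportRule -ResultSize Unlimited |
        Where-Object { "$($_.SetSCL)" -eq '-1' } |
        ForEach-Object {
            $checksDmarc =
                ("$($_.HeaderContainsMessageHeader)" -eq 'Authentication-Results') -and
                [bool]($_.HeaderContainsWords -match '^dmarc=(pass|bestguesspass)$')

            [pscustomobject]@{
                Name           = $_.Name
                State          = $_.State
                SenderDomainIs = $_.SenderDomainIs -join ', '
                From           = $_.From -join ', '
                ChecksDmarc    = $checksDmarc
                # Whole-domain bypass without the header condition
                NeedsReview    = [bool]($_.SenderDomainIs -and -not $checksDmarc)
            }
        }
}

Get-SpamBypassRuleReport |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

Rows with `NeedsReview` set to `True` are domain-wide bypass rules that lack the Authentication-Results condition described above.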

More Detailed Instructions for Whitelisting Emails: 

  1. Sign into Office 365: Go to portal.office.com and sign in with an Office 365 admin account.  
  2. Select Admin from your list of apps. 
  3. Click the Show All link on the right-hand navigation pane and choose Exchange from the list of admin centers. 
  4. Click on the Mail Flow drop down and select Rules. 
  5. Click the + button to create a new rule and select Bypass Spam Filtering. 
  6. From here, you’ll need to decide if you’re whitelisting a single email address or an entire domain.  

Whitelisting a single email address is the safest course of action, since whitelisting an entire email domain allows malicious actors to spoof any address on the allowed domain to deliver spam and phishing messages directly to user inboxes.  

For a Single Email Address: 

  1. From the Apply this rule if… drop down, select the sender… > is this person. 
  2. In the field to the right of the Check names button, type the email address you want to allow.  
  3. Click the Check names button to move your address to the Add -> field.  
  4. Click the Ok button to exit the flyout window.  
  5. In the Do the following… field, Set the spam confidence level (SCL) to Bypass Spam Filtering should automatically be selected.  
  6. Click Save to apply the policy.  

For an Email Domain: 

  1. From the Apply this rule if… drop down, select the sender… > domain is. 
  2. Type the domain in the Specify Domain flyout window and click the Plus button to add the domain to your policy.  
  3. Add additional domains here or click Ok to exit the flyout window.  
  4. In the Do the following… field, Set the spam confidence level (SCL) to Bypass Spam Filtering should automatically be selected.  
  5. Click Save to apply the policy.  

Whitelisting an entire domain can leave your organization vulnerable to threats from accounts that spoof the allowed domain. To mitigate some of this risk, we recommend adding an additional condition that checks if the message was sent from the domain’s registered servers: 

  1. Click the Add Condition button under the Apply this rule if… header. 
  2. From the drop-down, select A message header… > includes any of these words. 
  3. Click the Enter text… hyperlink and specify the header name as “Authentication-Results”. 
  4. Then select the Enter words… hyperlink and add dmarc=pass and dmarc=bestguesspass to the Specify words or phrases list as separate entries.  
  5. Click Ok to exit the flyout window and save your phrases.  
  6. Click the Save button to save your rule.  

That’s it! Now email from that address will be delivered to your organization’s inboxes, not marked as junk. 

Jeff Kirvin, PEI 

 

This blog was updated on 2/18/2022 to reflect changes to the Exchange Admin Center.
