Skip to content

Add tag to external emails in Microsoft 365 for extra security

You like to secure the infrastructure, and one of the places to have additional security is email. Users click too fast on hyperlinks or attachments, and it’s excellent to make them aware of double-checking the email because it’s sent from an external sender.

Microsoft listened and added a new feature in Microsoft 365 – Exchange Online. From now on, we can add a tag for external emails. It’s a welcoming new feature and only available for Exchange Online. In this article, you will learn how to enable the external tag feature.

Why you should enable external tagging

Why do you want to add a tag for external received email messages? Even that we have Exchange Online Protection or other spam filters, it’s known that you can’t completely protect the organization from spyware, malicious links. User awareness is important, and that’s what the external tag feature will do.

Microsoft is aware that even if you enable SPF, DKIM, and DMARC to prevent phishing and email spam, it’s not enough. That’s why they created a new PowerShell cmdlet for Exchange Online to enable the protections against spam & phishing threats from external senders. This will be achieved by presenting a new tag on emails called “External”.

It will show in:

  • Outlook on the web: available now
  • Outlook for Windows: available in May 2021 (starting with Insider Fast)
  • Outlook mobile (iOS & Android): version 4.2111.0 and higher
  • Outlook for Mac: version 16.47 and higher

Note: Suppose your organization already uses mail flow rules (also known as transport rules) to add text to the subject line of messages from external senders. In that case, you should disable those rules before you enable this feature to avoid duplication.

Connect to Exchange Online PowerShell

The only option to enable the tag for external email messages is with Exchange Online PowerShell. There is no option through the Microsoft 365 Exchange admin center.

Run Windows PowerShell as administrator and connect to Exchange Online PowerShell.

PS C:\> Connect-ExchangeOnline

Enable external email tag

Enable external sender identification in supported versions of Outlook. Run the Set-ExternalInOutlook cmdlet.

PS C:\> Set-ExternalInOutlook -Enabled $true

Now that it’s enabled, you can verify by running the Get-ExternalInOutlook cmdlet.

PS C:\> Get-ExternalInOutlook | Format-Table

RunspaceId                           Identity                             Enabled AllowList
----------                           --------                             ------- ---------
262c8cb4-da7e-47b0-bcb4-6ce1569061b6 fe15bfe6-36b2-4c9d-bf42-51b995f8e9af    True {}       
  • Enabled: True means the feature is enabled; False means the feature is disabled.
  • AllowList: The list of exceptions. Messages received from the specified senders or senders in the specified domains don’t receive the External icon in the area of the subject line.

Note: After you enable the cmdlet, it can take between 24-48 hours before the users see the external tag from received external emails.

Add domain to allow list

Don’t you want to add an external tag to a domain or multiple domains? Add the domains to the allow list.

PS C:\> Set-ExternalInOutlook -AllowList @{Add="contoso.com", "microsoft.com"}

Let’s see how it looks.

PS C:\> Get-ExternalInOutlook | Format-Table Identity, Enabled, AllowList

Identity                             Enabled AllowList
--------                             ------- ---------
fe15bfe6-36b2-4c9d-bf42-51b995f8e9af    True {contoso.com, microsoft.com}

Remove domain from allow list

Do you want to remove the domain or domains from the allow list?

PS C:\> Set-ExternalInOutlook -AllowList @{Remove="contoso.com", "microsoft.com"}

Exchange Online external tag enabled

After we set the external tagging feature, we had to wait for 48 hours before the external tag feature did show up. The new emails that arrive are automatically tagged. Older emails that you have do not get the external tag.

Add tag to external emails in Microsoft 365 for extra security from outside your organization

Reply to an email, and the external tag will not show up in the email message. The sender does not know you have external tagging enabled, which is excellent.

Add tag to external emails in Microsoft 365 for extra security reply

Exchange Online external tag not working

Because it’s a new feature, this can take time before it’s available in your Microsoft 365 tenant. To speed that up, you can set up the targeted release preferences in Microsoft 365.

Sign in to Microsoft 365 admin center. Go to Settings > Org settings > Organization profile > Release preferences.

Add tag to external emails in Microsoft 365 for extra security release preferences

Select Targeted release for everyone and click on Save.

Add tag to external emails in Microsoft 365 for extra security targeted release for everyone

That’s it! Did you enable the external tag feature in Exchange Online – Microsoft 365?

Read more: Save sent items in shared mailbox with PowerShell »

Conclusion

In this article, you learned how to add a tag to received external emails in Exchange Online – Microsoft 365 for extra security. Spammers will try every way possible to get that mail in your inbox. Using this new and excellent feature by Microsoft will make the users aware that the email is coming from outside the organization.

I recommend enabling this feature on every Microsoft 365 tenant. Don’t forget that the tag feature only is available for Exchange Online, and this will not work for Exchange on-premises. We may see this feature in Exchange on-premises, but there are no words about that yet.

Did you enjoy this article? You may also like Assign Microsoft 365 licenses with group-based licensing. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 15 Comments

  1. Hi Ali,

    I have enabled with Set-ExternalInOutlook -Enabled $true.
    I have added a lot of domains that we have as our own.
    I have added our internal Active directory domain domain.local in the allowlist, but even if it is in this list I get the External mark on these mails. (mails send from internal powershell scripts etc.)
    Do you know if it is possible to hav settings that does not put our internal AD domain name as External on mails in Exchange Online.?

    Best regards
    Morten

  2. Has anyone experienced e-mails not getting the external tags from domains other than .com? For example .edu or il?

    Thanks

    CF

  3. Some users saw the “External” tag in Outlook for Windows for a couple of days, then it disappears again suddenly. How could this happen?

    It seems the “External” tag in Outlook for Windows is a new feature that Microsoft is going to release soon, what is the timeline and based on what will it be rolled out?

    Can we or the end-user control the look and feel of the “External” tag in Outlook for Windows?

Leave a Reply

Your email address will not be published. Required fields are marked *