We did configure an Exchange Hybrid configuration and now want to let the organization use…
Add tag to external emails in Microsoft 365 for extra security
You like to secure the infrastructure, and one of the places to have additional security is email. Users click too fast on hyperlinks or attachments, and it’s excellent to make them aware of double-checking the email because it’s sent from an external sender.
Microsoft listened and added a new feature in Microsoft 365 – Exchange Online. From now on, we can add a tag for external emails. It’s a welcoming new feature and only available for Exchange Online. In this article, you will learn how to enable the external tag feature.
Table of contents
Why you should enable external tagging
Why do you want to add a tag for external received email messages? Even that we have Exchange Online Protection or other spam filters, it’s known that you can’t completely protect the organization from spyware, malicious links. User awareness is important, and that’s what the external tag feature will do.
Microsoft is aware that even if you enable SPF, DKIM, and DMARC to prevent phishing and email spam, it’s not enough. That’s why they created a new PowerShell cmdlet for Exchange Online to enable the protections against spam & phishing threats from external senders. This will be achieved by presenting a new tag on emails called “External”.
It will show in:
- Outlook on the web: available now
- Outlook for Windows: available in May 2021 (starting with Insider Fast)
- Outlook mobile (iOS & Android): version 4.2111.0 and higher
- Outlook for Mac: version 16.47 and higher
Note: Suppose your organization already uses mail flow rules (also known as transport rules) to add text to the subject line of messages from external senders. In that case, you should disable those rules before you enable this feature to avoid duplication.
Connect to Exchange Online PowerShell
The only option to enable the tag for external email messages is with Exchange Online PowerShell. There is no option through the Microsoft 365 Exchange admin center.
Run Windows PowerShell as administrator and connect to Exchange Online PowerShell.
PS C:\> Connect-ExchangeOnline
Enable external email tag
Enable external sender identification in supported versions of Outlook. Run the Set-ExternalInOutlook cmdlet.
PS C:\> Set-ExternalInOutlook -Enabled $true
Now that it’s enabled, you can verify by running the Get-ExternalInOutlook cmdlet.
PS C:\> Get-ExternalInOutlook | Format-Table
RunspaceId Identity Enabled AllowList
---------- -------- ------- ---------
262c8cb4-da7e-47b0-bcb4-6ce1569061b6 fe15bfe6-36b2-4c9d-bf42-51b995f8e9af True {}
- Enabled: True means the feature is enabled; False means the feature is disabled.
- AllowList: The list of exceptions. Messages received from the specified senders or senders in the specified domains don’t receive the External icon in the area of the subject line.
Note: After you enable the cmdlet, it can take between 24-48 hours before the users see the external tag from received external emails.
Add domain to allow list
Don’t you want to add an external tag to a domain or multiple domains? Add the domains to the allow list.
PS C:\> Set-ExternalInOutlook -AllowList @{Add="contoso.com", "microsoft.com"}
Let’s see how it looks.
PS C:\> Get-ExternalInOutlook | Format-Table Identity, Enabled, AllowList
Identity Enabled AllowList
-------- ------- ---------
fe15bfe6-36b2-4c9d-bf42-51b995f8e9af True {contoso.com, microsoft.com}
Remove domain from allow list
Do you want to remove the domain or domains from the allow list?
PS C:\> Set-ExternalInOutlook -AllowList @{Remove="contoso.com", "microsoft.com"}
Exchange Online external tag enabled
After we set the external tagging feature, we had to wait for 48 hours before the external tag feature did show up. The new emails that arrive are automatically tagged. Older emails that you have do not get the external tag.
Reply to an email, and the external tag will not show up in the email message. The sender does not know you have external tagging enabled, which is excellent.
Exchange Online external tag not working
Because it’s a new feature, this can take time before it’s available in your Microsoft 365 tenant. To speed that up, you can set up the targeted release preferences in Microsoft 365.
Sign in to Microsoft 365 admin center. Go to Settings > Org settings > Organization profile > Release preferences.
Select Targeted release for everyone and click on Save.
That’s it! Did you enable the external tag feature in Exchange Online – Microsoft 365?
Read more: Save sent items in shared mailbox with PowerShell »
Conclusion
In this article, you learned how to add a tag to received external emails in Exchange Online – Microsoft 365 for extra security. Spammers will try every way possible to get that mail in your inbox. Using this new and excellent feature by Microsoft will make the users aware that the email is coming from outside the organization.
I recommend enabling this feature on every Microsoft 365 tenant. Don’t forget that the tag feature only is available for Exchange Online, and this will not work for Exchange on-premises. We may see this feature in Exchange on-premises, but there are no words about that yet.
Did you enjoy this article? You may also like Assign Microsoft 365 licenses with group-based licensing. Don’t forget to follow us and share this article.
Hi Ali,
I have enabled with Set-ExternalInOutlook -Enabled $true.
I have added a lot of domains that we have as our own.
I have added our internal Active directory domain domain.local in the allowlist, but even if it is in this list I get the External mark on these mails. (mails send from internal powershell scripts etc.)
Do you know if it is possible to hav settings that does not put our internal AD domain name as External on mails in Exchange Online.?
Best regards
Morten
Hi Morten,
That’s unfortunately not possible.
The best way is to adjust all the applications/printers to use the primary domain instead of the internal domain.
I would like know, can we add allow list to external email address instead of entire domain
Yes, you can. Just add the email address instead of the domain.
Has anyone experienced e-mails not getting the external tags from domains other than .com? For example .edu or il?
Thanks
CF
yes, we have domains in the allowlist with .dk, .no, .fi and it works fine.
Thank you for this document, very useful.
Can this feature be disabled?
Yes.
Connect to Exchange Online PowerShell and run the command:
Try Set-ReadTheArticle = $true
Some users saw the “External” tag in Outlook for Windows for a couple of days, then it disappears again suddenly. How could this happen?
It seems the “External” tag in Outlook for Windows is a new feature that Microsoft is going to release soon, what is the timeline and based on what will it be rolled out?
Can we or the end-user control the look and feel of the “External” tag in Outlook for Windows?
Hi,
Can I change the color of the external tags?
No, that is not possible.
Hi
Looks great, but why its not available on Outlook?
Microsoft needs more time.
You can track the feature in the Microsoft 365 roadmap: Exchange: Online – Tag for external email messages received.