How to Allowlist domain in Microsoft 365

Spam is an issue that a lot of companies are facing. However, sometimes you get a request to let specific domains bypass the spam filtering service. This article will teach you how to allowlist a domain in Microsoft 365 so that its mail bypasses spam filtering.

Before you start

Before you immediately start and add a domain to the Allowed list in Microsoft 365, it’s important that you take the following precautions:

  • Never put domains that you own onto the Allow and Blocklists
  • Never put common domains, such as microsoft.com and office.com, onto the Allow and Blocklists
  • Don’t keep domains on the lists permanently unless you disagree with the verdict of Microsoft

Allowlist domain in Microsoft 365 with Mail flow rule

The preferred method is to use a mail flow rule, also known as a transport rule, that checks the Authentication-Results header for dmarc=pass or dmarc=bestguesspass, or at a bare minimum spf=pass if the incoming domain hasn’t updated its domain protection.

Note: You can’t use message headers and mail flow rules to designate an internal sender as a safe sender. The procedures in this section work for external senders only.

To allowlist a domain in Microsoft 365 with a mail flow rule (recommended), follow these steps:

  1. Sign in to Exchange admin center
  2. Click on Mail flow > Rules in the menu
  3. Click Add a rule > Create a new rule
  4. Give the new rule a name and set the conditions
  5. Click Next
  6. Fill in the comments section with the current date and the link to the article so you or your colleagues are always up to date
  7. Click Next
  8. Click Finish
  9. Click in the Rules list on the rule and enable the rule

Now that you set up a mail flow rule to bypass Microsoft 365 spam filtering, we recommend you send a message and check the message headers (see the last step).

Allowlist domain in Microsoft 365 with Anti-spam policy

The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option if possible because senders bypass all spam, spoof, phishing protection (except high confidence phishing), and sender authentication (SPF, DKIM, DMARC).

Note: The below method is not recommended, and you should only use this temporarily for testing. This creates a high risk of attackers successfully delivering emails to the Inbox that would otherwise be filtered.

To Allowlist a domain in Microsoft 365, follow these steps:

  1. Sign in to Microsoft 365 Defender portal
  2. Click on Email & collaboration > Policies & rules in the menu
  3. Choose Threat policies in the list
  4. Select Anti-spam
  5. Select Anti-spam inbound policy (Default)
  6. Scroll down and click on Edit allowed and blocked senders and domains
  7. There are two options to bypass SPAM filtering in Office 365:
     • Senders: Fill in the sender email address
     • Domains: Fill in the sender domain

     In our example, we will click on Allow domains.
  8. Click on Add domains
  9. Fill in the domain that you want to allow
  10. Confirm the entered domain
  11. Click Add domains
  12. Click Done
  13. Click on Save

The domain is added to the Microsoft 365 Anti-spam inbound policy allowed domain list. From now on, all emails with that domain will bypass the spam filtering and not be marked as SPAM.

Now that you have configured the Microsoft 365 Anti-spam inbound policy to bypass Microsoft 365 spam filtering, we recommend you send a message and check the message headers (see the next step).

Verify message headers

After configuring one of the above methods, send a test email from the domain you added.

Important: Give it 15 minutes before you test the mail filtering, as it needs time to propagate the changes in the Microsoft cloud servers.

Copy the email headers and insert them in the Microsoft Message Header Analyzer.

Without any modifications

It will show the Spam Filtering Verdict as NSPM.

This is the default result if you didn’t add the sender to the allowed senders list or allowed domains list in an anti-spam policy or to a mail flow rule. It means that spam filtering marked the message as nonspam and the message was sent to the intended recipients.

With mail flow rule

It shows the Spam Filtering Verdict as SKN.

The message was marked as nonspam before processing by spam filtering because the message was marked as SCL -1 or Bypass spam filtering by a mail flow rule.

The X-ETR header with the value that you added will appear.

With Anti-spam policy

It will show the Spam Filtering Verdict (SFV) as SKA.

The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy.

To get all the fields and their description in a table overview, go to Anti-spam message headers in Microsoft 365.
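
The verdict checks from this section, combined with the authentication conditions recommended for the mail flow rule, as an added Python example (not code from the original article): it reads the X-Forefront-Antispam-Report and Authentication-Results headers of a message and flags bypasses that happened without sender authentication. The sample headers, domains, IP addresses and the X-ETR value are constructed for illustration.

```python
import re
from email import message_from_string

# Verdicts the article walks through, with the meaning it gives for each.
SFV_MEANING = {
    "NSPM": "scanned by spam filtering and marked as nonspam",
    "SKN": "skipped filtering: SCL -1 or bypass set by a mail flow rule",
    "SKA": "skipped filtering: sender is on an anti-spam policy allow list",
}

def analyze(raw_headers):
    """Classify how a message passed EOP and flag unauthenticated bypasses."""
    msg = message_from_string(raw_headers)
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE fields.
    report = msg.get("X-Forefront-Antispam-Report", "")
    fields = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    found = {k: re.search(rf"\b{k}=(\w+)", auth) for k in ("dmarc", "spf")}
    dmarc, spf = (m.group(1) if m else None for m in found.values())
    # Conditions the article recommends for the mail flow rule.
    authenticated = dmarc in ("pass", "bestguesspass") or spf == "pass"
    sfv, findings = fields.get("SFV"), []
    if sfv == "SKA":
        findings.append("allow-list bypass: sender authentication was not required")
    if sfv == "SKN" and not authenticated:
        findings.append("rule bypass without dmarc=pass/bestguesspass or spf=pass")
    if sfv == "SKN" and msg.get("X-ETR") is None:
        findings.append("SKN but no X-ETR header: check which rule set the bypass")
    return {"sfv": sfv, "meaning": SFV_MEANING.get(sfv, "not covered here"),
            "scl": fields.get("SCL"), "dmarc": dmarc, "spf": spf,
            "findings": findings}

# Constructed sample headers (example.com / example.net, documentation IPs).
RULE_BYPASS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass action=none header.from=example.com
X-ETR: Bypass spam filtering for authenticated sender 'example.com'
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:-1;SFV:SKN;
 H:mail.example.com;CAT:NONE;DIR:INB;
"""
ALLOW_LIST_BYPASS = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.net
X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:-1;SFV:SKA;DIR:INB;
"""

if __name__ == "__main__":
    print(analyze(RULE_BYPASS), analyze(ALLOW_LIST_BYPASS), sep="\n")
```

An empty findings list for an SKN message means the mail flow rule fired only after the sender authenticated; any SKA result is worth reviewing against the allowed domains list in the anti-spam policy.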

That’s it!

Note: An excellent way to check if your Microsoft 365 tenant is set up correctly is to run the Office 365 Recommended Configuration Analyzer and get a report with Microsoft’s recommendation.

Conclusion

You learned how to Allowlist a domain in Microsoft 365 to bypass SPAM filtering. It’s recommended to create a mail flow rule and configure the conditions to skip spam filtering. From now on, the sender domain will not be flagged as SPAM in Exchange Online Protection (EOP).

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 3 Comments

  1. I checked my tenant and I see a whole list of domains added to the allow list. This is not good!! I will remove it ASAP and share this with the team.

    Thanks Ali and keep updating us with the best recommendations!

  2. Thank you so much for keeping everything up to date as Microsoft always changes stuff around in the cloud.

    Method 1 with the mail flow rule applied and everything works.
