How to Allowlist domain in Microsoft 365
How do you allowlist a domain in Microsoft 365 and bypass the spam filtering service? Spam is an issue that a lot of companies face. However, sometimes you get a request to bypass filtering for specific domains. This article will teach you how to allowlist a domain in Microsoft 365 to bypass spam filtering.
Before you start
Before you immediately start and add a domain to the Allowed list in Microsoft 365, it’s important that you take the following precautions:
- Never put domains that you own onto the Allow and Blocklists
- Never put common domains, such as microsoft.com and office.com, onto the Allow and Blocklists
- Don’t keep domains on the lists permanently unless you disagree with the verdict of Microsoft
Allowlist domain in Microsoft 365 with Mail flow rule
The preferred method is to use a mail flow rule (also known as a transport rule) that checks the Authentication-Results header for dmarc=pass or dmarc=bestguesspass, or, at a bare minimum, spf=pass if the sending domain hasn’t updated its domain protection.
Note: You can’t use message headers and mail flow rules to designate an internal sender as a safe sender. The procedures in this section work for external senders only.
To allowlist a domain in Microsoft 365 with a mail flow rule (recommended), follow these steps:
- Sign in to Exchange admin center
- Click on Mail flow > Rules in the menu
- Click Add a rule > Create a new rule
- Give the new rule a name and set the below conditions
- Click Next
- Fill in the comments section with the current date and the link to the article so you or your colleagues are always up to date
- Click Next
- Click Finish
- In the Rules list, click the rule and enable it
Now that you have set up a mail flow rule to bypass Microsoft 365 spam filtering, we recommend you send a message and check the message headers (see the last step).
Allowlist domain in Microsoft 365 with Anti-spam policy
The least desirable option is to use the allowed sender list or allowed domain list in anti-spam policies. You should avoid this option if possible because senders bypass all spam, spoof, phishing protection (except high confidence phishing), and sender authentication (SPF, DKIM, DMARC).
Note: The below method is not recommended, and you should only use this temporarily for testing. This creates a high risk of attackers successfully delivering emails to the Inbox that would otherwise be filtered.
To Allowlist a domain in Microsoft 365, follow these steps:
- Sign in to Microsoft 365 Defender portal
- Click on Email & collaboration > Policies & rules in the menu
- Choose Threat policies in the list
- Select Anti-spam
- Select Anti-spam inbound policy (Default)
- Scroll down and click on Edit allowed and blocked senders and domains
- There are two options to bypass SPAM filtering in Office 365:
- Senders: Fill in the sender email address
- Domains: Fill in the sender domain
In our example, we will click on Allow domains.
- Click on Add domains.
- Fill in the domain that you want to allow
- Confirm the entered domain
- Click Add domains
- Click Done
- Click on Save
The domain is added to the Microsoft 365 Anti-spam inbound policy allowed domain list. From now on, all emails with that domain will bypass the spam filtering and not be marked as SPAM.
Now that you have configured the Microsoft 365 Anti-spam inbound policy to bypass Microsoft 365 spam filtering, we recommend you send a message and check the message headers (see the next step).
Verify message headers
After configuring one of the above methods, send a test email from the domain you added.
Important: Give it 15 minutes before you test the mail filtering, as it needs time to propagate the changes in the Microsoft cloud servers.
Copy the email headers and insert them in the Microsoft Message Header Analyzer.
Without any modifications
It will show the Spam Filtering Verdict as NSPM.
This is the default result when you haven’t added the sender to the allowed senders list or allowed domains list in an anti-spam policy, or to a mail flow rule. It means that spam filtering marked the message as nonspam and the message was sent to the intended recipients.
With mail flow rule
It shows the Spam Filtering Verdict as SKN.
The message was marked as nonspam before processing by spam filtering because the message was marked as SCL -1 or Bypass spam filtering by a mail flow rule.
The X-ETR header with the value that you added will appear.
With Anti-spam policy
It will show the Spam Filtering Verdict (SFV) as SKA.
The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy.
To get all the fields and their description in a table overview, go to Anti-spam message headers in Microsoft 365.
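The same check can be scripted for a batch of test messages. The following is an added example, not part of the original article or Microsoft's tooling: it reads the SFV and SCL values from X-Forefront-Antispam-Report, the DMARC and SPF results from Authentication-Results, and the X-ETR header, and flags any message that bypassed filtering without a DMARC pass. The sample headers, example.com, 192.0.2.10 and the X-ETR text are constructed placeholders.

```python
import re
from email import message_from_string

# SFV verdicts covered in the "Verify message headers" section.
SFV_MEANING = {
    "NSPM": "scanned by spam filtering, marked as nonspam",
    "SKN": "filtering skipped: SCL -1 set by a mail flow rule",
    "SKA": "filtering skipped: sender is on an anti-spam policy allow list",
}

def analyze(raw_headers):
    """Extract the fields that show whether, and how, filtering was bypassed."""
    msg = message_from_string(raw_headers)
    report = msg.get("X-Forefront-Antispam-Report", "")
    # The report is a ';'-separated list of KEY:value pairs.
    fields = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    auth = " ".join(msg.get_all("Authentication-Results", []))

    def result(method):
        m = re.search(rf"\b{method}=(\w+)", auth)
        return m.group(1).lower() if m else "none"

    sfv = fields.get("SFV", "").upper()
    dmarc = result("dmarc")
    return {
        "sfv": sfv,
        "meaning": SFV_MEANING.get(sfv, "not covered on this page"),
        "scl": fields.get("SCL", ""),
        "dmarc": dmarc,
        "spf": result("spf"),
        "x_etr": msg.get("X-ETR"),
        # A bypass without dmarc=pass/bestguesspass means the allow entry
        # delivered a message whose sender was not authenticated.
        "unauthenticated_bypass": sfv in ("SKN", "SKA")
        and dmarc not in ("pass", "bestguesspass"),
    }

# Constructed sample headers; all values below are placeholders.
AUTH_OK = "Authentication-Results: spf=pass smtp.mailfrom=example.com;\n dkim=pass header.d=example.com; dmarc=pass action=none\n"
AUTH_BAD = "Authentication-Results: spf=fail smtp.mailfrom=example.com;\n dkim=none; dmarc=fail action=none\n"
SAMPLES = {
    "default": AUTH_OK + "X-Forefront-Antispam-Report: CIP:192.0.2.10;SFV:NSPM;SCL:1;\n\n",
    "rule": AUTH_OK + "X-ETR: allowlist placeholder\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;SFV:SKN;SCL:-1;\n\n",
    "policy": AUTH_BAD + "X-Forefront-Antispam-Report: CIP:192.0.2.10;SFV:SKA;SCL:-1;\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = analyze(raw)
        print(f"{name}: SFV={r['sfv']} SCL={r['scl']} dmarc={r['dmarc']} risky={r['unauthenticated_bypass']}")
```

The "policy" sample shows why the anti-spam policy allow list is the least desirable option: the message is delivered with SFV SKA even though SPF and DMARC failed.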
That’s it!
Note: An excellent way to check if your Microsoft 365 tenant is set up correctly is to run the Office 365 Recommended Configuration Analyzer and get a report with Microsoft’s recommendation.
Conclusion
You learned how to Allowlist a domain in Microsoft 365 to bypass SPAM filtering. It’s recommended to create a mail flow rule and configure the conditions to skip spam filtering. From now on, the sender domain will not be flagged as SPAM in Exchange Online Protection (EOP).
I checked my tenant and I see a whole list of domains added to the allow list. This is not good!! I will remove it ASAP and share this with the team.
Thanks Ali and keep updating us with the best recommendations!
Real practical knowledge shared for free. Thank you so much for all the information!
Thank you so much for keeping everything up to date as Microsoft always changes stuff around in the cloud.
Method 1 with the mail flow rule applied and everything works.