Bypass spam filtering for an email address or domain in Office 365

Exchange Online Protection (EOP) is a cloud-based email filtering service that is part of Microsoft 365. Using EOP, organizations can protect against spam, malware, phishing attacks and other email threats by scanning inbound and outbound emails. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

Microsoft 365 email protection uses built-in algorithms and AI to detect whether an email is spam, a phishing email, or contains malware.

Whitelisting an email address or domain means putting that email address or domain on the Allow list, which is sometimes referred to as a Safe Senders list.

There are various ways to whitelist a sender or domain in Office 365. However, none of the options are recommended by Microsoft because each one overrides the verdict set by Microsoft 365 threat protection. If you create rules to bypass the threat protection filters, you are letting potentially harmful messages pass through.

If you still have to bypass threat protection checks for a sender or domain, do it on a temporary basis.

You can allow a sender or domain in Office 365 by using any of the methods below:

  1. Using Tenant Allow/Block List.
  2. Create a Transport rule in Exchange Online.
  3. Outlook Safe Senders list.
  4. IP Allow List in Anti-spam policy.
  5. Allow or Block List of Anti-Spam or Anti-Phishing Policies.

Option 1 – Using Tenant Allow/Block List

If you want to bypass threat protection checks for a sender or domain, you can use the Tenant Allow/Block List from the Microsoft 365 Defender portal.

You can add any domain or email address to the Block list without submitting a sample email message to Microsoft. To add a sender to the Allow list, however, you need to submit a copy of the email message to Microsoft.

Microsoft will analyse the email header information along with other attributes in the email to check whether the email is a false positive or false negative. Depending on the options selected at the time of sample submission, the email will be allowed for the specified number of days.

You cannot allow a sender or domain through the Tenant Allow list for an unlimited time. Once the deadline expires, the allowed sender will be removed from the rule.

Steps to add a sender to Tenant Allow list in Office 365

  • Under Email & collaboration > Policies & rules.
  • Click on Threat policies.
  • Under Rules > Tenant Allow/Block Lists.
  • Click on Submitting the email link which will open Submissions Page.
  • On Submissions page, click on + Submit to Microsoft for analysis.
  • On the Submit to Microsoft for analysis page, select the information below:
    • Select the submissions type: Email
    • Click on Browse files and select the saved email .msg file.
    • Choose a recipient who had an issue: Provide the email address of the recipient who reported this issue.
    • Select Should not have been blocked (False positive)
    • Check the box Allow emails with similar attributes (URL, sender, etc.).
    • Remove allow entry after: From the drop-down, select the number of days after which the whitelisting should be removed.
  • Wait for the verdict from Microsoft. Once the analysis has been completed you will see the sender is added to the Tenant Allow/Block list. You can check the status from Email & collaboration > Policies & rules > Threat policies > Tenant Allow/Block Lists.

Option 2 – Create a Transport rule in Exchange Online to bypass SPAM filtering

I understand that creating a Tenant Allow list entry is not a straightforward or quick process. However, that's the option recommended by Microsoft. If you do not want to use Option 1, you can create a Transport rule in Exchange Online to bypass SPAM filtering checks for a sender or domain.

To create a Transport rule (mail flow rule) in Exchange Online, follow the steps below:

  • Go to Mail flow > Rules > click on + Add a rule.
  • Set the rule conditions below and click Next. You should add more rule conditions where applicable to make the rule stricter. For example, if you know the IP address of the source email server, add another condition in “Apply this rule if” and provide the source email server's IP address. This makes sure that the bypass SPAM filtering rule is applied only to that particular email server.
    • Name: Bypass <domainname> domain from SPAM filtering
    • Apply this rule if: The sender domain is <provide the domain name value>
    • AND The Sender is Outside the organization.
    • AND The message headers... include any of these words: Header name: Authentication-Results and Words: ‘dmarc=pass’ or ‘dmarc=bestguesspass’
    • Do the following: Modify the message properties to Set the spam confidence level (SCL) to -1.
    • AND Modify the message properties to set a message header: X-ETR and value as ‘Bypass spam filtering for authenticated sender <domain name>’
    Note: The Authentication-Results condition (‘dmarc=pass’ or ‘dmarc=bestguesspass’) checks the email authentication status of the sending email domain to ensure that the sending domain is not being spoofed.
  • Set the rule settings below and click Next.
    • Rule mode: Enforce.
    • Keep the rest of the settings as default.
  • Review and click on Finish to create the rule.
  • When you create any Transport rule in Exchange Online, it is created in a disabled state by default. Click on the rule and toggle the switch to Enable.
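The same rule can be built from Exchange Online PowerShell, including the source-IP condition suggested above and an expiry date so the bypass stays temporary. This is an added example, not part of the original post; it assumes a connected session (Connect-ExchangeOnline), and contoso.com, 203.0.113.25 and the 30-day lifetime are placeholder values.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run
# with rights to manage mail flow rules.

# Placeholder values, constructed for illustration only.
$Domain   = 'contoso.com'     # sender domain to bypass
$SourceIp = '203.0.113.25'    # known IP of the sending mail server
$Days     = 30                # how long the bypass should live

$ruleParams = @{
    Name                        = "Bypass $Domain domain from SPAM filtering"
    # Conditions ("Apply this rule if"): all of them must match.
    SenderDomainIs              = $Domain
    FromScope                   = 'NotInOrganization'
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=pass', 'dmarc=bestguesspass'
    SenderIpRanges              = $SourceIp
    # Actions ("Do the following").
    SetSCL                      = -1
    SetHeaderName               = 'X-ETR'
    SetHeaderValue              = "Bypass spam filtering for authenticated sender $Domain"
    # Rule settings: enforce, enable on creation, stop applying after $Days.
    Mode                        = 'Enforce'
    Enabled                     = $true
    ExpiryDate                  = (Get-Date).AddDays($Days)
    Comments                    = "Temporary spam-filter bypass for $Domain; review before expiry."
}
New-TransportRule @ruleParams

# Confirm what was created and when it stops applying.
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Mode, SenderDomainIs, SenderIpRanges, SetSCL, ExpiryDate
```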

Option 3 – Outlook Safe Senders list to bypass spam filtering

Users can use Outlook for Desktop or Outlook on the web (Outlook Web App) to create a safe senders list. Once an email address or domain is on the safe senders list, it bypasses content filtering and its email is delivered to the user's Inbox.

Admins can also configure the Safe Senders list by using PowerShell cmdlets. The cmdlet to use is Set-MailboxJunkEmailConfiguration.

To check the blocked or allowed senders configured on any user mailbox, you can use the cmdlet below.

Get-MailboxJunkEmailConfiguration -Identity "<MailboxIdentity>" | Format-List trusted*,contacts*,blocked*

Option 4 – IP Allow List to bypass Spam Filtering

You can skip spam filtering for all inbound emails from a particular email server (or servers) by adding its IP address to the IP Allow List. You can also provide a range of IP addresses in CIDR format, for example: 10.2.4.1/24.

You can add an IP address to the IP Allow List using the default connection filter policy, which already exists in the Microsoft 365 Defender portal under Anti-spam policies. To be able to edit the policy, you need Security Administrator rights or membership of the Organization Management group.

Here are the steps to add an IP address to the Allow list:

  • Under Email & collaboration > Policies & rules.
  • Click on Threat policies.
  • Click on Anti-spam under Policies.
  • Select the Connection filter policy (Default) and then click on Edit connection filter policy.
  • Add the IP address or IP address range to “Always allow messages from the following IP addresses or address range:”. Click on Save to complete the configuration.

Option 5 – Allow or Block List of Anti-Spam Policies

This is the least recommended option according to Microsoft because the sender will bypass all spam checks, spoofing checks and phishing protection, but not sender authentication (SPF, DKIM, DMARC). Sender authentication checks must be passed to skip anti-spam filtering.

You should use it on a temporary basis or while testing the email flow. The maximum number of entries that can be added here is 1000, and if it's more than 30, it can only be done using PowerShell.

If you add any domain or sender to the Allow list in the Anti-spam inbound policy (Default), make sure to review it every couple of weeks to check whether the domain or sender should still be in the Allow list. As the system learns about the sender or domain, there may no longer be a need to bypass content filtering for it.

Let’s see how to whitelist a domain or sender in Anti-Spam Inbound policy:

  • Under Email & collaboration > Policies & rules.
  • Click on Threat policies.
  • Click on Anti-spam under Policies.
  • Select the Anti-spam inbound policy (Default) and scroll down to the bottom of the policy to select “Edit Allowed and blocked senders and domains”.
  • Under the Allowed section, you will find the Manage Senders and Allow domains links.
    • Manage senders – Add sender’s email address to whitelist.
    • Allow Domains – Add a domain to whitelist.
  • I have clicked on the Allow domains link and then clicked on + Add domains to add a domain, for example: cloudinfra.net.

Bonus – Allow or Block list of Anti-Phishing Policies

If you want to bypass Anti-phishing protection for a particular trusted sender or domain, you can use the Allow list of the Anti-phishing policy. Let’s check the steps for the same:

  • Under Email & collaboration > Policies & rules.
  • Click on Threat policies.
  • Click on Anti-phishing under Policies.
  • Select the Office365 AntiPhish Default (Default) policy or, if you have created a custom policy that protects all users, select that policy.
  • Click on Edit protection settings.
  • On Edit protection settings, click on “Manage trusted sender(s) and domain(s)” to whitelist a sender or domain.
  • Click on either the Sender tab to whitelist a sender email address or the Domain tab to add a domain to the whitelist.

Conclusion

In this blog post, we have seen different ways to whitelist a sender or domain in Office 365 to bypass SPAM filtering. You can also bypass phishing protection in addition to bypassing spam filtering if you want.

If you do not have a requirement to bypass content filtering for the whole domain, you should add only the particular sender who reported the issue. Also, carefully monitor each of the allow lists and remove a sender or domain when it no longer requires whitelisting.
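To support that monitoring, the read-only script below lists the bypass entries created through Options 1, 2, 4 and 5 and the anti-phishing trusted list in one table. It is an added example, not from the original post; it assumes a connected Exchange Online PowerShell session and does not cover per-mailbox Outlook Safe Senders lists (Option 3).

```powershell
# Added example: read-only inventory of spam-filter bypass entries.
# Assumes Connect-ExchangeOnline has already been run with read access
# to mail flow rules and threat policies.
$findings = [System.Collections.Generic.List[object]]::new()

# Helper (name is illustrative): record one row per non-empty entry.
# Entries are converted to strings for display.
function Add-Finding ($Source, $Policy, $Entries, $Expires = $null) {
    foreach ($e in @($Entries)) {
        if ($null -ne $e -and "$e" -ne '') {
            $findings.Add([pscustomobject]@{
                Source = $Source; Policy = $Policy; Entry = "$e"; Expires = $Expires })
        }
    }
}

# Option 1: Tenant Allow/Block List sender allows (these carry an expiration date).
Get-TenantAllowBlockListItems -ListType Sender -Allow | ForEach-Object {
    Add-Finding 'Tenant Allow/Block List' 'Sender allow' $_.Value $_.ExpirationDate }

# Option 2: transport rules that set the SCL to -1.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
    $scope = @($_.SenderDomainIs) + @($_.From) + @($_.SenderIpRanges) | Where-Object { $_ }
    $entry = if ($scope) { $scope -join ', ' } else { '(no sender or IP condition)' }
    Add-Finding 'Transport rule (SCL -1)' "$($_.Name) [$($_.State)]" $entry $_.ExpiryDate }

# Option 4: IP Allow List in the connection filter policy.
Get-HostedConnectionFilterPolicy | ForEach-Object {
    Add-Finding 'Connection filter IP Allow List' $_.Name $_.IPAllowList }

# Option 5: allowed senders and domains in anti-spam inbound policies.
Get-HostedContentFilterPolicy | ForEach-Object {
    Add-Finding 'Anti-spam allowed sender' $_.Name $_.AllowedSenders
    Add-Finding 'Anti-spam allowed domain' $_.Name $_.AllowedSenderDomains }

# Bonus: trusted senders and domains in anti-phishing policies.
Get-AntiPhishPolicy | ForEach-Object {
    Add-Finding 'Anti-phish trusted sender' $_.Name $_.ExcludedSenders
    Add-Finding 'Anti-phish trusted domain' $_.Name $_.ExcludedDomains }

# Rows with an empty Expires column never expire on their own.
$findings | Sort-Object Source, Policy | Format-Table -AutoSize -Wrap
```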
