In Office 365, how do you whitelist a domain?

When legitimate email is mistakenly marked as spam by Exchange Online, it can end up in the junk folder. This is undesirable, so how can you whitelist a domain in Office 365? And how can you do it securely, without exposing yourself to phishing emails?

Spam filtering is critical for keeping malware and phishing emails out of your users' inboxes. However, when emails from trusted senders are marked as spam, we need a way to bypass the filter and get the message into the user's inbox safely.

In this article, we'll look at the various methods for whitelisting a domain in Office 365.

What you should know

There are several ways to whitelist a domain in Office 365, but it's critical that you understand what each approach entails. An email can be designated as spam for a variety of reasons. It might be because the email was sent from an untrustworthy source, it failed the SPF or DMARC verification, or it could even be because of the email's content.

At the tenant level, the two most common ways to whitelist a domain are to use a mail flow rule (the recommended method) or to add the domain to the allowed sender list in the anti-spam policy. Other options include whitelisting by IP address in Office 365 or using Outlook's safe sender list.

When you exclude a domain from spam filtering, it's critical to be as specific as possible about the source, because filtering on the domain name alone opens the door to spoofed phishing emails for that domain.

As a result, using mail flow rules to whitelist a domain is advised.

Whitelist a Domain in Office 365 Using Mail Flow Rules

We'll start with the preferred method, which is to use mail flow rules. The benefit of mail flow rules is that they let us whitelist a domain while adding additional checks at the same time, for example on part of the subject, the DMARC result, or even a specific IP address.

Suppose you have a web application that sends automatically generated email that you want to whitelist. You can then define a mail flow rule that filters messages based on the sender or domain, and filter on the IP address as an extra check, because you presumably know the IP address the email is sent from.

We must first access the Exchange Admin Center in order to whitelist a domain with a mail flow rule.

1. Expand Mail Flow and select Rules.

2. Click the + icon and select Bypass spam filtering.

3. Give your rule a name.

4. Under Apply this rule if, select Domain is.

5. Fill in the domain you want to whitelist.

6. Add a condition by selecting IP Address is in one of these ranges.

7. Enter the application's IP address.

8. There are also some extra conditions that you can use:

  • The subject or body > Subject includes any of these words. This way you can further filter emails based on a word in the subject line.
  • A message header includes any of these words. Filtering on the DMARC result is an excellent way to keep a whitelisted domain from being spoofed. Add Authentication-Results to the "Enter text" section and dmarc=pass to the "Enter words..." section.

9. Add an action by clicking Add Action > Set a message header.

10. Set the header to X-ETR and the value to something like: Bypass spam screening for stonegrovebank.com.

The finished mail flow rule to whitelist a domain in Office 365 should look like this:

To apply the changes, click Save.
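The same rule can be created from Exchange Online PowerShell. The script below is an added example, not part of the original article: it combines the domain, IP address and DMARC conditions from the steps above into one rule (all conditions must match). The IP address is a documentation-range placeholder, and the rule name is an arbitrary choice.

```powershell
# Added example (not from the original article).
# Requires the ExchangeOnlineManagement module and permission to manage mail flow rules.
Connect-ExchangeOnline

# Assumptions: the domain is the one used in the article's example;
# the IP address is a placeholder from the 203.0.113.0/24 documentation range.
$domain   = 'stonegrovebank.com'
$sourceIp = '203.0.113.25'   # replace with the application's real sending IP

$rule = @{
    Name                        = "Bypass spam filtering - $domain"
    # Conditions: every one of these must match before the action is applied.
    SenderDomainIs              = $domain
    SenderIpRanges              = $sourceIp
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=pass'
    # Actions: SCL -1 is what the "Bypass spam filtering" template sets;
    # the X-ETR header records why the message skipped filtering.
    SetSCL                      = -1
    SetHeaderName               = 'X-ETR'
    SetHeaderValue              = "Bypass spam screening for $domain"
}
New-TransportRule @rule

# Read the rule back to confirm that all three conditions were stored.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, SenderDomainIs, SenderIpRanges,
                HeaderContainsMessageHeader, HeaderContainsWords,
                SetSCL, SetHeaderName, SetHeaderValue
```

A message that claims to come from the domain but arrives from another IP address, or without dmarc=pass in Authentication-Results, does not match this rule and is filtered as usual.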

Whitelist Domains in Office 365 with Allowed Domains

Previously, we could whitelist a domain using the allowed sender list in the Exchange Online admin center. Now we have to use the Microsoft 365 Security Center (Microsoft 365 Defender). Keep in mind that this is the least secure method of adding a domain to your whitelist, because mail from senders in this domain will bypass both spam protection and sender authentication.

We'll need to change the inbound spam policy to allow a certain domain or sender.

1. Open Policies & Rules.

2. Choose Threat Policies.

3. Select Anti-Spam. (It may take a few seconds for the policies to load.)

4. Select the Anti-spam inbound policy (Default).

5. In the fly-out, scroll all the way down to Edit allowed and blocked senders and domains.

6. Select Allow domains.

7. Add the domains you want to whitelist to the list.

8. Save your work by clicking Done.

Emails sent from this domain should now go straight to the inbox, bypassing the spam filter. However, keep in mind that if you whitelist a domain this way, spoofed email will go unnoticed.
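Because entries in the allowed domains list skip sender authentication, it is worth checking which allow entries a tenant already has. The script below is an added example, not part of the original article. It lists the allowed domains and senders in every inbound anti-spam policy, and also reports mail flow rules that bypass spam filtering on the sender domain alone, with no IP range and no Authentication-Results check.

```powershell
# Added example (not from the original article).
# Requires the ExchangeOnlineManagement module; read-only, changes nothing.
Connect-ExchangeOnline

# 1. Inbound anti-spam policies that contain allowed domains or senders.
$allowEntries = Get-HostedContentFilterPolicy |
    Where-Object { $_.AllowedSenderDomains -or $_.AllowedSenders } |
    Select-Object Name, AllowedSenderDomains, AllowedSenders

# 2. Mail flow rules that set SCL -1 (bypass spam filtering) for a sender
#    domain without an IP range or an Authentication-Results header condition.
$domainOnlyRules = Get-TransportRule -ResultSize Unlimited |
    Where-Object {
        ($_.SetSCL -eq -1) -and
        $_.SenderDomainIs -and
        (-not $_.SenderIpRanges) -and
        ("$($_.HeaderContainsMessageHeader)" -ne 'Authentication-Results')
    } |
    Select-Object Name, State, SenderDomainIs

'Allowed domains and senders in anti-spam policies:'
$allowEntries | Format-List

'Mail flow rules that bypass spam filtering on the domain only:'
$domainOnlyRules | Format-Table -AutoSize
```

Each entry in either list is a candidate for replacement with a mail flow rule that also checks the sending IP address or the DMARC result.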

Whitelist IP Addresses in Office 365

The final option I'd like to share with you is whitelisting an IP address in Office 365. Personally, I prefer to use a mail flow rule for this, which lets us combine, for example, an IP address with a domain. However, we can also whitelist an IP address entirely.

To do this, we need to change the Connection Filter Policy in the Security Center (Microsoft 365 Defender).

1. Open the Security Center (Microsoft 365 Defender).

2. Select Policies and Rules > Threat Policies.

3. Select Anti-Spam.

4. Select Connection Filter Policy (Default).

5. In the fly-out menu, select Edit connection filter policy.
