Process - Adding Emails to Anti-Spam Exception Lists
Cyber Security may receive tickets asking to add senders to the Whitelist/Allowlist so that we successfully receive their emails, such as 3rd party emails. Before making any change, Cyber Security first needs to analyze the blocked/dropped/quarantined emails to see why they were blocked, so that the necessary changes are made.
Initial Analysis:
1. Go to Message Trace in the Exchange Admin Centre - https://admin.exchange.microsoft.com/#/messagetrace
2. Start a new trace and fill out the search criteria. Please note that for the Time Range, if the email was received 10 or more days ago, Microsoft generates a report and emails it to you when it is ready.
a. Helpful Search Criteria: Recipient, Sender, Status, Time Range
3. Click on the email found; it will show whether it was delivered, sent to junk or sent to quarantine, and the reasons why it failed.
Additional Analysis:
1. Search for the email in 365 Defender Threat Explorer and open the email - https://security.microsoft.com/threatexplorerv3?tid=36d575c3-7153-4aa2-be33-f562de6d63d9
a. Helpful Search Criteria: Recipients, Sender, Latest Delivery Location (Quarantine, Junk, Blocked, Failed)
2. Click on Analysis, and analyze the email properties
a. Helpful Areas to look at: All Overrides, Exchange Transport Rules, BCL, SCL, Policy, Policy Action.
3. If the email is quarantined, you can also click on the 3 dots at the top right, and then go to the quarantine email.
a. Then you can click on the quarantine email, and it will give you additional information on why it is in quarantine.
Process to add to Whitelist/Allowlist
1. Go to 365 Defender -> Email & Collaboration -> Policies & Rules -> Threat Policies - https://security.microsoft.com/threatpolicy?tid=36d575c3-7153-4aa2-be33-f562de6d63d9
2. Go to Anti-spam
3. Select “main MC policy”
4. Select “Edit allowed and blocked senders and domains”
5. Under Allowed, select either “Manage Senders” or “Allow Domains” depending on the scenario
6. Add the sender email address / email domain to the “Whitelist/Allowlist”
7. Save your changes.
8. Repeat steps 4-7 for anti-spam policy “Anti-spam inbound policy (Default)”
If this does not work and emails are still being blocked because of their Spam Confidence Level (SCL), follow these steps (IMPORTANT: This is only to be used as a last resort and for BUSINESS CRITICAL emails, as this process will overwrite the SCL to (-1), which overrides all SPAM protection):
1. Go to Exchange Admin Center -> Mail Flow -> Rules
2. Select “Safe Senders - Individual Email - Complete SCL Bypass (-1)”
3. Edit Rule Conditions and click on the pencil.
4. Add Email Address and Save
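Steps 1-8 of "Process to add to Whitelist/Allowlist", scripted with Exchange Online PowerShell as an added example (not part of the original process). The function name, the list of shared domains and the sample address are constructed; resolving the second policy through IsDefault assumes that "Anti-spam inbound policy (Default)" is the tenant's default anti-spam policy.

```powershell
# Added example, not part of the original runbook.
# Requires the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.
function Add-AntiSpamAllowEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Entry   # sender address or bare domain from the ticket
    )
    # Constructed list of shared mail domains that should never be allowed wholesale.
    $tooBroad = 'gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com'
    $Entry = $Entry.Trim().ToLowerInvariant()

    if ($Entry -match '^[^@\s*]+@([a-z0-9-]+\.)+[a-z]{2,}$') {
        $param = 'AllowedSenders'            # "Manage Senders" in the portal
    } elseif ($Entry -match '^([a-z0-9-]+\.)+[a-z]{2,}$') {
        if ($tooBroad -contains $Entry) {
            throw "Refusing to allow shared domain '$Entry'; allow the individual sender instead."
        }
        $param = 'AllowedSenderDomains'      # "Allow Domains" in the portal
    } else {
        throw "'$Entry' is neither a single email address nor a domain."
    }

    # First policy name comes from step 3. The second is resolved via IsDefault
    # (assumption: that is the policy the portal shows as "Anti-spam inbound policy (Default)").
    $policies = @('main MC policy')
    $policies += (Get-HostedContentFilterPolicy | Where-Object IsDefault).Name

    foreach ($p in $policies) {
        if ($PSCmdlet.ShouldProcess($p, "Add $Entry to $param")) {
            # @{Add=...} appends to the list without overwriting existing entries.
            $change = @{ Identity = $p; $param = @{ Add = $Entry } }
            Set-HostedContentFilterPolicy @change
        }
        # Read the lists back so the ticket can record the resulting state.
        Get-HostedContentFilterPolicy -Identity $p |
            Format-List Name, AllowedSenders, AllowedSenderDomains
    }
}

# Dry run with a constructed address; drop -WhatIf to apply.
# Add-AntiSpamAllowEntry -Entry 'billing@vendor.example' -WhatIf
```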