Office 365, Safe Senders List and You

Mark Berry September 13, 2011

Since moving to Office 365, I’ve been having trouble getting Outlook to treat mail from my own address as safe. Mail sent from my own address (e.g. from server monitoring scripts) keeps landing in my Junk E-Mail folder.

The obvious solution would seem to be adding the sending email address to the Safe Senders list in Outlook. But whenever I did that, after a short while, it would disappear again. Then when I tried it from OWA, I got this message:  “’User01@mydmain.com’ is your e-mail address or domain and can’t be added to your Safe Senders and Recipients list.”

Safe Senders 1

Unfortunately there is no Why Not? button, and when I followed Click here for help, no help was available for Error ID: Ex60EC60.

Forefront and SPF Changes

I thought maybe if Forefront cleared the mail, it would be accepted by Outlook. With the help of Forefront support, I set up my third-party SMTP server’s IP address as a permitted Inbound Connector, setting Spam Filtering: Disabled.

At the suggestion of Forefront support, I also added the SMTP server’s IP address to the SPF record at my domain host.

In the email headers, I see X-Safelisted-IP: <SMTP server IP> and Received-SPF: pass, confirming that these changes are working. In fact, if Outlook is not running on my desktop, the mail is not treated as junk (as viewed in OWA). But as soon as I start Outlook, the mail is moved to Junk E-Mail.

Exchange 2010 Blocks Safe Senders

The Exchange Team published this article that explains the problem:  Exchange 2010 doesn’t allow adding your own domain to the Safe Senders list. The article says you can add your own email address, but in Office 365, even that is not allowed. The article also says to use Add-IPAllowListEntry to configure safe IPs, but that command is not supported by Office 365.

Force Spam Confidence Level

The article does hint at a workaround:  if the Spam Confidence Level (SCL) of the email is –1, Outlook will not treat it is spam.

Currently the SCL on the email that Outlook is treating as junk is 0:

Safe Senders 2

MS Partner Support provided the command that I needed to force the SCL to –1:  New-TransportRule. First, start PowerShell and connect to Office 365. Then run commands like this (copy to Notepad to edit and eliminate line breaks):

# List transport rules
Get-TransportRule
# Add transport rule
New-TransportRule -Name "Allow User01@mydomain.com" -Comments "Force SCL -1 on mail from User01@mydomain.com so Outlook will not move to Junk E-Mail" -FromAddressContainsWords "User01@mydomain.com" -SetSCL -1
# List transport rules
Get-TransportRule
# List new transport rule details
Get-TransportRule "Allow User01@mydomain.com" | Format-List

After running the New-TransportRule command, the SCL was in fact set to –1, and the mail no longer landed in the Junk E-Mail folder.

Safe Senders 3

Note According to MS Partner Support, I could actually create a rule for my entire domain:

New-TransportRule -Name "Allow mydomain.com" -FromAddressContainsWords "mydomain.com" -SetSCL -1

Since adding the entire domain could potentially allow spammers to use spoofed headers, I decided to just go with the single address.

Update December 13, 2011

I’ve discovered that you can view the spam confidence rules from within the Outlook web app:

  1. From the Office 365 Admin Overview page, under Exchange Online, click on Manage.
  2. On the Exchange Server 2010 options, page, make sure it says Options: Manage My Organization at the top.
  3. In the left column, click on Mail Control.
  4. Make sure the Rules tab is shown.
  5. Highlight each rule to see the conditions and action in the right column.

Safe Senders 4

You can delete rules here, and probably even add conditions to a rule. Unfortunately, you cannot create a new rule for setting the Spam Confidence Level—that’s not one of the options in the drop-down list when creating a rule.



15 Comments

  1. Rachel M   |  January 19, 2012 at 9:11 am

    You can actually create an rule to set the SCL from the ECP, but it only gives you a range of 0-10. No -1. Thanks for the article!

  2. Carms   |  February 08, 2012 at 1:49 pm

    I’ve tried the powershell commands but it just” hangs” and not complete the setting. Are there any commands that I’m missing?

    Thanks!

    C

  3. Mark Berry   |  February 08, 2012 at 1:58 pm

    Carms – hard to say. You do have to start an Office 365 PowerShell session first–see the “connect to Office 365″ link in the article. I’m not sure if a PowerShell connection is possible with all levels of Office 365. I have an Enterprise subscription.

  4. Carms   |  February 08, 2012 at 4:12 pm

    Never mind, I corrected the error. It worked. Thanks a lot!

    Carms

  5. Carms   |  February 08, 2012 at 4:14 pm

    There are several users with the same issue so I created a rule for the entire domain.

    C

  6. Carms   |  February 09, 2012 at 1:08 pm

    Hi Mark,

    You know, the SCL -1 didn’t work for the issue we are having. When a user get replies or forwards from an internal domain usre the messages go to the Junk folder.

    Any ideas or know of another workaround

    Thanks!
    Carms

  7. Mark Berry   |  February 09, 2012 at 2:30 pm

    Carms,

    - Check the headers of a mail in the Junk E-mail folder to make sure you are getting SCL -1 and no other headers identifying the mail as spam. Maybe you will also need to make Forefront changes.
    - Try the SCL -1 setting for an individual user as described in the article. I haven’t tried it at the domain level.

    It that doesn’t help, maybe Office 365 support can diagnose the problem.

  8. Carms   |  February 14, 2012 at 9:09 pm

    I did both per user and per domain SCL -1 and this particlar user still getting all internal emails to her Junk folder. I’m working with Microsoft support. I tried all Outlook swicthes to clean rules, recreating the Outlook profile and checking Inbox rules using PowerShell. They also asked me to use a mcfimapi tool to delete a folder and that didn’t work.

    These are the switches I tried:

    /cleanclientrules
    /cleanconvongoingactions
    /cleanroamedprefs
    /cleanrules
    /cleanserverrules

    I also use the mcf1mapi.exe tool, but the file they asked me to delete wasn’t there.
    1. http://support.microsoft.com/kb/924297
    2. Download mfcmapi.exe.
    3. Turn off cache mode in outlook: File->Acct Settings->mailbox->change->uncheck cache mode-> Close Outlook.
    4. When tool is open go to session->logon.
    5. Pick profile.
    6. Mailbox list right click on mailbox->open store.
    7. Expand Root Container.
    8. Expand Top Of Information Store.
    9. Right click Inbox.
    10. Open Contents Table.
    11. Under Message Class look for IPM.Rule.Message.
    12. Click delete.
    13. Drop list select Permanent delete passing DELETE_HARD_DELETE (unrecoverable).
    14. Open outlook follow step 3 and check cache mode.

    I was thinking to uninstall Outlook and reinstall it. Do you know where I can download Outlook 2007? This user doesn’t have a copy of the software but have the product key. Microsoft only has Outlok 2010 for download.

    Thanks for all your help!

    Carms

  9. Mark Berry   |  February 14, 2012 at 10:10 pm

    Carms, you don’t mention whether SCL -1 is actually getting set in the email headers.

    Sorry I have hard media for Office 2007 so I don’t know about downloads. MS should be able to sell you media.

    You could try Outlook safe mode. Surprised they didn’t suggest that.

    BTW I’m using Outlook 2010. Don’t know if Outlook 2007 manages SCL differently.

    If you’re talking to the Outlook team and they can’t solve it, ask to have the case transferred to the Exchange team.

  10. Carms   |  February 15, 2012 at 4:55 am

    Thanks MArk,

    I’m talking to the Exchange team actually. Yes the SCL -1 is in the message header.

    I’ll recomend they get Outlok 2010.

    Thanks again for your help!!!

    Carms

  11. Mark Berry   |  February 23, 2012 at 10:55 pm

    Carms – any resolution on this? A thought just occurred to me. If Outlook 2007 isn’t treating SCL -1 properly, and Outlook 2010 is, then maybe there was a bug fix along the way, and maybe the latest Office 2007 service pack includes it. If they haven’t upgraded to 2010 yet, make sure they have the latest 2007. The service packs are usually optional updates so they wouldn’t be installed even if Automatic Updates are enabled.

  12. Richard Neal   |  June 16, 2012 at 1:38 am

    This is a great article – thank you. However, there’s a slight typo in the PowerShell command. You need to add a closing ["] at the end of the email address after [-FromAddressContainsWords].

  13. Mark Berry   |  June 16, 2012 at 9:15 am

    Richard, thanks for catching that. I noticed that the last command (“create a rule for my entire domain”) was also missing a closing quotation mark after the domain name. I’ve updated both.

  14. Doug   |  May 08, 2013 at 8:54 am

    I have been having this issue and have tried getting it corrected with your article. When i enter the Get-TransportRule it tells me it is not valid. Any ideas

  15. Mark Berry   |  May 08, 2013 at 9:11 am

    Doug, maybe in PowerShell you didn’t connect to Office 365 first? See the link in the article.

Leave a Reply





Notify me of followup comments via e-mail. You can also subscribe without commenting.