Working with Spam Whitelists in the Updated Office 365 Console

Working with Spam Whitelists in the Updated Office 365 Console

Working in email environments, more often than not, I find myself looking at spam filter configurations and asking myself, “why is this random domain in the whitelist?” It could be a “kitten of the day” email list or a random wine giveaways website, or newsletter for scrabble enthusiasts, or worse. You get the idea. It generally has nothing to do with the business, so I’ll typically ask around to see if anyone knows anything about it. Invariably, the response is something along the lines of “oh yeah – the kitten of the day newsletter is absolutely critical for so-and-so to do their job, so make sure it stays in the list.”

As long as it helps the business, who am I to judge? I just make sure the email gets delivered, and getting that done in Office 365 has changed slightly as of late.

Over the past several months, Microsoft has been upgrading its Office 365 service. While there are many technical details behind-the-scenes, the upgrades are essentially shifting the services from an Exchange 2010-based platform to an Exchange 2013-based platform.

Included in this upgrade is the transition of the new Outlook Web App interface, which follows Microsoft’s new “modern” design aesthetic, now common across Microsoft products.  The updated Office 365 Admin Center also uses this new interface, thus common tasks from the earlier version of Office 365 may now be found in new locations.

I encountered one of these instances recently when I went to “whitelist” an email domain. In short, I had a userbase expecting email from a certain sender, but all of the messages were ending up in the Spam quarantine instead of being delivered properly. I needed to whitelist this sending domain so the messages would get delivered to my users.

In the previous version of Office 365, I would have resolved this by using the whitelist features in the Forefront Online Protection for Exchange (FOPE) console, which is a separate console from the regular Office 365 console. But in this new/upgraded version of Office 365, this functionality is now consolidated into the single Office 365 Admin Center interface. I appreciate the consolidation, but it took me a few minutes to figure it out so I thought I’d share how it’s done.

  • Open a web browser to
  • Log in to your Office 365 with an account that has the necessary administrative credentials.
  • After logging in, click the Admin dropdown in the upper right corner and select Exchange.  (See  Fig. 1 below).

Fig 1. – Admin Dropdown

  • Select mail flow from the left hand column as shown in Fig. 2.
Fig 2. – Mail Flow Admin
  • In the resulting screen, shown in Fig. 3, ensure that rules is highlighted from the options across the top of the admin center. Click the “+” and select “Bypass spam filtering” from the resulting dropdown.

Fig 3. – Bypass Spam Filtering

  • A new rule window (shown in Fig. 4) will pop-up. Specify a name for your rule. As shown below, I am using the generic name “Spam Whitelist” since I envision using this list to allow delivery from multiple different domains eventually.
  • In the Apply this rule if… dropdown, select “The sender…” which will cascade further selection options. From that resulting menu, select domain is. (The example that I’m outlining here is to whitelist an entire domain, but take note of the other options available in this menu if you’d prefer to do a different or more granular type of whitelisting).

Fig 4. – New Rule

  • The specify domain box will present itself as shown in Fig. 5. In that window, type the domain you wish to whitelist and then click the “+” sign. (You can add multiple domains to this list if you wish.)

Fig 5. – Specify Domain

  • Fig. 6 shows what’ the specify domain box should look like if you’ve added the domain(s) correctly.

Fig 6. – Specify Domain – Finished

  • At this point, you are done. You can simply click save and the whitelisting rule will go into effect.
  • If you wish, you can review how the rule is modifying the message properties to bypass the spam filter, however since “bypass spam filtering” was already specified earlier (Fig. 3), the specific configurations required to bypass filtering are already complete.
  • For the curious, Figs. 7 and 8 below show the details of this spam bypass policy.


Fig 7. – Set SPL


Fig 8. – Bypass Spam Filtering

  • Fig. 9 shows the completed rule in its final/enabled state in the Exchange admin center. Simply return to this part of the console to adjust this ruleset, disable/enable it, or build other similar rules if you need some sort of customized email routing. 

Fig 9. – Completed Rule

While the process to implement a spam whitelist inside of Office 365 has somewhat changed in the last year, the learning curve should be relatively minimal since the underlying technology is still familiar. This consolidated administration console is a nice step in the right direction in terms of centralizing all of the administration for its cloud platforms, and I’ll continue posting guides like this one as I uncover common admin tasks that have been slightly adjusted.


  • Raj July 14, 2014 12:48 pm

    In my environment MS Forefront Protection have 50 different domains white listed (allowed sender). In EOP we have to add the domain one by one. Do we have any option to add the all domain at once like separating through coma (,) or any other method?

  • Bob Rice July 14, 2014 8:53 pm

    Unfortunately, the Office 365 Admin Center doesn’t provide the ability to import a list of domains via the GUI. With that said, this type of bulk-import can be done with Windows PowerShell for Exchange Online. See the following Microsoft Office 365 Community post for instructions on how to connect to Powershell and perform a bulk import:

Phone: 312-602-4000
222 W. Adams
Chicago, IL 60606
Show Buttons
Share On Facebook
Share On Twitter
Share on LinkedIn
Hide Buttons