As part of our expanding list of self-help diagnostics for issues in Exchange Online and Outlook, we’re happy to announce a new tool that can help address or explain issues related to Microsoft 365 safe/blocked sender lists. It is designed to help administrators resolve these problems independently, without needing to contact support.
Allowing or blocking senders in Microsoft 365
Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) provide methods for users to ensure that they receive emails from trusted senders, and block emails from unwanted senders. Collectively, these options are known as safe sender lists and blocked sender lists. Users (recipients) manage their safe/blocked Senders lists at the mailbox level, affecting only their specific mailbox. A mailbox safelist collection includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list.
How safelist collections work:
Safelist collection entries are hashed (SHA-256) before they are stored as array sets across user object attributes in the mailbox. When a message is received, Exchange hashes the sender's email address and compares it to the hashes that are stored on behalf of the destination mailbox. If the sender matches the safe senders hash, the message bypasses content filtering (allowed). If the sender matches the blocked senders hash, the message is blocked.
- Users configure the safelist collection in Outlook or Outlook on the web for their own mailboxes.
- Admins run the Get-/Set-MailboxJunkEmailConfiguration PowerShell cmdlets to view and configure the safelist collection on any user’s mailbox.
New: Mailbox Safe/Blocked Sender List Diagnostic
Requirements: recipient email address, sender email address or sender domain
The Mailbox Safe/Block List diagnostic provides comprehensive details on whether a sender's SMTP address is listed in the trusted or blocked senders list, powered by the Get-MailboxJunkEmailConfiguration PowerShell cmdlet. For Exchange Online, it also verifies the accuracy and presence of these values in Microsoft Entra ID (formerly, Azure Active Directory or AAD). If any discrepancies are detected, a synchronization (sync) of the values will be initiated.
The diagnostic can be used to:
- Confirm if a sender is allowed or blocked by a recipient
- Confirm if an allow or a block is due to the lists being out of sync with Microsoft Entra ID
  - The diagnostic will attempt to sync the safe/block list to the safe/block sender hash value in Microsoft Entra ID.
- Provide insights on configuration issues preventing a sync, such as when the safe/block lists or the Microsoft Entra ID hash are too large.
Important: Both individual addresses and domains are accepted parameters. If you enter the sender domain, the diagnostic will perform all the checks listed above, but only the block list domains will sync to Microsoft Entra ID. Syncing allowed domains may lead to the delivery of potentially harmful or unwanted messages.
Running the Diagnostic
As a Global, Exchange, or Help Desk Administrator, run the Mailbox Safe/Block List diagnostic in any admin portal (Microsoft 365 Admin Center, Microsoft Defender XDR, Exchange Admin Center, Purview compliance, etc.).
Use the quick link https://aka.ms/safeblockdiag to:
- Open the Microsoft 365 Admin Center.
- Prepopulate the Get Help field with the diagnostic query.
Provide a recipient email address and sender email address or domain to check if a sender's SMTP address is on the trusted or blocked senders list or if there are any discrepancies in Microsoft Entra ID.
Examples and Scenarios
Example 1: Check the list for sync issues
Your organization’s recipient@fabrikam.com listed the sender joe@contoso.com as an allowed sender. However, emails from this sender are getting blocked as spam. We will need these two pieces of input:
Sender email address: Joe@contoso.com
Recipient mailbox address: Recipient@fabrikam.com
Output:
The results indicate that although the sender was included in the recipient's Allowed Sender lists, there was a synchronization issue between the mailbox block/allow lists and Microsoft Entra ID. Once the lists were re-synced successfully, the issue was resolved. Subsequent testing shows that when joe@contoso.com sends an email to recipient@fabrikam.com, the messages are no longer marked as spam.
Example 2: Check the mailbox safe/block list for limit issues
Your organization has a mailbox at recipient@fabrikam.com. The administrator has recently used PowerShell to add the sender address alex@contoso.com to the safelist using the Set-MailboxJunkEmailConfiguration cmdlet. We will use this sender and recipient pair as input for this process and review the output:
There are two key results: the mailbox block/allow list is synced with Microsoft Entra ID, and the Mailbox allow sender list is nearing its maximum limit of 1024 entries. Currently, it has 1002 entries, so reducing the number is advisable to prevent issues.
Example 3: Check the list for hash sync issues to Microsoft Entra ID
In another example, your organization’s recipient@fabrikam.com had blocked sam@contoso.com, but emails from the sender are still reaching the recipient's inbox. You enter the sender/recipient as input and find that the issue is that the Blocked Sender hash value isn't synced to Microsoft Entra ID due to exceeding the 1000-entry limit (currently at 1004). To ensure synchronization, remove redundant entries and limit the list to under 1000 entries, and re-run the diagnostic.
Example 4: Check the list for domain sync issues
Your organization’s recipient@fabrikam.com listed the sender domain contoso.com in their Allowed Domains list. However, emails from this sender domain keep getting quarantined as high confidence spam. You enter the recipient address and the sender domain as diagnostic inputs, and review the results:
As noted earlier, when it comes to domains, the diagnostic syncs only those in the block list to Microsoft Entra ID. The recipient can instead allow the sender email address to let the sender’s email through.
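The conditions from Examples 2 to 4 can also be cross-checked on the mailbox side before running the diagnostic. The following is an added example, not part of the original post or the diagnostic's own code: the function name Test-SenderListEntry, the 25-entry warning margin and the sample object are assumptions, and the limits are the figures quoted above. It reads only the lists returned by Get-MailboxJunkEmailConfiguration and cannot see or trigger the Microsoft Entra ID sync.

```powershell
# Added example. Limits are the figures quoted in Examples 2 and 3 of this post.
$MailboxAllowLimit = 1024   # mailbox allowed sender list maximum (Example 2)
$EntraSyncLimit    = 1000   # entry limit for the hash sync (Example 3)
$WarnMargin        = 25     # assumption: warn when this close to the maximum

function Test-SenderListEntry {                  # hypothetical helper name
    param(
        [Parameter(Mandatory)] $JunkConfig,      # Get-MailboxJunkEmailConfiguration output
        [Parameter(Mandatory)] [string] $Sender  # joe@contoso.com or contoso.com
    )
    $s        = $Sender.Trim().ToLowerInvariant()
    $isDomain = $s -notmatch '@'
    $domain   = ($s -split '@')[-1]
    # Normalize both lists; @() and Where-Object tolerate empty or null lists.
    $allow = @(@($JunkConfig.TrustedSendersAndDomains) | Where-Object { $_ } |
               ForEach-Object { "$_".ToLowerInvariant() })
    $block = @(@($JunkConfig.BlockedSendersAndDomains) | Where-Object { $_ } |
               ForEach-Object { "$_".ToLowerInvariant() })
    $match = {   # classify how the sender appears in one list
        param($list)
        if (-not $isDomain -and $list -contains $s) { 'address' }
        elseif ($list -contains $domain)            { 'domain' }
        else                                        { 'none' }
    }
    $allowedBy = & $match $allow
    $blockedBy = & $match $block
    $notes = @()
    if ($allowedBy -eq 'domain') {
        $notes += 'Allowed by domain only; allowed domains are not synced. Allow the sender address.'
    }
    if ($allow.Count -ge $MailboxAllowLimit - $WarnMargin) {
        $notes += "Allowed list has $($allow.Count) of $MailboxAllowLimit entries."
    }
    if ($block.Count -gt $EntraSyncLimit) {   # assumption: list count stands in for hash entries
        $notes += "Blocked list has $($block.Count) entries, over the ${EntraSyncLimit}-entry limit."
    }
    [pscustomobject]@{
        Sender = $s; AllowedBy = $allowedBy; BlockedBy = $blockedBy
        AllowCount = $allow.Count; BlockCount = $block.Count; Notes = $notes
    }
}

# Constructed sample shaped like Example 3: 1004 blocked entries.
$sample = [pscustomobject]@{
    TrustedSendersAndDomains = @('alex@contoso.com', 'example.org')
    BlockedSendersAndDomains = @('sam@contoso.com') +
        (1..1003 | ForEach-Object { "blocked$($_)@example.net" })
}
# Live use: -JunkConfig (Get-MailboxJunkEmailConfiguration -Identity recipient@fabrikam.com)
Test-SenderListEntry -JunkConfig $sample -Sender 'sam@contoso.com'
```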
We hope this diagnostic helps you evaluate and diagnose issues with Mailbox Safe sender and Block sender lists more effectively. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.
Important resources:
Configure junk email settings on Exchange Online mailboxes
Get-MailboxJunkEmailConfiguration
Add recipients of my email messages to the Safe Senders List
Block or unblock senders in Outlook
Outlook error indicates that you are over the Junk E-mail list limit
Order and precedence of email protection
Self-help diagnostics for issues in Exchange Online and Outlook
Blog Post Authors:
Alex Hudish is a Senior Supportability Program Manager in the Customer Service & Support (CSS) Supportability Team focused on Security and Microsoft Defender for Office 365.
Mithun_Rathinam is a Senior Technical Support Escalation Engineer in Customer Service & Support (CSS) Beta Team focused on Security and Microsoft Defender for Office 365.
Marc Nivens is a Senior Technical Support Embedded Escalation Engineer on the Microsoft Defender for Office 365 Team.
Updated Feb 05, 2025