Forum Discussion

Dmitry_Horushin_Data's avatar
Dmitry_Horushin_Data
Copper Contributor
Sep 12, 2025

Our mail domain isn't safe by default for Exchange Online users

Hello all,
Our PR Team requested to force automatic download of pictures for internal letters that are sent by the team. We decide to use GP setting "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" from Office an administrative template.
It works fine for users with on-prem mailboxes because our mail domain is in the Safe Senders by default, but it doesn't work for users with mailboxes in Exchange Online.

For EO mailboxes, pictures of internal letters are not downloaded automatically in classic Outlook. They have to add "@<our mail domain" to Safe Senders list to download pictures automatically. Any attempts to add the same domain by using Set-MailboxJunkEmailConfiguration fail because "the domain is the default mail domain"! (And should be treated as safe).

Headers show that letters are not "Anonymous" but internal.

It looks like a bug, or we missed something in our Hybrid configuration.

 

Any ideas?

 

King regards,

Dmitry Horushin

hybrid
outlook

3 Replies

  • Obel's avatar
    Obel
    Copper Contributor
    Oct 09, 2025

    You'll need to configure a policy through Microsoft 365 Apps Admin Center. My org just had this same conversation regarding New Outlook, which at this time does not have a policy associated with it all outside of "end users have to add the email address to their Safe Senders list" and this is done either by them or programmatically through PowerShell.

    However, EXO mailboxes using Classic Outlook can have this policy configured to automatically download pictures using the Apps Admin Center. You'll need the Office Apps Admin role though if you aren't a GA by default.

  • Russean's avatar
    Russean
    Iron Contributor
    Sep 12, 2025

    Yeah, this is a known gap between on-prem and Exchange Online. In EXO, your own domain isn't automatically treated as "safe Sender" the same way it is on prem, which is why the GP setting doesn't behave consistently.  

    Test : 

    1. Add your PR team's distribution address or specific sender addresses to the safe  senders list via policy, instead of the whole domain. 

Resources