How to allow an email domain without using message rule (permanently)

Brass Contributor

I read every documentation with microsoft, i feel a little bit lost :

 

https://learn.microsoft.com/fr-ca/microsoft-365/security/office-365-security/create-safe-sender-list...

 

And i find that is a little bit contradictive. It say is not recommend to use message rule for obvious reason, but provide no other way to doing it properly, only the submission that is not efficient at all because you have no choice to define a expiration date. But, Microsoft recommend to use that option to not bypass any protection....

 

If you create a message rule, it's good only because you can specify the domain and IP adresses range with a specific customer/solution that is not public, as recommend by microsoft. But, you are obligated to choose the bypass spam filtering option....

 

The tenant allow/block should be the best place to doing it, but Microsoft are blocking the allow option and redirect you to the link above saying is not recommend to use the Tenant allow/block list and the message rule but not offering an alternative...

 

Please, some one have a miracle option for us ?

 

Regards

3 Replies

Hey @EtienneFiset  - you may find my reply to this post helpful for context initially 🙂

 Re: Microsoft Defender for Email & Collaboration - "Whitelist" - Microsoft Community Hub

Allow listing something permanently is bad practice, as you're opening yourself up to attacks from people spoofing that domain, or using it for lateral movement (to you) should it get compromised. - it's something which was widely done years ago but has caused heartache for many people as attackers learned that there was an effortless way to get round filtering, just find the domains likely to be set to bypass that filtering!

If emails are not currently being blocked, great, no action needed. If they are currently being blocked, my response to the previous linked post should help, we need to fix the actual cause of the issue, which is the right way to go about this.

As you're aware - submission is the way to get an allow, but it will only work in instances where our verdicts were wrong, in cases like poor authentication, then thats something which should be fixed rather than ignored.

Hope that helps?

 

Thanks

 

Ben.

Thanks Ben, but that is not really accurate with what i wrote.... you say in another words the same thing as me but you forgot to take in consideration the rest of the text. What is the solution to allow a domain email without using message rule or submission ?

 

Regards

@EtienneFiset The correct solution is to not do it at all, as this poses a security risk to your organisation and as mentioned in the post I linked with another reply, fixing the root cause is the best way to move forward. - so, we don't have a recommendation apart from to fix the underlying reason for requiring the allow if that makes sense.

 

If you really wish to achieve this (it will not work for high confidence phish) and are happy to accept the risks of allowing a domain / sender, you should use the steps in the documentation you linked to create a transport rule, being sure to have more than one condition defined (step 2 in the "Use Mail flow Rules" section of the documentation.

Hope that helps

 

Ben.