Our mail domain isn't safe by default for Exchange Online users
Hello all, Our PR Team requested to force automatic download of pictures for internal letters that are sent by the team. We decide to use GP setting "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" from Office an administrative template. It works fine for users with on-prem mailboxes because our mail domain is in the Safe Senders by default, but it doesn't work for users with mailboxes in Exchange Online. For EO mailboxes, pictures of internal letters are not downloaded automatically in classic Outlook. They have to add "@<our mail domain" to Safe Senders list to download pictures automatically. Any attempts to add the same domain by using Set-MailboxJunkEmailConfiguration fail because "the domain is the default mail domain"! (And should be treated as safe). Headers show that letters are not "Anonymous" but internal. It looks like a bug, or we missed something in our Hybrid configuration. Any ideas? King regards, Dmitry Horushin
How do you identify the "You've joined the xxx group" emails?
When you join a microsoft 365 group via Outlook you get an email (apparently from yourself) to say you have joined it. How do you actually identify these emails on Exchange? I've looked at the headers but nothing really stands out. I need to exclude these types emails from rules.
Exchange 2016 to SE and Exchange Online questions
Hi, We're currently in the process of migrating from Exchange 2016 to Exchange Subscription Edition (SE), along with moving a portion of our mailboxes to Exchange Online. We have approximately 3,000 mailboxes, and around 2,000 of those will eventually end up in Exchange Online—for various reasons (don’t ask why…). I have a few questions I'd like to clarify and hope you can assist: Exchange On-Premises Questions: If a user mailbox is moved to Exchange SE, can they still access shared or user mailboxes that remain on Exchange 2016? Do we need to migrate them in the same batch to preserve access/permissions? (should't be an issue in the same Exchange Org right?) If a shared mailbox is migrated to Exchange SE while the user mailbox remains on Exchange 2016, will access still work? Do we need to point the Hardware Load Balancer (HLB) to the new Exchange SE servers before mailbox moves to allow proper client connectivity and proxying back to Exchange 2016? Or is it okay to keep the HLB pointed to the Exchange 2016 servers until all migrations are complete and then switch it over? Proxy upwards from Exchange 2016 to Exchange SE? What’s the best practice here? Pros/cons? Exchange Online Questions: If we want all outbound mail to go through the on-prem Exchange environment—even for Exchange Online mailboxes—is this configured via the Hybrid Configuration Wizard (HCW)? Is the Litigation Hold status preserved when migrating a mailbox to Exchange Online? Can a mailbox hosted in Exchange Online access a shared mailbox still residing on-prem? (Should't be an issue right?) Can an on-prem mailbox access a shared mailbox that has been migrated to Exchange Online? For mailboxes with Full Access or Send As permissions (e.g. user mailboxes tied to shared mailboxes), do they need to be migrated together in the same batch to retain functionality? We’ll be using native Microsoft migration tools (no 3rd-party solutions). If I recall correctly, separate migrations will still allow Full Access?!?, but Send As may not work properly unless migrated together. Is that still accurate?
External tag applied to internal users hidden from GAL
We have noticed our users who are hidden from the GAL have the external tag applied to their Profile Card as well as mail sent to other internal users. I suspect this may be related to the recent roadmap item, https://www.microsoft.com/en-us/microsoft-365/roadmap?id=498231. Was this an expected behavior for internal users?Exchange Outlook Cache mode
Hi ladies and gents, We have a requirement to set Outlook cache mode set to download 3 months of emails. The environment consists of Exchange Online, Intune and M365 and the devices are cloud native Win 11. Could you please advise the best way to achieve this. GPO is not an option, and Intune does not have a policy for this.External tag in Cards
After the rollout of the https://www.microsoft.com/en-us/microsoft-365/roadmap?id=498231 our users who are hidden from the GAL have the External tag applied when sending internally, as well as the external tag on their profile cards. Was this an expected behavior with this change?Change Coming for How Outlook Extracts Events from Email
The Outlook events from email feature changes from January 31, 2026. Events will only be created if notifications support the properties for events defined by schema.org. Seeking consistency is a good idea, especially if it means that Outlook can process notifications sent by airlines, car hire companies, and other event providers in a way that doesn’t happen today. However, some disruption is likely. https://office365itpros.com/2025/09/30/events-from-email-schema/How to extract domain of the original link from a SafeLink
I'm trying to extract the original domain from the links that are warped by Microsoft SafeLinks I use the Nager.publicsuffix library in C# to parse domains, but with SafeLink's it only returns the SafeLink domain instead of the real one Example: https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstspg.io%2Fn504fyn3g38x... https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fentra.microsoft.com%2Fdemodomain.cf%23blade... I've tried writing custom logic for SafeLink pattern, but Microsoft seems to use different formats, so it's not reliable Question: What's the best way in C# to reliably detect and unwrap these SafeLink's (or other tracking URLs) so I can extract the original domain before passing it to Nager.PublicSuffixHow to consistently differentiate Microsoft service notification emails from normal user emails?
I receive a large number of notification mails from Microsoft services (SharePoint, Teams, etc.) and they clutter my mailbox. I’ve tried: Inbox rules filtering by sender (e.g., email address removed for privacy reasons) → doesn’t work since Microsoft uses many changing domains. Filtering by Microsoft IP ranges → some internal org mails also get caught. Filtering by domains from Microsoft endpoint list → works, but the list updates monthly, so not reliable. Question: Is there a consistent way (e.g., via Internet message headers or any other property) to reliably identify Microsoft-generated notification emails vs normal user emails?
