Adding an internal Accepted Domain to Safe Senders list for Outlook, messages originate from outside O365

Question

My organization email marketing platform called Vuture (similar to Mailchimp or Salesforce )

We sometimes use this platform to send emails to internal staff. When we send emails to internal staff, the emails come from addresses that match an internal Accepted Domain (e.g. our O365 domain is myOrg.com, and the Vuture emails are spoofed so they come from ******@myOrg.com, even though they originate from Vuture). We have a rule to bypass spam filtering from the email marketing platform and ensure they the messages are not blocked. We also have SPF records etc configured.

The problem is that when emails from are sent to internal staff, the emails are received fine but images do not load by default within Outlook destop or web. Instead users get the 'to help protect privacy, Outlook prevented automatic download of some pictures in the message.' I am trying to resolve this problem.

1) If i use Group Policy to populate Safe Senders for the Outlook desktop app. the Accepted domains do not appear in the Outlook junk email UI as Safe Senders. Other domains work fine, but if i add the internal Accpeted Domains they do not appear.
2) If i use the set-mailboxJunkEmailConfiguration powershell command to add the Accepted Domain, it works for a few minutes, and then stops. If i then run get-mailboxJunkEmailConfiguration I can see that the internal Accepted Domain has disappeared.

I have logged this with MS support and they have told me this is expected behaviour and cannot be changed. They have told me that it is not possible to make an email that matches the address of an Accepted Doamin have images that load without user interaction. This does not seem correct to me, hence this post.

Answer 1

Below is the resolution, however this will not work for internal domains. Since, you are using a third party server and internal custom domain you cannot bypass outlook blocking image.

If it was internal email i.e o365 internal server then image wont get block.

Also there is no way in Outlook to bypass email through IP address else you could have added your external third service /server IP address.

Resolution:

https://learn.microsoft.com/en-us/answers/questions/1193965/unblock-automatic-picture-downloads-in-email-messa

Get-Mailbox -ResultSize Unlimited | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add="******@Contoso.com"}

So the solution is not to use internal email address so that you can add the account in Safe list of Outlook client app.

Else wait until MS bring a feature in outlook to bypass image download by putting external Server ips or internal domains.

Answer 2

Yea, thats actually the issue I am afraid from what I have seen and since you are using Exchange Online, you don't have the option to treat those external emails as externally authenticated like you would if this were Exchange on-prem.

I was under the impression a GPO would work here, but doesnt sound like it.

Some have suggested that embedding the images works better linking them as well.

Answer 3

Hi @Adam313

Yes, we could refer to the introduction in the official document: Use allowed sender lists or allowed domain lists

And since I'm not very familiar with the email marketing platform you noticed above, is this similar to the scenario introduced here: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365, if yes, please check did you apply any option in your environment. And if I have any misunderstanding about your environment, please correct me timely.

---

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.