Overview
Outlook in Microsoft 365 will tag a sender as “Unverified” (often showing a red question mark icon) when it can’t confirm that the email came from the claimed sender. The "Unverified Sender" tag is a built-in Microsoft feature, and there is no direct option to enable or disable it.
This new Microsoft feature can cause errors, such as the “We can’t verify the sender's identity” message. This error occurs when customers use sender domains that RH does not control and that do not have valid SPF records.
Step-by-Step Solution
The Microsoft recommended solution is provided below.
This document aims to automate the process of whitelisting RH domains or custom sender domains in Office 365.
The script already includes a list of RH domains. If you're using multiple custom sender domains, simply update the domain.txt file with all the domains you use.
To find your sender email domain, log in to the Right-Hand portal and navigate to Phishing Readiness > Sender Profiles. Click Edit on the sender profile you want to use, and look for the domain name that appears after the @ symbol.
Requirements
Operating System: Windows (Professional or Server editions)
Tool: PowerShell (must be run as Administrator)
Credentials: A valid Office 365 account
Authorization: Access to Exchange Online
Roles that would be required to execute operations:
Compliance Management
Organization Management
Records Management
Security Administrator
Hygiene Management
Note: The Office 365 user executing this script should be a “Global Administrator” or one of the above-listed roles.
How to Use the PowerShell Script
1. Extract the Script Package
Download the provided ZIP file:
TenantDomainWhitelist.zip
Right-click the ZIP file and select "Extract All..."
Choose a location you can easily find later (for example: D:\TenantDomainWhitelist\).
Make sure all files are fully extracted and accessible in the selected folder.
2. Open PowerShell as an Administrator
Click the Start menu and type PowerShell in the search bar.
Right-click on Windows PowerShell and choose Run as Administrator.
In the PowerShell window, navigate to the folder where you extracted the script. For example:
cd 'D:\TenantDomainWhitelist\'
3. Run the commands below separately to sign the script digitally first.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
4. Execute the Script
Option 1: Default Execution
In the PowerShell window (with Administrator rights), run the script without any parameters:
.\TenantDomainWhitelist.ps1
By default, the script will:
Use the domain list from the file domainlist.txt, which is included in the extracted ZIP package.
Option 2: Custom Execution with Parameters
If you prefer to use a custom domain list file, you can specify the file path when running the script.
Example:
.\TenantDomainWhitelist.ps1 -DomainListFilePath "C:\MyFiles\custom_domainlist.txt"
This allows you to use a different domain list without modifying the default domainlist.txt file.
5. Authentication
When you run the script, you’ll be prompted to sign in with your Office 365 credentials.
If your account uses Multi-Factor Authentication (MFA), you’ll also need to complete an extra verification step, such as:
Entering a 6-digit code from the Microsoft Authenticator app
Approving a text message or mobile notification sent to your registered device
✅ Tip: Make sure you have access to your MFA device before starting the script.
6. Script Execution Time
The script usually completes within 1 to 3 minutes, depending on the number of domains being processed.
When the script runs successfully, you'll see confirmation messages displayed in the PowerShell window.
✅ These messages indicate that the domains have been successfully added to your Office 365 allow list.
7. Post-Execution Results
Once the script has run successfully:
The RH domains and any custom sender domains you included will be added to the Tenant Allow/Block List.
This list is located under the Threat Policies section in Microsoft 365 Security Center.
✅ This ensures that emails from these domains are trusted and not flagged or blocked by Microsoft 365 security filters.
Conclusion
This PowerShell script simplifies the process of whitelisting domains in Microsoft Defender.
✅ Make sure you use the correct Office 365 credentials when prompted.
✅ After the script runs, it’s a good idea to verify the updated allow policy within the Microsoft Exchange admin center or Microsoft 365 Security Center.
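One way to do that verification from PowerShell, as an added example that is not part of the RH script package: the function below compares a domain list against Tenant Allow/Block List entries and reports domains that are missing, expired, or close to expiry. Test-AllowListCoverage and the sample domains are hypothetical; it assumes the script added the domains as Sender allow entries and that each entry exposes Value and ExpirationDate as Get-TenantAllowBlockListItems returns them.

```powershell
# Added example (not from the RH package). Assumption: domains were added as
# Sender allow entries with Value and ExpirationDate properties.
function Test-AllowListCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,           # lines from domainlist.txt
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Entries,                                   # allow entries from the tenant
        [int] $WarnDays = 7                                    # flag entries expiring this soon
    )
    $now = Get-Date

    # Index the tenant entries by lower-cased value for lookup by domain.
    $index = @{}
    foreach ($e in $Entries) {
        $index[$e.Value.Trim().ToLowerInvariant()] = $e
    }

    foreach ($raw in $Domains) {
        $d = $raw.Trim().ToLowerInvariant()
        if (-not $d) { continue }                              # skip blank lines

        $entry = $index[$d]                                    # $null when not allow-listed
        $status = if (-not $entry) { 'Missing' }
            elseif ($entry.ExpirationDate -and $entry.ExpirationDate -lt $now) { 'Expired' }
            elseif ($entry.ExpirationDate -and
                    $entry.ExpirationDate -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
            else { 'Present' }

        [pscustomobject]@{ Domain = $d; Status = $status; Expires = $entry.ExpirationDate }
    }
}

# Constructed sample data so the function can be tried without a tenant.
$sampleEntries = @(
    [pscustomobject]@{ Value = 'example-sender.test'; ExpirationDate = (Get-Date).AddDays(30) }
    [pscustomobject]@{ Value = 'soon-sender.test';    ExpirationDate = (Get-Date).AddDays(3) }
    [pscustomobject]@{ Value = 'old-sender.test';     ExpirationDate = (Get-Date).AddDays(-1) }
)
$sampleDomains = 'example-sender.test', 'soon-sender.test', 'old-sender.test', 'new-sender.test'
Test-AllowListCoverage -Domains $sampleDomains -Entries $sampleEntries | Format-Table

# Against a real tenant (ExchangeOnlineManagement module), after signing in:
#   Connect-ExchangeOnline
#   $entries = @(Get-TenantAllowBlockListItems -ListType Sender -Allow)
#   Test-AllowListCoverage -Domains (Get-Content .\domainlist.txt) -Entries $entries
```

Any domain reported as Missing or Expired is no longer covered by the allow list, so messages from it can be flagged again until the entry is re-added.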