How to add sender domains to the safe senders list in Outlook?

Written by Karthek S
Updated over a week ago

Overview

Outlook in Microsoft 365 will tag a sender as “Unverified” (often showing a red question mark icon) when it can’t confirm that the email came from the claimed sender. The "Unverified Sender" tag is a built-in Microsoft feature, and there is no direct option to enable or disable it.

This new Microsoft feature can cause errors, such as the “We can’t verify the sender's identity” message. This error occurs when customers use sender domains that RH does not control and that do not have valid SPF records.

Step-by-Step Solution

The Microsoft recommended solution is provided below.

This document aims to automate the process of whitelisting RH domains or custom sender domains in Office 365.

The script already includes a list of RH domains. If you're using multiple custom sender domains, simply update the domainlist.txt file with all the domains you use.

To find your sender email domain, log in to the Right-Hand portal and navigate to Phishing Readiness > Sender Profiles. Click Edit on the sender profile you want to use, and look for the domain name that appears after the @ symbol.

Requirements

  • Operating System: Windows (Professional or Server editions)

  • Tool: PowerShell (must be run as Administrator)

  • Credentials: A valid Office 365 account

  • Authorization: Access to Exchange Online

Roles that would be required to execute operations:

  • Compliance Management

  • Organization Management

  • Records Management

  • Security Administrator

  • Hygiene Management

Note: The Office 365 user executing this script should be a “Global Administrator” or one of the above-listed roles.

How to Use the PowerShell Script

1. Extract the Script Package

  1. Download the provided ZIP file: TenantDomainWhitelist.zip

  2. Right-click the ZIP file and select "Extract All..."

  3. Choose a location you can easily find later (for example: D:\TenantDomainWhitelist\)

  4. Make sure all files are fully extracted and accessible in the selected folder.

2. Open PowerShell as an Administrator

  1. Click the Start menu and type PowerShell in the search bar.

  2. Right-click on Windows PowerShell and choose Run as Administrator.

  3. In the PowerShell window, navigate to the folder where you extracted the script. For example:

    cd 'D:\TenantDomainWhitelist\'

3. Run the commands below separately to sign the script digitally first.

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

4. Execute the Script

Option 1: Default Execution

  1. In the PowerShell window (with Administrator rights), run the script without any parameters:

    .\TenantDomainWhitelist.ps1
  2. By default, the script will:

    • Use the domain list from the file domainlist.txt, which is included in the extracted ZIP package.

Option 2: Custom Execution with Parameters

If you prefer to use a custom domain list file, you can specify the file path when running the script.

Example:

    .\TenantDomainWhitelist.ps1 -DomainListFilePath "C:\MyFiles\custom_domainlist.txt"

This allows you to use a different domain list without modifying the default domainlist.txt file.

5. Authentication

When you run the script, you’ll be prompted to sign in with your Office 365 credentials.

If your account uses Multi-Factor Authentication (MFA), you’ll also need to complete an extra verification step, such as:

  • Entering a 6-digit code from the Microsoft Authenticator app

  • Approving a text message or mobile notification sent to your registered device

Tip: Make sure you have access to your MFA device before starting the script.

6. Script Execution Time

The script usually completes within 1 to 3 minutes, depending on the number of domains being processed.

When the script runs successfully, you'll see confirmation messages displayed in the PowerShell window.

These messages indicate that the domains have been successfully added to your Office 365 allow list.

7. Post-Execution Results

Once the script has run successfully:

  • The RH domains and any custom sender domains you included will be added to the Tenant Allow/Block List.

  • This list is located under the Threat Policies section in Microsoft 365 Security Center.

This ensures that emails from these domains are trusted and not flagged or blocked by Microsoft 365 security filters.

Conclusion

This PowerShell script simplifies the process of whitelisting domains in Microsoft Defender.

Make sure you use the correct Office 365 credentials when prompted.
✅ After the script runs, it’s a good idea to verify the updated allow policy within the Microsoft Exchange admin center or Microsoft 365 Security Center.
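
One way to do that verification from PowerShell, as an added example that is not part of the TenantDomainWhitelist package: it compares the domains in your list file with the sender allow entries that Get-TenantAllowBlockListItems returns. The function names, the one-domain-per-line file format and the sample values are assumptions.

```powershell
# Added example; not code from TenantDomainWhitelist.zip.
# Assumption: the list file holds one domain per line; blank lines and '#' lines are skipped.
function Get-ExpectedDomain {
    param([string[]]$Lines)
    $Lines | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Sort-Object -Unique
}

# Reports each expected domain as Allowed or Missing, then lists allow
# entries that are not in the file so they can be reviewed.
function Compare-SenderAllowList {
    param(
        [string[]]$Expected,
        [object[]]$AllowEntries   # objects exposing Value and ExpirationDate
    )
    $byValue = @{}
    foreach ($e in $AllowEntries) { $byValue[$e.Value.ToLowerInvariant()] = $e }

    foreach ($d in $Expected) {
        $entry = $byValue[$d]
        [pscustomobject]@{
            Domain  = $d
            Status  = if ($entry) { 'Allowed' } else { 'Missing' }
            Expires = if ($entry) { $entry.ExpirationDate } else { $null }
        }
    }
    foreach ($v in ($byValue.Keys | Where-Object { $_ -notin $Expected })) {
        [pscustomobject]@{
            Domain  = $v
            Status  = 'Unexpected'
            Expires = $byValue[$v].ExpirationDate
        }
    }
}

# Constructed sample data so the comparison can be tried offline.
$sampleFile  = @('example-sender.test', 'Training.Example.test', '', '# old entry')
$sampleAllow = @(
    [pscustomobject]@{ Value = 'example-sender.test'; ExpirationDate = [datetime]'2030-01-01' }
    [pscustomobject]@{ Value = 'old-vendor.test';     ExpirationDate = $null }
)
Compare-SenderAllowList -Expected (Get-ExpectedDomain $sampleFile) -AllowEntries $sampleAllow |
    Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module, roles listed under Requirements):
#   Connect-ExchangeOnline
#   $allow = Get-TenantAllowBlockListItems -ListType Sender -Allow
#   Compare-SenderAllowList -Expected (Get-ExpectedDomain (Get-Content .\domainlist.txt)) -AllowEntries $allow
#   Disconnect-ExchangeOnline -Confirm:$false
```

Rows marked Missing point to a domain the script did not add, and rows marked Unexpected are allow entries that are not in your list file and are worth reviewing.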
