How to use Safe Senders in EOP and FOPE

  • Article

In the EOP (Exchange Online Protection, our newer service) and FOPE (Forefront Online Protection for Exchange, our older service), there are some nuances that end users should be aware of when using the safe senders and blocked senders feature.

Customers who use Outlook as their mail client and sync their safe and blocked sender lists to EOP or FOPE can have their individual user lists respected by the service. However, there are some differences between FOPE and EOP:

  1. FOPE respects only safe senders. Blocked senders and domains are still blocked (deposited into Junk) by the email client. Safe domains are not respected.

  2. EOP respects safe senders and domains, and blocked senders and domains. The spam action for Blocked Senders/Domains is the same as for all other spam blocked by the content filter.

However, users who want to use safe and blocked senders need to know that if they are using EOP or FOPE, Outlook and EOP/FOPE handle it differently: EOP and FOPE respect Safe Senders and Domains by inspecting the RFC 5321.MailFrom while Outlook adds RFC 5322.From to a user’s safe sender list. EOP inspects both the 5321.MailFrom and 5322.From for Blocked Senders and Domains.

This means that what you add as a safe sender or domain in Outlook might not work the way you think!

  1. The SMTP MAIL FROM, otherwise known as the RFC 5321.MailFrom. This is the email address that is used to do SPF checks, and if the mail cannot be delivered, the path where the bounced message is delivered to. It is this email address that goes into the Return-Path in the message headers.

  2. The From: address in the message headers, otherwise known as the RFC 5322.From. This is the email address that is displayed in the mail client.

Much of the time, the 5321.MailFrom and 5322.From are the same. This is typical for person-to-person communication and what people usually want to add safe senders for. However, when email is sent on behalf of someone else, they are frequently different. This usually happens most often for Bulk Email and it is where problems can occur.

For example, suppose that the airline Oceanic Airlines has contracted out Big Communications to send out its email advertising. You then get the following message in your inbox:
 

image

 

In your email client, you see the sender is oceanic@news.oceanicairlines.com. To prevent this message from going to junk, you add it as a safe sender in Outlook. Unfortunately, the next time it comes through, it also gets filtered. What’s going on? You added it as a safe sender!

The reason is that oceanic@news.oceanicairlines.com is the 5322.From address and it is the one you see in Outlook, but EOP and FOPE do not inspect it. The 5321.MailFrom is oceanic.airlines@bigcommunications.com and that is the one FOPE and EOP inspects. But, it does not appear anywhere in the message display.

In order to have it skip filtering, you need to add the 5321.MailFrom to the safe senders manually. To do this:

  1. In the Outlook client, open up the message in a new window by double-clicking on it.

  2. On the top ribbon in Outlook, look for the Tags tab. In the bottom right corner there is a little square with an arrow pointing out of it. Click this little square. This tab is there in Outlook 2010 and 2013. I’m not sure about 2007 and 2003 but there is something similar.

  3. In the Internet Headers section there will be a Return-Path header. The value of this field is the RFC 5321.MailFrom and it is the one you want to put into your safe senders.

    It is difficult to look for this header within this popup window so you should copy-and-paste all of these headers into a text editor like Notepad. There is no way to make this window bigger within Outlook:

  4. Close this popup window and email message and open up your safe senders. To do this in Outlook 2010 and 2013, from the main Outlook window click Junk –> Junk Email Options –> Safe Senders tab.

    Click the Add… button and paste in the value from the Return-Path header. Click OK to close the dialogue window.

You have now added the correct email address to your safe senders list such that it integrates with EOP and FOPE, which will subsequently not mark messages coming from this sender as spam the next time they are delivered to you. Admittedly this is non-intuitive but in my next post I will explain why EOP and FOPE perform safe sender checks on the 5321.MailFrom email address.