After a delay to allow for the deployment of the required cmdlets, tenants can now activate Exchange Online’s external email tagging feature to mark external email (MC243047 – Microsoft 365 roadmap item 70595). The tags appear in OWA, Outlook Mobile, Outlook for Mac, and should eventually show up in Outlook desktop. External email tagging is part of Microsoft’s strategy to make email secure by default along with other features like blocking automatic mail forwarding.
External email tagging means that messages received from any domain except those registered for the tenant are marked by Exchange as “external” when they pass through the transport service on their way to user mailboxes. Figure 1 shows External tags displayed for a set of messages in my Inbox with details obscured to protect the guilty. In addition to the tag, when a message is read, the user is offered the chance to block the sender. The external tag is not displayed for messages received from external senders and forwarded by a tenant user. Protected (encrypted) messages are not affected as the tag doesn’t affect message content.
Figure 1: External email tagging in OWA
Flagging external senders with a form of mail tip and offering to block them seems a tad robust. After all, email is all about communication and even if spammers are active, I expect a minimum of spam to get past Exchange Online Protection and Microsoft 365 Defender for Office 365 (aka Advanced Threat Protection). The implementation appears to make blocking senders the norm rather than the exception, which I don’t like.
Adding Well-known Functionality
Tagging adds a feature to Exchange Online that organizations have been building for years with transport (mail flow) rules (here’s an example). Obviously, Microsoft believes that highlighting external email is something which should be available out-of-the-box. I agree. It’s just curious that it’s taken the developers 25 years to get around to implementing the features. Then again, important stuff like enabling reactions to email (MC239090 – delayed on March 2 to “evaluate feedback” like “this is a waste of time”) has got in the way.
Activating External Email Tagging
External tagging is disabled by default. This is an unusual situation for a new feature as Microsoft invariably assumes that people want to use whatever new wheeze they have dreamed up and therefore enables new features. In this instance, you’ll have to run the Set-ExternalInOutlook cmdlet to get things moving.
Leaving aside the not-very-good cmdlet name (Set-ExternalEmailTagging would have been more obvious), the process is very simple:
Connect to the Exchange Online Management endpoint (or use remote PowerShell if you must).
Run Set-ExternalInOutlook to enable external tagging. You can decide if certain domains or individual email addresses are excluded from tagging. I’m not sure when I would use individual addresses, unless you wanted to be sure that email received from someone’s (like an executive’s) personal email address was not considered external. The more I think about that idea, the less I like it.
This command means that tagging is applied to any external email except the two domains defined in the allowed list. After a moment, I decided to add another domain. Doing it this way avoids overwriting the domains already excluded:
Note: Some tenants are reporting that they see failures when running Set-ExternalInOutlook to add just one domain to the allow list. While Microsoft debugs the problem, the quick workaround is to always add at least two domains to the list.
The Get-ExternalInOutlook cmdlet reports the tagging configuration:
The identity reported is the GUID for the tenant. It’s the same as reported by Get-AzureADTenantDetail, which is my normal go-to cmdlet to find this information.
After that, it’s a matter of waiting for Exchange Online to acknowledge the configuration update and enable tagging. Microsoft says that activation should happen within 24-48 hours. The exact waiting period depends on many factors, including service load, but in my case, Exchange Online started to tag messages within a few hours.
If you enable external tagging and want to see the tags show up, make sure that your account is enabled in the Microsoft 365 admin center for targeted release. Users on targeted release see new updates for several weeks before other users do.
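The allow-list handling described above, as an added PowerShell example (not code from the original article): one helper appends entries without overwriting the existing list, and a second reviews what Get-ExternalInOutlook reports. The function names are hypothetical, and the list of open mail domains and the sample object are constructed. The first function needs a connected Exchange Online session, while the review runs offline.

```powershell
# Added example, not code from the original article.
# Hypothetical helper names: Add-ExternalTagAllowListEntry, Test-ExternalTagAllowList.

function Add-ExternalTagAllowListEntry {
    # Appends entries to the allow list without replacing what is already there.
    # Needs an Exchange Online session (Connect-ExchangeOnline) when actually run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Entry)

    $current = @((Get-ExternalInOutlook).AllowList |
                 ForEach-Object { "$_".ToLowerInvariant() })
    $new = @($Entry | ForEach-Object { $_.Trim().ToLowerInvariant() } |
             Where-Object { $_ -and $current -notcontains $_ } |
             Select-Object -Unique)
    if ($new.Count -eq 0) { return }   # everything requested is already listed
    if ($new.Count -eq 1) {
        # The article notes that some tenants saw failures when adding one domain.
        Write-Warning 'Adding a single entry; see the note about single-domain failures.'
    }
    if ($PSCmdlet.ShouldProcess(($new -join ', '), 'Add to external tagging allow list')) {
        # @{Add=...} appends; passing a plain list would overwrite existing entries.
        Set-ExternalInOutlook -AllowList @{ Add = $new }
    }
}

function Test-ExternalTagAllowList {
    # Classifies each allow-list entry so a reviewer can see what loses the tag.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Config,
        # Assumption: sample list of domains where anyone can obtain a mailbox.
        [string[]]$OpenDomain = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com')
    )
    process {
        if (-not $Config.Enabled) {
            Write-Warning "External tagging is not enabled for $($Config.Identity)"
        }
        foreach ($item in $Config.AllowList) {
            $value  = "$item".Trim().ToLowerInvariant()
            $isAddr = $value.Contains('@')
            $domain = if ($isAddr) { $value.Split('@')[-1] } else { $value }
            $note = if (-not $isAddr -and $OpenDomain -contains $domain) {
                'Open mail domain: any sender there arrives untagged'
            } elseif ($isAddr) {
                'Single address: confirm the owner and the reason'
            } else {
                'Whole domain: all of its senders arrive untagged'
            }
            [pscustomobject]@{
                Tenant = $Config.Identity
                Entry  = $value
                Kind   = if ($isAddr) { 'Address' } else { 'Domain' }
                Review = $note
            }
        }
    }
}

# Constructed sample shaped like Get-ExternalInOutlook output (placeholder GUID).
$sample = [pscustomobject]@{
    Identity  = '00000000-0000-0000-0000-000000000000'
    Enabled   = $true
    AllowList = @('microsoft.com', 'gmail.com', 'exec.name@example.com')
}
$sample | Test-ExternalTagAllowList | Format-Table -AutoSize

# In a connected session:
#   Get-ExternalInOutlook | Test-ExternalTagAllowList
#   Add-ExternalTagAllowListEntry -Entry 'partner-one.example', 'partner-two.example' -WhatIf
```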
Tagging Threads
Interestingly, OWA highlights a thread as external if any message in the thread comes from an external domain that’s not on the excluded list. For example, I have a bunch of messages from microsoft.com addresses which are excluded from tagging. But once someone from an external address (like dell.com, for instance) joins the conversation, OWA applies the external tag.
Although tagging is supposed to show up in Outlook mobile, I haven’t seen it yet despite updating to the latest TestFlight build (4.2110.0). No doubt external tags will appear in time. I just have to be patient.
Update April 22: Glen Scales explains how to use the Microsoft Graph API and EWS to work with external tags in this blog post.
To learn lots more about Exchange Online and Office 365 in general, subscribe to the Office 365 for IT Pros eBook! We probe and test new features so you don’t have to do as much work to understand and deploy them in production.
Might be worth adding that this will extend to Outlook Desktop from May 2021 (see https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098)
Done!
How are messages sent as my primary domain from an on prem SMTP server treated?
Is it an accepted domain for Office 365? If so, it won’t be deemed external.
Yes, we have 5 or so domains in our O365/EXO tenant and our internal smtp relay sends as some of these. How does MS know to treat the messages from my own smtp server as “internal” but to mark external mail servers spoofing the same domain as “external”? Thx
If the domains are accepted by Office 365, they are internal. Anything else is external.
Hello Tony,
We have a need to test this out on certain email addresses (in IT Dept.) before we enable for the entire domain. Microsoft told me they are still developing this feature, and the Office 365 Roadmap site (https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595) says it is still in development. Also, our Office 365 environment is hybrid, and we are concerned it could cause internal emails to be incorrectly tagged. We just want to see it in action before we push it out to the entire organization.
How is the Set-ExternalInOutlook command used to only enable certain email addresses, and not the entire domain? I am guessing it is:
Set-ExternalInOutlook email address; email address; email address; -Enabled $true
Please verify. I also looked at Microsoft’s site here, but examples are lacking:
https://docs.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps
Thanks!
David
I think this is an organization-wide setting which cannot be restricted to a set of users. You either turn it on or off.
To prevent tagging in some mailbox you can use this free Power Automate flow:
https://ivasoft.com/disabletaggingflow.shtml
I’ve turned this on as it’s a great new feature to help protect data.
Some observations – after turning on and waiting 24 hours I can see it in Outlook on The Web and also on Mobile app (latest version). My Outlook desktop client does not display the external tag though despite being on Insider/preview update channel – running version Outlook 365 Pro plus 2105 14026.20202 – perhaps being in hybrid mode may be impacting this or we are not allowing traffic from client to a required endpoint due to firewall config. How does the Outlook client know to start using this tagging? I’m wondering if it sits in the autodiscover response?
I’m not seeing the external tags in Outlook desktop (Version 2105, build 14026.20202) either. Might have been delayed. Who knows in the cloud!
I reinstalled O365 at the beginning of the month to force a refresh on my build (preview channel specified in the setup xml) – the process upgraded me to Office v365 v2107 and I started seeing external mail tags. Pleased to see this feature – hopefully it will help users and improve general system/information security.
This feature (ID# 70595) is still “in development” according to the Microsoft Office 365 Roadmap site here:
https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595
Make sure to click on the description text (“Exchange Online – Tag for external email messages received”) to see the details of the update, including the last time Microsoft modified the page (for this feature). I have been checking this page every few weeks to see when it shows as “launched.”
I am surprised it’s still being developed, considering Microsoft added this feature to its roadmap on January 28, 2021. They still haven’t completed development after 6 months??!! This doesn’t make sense.
I don’t think it’s ready for Outlook desktop yet. Back in early May, I opened a ticket with Microsoft to ask them about this feature and if it is ready for our hybrid environment. The tech said no and to wait. My boss doesn’t want me to turn on this feature until Microsoft says it is launched (and no longer in development).
Does anybody here have any insider intel on this?
Another observation, in hybrid mode our on-prem Exchange server users were displaying without the ‘external’ tag correctly. However, we had some servers that relay some email notifications through the on-prem Exchange servers – these emails had the sender address set to our on-prem email domain, when received by O365 migrated users the message was tagged as external – I believe the reason for this is that our on-prem send/receive connector used to relay the emails was not configured to be recognised as internal.
It seems that the feature does not recognise tenant related communication (eg. sharepointonline.com). Does anyone know if it’s planned for it to have it? Simply adding relevant Microsoft domains would otherwise open an opportunity (miss the external label) for anyone running O365 account sending malicious content. Also, adding “microsoft.com” to the allow list sort of defeats the purpose of “internal” vs “external” imho. Thoughts?
SharePointOnline.com is not a domain registered to the tenant so it’s always going to be an external domain unless Microsoft excludes it. I will pass on the suggestion, thanks!
If you do not want to use PowerShell, use this tool to modify the configuration of external sender identification:
https://www.ivasoft.com/setexternalinoutlook.shtml
I am wondering what exactly counts as an “external” email for this feature?
Sometimes emails “received from outside the organisation” are also called external emails, but I suppose this is not the same?
Does it depend solely on the domains registered in the tenant and the exception list?
So if someone sends an email from an arbitrary mail server on the internet and pretends to be a sender from a registered domain the mails will not be marked as external?
Any email received from a domain that is not registered for the tenant is external.
Hi,
Thank you for the bunch of useful info in here.
Is there a way to get the full list of domains that we’ve excluded from external tagging? I only get the first 4 to be displayed when using the command “Get-ExternalInOutlook”
Get-ExternalInOutlook | Select-Object -ExpandProperty AllowList
Hi Tony,
Thank you for your swift response.
My dear friend chatGPT helped me out also with following cmd:
(Get-ExternalInOutlook).AllowList
It seems to provide the same visual result.
It’s the same functional PowerShell code…
Is adding domains as exceptions safe? Could they be spoofed or is it looking at the actual sending domain and not the reply to domain?