How to Enable and Use Exchange Online’s External Email Tagging Feature

Available for Activation Now

After a delay to allow for the deployment of the required cmdlets, tenants can now activate Exchange Online’s external email tagging feature to mark external email (MC243047 – Microsoft 365 roadmap item 70595). The tags appear in OWA, Outlook Mobile, Outlook for Mac, and should eventually show up in Outlook desktop. External email tagging is part of Microsoft’s strategy to make email secure by default along with other features like blocking automatic mail forwarding.

External email tagging means that messages received from any domain except those registered for the tenant are marked by Exchange as “external” when they pass through the transport service on their way to user mailboxes. Figure 1 shows External tags displayed for a set of messages in my Inbox with details obscured to protect the guilty. In addition to the tag, when a message is read, the user is offered the chance to block the sender. The external tag is not displayed for messages received from external senders and forwarded by a tenant user. Protected (encrypted) messages are not affected as the tag doesn’t affect message content.

Figure 1: External email tagging in OWA

Flagging external senders with a form of mail tip and offering to block them seems a tad robust. After all, email is all about communication and even if spammers are active, I expect a minimum of spam to get past Exchange Online Protection and Microsoft 365 Defender for Office 365 (aka Advanced Threat Protection). The implementation appears to make blocking senders the norm rather than the exception, which I don’t like.

Adding Well-known Functionality

Tagging adds a feature to Exchange Online that organizations have been building for years with transport (mail flow) rules (here’s an example). Obviously, Microsoft believes that highlighting external email is something which should be available out-of-the-box. I agree. It’s just curious that it’s taken the developers 25 years to get around to implementing the feature. Then again, important stuff like enabling reactions to email (MC239090 – delayed on March 2 to “evaluate feedback” like “this is a waste of time”) has got in the way.
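For comparison with the built-in tag, here is the mail flow rule approach the paragraph refers to, written as an added example rather than taken from the article or from Microsoft’s documentation. It assumes an existing Exchange Online PowerShell session and the rights to create transport rules; the group address, partner domain and rule name are constructed placeholders. The rule is scoped to a pilot group first, excludes one sender domain in the same way the tagging feature’s allow list does, and avoids stacking a second “[EXTERNAL]” prefix on replies:

```powershell
# Added example (not the article's own script): tag external mail with a
# transport rule. Assumes Connect-ExchangeOnline has already been run.
# Group, domain and rule names below are constructed placeholders.

$ruleName = "Tag external email (pilot)"

# Remove a stale copy so the script can be re-run safely
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Remove-TransportRule -Identity $ruleName -Confirm:$false
}

$ruleParams = @{
    Name                              = $ruleName
    # Sender address is not in one of the tenant's accepted domains
    FromScope                         = "NotInOrganization"
    SentToScope                       = "InOrganization"
    # Pilot group (hypothetical address); remove this line to apply tenant-wide
    SentToMemberOf                    = "externaltag-pilot@contoso.example"
    # Same idea as the tagging feature's allow list: trusted on address match only
    ExceptIfSenderDomainIs            = @("partner.example")
    # Do not prepend the tag again when an already-tagged thread is replied to
    ExceptIfSubjectMatchesPatterns    = @('^\[EXTERNAL\]')
    # Subject prefix is visible in every client, unlike the OWA/mobile-only tag
    PrependSubject                    = "[EXTERNAL] "
    ApplyHtmlDisclaimerLocation       = "Prepend"
    ApplyHtmlDisclaimerText           = "<p style='color:#9c0000'>CAUTION: This message came from outside the organization.</p>"
    ApplyHtmlDisclaimerFallbackAction = "Wrap"
    Mode                              = "Enforce"
    Priority                          = 0
}

New-TransportRule @ruleParams

# Verify the rule landed with the expected scope and exceptions
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, SentToMemberOf,
                ExceptIfSenderDomainIs, PrependSubject
```

The pilot-group scoping is the main practical difference from Set-ExternalInOutlook, which is a tenant-wide switch: a rule can be tested on a handful of mailboxes before it is widened, and it works in clients that do not yet render the native tag.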

Activating External Email Tagging

External tagging is disabled by default. This is an unusual situation for a new feature as Microsoft invariably assumes that people want to use whatever new wheeze they have dreamed up and therefore enables new features. In this instance, you’ll have to run the Set-ExternalInOutlook cmdlet to get things moving.

Leaving aside the not-very-good cmdlet name (Set-ExternalEmailTagging would have been more obvious), the process is very simple:

  • Connect to the Exchange Online Management endpoint (or use remote PowerShell if you must).
  • Run Set-ExternalInOutlook to enable external tagging. You can decide if certain domains or individual email addresses are excluded from tagging. I’m not sure when I would use individual addresses, unless you wanted to be sure that email received from someone’s (like an executive’s) personal email address was not considered external. The more I think about that idea, the less I like it.

For my tenant, I ran:

Set-ExternalInOutlook -AllowList "quest.com", "microsoft.com" -Enabled $True

This command means that tagging is applied to any external email except the two domains defined in the allowed list. After a moment, I decided to add another domain. Doing it this way avoids overwriting the domains already excluded:

Set-ExternalInOutlook -AllowList @{Add="Practical365.com"}

Note: Some tenants are reporting that they see failures when running Set-ExternalInOutlook to add just one domain to the allow list. While Microsoft debugs the problem, the quick workaround is to always add at least two domains to the list.

The Get-ExternalInOutlook cmdlet reports the tagging configuration:

Get-ExternalInOutlook

Identity   : s662313f-14fc-43a2-9a7a-d2e27f4f3478
Enabled    : True
AllowList  : {quest.com, microsoft.com, Practical365.com}

The identity reported is the GUID for the tenant. It’s the same as reported by Get-MgOrganization, which is my normal go-to cmdlet to find this information. You can also find the tenant identifier in the overview section of the Entra ID admin center.
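The steps above, gathered into one re-runnable script as an added example (not the article’s own commands). It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange administrator role; the domain names are constructed placeholders. Existing allow-list entries are preserved by using the @{Add=...} form, and the final check expands the AllowList property, because the default table output of Get-ExternalInOutlook truncates long lists:

```powershell
# Added example (not the article's own script): enable external tagging, add
# allow-list domains without overwriting existing ones, then verify.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
# Domain names are constructed placeholders.

Connect-ExchangeOnline -ShowBanner:$false

# Sender domains that should NOT be tagged. Keep this short: every entry is a
# domain the tag will trust on sender-address match alone.
$desiredAllow = @("partner.example", "vendor.example")

$current = Get-ExternalInOutlook

# Turn tagging on if it is not already; -Enabled alone leaves AllowList untouched
if (-not $current.Enabled) {
    Set-ExternalInOutlook -Enabled $true
}

# Only add domains that are missing; @{Add=...} appends instead of replacing
$toAdd = @($desiredAllow | Where-Object { $current.AllowList -notcontains $_ })
if ($toAdd.Count -gt 0) {
    # The article notes some tenants hit errors adding a single domain; if that
    # happens, add the domains together in one call rather than one at a time
    Set-ExternalInOutlook -AllowList @{Add = $toAdd}
}

# Verify. Expanding the property shows every entry; the default view of
# Get-ExternalInOutlook is cut off by $FormatEnumerationLimit (4 by default).
$verify = Get-ExternalInOutlook
"Tenant  : $($verify.Identity)"
"Enabled : $($verify.Enabled)"
"Allow list ($($verify.AllowList.Count) entries):"
$verify.AllowList | Sort-Object | ForEach-Object { "  $_" }

# To remove a domain later without touching the rest of the list:
# Set-ExternalInOutlook -AllowList @{Remove = "vendor.example"}
```

Because the allow list is matched on the sender domain in the address and nothing else, review it the way you would review a safe-sender list: each entry is a domain whose mail will reach users without the external marker.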

After that, it’s a matter of waiting for Exchange Online to acknowledge the configuration update and enable tagging. Microsoft says that activation should happen within 24-48 hours. The exact waiting period depends on many factors, including service load, but in my case, Exchange Online started to tag messages within a few hours.

If you enable external tagging and want to see the tags show up, make sure that your account is enabled in the Microsoft 365 admin center for targeted release. Users on targeted release see new updates for several weeks before other users do.

Tagging Threads

Interestingly, OWA highlights a thread as external if any message in the thread comes from an external domain that’s not on the excluded list. For example, I have a bunch of messages from microsoft.com addresses, which are excluded from tagging. But once someone from an external address (dell.com, for instance) joins the conversation, OWA applies the external tag.

Although tagging is supposed to show up in Outlook mobile, I haven’t seen it yet despite updating to the latest TestFlight build (4.2110.0). No doubt external tags will appear in time. I just have to be patient.

Update April 22: Glen Scales explains how to use the Microsoft Graph API and EWS to work with external tags in this blog post.


To learn lots more about Exchange Online and Office 365 in general, subscribe to the Office 365 for IT Pros eBook! We probe and test new features so you don’t have to do as much work to understand and deploy them in production.

31 Replies to “How to Enable and Use Exchange Online’s External Email Tagging Feature”

      1. Yes, we have 5 or so domains in our O365/EXO tenant and our internal smtp relay sends as some of these. How does MS know to treat the messages from my own smtp server as “internal” but to mark external mail servers spoofing the same domain as “external”? Thx

  1. Hello Tony,

    We have a need to test this out on certain email addresses (in IT Dept.) before we enable for the entire domain. Microsoft told me they are still developing this feature, and the Office 365 Roadmap site (https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595) says it is still in development. Also, our Office 365 environment is hybrid, and we are concerned it could cause internal emails to be incorrectly tagged. We just want to see it in action before we push it out to the entire organization.

    How is the Set-ExternalInOutlook command used to only enable certain email addresses, and not the entire domain? I am guessing it is:

    Set-ExternalInOutlook email address; email address; email address; -Enabled $true

    Please verify. I also looked at Microsoft’s site here, but examples are lacking:

    https://docs.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps

    Thanks!
    David

  2. I’ve turned this on as it’s a great new feature to help protect data.
    Some observations – after turning on and waiting 24 hours I can see it in Outlook on The Web and also on Mobile app (latest version). My Outlook desktop client does not display the external tag though despite being on Insider/preview update channel – running version Outlook 365 Pro plus 2105 14026.20202 – perhaps being in hybrid mode may be impacting this or we are not allowing traffic from client to a required endpoint due to firewall config. How does the Outlook client know to start using this tagging? I’m wondering if it sits in the autodiscover response?

    1. I’m not seeing the external tags in Outlook desktop (Version 2105, build 14026.20202) either. Might have been delayed. Who knows in the cloud!

      1. I reinstalled O365 at the beginning of the month to force a refresh on my build (preview channel specified in the setup xml) – the process upgraded me to Office v365 v2107 and I started seeing external mail tags. Pleased to see this feature – hopefully it will help users and improve general system/information security.

      2. This feature (ID# 70595) is still “in development” according to the Microsoft Office 365 Roadmap site here:

        https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70595

        Make sure to click on the description text (“Exchange Online – Tag for external email messages received”) to see the details of the update, including the last time Microsoft modified the page (for this feature). I have been checking this page every few weeks to see when it shows as “launched.”

        I am surprised it’s still being developed, considering Microsoft added this feature to its roadmap on January 28, 2021. They still haven’t completed development after 6 months??!! This doesn’t make sense.

        I don’t think it’s ready for Outlook desktop yet. Back in early May, I opened a ticket with Microsoft to ask them about this feature and if it is ready for our hybrid environment. The tech said no and to wait. My boss doesn’t want me to turn on this feature until Microsoft says it is launched (and no longer in development).

        Does anybody here have any insider intel on this?

  3. Another observation, in hybrid mode our on-prem Exchange server users were displaying without the ‘external’ tag correctly. However, we had some servers that relay some email notifications through the on-prem Exchange servers – these emails had the sender address set to our on-prem email domain, when received by O365 migrated users the message was tagged as external – I believe the reason for this is that our on-prem send/receive connector used to relay the emails was not configured to be recognised as internal.

  4. It seems that the feature does not recognise tenant related communication (e.g. sharepointonline.com). Does anyone know if it’s planned for it to have it? Simply adding relevant Microsoft domains would otherwise open an opportunity (miss the external label) for anyone running O365 account sending malicious content. Also, adding “microsoft.com” to the allow list sort of defeats the purpose of “internal” vs “external” imho. Thoughts?

    1. SharePointOnline.com is not a domain registered to the tenant so it’s always going to be an external domain unless Microsoft excludes it. I will pass on the suggestion, thanks!

  5. I am wondering what exactly counts as an “external” email for this feature?
    Sometimes emails “received from outside the organisation” is also called external emails, but I suppose this is not the same?
    Does it depend solely on the domains registered in the tenant and the exception list?
    So if someone sends an email from an arbitrary mail server in the internet and pretends to be a sender from a registered domain the mails will not be marked as external?

  6. Hi,
    Thank you for the bunch of useful info in here.
    Is there a way to get the full list of domains that we’ve excluded from external tagging? I only get the first 4 to be displayed when using the command “Get-ExternalInOutlook”

    1. Hi Tony,

      Thank you for your swift response.
      My dear friend chatGPT helped me out also with following cmd:

      (Get-ExternalInOutlook).AllowList

      It seems to provide the same visual result.

  7. Is adding domains as exceptions safe? Could they be spoofed or is it looking at the actual sending domain and not the reply to domain?

  8. In an enterprise environment this works well for mail sent using Microsoft 365 Exchange Online, optionally combined with a hybrid setup. However, Microsoft prevents bulk mail like newsletters and mailings and advises using a separate SMTP server which sends email directly to the internet instead of using Exchange Online. Despite all correct settings for SPF/DKIM/DMARC and the sender domain of the separate SMTP server being in the accepted domains for Exchange Online, messages sent through this “external” SMTP server are marked as External. This feature does not check SPF/DKIM/DMARC to mark messages as internal or verified, which makes this feature useless in adding awareness to users for spoofing etc. Adding the entire domain in the allow list, renders this feature also useless since spoofed mail is also accepted.

    Any thoughts on this?

    1. My only thought is that if you’re having problems having EXO regard a specific domain as OK (not external) and you think all your settings are correct, you should file a support request with Microsoft and have them check the settings. I can’t see those settings, but Microsoft can…
