Outlook for Windows Gets External Mail Tagging

Better Late than Never for the Windows Desktop Client

The preview for External tagging for Exchange Online messages first appeared in March 2021 with general availability in October 2021. Microsoft 365 roadmap item 70595 covered OWA, Outlook Mobile, and Outlook for Mac. For no apparent reason, Outlook for Windows was conspicuously missing, perhaps because Microsoft anticipated faster progress with the Outlook Monarch client.

A year after the other clients received external tagging, builds of Outlook for Windows support the feature. I’ve been using it with beta channel releases (Version 2210, build 15726.20000 and later). External tagging works as expected with Outlook for Windows, but a potential reason for its delay is apparent at first sight.

Fitting External Tagging into Outlook for Windows

Compared to the other Outlook clients, Outlook for Windows is a antique beast of a program. Although Microsoft has tweaked Outlook’s design over the years, the same basic layout persists. Anyone who used Outlook 97 twenty-five years ago would recognize the latest click-to-run build. Sure, the menu is nicer, and Outlook boasts a reading pane to make it easier to triage a busy inbox, but the structure of mailbox resources, folders, and messages remains.

Preserving the essence of Outlook’s interface creates continuity for users. Change has happened over the years, but nothing to totally rebuild the interface in the same way that the Monarch project is progressing. The upshot is that Outlook’s interface is full of items and options, and the views used to display lists of messages are quite tight. The result is that the new external tag must fit into a confined space, and it looks like it (Figure 1).

External tagging in Outlook for Windows
Figure 1: External tagging in Outlook for Windows

I realize I am not a professional designer and that my reaction is very much that of an amateur, but the external tag adds more clutter to an already crowded Outlook screen. In any case, the UI is what it is.

As you’d expect, external tagging works exactly the same way as in other Outlook clients. Any email received from an external domain that isn’t marked for exclusion for tagging is tagged as external (see my previous article for details about how to exclude a domain). Most of the email I receive is from external domains, and even after excluding domains that I correspond with extensively, I see many tagged messages.

Raising User Awareness

To be fair, that’s the point. The idea of external tagging is to highlight these messages to users with the hope that people will pay extra attention to any links and other content. Organizations have used transport rules to stamp inbound email with similar labels for years and highlighting email does help. However, like any visual clue, user fatigue grows over time and the tags are probably less effective once they become part of the Outlook landscape.

External tagging also helps to avoid recipients falling into the trap of business email compromise (BEC). Many BEC attacks happen due to compromised accounts, but the removal of basic authentication from email connectivity protocols should reduce compromise through attacks like password sprays, meaning that attackers need to employ new tactics.

One is when email appears to come from an internal domain but really comes from a domain with a very similar name that’s set up by attackers with the aim of duping recipients. Humans might be fooled when an attacker swaps 1 for an l in a domain name, but a computer won’t be. Unfortunately, there’s no guarantee that people won’t ignore the external tag on an email that apparently comes from an internal sender.

External Tagging for Some, Not All

Adding external tagging to Outlook for Windows rounds out the Office 365 story. At least, if you use the click-to-run version. Perpetual versions like Outlook 2019 don’t include the necessary interface and Exchange Server doesn’t implement the feature for on-premises users. The classic approach of using transport rules to label external mail work in these scenarios.

Microsoft has probably done as good a job as possible to implement external tagging given the constraints of Outlook for Windows. External tagging works, it’s a valuable feature, and it will keep some out of trouble. That is, if you notice and respect the tags.


So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

17 Replies to “Outlook for Windows Gets External Mail Tagging”

  1. Do you have any idea when the external tagging will become available? Maybe, I am just asking when Monarch gets completely released. I know you don’t have the have the Microsoft release schedule, but if you were to guess, what would be your guess?

  2. It sounds as though all accepted domains are automatically excluded. Would that mean that if a sender were to spoof one of our domains (legitimately or not), those emails – even though they originated outside of the O365 tenant – would not have the external tag?

    1. Well, yes, if the spoofed mail managed to get through the rest of the Exchange Online Protection defenses. This is the kind of thing that SPF and DMARC would stop.

      1. What I’m thinking of are systems like Salesforce or other external platforms legitimately spoofing our internal addresses. We have DMARC and SPF implemented and these messages pass through, but we still like it when those emails have an external sender stamp since the message does, in fact, originate outside of our network.

      2. Kreera, You must trust the mail systems of SalesForce and other external platforms a great deal. We don’t. We allow no vendors to spoof our systems. But to train your employees than to open this vector up for an avenue of attack. You have no idea how sloppy of how tight their mail systems are.

  3. Thank you for that article. This new feature is hitting Outlook now and my users don’t like it. Is there a way to disable it so, “External” does not appear in the Outlook pane?

      1. Thank you for the quick response. When I run the command on the affected computer I receive an error indicating the command is not recognized. Is this command run against the local computer or against Exchange Online? I don’t want to disable it for the tenant, just one computer.

        C:\> Set-ExternalInOutlook -Enabled $false
        The term ‘Set-ExternalInOutlook’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
        C:\>

  4. Last week the External tags started appearing in my Outlook for Windows client. This week they are gone!?

  5. Christopher W Ryan, Set-ExternalInOutlook is a command to run against Exchange Online. Currently there is no way to disable it per user / computer, only per tenant.

  6. It seems the external tagging rollout is off to a rough start. There are a couple of things I wish Microsoft would do for these types of enhancements.
    1. Predictability-Select members of our IT staff are in the Insider Channel (now called the Beta Channel.) One would hope that new features like this would surface there first. This one didn’t. Some of our users got this but no one in our IT staff received this (Beta Channel or not.) Everyone in our company uses the same version/build of Office.
    2. Communication-As you might have noticed above, I asked when this was supposed to be released? Tony offered the very reasonable answer of a couple of months. I guess not. (Roadmap, Message Center?)
    3. Visibility-I contacted our users that had this (past tense used on purpose) to find out which build of Office they were using. They were using the same build as our. So, I used the Get-ExternalInOutlook command (which show’s whether its enabled or not.) But this also includes OWA. So, everyone in our company shows as enabled. In other words, we have no way of knowing who has what. When those tickets started pouring in, it would be nice to be able to assess the impact for that P1 ticket I am about to submit. As noted above, the feature went away as quickly as it was rolled out. No notification about that either. Did someone just push the wrong button or something?
    4. Tunability-(I feel like a sports announcer using a like word like that.) As noted in #3, how about having the option of enabling it or disabling it per client type. Just that one option would be so powerful and could be used so many ways.
    5. Deploy disabled (especially) if channels are not used. (I know it doesn’t help their engagement metric, but the metrics are here for us, we aren’t here for the metrics.)

    Microsoft does so many things very well. But as I have come to understand from my own personal experience, consistency is most important in our business. Features and functionality are nice, but surprises are for birthdays, not IT.

    1. I rather like the idea of being able to disable the feature on a per-client basis, much like you can enable or disable client access via Set-CASMailbox or an OWA mailbox policy.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.