Whitelisting Salesforce Emails in Exchange Online Protection

In this article, Salesforce list three IP address ranges (by way of CIDR notation) where their emails can come from when you are a Salesforce.com user. To ensure these emails come to all users of your organization if you are using Exchange Online Protection (EOP) then you have to create a transport rule to attempt to bypass any filtering that might be applied to these messages.

The problem with this list of network ranges and EOP is that EOP only accepts CIDR ranges that are /24 or smaller (i.e. /24 to /32) when creating connectors or content filtering and the Salesforce ranges are all larger than that.

To add a range bigger than /24 you must create a Transport rule that operates on the IP address range that sets the spam confidence level (SCL) to Bypass spam filtering (meaning that all messages received from within this IP address range are set to “not spam” and no additional filtering is performed by the service). However, if any of these IP addresses appear on any of Microsoft’s proprietary block lists or on any of their third-party block lists, these messages will still be blocked. So even though it is possible to do this, the emails might still be blocked if the individual addresses are blocked.

To add the transport rule follow these steps:

  1. In the EAC, navigate to Mail flow > Rules.
  2. Click + and then select Create a new rule.
  3. Give the rule a name and then click More options.
  4. Under Apply this rule if, select The sender and then choose IP address is in any of these ranges or exactly matches.
  5. In the specify IP addresses, specify the IP address ranges provided by Salesforce, click Add +, and then click ok.
  6. Under Do the following box, set the action by choosing Modify the message properties and then set the spam confidence level (SCL). In the specify SCL box, select Bypass spam filtering, and click ok.
  7. If you’d like, you can make selections to audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. Manage Transport Rules contains more information about these selections.
  8. Click the save button to save the rule. It appears in your list of rules.

After you create and enforce the rule, spam filtering is bypassed for the IP address range you specified.




4 responses to “Whitelisting Salesforce Emails in Exchange Online Protection”

  1. […] Whitelisting Salesforce Emails in Exchange Online Protection Whitelisting Salesforce Emails in Exchange Online Protection […]

  2. Seth avatar

    Can this be reversed to Blacklist salesforce.com emails? I get ‘lead’ spam regularly via salesforce.com . salesforce.com seems to have my entire company email list and sends us spam constantly.

    1. Brian Reid avatar

      You can block anything in EOP as long as you have some consistent property to track the message against. For example if all “leads” emails have “[Lead]” in the subject and come from Salesforce.com domain then you could write a transport rule in Exchange Online to give these emails a spam confidence level (SCL) of 5 or higher. Any property of the email can usually be used to find the emails in Exchange transport rules and then the action would be to delete or set the SCL. If the SCL is 5 or higher then the message will go to the Junk E-mails folder automatically.

  3. […] Whitelisting emails in Exchange Online Protection […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.