
[New] External Email Notification in Exchange Online

This is a new feature released in March 2021 that adds support in Outlook (Mac, OWA, Mobile) for displaying the external status of the sender. Note that at the time of writing it does not add this feature to Outlook for the PC. It should be used to replace the way this has commonly been done for years, which is to modify the message body.

Modifying the message body has, in my opinion, two problems. The first is that it is a permanent change to the message that was sent, which will appear in search results or the message preview. The second is that the modification breaks DKIM in some scenarios. DKIM is a digital signature added to the message headers by the sender's email system that attests to the integrity of the message body (and other headers such as sender). Modifications to the message body break DKIM, and I have seen this where you have complex routing in place, for example a cloud email filtering service (Proofpoint, Mimecast, etc.) or on-premises before Exchange Online. When you modify the sender's message in (say) Mimecast, Mimecast has already checked that DKIM passes, but when the message arrives at Exchange Online, Exchange Online Protection wants to do the same check, DKIM fails, and this can cause message integrity issues.

So, back to the issue at hand. If I can avoid tampering with the message at all this is better, but in the case of DKIM I should not tamper until the last point in the email chain (I digress though!).

The Exchange Online PowerShell cmdlet Set-ExternalInOutlook -Enabled $True will turn on a header in Outlook Mobile, OWA and the new Mac Outlook. In Outlook for Windows on the PC it will work in Office 365 build 2021 and later (Jan 2021 releases), which at the time of writing is “Current Channel” and soon to be “Monthly Enterprise Channel”.

To turn this feature on, run the above cmdlet in your tenant and wait 24-48 hours for the change to roll out. Try it in a test tenant first if you have one, but look below for detailed images of what your users will see.

Connecting to Exchange Online PowerShell
Run Set-ExternalInOutlook to enable this setting

If you have a few different tenants and you would consider some of these “internal”, then run Set-ExternalInOutlook -Enabled $true -AllowList otherdomain.com,diffdomain.com.

Setting some external domains to appear as internal
What The Feature Looks Like In Outlook Mobile
