Microsoft 365 Blog
Part of our expanding list of Self-help diagnostics for issues in Exchange Online and Outlook, we’re happy to announce a new tool, which can help address or explain issues related to Microsoft 365 safe/blocked sender lists. It is designed to assist administrators in resolving these problems independently, without needing to contact support.
Allowing or blocking senders in Microsoft 365
Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) provide methods for users to ensure that they receive email from trusted senders and block email from unwanted senders. Collectively, these options are known as safe sender lists and blocked sender lists. Users (recipients) manage their safe/blocked sender lists at the mailbox level, affecting only their own mailbox. A mailbox safelist collection includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list.
How safelist collections work:
Safelist collection entries are hashed (SHA-256) before they are stored as array sets across user object attributes in the mailbox. When a message is received, Exchange hashes the sender's email address and compares it to the hashes stored on behalf of the destination mailbox. If the sender matches a safe senders hash, the message bypasses content filtering (allowed). If the sender matches a blocked senders hash, the message is blocked.
- Users configure the safelist collection in Outlook or Outlook on the web for their own mailboxes.
- Admins run the Get-MailboxJunkEmailConfiguration and Set-MailboxJunkEmailConfiguration PowerShell cmdlets to view and configure the safelist collection on any user's mailbox.
New: Mailbox Safe/Blocked Sender List Diagnostic
Requirements: recipient email address, plus the sender email address or sender domain.
The Mailbox Safe/Block List diagnostic provides comprehensive details on whether a sender's SMTP address is listed in the trusted or blocked senders list, powered by the Get-MailboxJunkEmailConfiguration PowerShell cmdlet. For Exchange Online, it also verifies the accuracy and presence of these values in Microsoft Entra ID (formerly Azure Active Directory, or AAD). If any discrepancies are detected, a synchronization (sync) of the values is initiated.
The diagnostic can be used to:
- Confirm if a sender is allowed or blocked by a recipient
- Confirm if an allow or a block is due to the lists being out of sync with Microsoft Entra ID
- Attempt to sync the safe/block list to the safe/block sender hash value in Microsoft Entra ID.
- Provide insights on configuration issues preventing a sync, such as when the safe/block lists or the Microsoft Entra ID hash are too large.
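To make these checks concrete, here is an added PowerShell example built on the Get-/Set-MailboxJunkEmailConfiguration cmdlets the article names. It is not Microsoft's diagnostic code. It reproduces the part an admin can check locally: whether a sender address or domain is on a mailbox's trusted or blocked list, how close each list is to the 1024-entry mailbox limit and the 1000-entry Microsoft Entra ID hash-sync limit quoted in Examples 2 and 3 below, and a guarded cleanup of blocked-list entries that a blocked domain already covers. The function names and the 50-entry "approaching the limit" margin are this example's own choices, and the Entra ID sync itself is something only the hosted diagnostic performs.

```powershell
# Added example, not Microsoft's diagnostic code. Assumes a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline) whose account can read and set
# mailbox junk-email configuration. The two limits are the figures quoted in the article.
$MailboxListLimit = 1024   # entries a mailbox safe/block list can hold (per the article)
$EntraHashLimit   = 1000   # entries above which the Entra ID hash stops syncing (per the article)
$NearLimitMargin  = 50     # assumption of this example: warn this many entries before the limit

function Test-SenderListStatus {
    <# Reports whether $Sender (a full address or a bare domain) is on $Recipient's
       trusted or blocked list, and how close each list is to the quoted limits. #>
    param(
        [Parameter(Mandatory)] [string] $Recipient,
        [Parameter(Mandatory)] [string] $Sender
    )
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $Recipient

    # A sender matches if either its full address or its domain is listed.
    # -contains compares case-insensitively, as SMTP addresses are compared here.
    $domain     = if ($Sender -match '@') { $Sender.Split('@')[-1] } else { $Sender }
    $candidates = @($Sender, $domain) | Select-Object -Unique
    $trusted    = @($cfg.TrustedSendersAndDomains)
    $blocked    = @($cfg.BlockedSendersAndDomains)

    $warnings = foreach ($list in @(@{ Name = 'Trusted'; Items = $trusted },
                                    @{ Name = 'Blocked'; Items = $blocked })) {
        $n = $list.Items.Count
        if ($n -gt $EntraHashLimit) {
            "$($list.Name) list has $n entries; above $EntraHashLimit the Entra ID hash will not sync."
        } elseif ($n -ge ($MailboxListLimit - $NearLimitMargin)) {
            "$($list.Name) list has $n entries; approaching the $MailboxListLimit-entry mailbox limit."
        }
    }

    [pscustomobject]@{
        Recipient         = $Recipient
        Sender            = $Sender
        JunkFilterEnabled = $cfg.Enabled
        TrustedMatch      = @($trusted | Where-Object { $candidates -contains $_ })
        BlockedMatch      = @($blocked | Where-Object { $candidates -contains $_ })
        TrustedCount      = $trusted.Count
        BlockedCount      = $blocked.Count
        Warnings          = @($warnings)
    }
}

function Remove-RedundantBlockedEntries {
    <# Removes blocked-list addresses whose whole domain is already blocked; they add
       nothing but count against the limits. Run with -WhatIf first to preview. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Recipient)

    $cfg     = Get-MailboxJunkEmailConfiguration -Identity $Recipient
    $blocked = @($cfg.BlockedSendersAndDomains)
    $domains = @($blocked | Where-Object { $_ -notmatch '@' } | ForEach-Object { $_.ToLowerInvariant() })

    $redundant = @(foreach ($entry in $blocked) {
        $key = $entry.ToLowerInvariant()
        if (($key -match '@') -and ($domains -contains $key.Split('@')[-1])) { $entry }
    })

    if ($redundant.Count -eq 0) { Write-Verbose "No redundant blocked entries on $Recipient"; return @() }
    if ($PSCmdlet.ShouldProcess($Recipient, "Remove $($redundant.Count) redundant blocked entries")) {
        Set-MailboxJunkEmailConfiguration -Identity $Recipient -BlockedSendersAndDomains @{ Remove = $redundant }
    }
    return $redundant
}

# Example 3 from the article, run locally: is sam@contoso.com blocked, and is the list over the hash limit?
Test-SenderListStatus -Recipient 'recipient@fabrikam.com' -Sender 'sam@contoso.com' | Format-List
Remove-RedundantBlockedEntries -Recipient 'recipient@fabrikam.com' -WhatIf
```

The cleanup deliberately touches only the blocked list: the article states that, for domains, the diagnostic syncs only blocked-list entries to Microsoft Entra ID, so trimming the blocked list is what brings a sender back under the 1000-entry hash limit in Example 3. Because `Set-MailboxJunkEmailConfiguration` with `@{Remove=...}` is a write to the user's mailbox settings, the function supports `-WhatIf` so the removal list can be reviewed before it is applied.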
Running the Diagnostic
As a Global, Exchange, or Help Desk Administrator, run the Mailbox Safe/Block List diagnostic in any admin portal (Microsoft 365 Admin Center, Microsoft Defender XDR, Exchange Admin Center, Purview compliance, etc.).
Use the quick link https://aka.ms/safeblockdiag to:
- Open the Microsoft 365 Admin Center.
- Prepopulate the Get Help field with the diagnostic query.
Examples and Scenarios
Example 1: Check the list for sync issues
Your organization’s recipient@fabrikam.com listed the sender joe@contoso.com as an allowed sender. However, emails from this sender are getting blocked as spam. We will need these two pieces of input:
- Sender email address: Joe@contoso.com
- Recipient mailbox address: Recipient@fabrikam.com
Output: (screenshot of the diagnostic results)
The results indicate that although the sender was included in the recipient's Allowed Senders list, there was a synchronization issue between the mailbox block/allow lists and Microsoft Entra ID. Once the lists were re-synced successfully, the issue was resolved. Subsequent testing shows that when joe@contoso.com sends an email to recipient@fabrikam.com, the messages are no longer marked as spam.
Example 2: Check the mailbox safe/block list for limit issues
Your organization has a mailbox at recipient@fabrikam.com. The administrator has recently used PowerShell to add the sender address alex@contoso.com to the safelist using the Set-MailboxJunkEmailConfiguration cmdlet. We will use this sender and recipient pair as input for this process and review the output:
There are two key results: the mailbox block/allow list is synced with Microsoft Entra ID, and the mailbox allow sender list is nearing its maximum limit of 1024 entries. Currently, it has 1002 entries, so reducing the number is advisable to prevent issues.
Example 3: Check the list for hash sync issues to Microsoft Entra ID
In another example, your organization’s recipient@fabrikam.com had blocked sam@contoso.com, but emails from the sender are still reaching the recipient's inbox. You enter the sender/recipient as input and find that the issue is that the Blocked Sender hash value isn't synced to Microsoft Entra ID due to exceeding the 1000-entry limit (currently at 1004). To ensure synchronization, remove redundant entries and limit the list to under 1000 entries, then re-run the diagnostic.
Example 4: Check the list for domain sync issues
Your organization’s recipient@fabrikam.com listed the sender domain contoso.com in their Allowed Domains list. However, emails from this sender domain keep getting quarantined as high confidence spam. You enter the recipient address and the sender domain as diagnostic inputs, and review the results:
As noted earlier, when it comes to domains, the diagnostic will sync only those in the block list to Microsoft Entra ID, and the recipient can allow the sender email address to let the sender’s email through.
We hope this diagnostic helps you evaluate and diagnose issues with Mailbox Safe sender and Block sender lists more effectively. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.
Source:
Diagnose Safe/Blocked Senders Issues in Microsoft 365 | Microsoft Community Hub
Microsoft has released a new diagnostic tool that helps address technical issues with safe/blocked sender lists in Microsoft 365.
