Allowlisting by IP address in Exchange 2013, 2016, or Microsoft 365 (formerly Office 365)

Support Desk
  • Updated
Follow

IMPORTANT NOTICE: Since Microsoft rolled out the "Secure by Default" standard in October 2021, the required method of allowlisting has changed. To correctly allowlist in Exchange and Office 365 environments, please see our article Allowlisting via Microsoft Advanced Delivery.

To ensure the effective delivery of our simulated phishing emails, you will need to allowlist our servers, we recommend allowlisting by either IP address or by hostname.

Sometimes allowlisting can require some trial and error, this article covers allowlisting by IP address, if you are unsuccessful with this method check out our guide on allowlisting by Hostname, which can be found here.

Another option is allowlisting by Email Headers, but this is usually only necessary if you use a cloud-based spam filter, see guide here.

NOTE:

When allowlisting for Microsoft 365 (formerly Office 365), we STRONGLY recommend implementing the ATP/Defender bypass steps to avoid potential false-positives in your campaigns. 

 

The Process

The process is quite simple, there are just 4 steps:

The first thing you'll need to do is set up an IP Allow List which includes Phishing Tackle's IP addresses. Next, you add a mail flow rule which allows our emails to bypass your Clutter folder and Microsoft's Exchange Online Protection (EOP) filter. Lastly, if you're using Microsoft 365 (formerly Office 365), you'll need a connector to prevent deferments. All of these steps must be done to fully allowlist our servers.

Step 1 - IP Allow List

Step 2 - Bypass Clutter & Spam Filter

Step 3 - Bypass Junk Filter - Microsoft 365 (formerly Office 365) Only

Step 4 - Create connector to avoid deferments - Microsoft 365 (formerly Office 365) Only

 

NOTE:

Within Microsoft 365 (formerly Office 365) environments: If you allowlisted Phishing Tackle before March 2020, we recommend you configure a connector to prevent emails being deferred. You'll find quick instructions to do this in Step 4.

 

Step 1 - Adding Phishing Tackle's IP addresses to the IP Allow List 

  1. Log into the Microsoft 365 (formerly Office 365) portal and select Admin centers > Security.
    Allowlisting_by_IP_address_-_Security_Center.png

  2. Select "Policies & Rules".
    Allowlisting_by_IP_address_-_Security_Center_-_Policies___Rules.png

  3. Select "Threat policies".
    Allowlisting_by_IP_address_-_Security_Center_-_Threat_Policies.png

  4. Select "Anti-Spam".
    Allowlisting_by_IP_address_-_Security_Center_-_Policies___Rules_-_Anti-Spam.png

  5. Click "Connection filter policy (Default)".
    Allowlisting_by_IP_address_-_Connection_Filter_Policy.png

  6. Select "Edit connection filter policy".
    Allowlisting_by_IP_address_-_Connection_Filter_Policy_-_Edit.png

  7. Within the connection filter policy add Phishing Tackle's IP addresses one at a time. A complete list of our IP addresses can be found here.
    Allowlisting_by_IP_address_-_Connection_Filter_Policy_-_IP_addresses.png
  8. Click "Save".
  9. Move onto the mail flow rule in Step 2!

 

Step 2 - Bypass clutter and spam filtering

This step is crucial to avoiding Microsoft's EOP.

NOTE:

Microsoft details some useful information regarding flow order in this article which may help if emails are still getting blocked/quarantined, read here.

  1. Visit the Microsoft 365 (formerly Office 365) portal and select Admin centers > Exchange.
    Allowlisting_by_IP_address_-_Exchange_Admin_Center.png

  2. Click "Mail Flow".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_clutter_and_spam_filtering.png

  3. Click "Rules".
  4. Click "Add a Rule".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_clutter_and_spam_filtering_-_Rule.png

  5. Click "Bypass spam filtering".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_spam_filtering.png

  6. Give the rule a memorable and easy-to-understand name.
    Allowlisting_by_IP_address_-_Bypass_clutter_and_spam_filtering_-_Rule_Name.png

  7. Under *Apply this rule if... select "The sender..." > "IP address is in any of these ranges or exactly matches".
    Allowlisting_by_IP_address_-_Bypass_clutter_and_spam_filtering_-_Apply_Rule.png

  8. Then enter each of Phishing Tackle's IP addresses, clicking the "Add" button for each. (A complete list of our IP addresses can be found here.) Then hit "Save".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-_Specify_IP.png

  9. The Bypass spam filtering rule is automatically configured for you. This is displayed Under *Do the following.
    Allowlisting_by_IP_address_-_EAC_-_Bypass_Spam_Filtering_Rule.png

  10. Click the "+" button under "Do the following".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-_Additional_Rule.png

  11. Under "And" select "Modify the message properties..." > select "set a message header".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_Spam_Filtering_Rule_-_And.png

  12. Edit the properties of this by selecting the Enter text buttons:
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-_Enter_text_buttons.png

    Use the following entries:
    Set the message header to "X-MS-Exchange-Organization-BypassClutter" set the value to "true".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-_Header_and_Value.png

  13. Click "Next".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-__Next.png

  14. Leave all settings in "Set rule settings" as their default values and click "Next".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-__Set_Rule_-Next.png

  15. Review your settings and click "Finish".
    Allowlisting_by_IP_address_-_EAC_-_Review.png

If you're using Microsoft 365 (formerly Office 365), you will need to complete Steps 3&4 below, if you are just using Microsoft Exchange, you're done!

Make sure to run some test campaigns to a small group of recipients, checking both spoofed and external domain templates, before running an organisation-wide campaign.

 

Step 3 - Bypass the Junk Folder - Microsoft 365 (formerly Office 365) Only

  1. Visit the Microsoft 365 (formerly Office 365) portal and select Admin centers > Exchange.
    Allowlisting_by_IP_address_-_Exchange_Admin_Center.png

  2. Click "Mail Flow".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_clutter_and_spam_filtering.png
  3. Click "Rules".
  4. Click "Add a Rule".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_clutter_and_spam_filtering_-_Rule.png

  5. Click "Bypass spam Filtering".
    Allowlisting_by_IP_address_-_EAC_-_Bypass_spam_filtering.png

  6. Give the rule a memorable and easy-to-understand name.
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Rule.png

  7. Under "*Apply this rule if..." select "The sender" > select "IP address is in any of these ranges or exactly matches".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Apply_this_rule_if.png

  8. Then enter each of Phishing Tackle's IP addresses, clicking the "Add" button for each. (A complete list of our IP addresses can be found here.) Then hit "Save".
    Allowlisting_by_IP_address_-_Bypass_Spam_Filtering_-_Specify_IP.png

  9. Under "*Do the following..." click the "+" button to create an additional rule.
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Add_Rule.png

  10. Under "And" select "Modify the message properties..." > select "set a message header".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_And_-_Message_Header.png

  11. Edit the properties by selecting the "Enter text" buttons.
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_And_-_Edit_Message_Header.png

  12. Click "Enter text" next to Set the message header and set the message header to "X-Forefront-Antispam-Report". Then hit "Save".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Header_Text.png

  13. Click "Enter text" next to "the value" and set the value to "SFV:SKI;". Then click "Save".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Message_Header_Value.png

  14. Click "Next".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Set_rule_conditions.png

  15. Leave all settings in "Set rule settings" as their default values and click "Next".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Set_Rule_Settings.png

  16. Click "Finish".
    Allowlisting_by_IP_address_-_Bypass_Junk_Filter_-_Review_and_Finish.png
  17. Review your Rules in Exchange admin center. Adjust the Priority (if necessary) to be directly after the Bypass clutter and spam filtering rule, created in step two.

  18. Move onto create the connector in Step 4!

 

Step 4 - Create a Connector to Avoid Deferments - Microsoft 365 (formerly Office 365) Only

This step is crucial in avoiding Microsoft's rate limiting settings.

  1. Visit the Microsoft 365 (formerly Office 365) portal and select Admin centers > Exchange.
    Allowlisting_by_IP_address_-_Exchange_Admin_Center.png

  2. Click "Mail Flow".
    Allowlisting_by_IP_address_-_Create_connector_to_avoid_deferments_-_Mail_Fl.png

  3. Click "Connectors".
    Allowlisting_by_IP_address_-_Connector_-_Mail_Flow_-_Connector.png

  4. Click "Add a connector".
    Allowlisting_by_IP_address_-_Connector_-_Add_A_Connector.png

  5. In "
    Allowlisting_by_IP_address_-_Connector_-_New_connector.png

  6. Ensure "Connection to" is set to Office 365. Then click "Next".
  7. Give the connector a memorable and logical name, add a description if you like (it's optional) then click "Next".
    Allowlisting_by_IP_address_-_Connector_-_Connector_Name.png

  8. Click "By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization".
    Allowlisting_by_IP_address_-_Connector_-_Authenticating_Sent_Email.png

  9. Click the "+" button and enter each of Phishing Tackle's IP addresses (A complete list of our IP addresses can be found here.) Then click "Next".
    Allowlisting_by_IP_address_-_Connector_-_Authenticating_Sent_Email_-_IP.png

  10. Ensure Reject email messages if they aren't sent over TLS is selected.
    Allowlisting_by_IP_address_-_Connector_-_Security_Restrictions.png

  11. Double-check the settings entered are correct, then hit Save.
    Allowlisting_by_IP_address_-_Connector_-_Create_Connector.png

That's it!

Allowlisting can sometimes require some trial and error, should the above guide not work, try allowlisting by Hostname instead.

 

Should you require any further assistance, please contact our support team by clicking here.

 

Related articles