How to Block a Domain or Email Address in Exchange Online

While blocking domains in Exchange Online may seem like a drastic step to solving spam-related issues, it is a widely adopted feature that is used by many, if not most organisations that utilise Exchange Online.

By blocking a domain or email address directly from the Microsoft 365 admin center you are ensuring that:

  1. The block impacts all end users in your tenant
  2. The block cannot be overridden by end users in your tenant

In this tutorial, I am going to show you how to block a top-level domain, domain or email address in Exchange Online and explain what happens to blocked emails behind the scenes.

Block a domain or email address in Exchange Online

Microsoft 365 Defender is the central location in Microsoft 365 where you can modify security policies relating to Exchange Online. As such, we are going to use this web portal to modify the default anti-spam policy for Exchange Online to include our blocked domains and addresses.

1. Log in to Microsoft 365 Defender at http://defender.microsoft.com/

2. Expand Email & collaboration, then select Policies & rules > Threat policies

Defender Threat policies

3. Select Tenant Allow/Block List under the Rules heading.

Tenant allow block list

4. Under the Domains and addresses heading, click Block.

Add to block list

5. From here, enter the TLD (top-level domain), domain or address you wish to block and click Add.

Enter the TLD you wish to block

6. The domain is now blocked and should appear on your blocked domains list.

Domain blocked
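
The same block entries can be created from Exchange Online PowerShell, which is useful when you have a list of domains or addresses to block or want the change recorded in a script. The following is an added example and is not code from the original article. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account is permitted to manage the Tenant Allow/Block List, and that the domain, address and ticket reference are constructed placeholders.

```powershell
# Added example (not from the original article): add domains and addresses to
# the Tenant Allow/Block List with the ExchangeOnlineManagement module.
# Assumes: Install-Module ExchangeOnlineManagement has already been run and the
# account can manage the Tenant Allow/Block List.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Constructed sample entries: one full domain and one individual sender address.
$entries = @(
    'bad-sender-example.com',
    'spammer@another-example.net'
)

# -ListType Sender targets the "Domains & addresses" list shown in the portal.
# -Block creates block (not allow) entries; -NoExpiration keeps them until an
# admin removes them, so end users cannot override the block and it does not
# silently lapse.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $entries `
    -NoExpiration -Notes 'Blocked per change ticket PLACEHOLDER-ID'

# Verify: list the current block entries for domains and addresses.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Select-Object Value, Action, ExpirationDate, Notes |
    Format-Table -AutoSize

# To undo a block later, remove the entry by its value:
# Remove-TenantAllowBlockListItems -ListType Sender -Entries 'bad-sender-example.com'

Disconnect-ExchangeOnline -Confirm:$false
```

The -Notes value is worth filling in: it is the only place the entry records why it was created, which matters when a colleague reviews the block list months later.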

What happens when an email is received from a blocked address?

When an email is received from an external address that has been manually added to the block list in Microsoft Defender, the message is stamped with SCL:9. Under the default anti-spam policy, messages with an SCL of 8 or 9 are classified as High confidence spam and are delivered to the user’s Junk Email folder.

You can confirm this is the case for a blocked message by viewing the following header on the received email: X-MS-Exchange-Organization-SCL: 9. For more detail on message headers in Exchange Online, view my tutorial: Review and Interpret Message Headers in Exchange Online.

As an admin, you can modify this behaviour by editing the same anti-spam policy mentioned above and clicking Edit actions. From here you can change the action taken for High confidence spam.

high confidence spam
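
If you prefer to review or change the High confidence spam action from PowerShell, the anti-spam policies are exposed as hosted content filter policies. This is an added example, not code from the original article; it assumes an Exchange Online PowerShell session with rights to edit anti-spam policies, and the policy name Default refers to the built-in default policy.

```powershell
# Added example (not from the original article): inventory the High confidence
# spam action of every anti-spam policy, then change the default policy so that
# SCL 9 (blocked-sender) messages are quarantined instead of junked.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Inventory: which action applies to high-confidence spam (SCL 8-9) in each
# policy? Custom policies take precedence over the default for the users they
# apply to, so check all of them, not just Default.
Get-HostedContentFilterPolicy |
    Select-Object Name, IsDefault, HighConfidenceSpamAction |
    Format-Table -AutoSize

# Change the default policy. Quarantine keeps the message out of the mailbox
# entirely, which is closer to what most admins expect of a tenant-wide block.
# -WhatIf previews the change; remove it to apply.
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine -WhatIf

Disconnect-ExchangeOnline -Confirm:$false
```

Note that changing the high-confidence spam action affects every message that scores SCL 8 or 9, not only those from block-listed senders, so communicate the change to your helpdesk before applying it.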

This behaviour is changing in August 2023

Unfortunately, configuring blocked messages to be High-confidence spam is not the best solution to block a message. In most cases, a message blocked tenant-wide should not be delivered to the user’s mailbox at all. Thankfully, Microsoft recognises this issue, and this year the default behaviour for how blocked messages are handled will change.

Instead of the message being marked as high-confidence spam, it will instead be marked as high-confidence phish. This means that by default the message will be sent to the Admin Quarantine and not the Junk Email folder.

A high-confidence phishing email cannot be released by the user from their own quarantine. This means that if a user needs to view the email, they will need to request that it be removed from the quarantine by an admin of their organisation.

From an admin perspective, instead of the message header containing the SCL level of 9, the X-Forefront-Antispam-Report header will instead show HPHISH, for example X-Forefront-Antispam-Report: CAT:HPHISH. It is also imperative that correct guidance and training are provided to end users, because if expectations are not set properly, admins could be lumbered with additional administrative duties.

How to release blocked messages from the admin quarantine

Messages that are marked as high-confidence phish will be delivered to the admin quarantine. This means that users will not be able to release these emails from their own quarantine portal.

As an admin, there are two ways to access the admin quarantine: you can either go directly to https://defender.microsoft.com/quarantine, or follow the steps below:

1. Log in to Microsoft 365 Defender at http://defender.microsoft.com/

2. Under Email & collaboration select Review > Quarantine

Access quarantine

3. Select the desired email from the list and click Release

Release email

Once the message has been released, it will immediately arrive in the recipient’s inbox. Additional header information will be located in the X-MS-TrafficTypeDiagnostic: header, which will include the text EE_ReleasedQuarantineMessage.
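
The three headers described in this article (X-MS-Exchange-Organization-SCL for the current behaviour, CAT:HPHISH in X-Forefront-Antispam-Report for the August 2023 behaviour, and EE_ReleasedQuarantineMessage in X-MS-TrafficTypeDiagnostic for released messages) are what a helpdesk or SOC analyst checks when a user asks why a message was junked, quarantined or suddenly appeared. The function below reads those headers from raw header text and returns a verdict. It is an added example, not code from the original article; the function name is my own, and the sample headers are constructed for the example rather than taken from real traffic.

```powershell
# Added example (not from the original article): classify a message from its
# raw headers using the verdict headers described in the article.
# Get-BlockedMessageVerdict is a name chosen for this example.

function Get-BlockedMessageVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header) so long values such as
    # X-Forefront-Antispam-Report can be matched as a single line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $scl      = $null
    $category = $null
    $released = $false

    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)') {
            $scl = [int]$Matches[1]
        }
        elseif ($line -match '^X-Forefront-Antispam-Report:.*\bCAT:([A-Z]+)') {
            $category = $Matches[1]
        }
        elseif ($line -match '^X-MS-TrafficTypeDiagnostic:.*EE_ReleasedQuarantineMessage') {
            $released = $true
        }
    }

    # Most specific condition first: a released message still carries its
    # original verdict headers, so check for the release marker before them.
    $verdict =
        if ($released) { 'Released from quarantine by an admin' }
        elseif ($category -eq 'HPHISH') { 'High-confidence phish: admin quarantine, user cannot self-release' }
        elseif ($null -ne $scl -and $scl -ge 8) { 'High-confidence spam (SCL 8-9): Junk Email folder by default' }
        elseif ($null -ne $scl) { "SCL $scl: not treated as high-confidence spam" }
        else { 'No Exchange Online spam verdict headers found' }

    [pscustomobject]@{
        SCL      = $scl
        Category = $category
        Released = $released
        Verdict  = $verdict
    }
}

# Constructed sample headers (not real traffic): a message that was marked
# high-confidence phish and later released by an admin. The folded
# X-Forefront-Antispam-Report value exercises the unfolding step.
$sample = @"
Received: from mail.sender-example.net (constructed) by EXAMPLE.prod.outlook.com
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:XX;LANG:en;SCL:9;SRV:;IPV:NLI;
 CAT:HPHISH;DIR:INB;
X-MS-Exchange-Organization-SCL: 9
X-MS-TrafficTypeDiagnostic: EXAMPLE:EE_ReleasedQuarantineMessage
Subject: Constructed sample
"@

Get-BlockedMessageVerdict -RawHeaders $sample

# For a saved message, pass the file contents:
# Get-BlockedMessageVerdict -RawHeaders (Get-Content .\message.eml -Raw)
```

Because the function reports the category as well as the SCL, the same check keeps working across the August 2023 change: before it you will see SCL 9 with no HPHISH category, afterwards CAT:HPHISH, and in both cases the EE_ReleasedQuarantineMessage marker tells you an admin released the message rather than the filter letting it through.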

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
