Configure External E-mail Warning

Security is the number one priority for most mature IT Service Providers. Microsoft is no exception. An often overlooked configuration parameter within Exchange Online is the External E-mail Warning. By enabling this option, all of your tenant users will be notified when an e-mail originates from an external sender.

This, combined with SPF, DKIM & DMARC, creates a robust security layer to protect your organisation against potential e-mail threats.

While you could also work with transport rules to set a banner in the content of a mail, this post focuses on the built-in capabilities of Exchange Online.

After connecting to Exchange Online you can execute the following command to enable this option in your tenant:

Set-ExternalInOutlook -Enabled $true

Note that it can take up to 24 hours for the configuration to be effective, and only new messages will be tagged as such. This configuration does not impact any messages that were received prior to the change.

If you want to prevent the warning from appearing for certain SMTP domains or addresses, the following command can be used:

Set-ExternalInOutlook -AllowList jentech.be,contoso.com

Although this feature works as documented, I would very much love to see integration with the user’s white list. In that approach, the warning would only pop up in case the sender is not in the organization-wide allow list, or on the white list of the specific mailbox.

Happy configuring!

The certificate “name” on “servername” has expired

When logging in to a customer's Exchange Server 2013 environment recently, a pop-up caught my eye, indicating the following error:

An expired certificate as such obviously isn’t such a weird event. However, when zooming into the error, the server that the error referred to was an old, already decommissioned, Exchange Server!

The following locations were checked, to no avail:

  • Get-ExchangeServer
  • Get-ExchangeCertificate
  • ADSI Edit
  • Certificate store on all Exchange Servers

After some searching on the web with Bing, I found a solution.

Get-Mailbox -Arbitration | Search-Mailbox -DeleteContent

Keep in mind that specific permissions are required to run the command. A management role needs to be created with the Mailbox Import Export role assigned. Assigning the Discovery Management role is not enough!
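
The permission step and the cleanup command above, combined into one sequence that previews the arbitration mailboxes before anything is deleted. This is an added example, not code from the original post. It assumes the role is granted through a role group, and the role group name and admin account are hypothetical placeholders.

```powershell
# Added example. Values marked "hypothetical" are placeholders, not taken from the post.
$RoleGroup = 'Arbitration Mailbox Cleanup'   # hypothetical role group name
$Admin     = 'admin@contoso.com'             # hypothetical admin account

# Step 1: grant the Mailbox Import Export role through a dedicated role group.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles 'Mailbox Import Export' -Members $Admin
}

# The -DeleteContent parameter only shows up in a shell session that was
# opened after the role assignment, so check for it before going further.
if (-not (Get-Command Search-Mailbox).Parameters.ContainsKey('DeleteContent')) {
    Write-Warning 'Role not active in this session. Reopen the Exchange Management Shell.'
    return
}

# Step 2: preview. -EstimateResultOnly reports item count and size per
# arbitration mailbox without copying or deleting anything.
$preview = Get-Mailbox -Arbitration |
    Search-Mailbox -EstimateResultOnly |
    Select-Object Identity, ResultItemsCount, ResultItemsSize
$preview | Format-Table -AutoSize

# Step 3: run the command from the post only when there is content to remove.
# Without -Force, Exchange asks for confirmation before deleting.
$total = ($preview | Measure-Object -Property ResultItemsCount -Sum).Sum
if ($total -gt 0) {
    Get-Mailbox -Arbitration | Search-Mailbox -DeleteContent
}
```

Once the cleanup is done, Remove-RoleGroup can take the role group away again so the delete permission does not stay assigned.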