Legit Emails End Up in Junk

It’s frustrating when a legitimate email lands in the junk folder, even after you’ve taken proactive steps to whitelist the sender or domain at the tenant level under the Safe Sender list. Recently, while troubleshooting such a case, we identified an underlying issue related to the TrustedListsOnly attribute in the mailbox junk email configuration. Here, we’ll dive into what causes this behavior, how to identify it, and the steps to resolve it via Outlook, OWA, or PowerShell as an admin.

The Scenario

An email from a trusted sender ended up in the recipient’s junk folder despite the sender’s domain being added to the tenant-wide Safe Sender list. Upon investigation using Threat Explorer in the Microsoft 365 Defender portal, the email was flagged as:

“Blocked due to user overrides. Update or remove the user mailbox policy ‘ExclusiveSetting’.”

This pointed to a mailbox-specific junk email setting where the attribute TrustedListsOnly was set to $true. This configuration instructs the mailbox to accept emails only from addresses or domains explicitly added to the Safe Senders list, overriding tenant-wide Safe Sender configurations.

What is TrustedListsOnly?

The TrustedListsOnly setting ensures that a user’s inbox exclusively accepts emails from addresses and domains in their personal Safe Senders list. While this provides an additional layer of control, it can conflict with tenant-level Safe Sender policies, leading to unintended junking of legitimate emails.

How to Identify the Issue

  1. Threat Explorer: Use Threat Explorer in Microsoft 365 Defender to trace why the email was moved to junk.
     1. Check the delivery action for the email.
     2. Look for the message “Blocked due to user overrides.”
  2. Mailbox Configuration:
     1. Run the following PowerShell command to check the TrustedListsOnly setting for a specific user:

Get-MailboxJunkEmailConfiguration -Identity user@example.com

If the TrustedListsOnly value in the output is $true, the setting is enabled.
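
To run the same check across many mailboxes, the added example below (not part of the original post) keeps only the junk email configurations that have TrustedListsOnly enabled and reports whether a given sender is on each personal Safe Senders list. The function name Find-ExclusiveJunkMailbox, the sample objects, and the exact-address-or-exact-domain matching rule are assumptions made for illustration.

```powershell
# Added example. Find-ExclusiveJunkMailbox is a hypothetical helper name.
function Find-ExclusiveJunkMailbox {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MailboxJunkEmailConfiguration output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Config,
        # Sender address to test against each personal Safe Senders list
        [Parameter(Mandatory)]
        [string]$Sender
    )
    begin {
        $address = $Sender.Trim().ToLowerInvariant()
        $domain  = ($address -split '@')[-1]
    }
    process {
        # Mailboxes without the exclusive setting are not affected
        if (-not $Config.TrustedListsOnly) { return }
        # Assumption: an entry matches on exact address or exact domain only
        $entries = @($Config.TrustedSendersAndDomains) |
            Where-Object { $_ } |
            ForEach-Object { "$_".Trim().ToLowerInvariant() }
        $listed = ($entries -contains $address) -or ($entries -contains $domain)
        [pscustomobject]@{
            Identity         = "$($Config.Identity)"
            TrustedListsOnly = $true
            SenderListed     = $listed
            WouldJunk        = -not $listed
        }
    }
}

# Constructed sample data (not real tenant output), so the logic runs offline
$sample = @(
    [pscustomobject]@{ Identity = 'alice'; TrustedListsOnly = $true;  TrustedSendersAndDomains = @('partner.example') }
    [pscustomobject]@{ Identity = 'bob';   TrustedListsOnly = $true;  TrustedSendersAndDomains = @('news@other.example') }
    [pscustomobject]@{ Identity = 'carol'; TrustedListsOnly = $false; TrustedSendersAndDomains = @() }
)
$sample | Find-ExclusiveJunkMailbox -Sender 'billing@partner.example' | Format-Table -AutoSize

# Live use, after Connect-ExchangeOnline:
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
#     ForEach-Object { Get-MailboxJunkEmailConfiguration -Identity $_.UserPrincipalName } |
#     Find-ExclusiveJunkMailbox -Sender 'billing@partner.example'
```

Rows with WouldJunk set to True are the mailboxes where the tenant-wide Safe Sender entry is overridden for that sender.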

How to Enable or Disable TrustedListsOnly

You can configure the TrustedListsOnly setting from both Outlook and OWA. Here’s how:

From Outlook

  1. Open Microsoft Outlook.
  2. Navigate to Home > Junk > Junk Email Options.
  3. In the Junk Email Options dialog box:
     1. Go to the Options tab.
     2. Check or uncheck the box for “Safe Lists Only: Only emails from people or domains in your Safe Senders List will be delivered to your Inbox.”
     3. Click OK to save changes.

From OWA (Outlook Web App)

  1. Log in to Outlook on the Web (OWA).
  2. Click on the Settings (gear icon) in the upper-right corner.
  3. Select View all Outlook settings at the bottom of the panel.
  4. Navigate to Mail > Junk email.
  5. Under the Filters section:
     1. Toggle the option for “Only trust emails from addresses in my Safe Senders and domains list and Safe Mailing Lists.”
  6. Click Save to apply the changes.

Resolving the Issue

If legitimate emails are being blocked:

  1. Check and Adjust the Setting:
     1. Review the user’s Safe Senders list and ensure the sender/domain is added.
     2. Disable the TrustedListsOnly attribute temporarily to test the behavior.

Use PowerShell to disable it:

Set-MailboxJunkEmailConfiguration -Identity "user@example.com" -TrustedListsOnly $false

  2. Educate Users:
     1. Inform users about the impact of enabling the TrustedListsOnly setting.
     2. Encourage them to regularly update their Safe Senders list.
  3. Validate Tenant Configurations:
     1. Ensure tenant-wide Safe Sender lists are correctly configured in the Exchange Admin Center (EAC).
     2. Communicate with end-users about policy overlaps.

Conclusion

The TrustedListsOnly setting is a powerful tool for managing junk email but can sometimes cause legitimate emails to be misclassified. By understanding how to configure this setting and addressing the interplay between user and tenant-level policies, you can ensure a smoother email delivery experience. Educating users and monitoring configurations is key to avoiding such conflicts in the future.

!!! THANKS FOR READING !!!

Regards,

HARISH KUMAR

Knowledge is not a finite resource to hoard; it’s a boundless treasure that grows when shared.
