Skip to main content

Microsoft - How to Enable Image Display in Outlook to Track Opens

  • Updated

This article explains why Outlook may block images in SMARTFENSE emails and how to configure senders as safe to ensure correct open tracking statistics.

Why this behavior occurs

Emails sent from SMARTFENSE include a transparent tracking pixel. When the email client downloads that pixel, the platform records that the email was opened.

If Outlook blocks the automatic download of external images — a common behavior in corporate environments — the pixel is not retrieved and the open is not counted.

This behavior is not a SMARTFENSE error. It is a setting inherent to Outlook. Other actions, such as clicking a link, are recorded correctly even if images are not downloaded.

The configuration we will propose below is optional and depends on each organization. If you choose not to enable image display, when the simulation recipient clicks the link, the platform will automatically complete the open statistics.

How to identify the senders to configure

Each simulation may use a different sender address. To obtain the correct sender:

  1. Log in to the SMARTFENSE platform.
  2. Navigate to Predefined Contents.
  3. Click Preview on the desired simulation.
  4. Copy the address shown in Email Address as the sender in the Data visible to the user section.

This step must be repeated for each simulation used in campaigns, as each one may have a different sender.

The platform offers a complete list of senders used in simulation scenarios. You can view and export it from Settings > Security > Whitelist in the Senders used in simulations section.

Alternative 1: Centralized configuration via PowerShell

This option adds the sender as safe in the mailboxes of all users in the organization centrally, without requiring any action from individual users. It is the recommended alternative for environments with Exchange Online (Microsoft 365).

To execute these steps, you need an account with administrative permissions on Exchange Online.

Connecting to Exchange Online

  1. Open Windows PowerShell as administrator (right-click the Windows start icon → Windows PowerShell (Administrator)).
  2. Check if the Exchange Online module is installed:
Get-Module -ListAvailable -Name ExchangeOnlineManagement

If the module is installed go to Add sender or Remove sender depending on the action you want to perform. If the command returns no results, install it by following these steps:

  1. Run the following command to allow PowerShell scripts downloaded from the internet to be from trusted publishers. This removes restrictions necessary for remote access:
Set-ExecutionPolicy RemoteSigned
  1. Install the module:
Install-Module -Name ExchangeOnlineManagement
  1. Import the module:
Import-Module ExchangeOnlineManagement
  1. It is recommended to revert the policy restrictions to default by running the following command:
Set-ExecutionPolicy Restricted
  1. Connect to Exchange Online replacing account@yourdomain.com with your administrator account:
Connect-ExchangeOnline -UserPrincipalName account@yourdomain.com

An authentication window will open. If you have two-factor authentication enabled, you will be prompted for the verification code.

Add sender

  1. Once connected, run the command replacing sender@example.com with the sender address of the desired simulation. You obtain this data by following the steps detailed in How to identify the senders to configure.

    To apply the configuration to all user mailboxes in the organization:

$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$All | ForEach-Object {
    Set-MailboxJunkEmailConfiguration $_.Name -TrustedSendersAndDomains @{Add="sender@example.com"}
}

To apply the configuration to a single account (for example, to perform a prior test), replace Account Alias with the alias or email address of the mailbox:

Set-MailboxJunkEmailConfiguration "Account Alias" -TrustedSendersAndDomains @{Add="sender@example.com"}

If you want to add more than one simulation sender address, use a comma-separated list maintaining the quotes for each sender: @{Add="sender@example.com","sender2@example.com","sender3@example.com"}

  1. Repeat the previous step for each sender address used in your simulations.

It is normal for the script to show errors on some accounts. Distribution groups or accounts not enabled to receive emails do not support this configuration, but the script continues executing on the rest of the mailboxes.

Verify the configuration

Once the command is applied, you can confirm that the sender was added correctly in two ways:

  1. By command: replace <MailboxIdentity> with the name, alias, or email address of the mailbox you want to verify and run:
Get-MailboxJunkEmailConfiguration -Identity "<MailboxIdentity>" | Format-List trusted*,contacts*,blocked*

If the list of values is extensive, you can use this variant to see only the safe senders:

(Get-MailboxJunkEmailConfiguration -Identity "<MailboxIdentity>").TrustedSendersAndDomains

Source: Configure junk email options in Exchange Online mailboxes

The configured sender should appear in the results. You can also validate it from the email client:

  • In Outlook 2005, go to Settings > Mail > Junk Email, scroll down to the Senders section and open the Safe Senders and Domains tab. The sender should appear in that list.
  • In Outlook 2016, go to Junk Email > Junk Email Options and verify that the chosen sender is listed in the Safe Senders tab.
  • In Outlook Web, go to the three dots for more settings, then Rules > Manage rules, in the Junk Email section, verify that the sender appears in Safe senders and domains.
  1. When finished, log out:
Disconnect-ExchangeOnline -Confirm:$false

Wait for the changes to propagate and validate the result with a test simulation campaign before launching it to the entire organization.

Remove sender

  1. Perform the Connection to Exchange Online, steps 1 and 2.
  2. To remove a sender added to the list, replace sender@example.com with the address you want to remove.

For all accounts:

$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$All | ForEach-Object {
    Set-MailboxJunkEmailConfiguration $_.Name -TrustedSendersAndDomains @{Remove="sender@example.com"}
}

For a single account, replace Account Alias with the alias or email address of the mailbox:

Set-MailboxJunkEmailConfiguration "Account Alias" -TrustedSendersAndDomains @{Remove="sender@example.com"}
  1. When finished, log out:
Disconnect-ExchangeOnline -Confirm:$false

Alternative 2: Configuration via GPO (for environments with desktop Outlook)

For SMARTFENSE to correctly detect email opens, the end user must view the images in the relevant emails.

If you want SMARTFENSE emails to be displayed with their images by default and thus ensure correct collection of open statistics, it is recommended to perform the following configuration on an Outlook client:

Block or unblock automatic image downloads in classic Outlook email messages

To apply the same rule to all users in the organization, this must be done through a group policy. You can follow the steps in the following article:

Deploy junk email settings by using Group Policy

For Outlook 2016 version, the templates can be downloaded here:

💡 Best practices

  • Apply the configuration via PowerShell or GPO before starting simulation campaigns, not after detecting the problem in the statistics.
  • Always validate the result with a test campaign targeted to a small group of users.
  • Repeat the configuration each time a new simulation with a sender different from the already configured one is added.
  • Document the configured sender addresses in each instance to facilitate maintenance and avoid duplicates.
  • Keep in mind that image blocking only affects open statistics; link clicks are recorded correctly in all cases.

Related to

Related articles