Skip to main content

Microsoft - How to Implement Whitelist by Header in Microsoft Exchange 2013 and 2016

  • Updated

This article describes how to configure the Whitelist in Microsoft Exchange 2013 and 2016 on-premise using a custom Header, instead of SMARTFENSE IPs. Use this method when simulations arrive at your organization from IPs different from those of SMARTFENSE, typically because there is an intermediate antispam or other technology that rewrites the source IP.

If simulations arrive with SMARTFENSE’s own IPs, configure the Whitelist by IP instead of by Header. See the article Microsoft - How to Implement IP Whitelist in Microsoft Exchange 2013 and 2016.

Exchange limitation: each Header rule supports around 100 characters. The default SMARTFENSE header exceeds this limit, so it must be shortened before configuring the rules.

Verify if simulations arrive with SMARTFENSE IPs or not

Before choosing between the IP method and the Header method, verify which IP the emails are arriving from.

  1. Go to Mail flow > Message trace in Exchange.
  2. Click Start a trace.
  3. Define recipient, sender, and time range.
  4. Select the email in the list.
  5. In the detail side window, look for the More information field and check the source IP.
  6. Compare that IP with those published in your SMARTFENSE instance, under Settings > Security > Whitelist.

If the IP does not match any of SMARTFENSE’s, continue with the Header configuration described in this article.

Shorten the Header in SMARTFENSE

  1. Log in to the SMARTFENSE platform.
  2. Go to Settings > Security > Whitelist.
  3. Locate the Phishing and Ransomware email Header section.
  4. Click the Customize Header button.
  5. Paste the header into a plain text editor (e.g., Notepad) and delete characters from the end forward until it is approximately 100 characters long.
  6. Paste the shortened header back into SMARTFENSE.
  7. Click Save.

Keep the shortened header, as you will use it in the four Exchange rules.

Summary of rules to create

The four rules use exactly the same condition on the header X-PHISHINGSIMULATION with the value of the customized SMARTFENSE header.

# Rule name Header set Value
1 Bypass Clutter and junk email filtering by Header X-MS-Exchange-Organization-BypassClutter true
2 Bypass Junk Email folder X-Forefront-Antispam-Report SFV:SKI;
3 Bypass ATP Links X-MS-Exchange-Organization-SkipSafeLinksProcessing 1
4 Bypass ATP Attachments X-MS-Exchange-Organization-SkipSafeAttachmentProcessing 1

Access to create the rules

  1. Log in to the administration portal of your mail server.
  2. Go to Admin.
  3. Access the Exchange menu.
  4. Go to Mail flow > Rules.
  5. Click (+) Create new rule.
  6. Click More options.

Important: if you do not see all configuration options, click the More options link within the New rule screen. Without this option, you cannot apply several of the actions required by the following rules.

Repeat the flow for each of the four listed rules.

Rule 1 — Bypass Clutter and junk email filtering

  1. Name it Bypass Clutter and junk email filtering by Header.
  2. Under Apply this rule if…, select A message header > includes any of these words.
  3. In Enter text, type X-PHISHINGSIMULATION.
  4. In Enter words, paste the customized SMARTFENSE header.
  5. Click the large + sign to confirm the condition.
  6. Under Do the following…, select Set the spam confidence level (SCL) to… > Bypass spam filtering.
  7. Add a second action: modify the message properties > set a message header.
  8. Set the header X-MS-Exchange-Organization-BypassClutter with value true.
  9. Click Save.

Rule 2 — Bypass Junk Email folder

  1. Name it Bypass Junk Email folder.
  2. Use the same header condition (X-PHISHINGSIMULATION + customized SMARTFENSE header).
  3. In the action, set the header X-Forefront-Antispam-Report with value SFV:SKI;.
  4. Click Save.

Rules to bypass Advanced Threat Protection

We recommend waiting at least two hours for the rules to propagate to all your users. Test effectiveness with a small group before launching mass campaigns.

Rule 3 — Bypass ATP Links

  1. Name it Bypass ATP Links.
  2. Use the same header condition.
  3. Set the header X-MS-Exchange-Organization-SkipSafeLinksProcessing with value 1.
  4. Click Save.

Rule 4 — Bypass ATP Attachments

  1. Name it Bypass ATP Attachments.
  2. Use the same header condition.
  3. Set the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with value 1.
  4. Click Save.

💡 Best practices

  • Shorten the header in SMARTFENSE before creating the rules in Exchange to avoid silent errors due to excess characters.
  • Always verify with a message trace whether simulations arrive with SMARTFENSE IPs before choosing the Header method.
  • Make sure to click More options when creating each rule: without this step, several actions remain hidden and the rule is incomplete.
  • Wait at least two hours after creating the rules before testing simulations.
  • Launch a test campaign with a small group including yourself as administrator.
  • Keep the default values for the rest of the options of each rule, unless expressly indicated otherwise.
  • Document the customized header configured in SMARTFENSE so you can replicate it if rotated.

Related to

Related articles