To ensure our phishing simulation emails are correctly delivered to users’ inboxes and that images load automatically, please apply the following configuration in your Microsoft 365 environment.
Recommendations
- Configuring third-party phishing simulations in the advanced delivery policy alone is generally not enough to make sure the phishing e-mails are delivered correctly.
- Whitelisting should only be used during a send-out, and it should be removed in between send-outs to make it as safe a process as possible.
Step 1 – Allow the domains in Defender (Anti-Spam)
1. Go to the Microsoft Defender portal.
2. Navigate to Email & Collaboration → Policies & Rules → Threat Policies → Anti-Spam
3. Open your inbound policy (e.g., “Default” or a custom one).
4. Under Allowed senders and domains, add all the domains listed for your assessment.
5. Click Save.
Step 2 – Whitelist the sender IP addresses (Anti-Spam)
1. Go to the Microsoft Defender portal.
2. Navigate to Email & Collaboration → Policies & Rules → Threat Policies → Anti-Spam
3. Add the IP addresses to the allow list:
   - In the policy details pane that opens, click Edit connection filter policy.
   - Find the box labeled "Always allow messages from the following IP addresses or address range".
   - Enter the IP addresses to whitelist:
     - 185.163.84.0/24
     - 185.163.85.0/24
4. Click Save.
Step 3 – Configure third-party phishing simulations (Advanced delivery)
1. Log in to the Microsoft 365 Defender portal with an administrator account.
2. Go to Email & collaboration > Policies & rules > Threat policies.
3. Under Rules, select Advanced delivery.
4. Select the Phishing simulation tab.
5. Click Edit to open the configuration window.
In the Edit third-party phishing simulations window, enter the following information:
- Sending Domain: The domain part of the sender's email address.
  - Based on the domain category used by the phishing template.
- Sending IP Address: The IP addresses used by the product:
  - 185.163.84.0/24
  - 185.163.85.0/24
- Simulation URLs to allow: The temporary phishing sites users will visit if they click a link.
  - Based on the domain category used by the phishing template.
(Optional) Step 4 – Create a Mail Flow Rule to Bypass Filtering (SCL = -1)
Create a rule in the Exchange Admin Center that marks our emails as trusted (SCL = -1), ensuring they do not go to junk.
1. Open Exchange Admin Center.
2. Go to Mail Flow → Rules.
3. Click + Add a rule → Create a new rule.
4. Name the rule, e.g., "Bypass PhishSim – SCL -1".
5. Under Apply this rule if, select The sender domain is, and add all domains listed above.
6. Under Do the following, select Modify the message properties → set the spam confidence level (SCL) and set value: -1.
7. Enable Stop processing more rules.
8. Click Save.
Verification: Once the rule is active, incoming emails from these domains should show an SCL value of -1 in the message trace.
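The allow-listing from Steps 1, 2 and 4 can also be applied and removed with Exchange Online PowerShell, which makes it easy to enable it only for a send-out and take it away again afterwards, as the Recommendations advise. This is an added example, not a script from Holm Security or Microsoft; it assumes the ExchangeOnlineManagement module, Exchange administrator rights, and the default anti-spam and connection filter policies, and the sender domains are placeholders to be replaced with the domains listed for your assessment.

```powershell
# Added example: apply (Enable) or remove (Disable) the phishing-simulation allow-listing.
# Assumes the ExchangeOnlineManagement module and Exchange administrator rights.
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Mode = 'Enable'
)

# Placeholders: replace with the sender domains listed for your assessment.
$SenderDomains  = @('PLACEHOLDER-domain1.example', 'PLACEHOLDER-domain2.example')
# Sender IP ranges used by the product (from this page).
$SenderIpRanges = @('185.163.84.0/24', '185.163.85.0/24')
$RuleName       = 'Bypass PhishSim - SCL -1'

Connect-ExchangeOnline -ShowBanner:$false

if ($Mode -eq 'Enable') {
    # Step 1: allowed sender domains in the default inbound anti-spam policy
    Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Add = $SenderDomains}
    # Step 2: sender IP ranges in the connection filter policy
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $SenderIpRanges}
    # Step 4: mail flow rule that sets SCL -1 for the sender domains and stops further processing
    if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $RuleName -SenderDomainIs $SenderDomains `
            -SetSCL -1 -StopRuleProcessing $true
    }
}
else {
    # Remove everything again between send-outs (see Recommendations)
    Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Remove = $SenderDomains}
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove = $SenderIpRanges}
    Remove-TransportRule -Identity $RuleName -Confirm:$false -ErrorAction SilentlyContinue
}

# Show the resulting state so the change can be checked (and recorded for audit purposes)
Get-HostedContentFilterPolicy -Identity Default | Select-Object -ExpandProperty AllowedSenderDomains
Get-HostedConnectionFilterPolicy -Identity Default | Select-Object -ExpandProperty IPAllowList
Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue | Select-Object Name, State, SetSCL

Disconnect-ExchangeOnline -Confirm:$false
```

Run it with `-Mode Enable` before a send-out and `-Mode Disable` once the send-out has completed; the output at the end lets you confirm that nothing is left allow-listed in between.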
Step 5 – Measures to ensure images are automatically shown
There are different alternatives you can work with depending on what best suits your environment.
Alternative 1 (Works in most environments):
Use PowerShell to go through every mailbox in your Microsoft 365 tenant and add the specific email addresses used by the assessment configuration to each user's Safe Senders list.
See this article for more information:
https://support.holmsecurity.com/knowledge/how-can-i-use-powershell-to-add-emails-to-users-safe-sender-list
Alternative 2:
A global policy setting that affects all incoming e-mails.
❗Security warning
No trusted domain list exists in Microsoft 365 for external content download.
This policy affects all emails, not just specific domains.
Deactivate this policy immediately after the assessment has been completed.
1. Go to https://config.office.com.
2. Sign in with an administrator account.
3. Navigate to Customization → Policy Management.
4. Create or edit a policy configuration.
5. Search for the setting “Do not download pictures automatically in HTML e-mail messages or RSS items”.
6. Set the value to “Disabled” (this allows automatic download of images).
7. Assign the policy to the user groups participating in the simulations.
Note
It can take a few hours for the policy to sync to user devices through the Office cloud policy service.