Allowlisting in Outlook

Microsoft Outlook may automatically block content or images for inbound messages from Axios HQ. Adjust your settings to allow for automatic download instead.

Image blockers, banners, and spam filters are essential for email clients to protect their users from seeing or downloading sensitive content, particularly when it’s sent from someone you don’t know.

When newsletters are sent through Axios HQ, they’re coming from someone you trust: you! Outlook may not recognize this, so certain settings need to be configured in order to teach your email client that what you’re sending is guaranteed to be safe.

Outlook has a number of ways to adjust these configurations, and many different versions, meaning settings can live in different locations. Connect with your IT team and, depending on your team’s settings, implement one or more of the techniques listed below.

Table of Contents

  1. Allowlisting & Custom Domain
  2. Where to allowlist
  3. Automatic image downloading
  4. Changes to the GPO
  5. Running a PowerShell script
  6. The Trust Center & Intune
  7. Outlook and your Custom Domain integration
  8. FAQs

1. Allowlisting & Custom Domain

Allowlisting our addresses

The first step we recommend is to allowlist our IP addresses and safe sender our domains. Everything you send from Axios HQ is coming from you, so you can automatically trust the content!

These specific addresses and domains can be found here.

Add our addresses and domains wherever they may be relevant: if you have additional spam filtration software, please allowlist in that layer as well. Common software includes Proofpoint, Mimecast, and Barracuda.

Custom Domain

🔗 Connecting a Custom Domain integration allows you to send from your domain, rather than the default noreply@axioshq.com.

📧 If you have a Custom Domain integration with Axios HQ, you will likely need to alter additional settings.

  • That process includes setting up a subdomain, frequently configured as comms.your-domain.com.
  • Your team may need to send from this subdomain. More on that below.

 


 

2. Where to allowlist

If your team plans to send from your internal domain with our Custom Domain integration, your allowlisting rules likely need to be explicit.

📝 Exchange Admin Center: Edit the Anti-Spoof Rule

Edit the Anti-Spoofing policy to allow HQ to "send from" your root domain.

  • Locate your Anti-Spoof Rules. For some versions of Outlook you may find this on the Left Sidebar: Rules → Anti Spoof Rules → Edit Condition
  • Edit any conditions on rules set to block all traffic coming from your root domain with an external IP address. This will allow messages sent from Axios HQ’s IP addresses to send messages on behalf of your team.
  • If you have a rule like this in place, (“Apply rule if sender domain is [root domain]”), include an exception for Axios HQ’s IP addresses (“DO the following EXCEPT if the message is: FROM this specific list of IP addresses.”) Include HQ’s IP addresses in this list.

🛡Microsoft Defender: Add the subdomain to the “Allowed Domains”

Add your chosen subdomain to the “Allowed Domains” list; ensure that your users are sending from an address that includes this subdomain.

  • Navigate to the “Manage Allowed Domains” section: For some versions of Outlook you may find this by navigating to: Email and Collaboration → Policies & Rules → Threat Policies → Anti-Spam Inbound Policy → Manage Allowed Domains
  • Add the subdomain to this list. This should allow anyone sending from an @[subdomain].[your-domain].com address to bypass any security rules.

⚠️ Note: This Microsoft Defender change will require all HQ users to send with the subdomain in their send-from address for every HQ message. See below for details.

 


 

3. Automatic Image Downloading

✅ If you are able to allowlist and unblock images based on IP addresses, as suggested above, your configurations will apply to every send from HQ.

🚧 If not, you may need to allowlist based on domain:

  • Safe-Senders List:
    • We recommend your team safe-sender axioshq.com for any messages coming from our team or noreply@axioshq.com.
    • You should separately allowlist the subdomain you configured, if you've set up a Custom Domain.

If your team is using a Custom Domain, your users are able to send from any address that ends in your domain.

Microsoft does not allow you to set safe-sender rules on internal domains,
so with this integration, any messages sent that end in @your-domain.com effectively bypass the suggested setting above. Because these messages are sent from an external source -- HQ -- they will not trigger the proper exceptions and will flag you anti-spam rules.

⚠️ Your team may need to set an explicit rule on the subdomain and all HQ users will be required to send with the subdomain in their send-from address for every HQ message. See below for details.
  • Review rules for sensitive names and addresses
    • Because these are commonly maliciously spoofed, some send-from names and addresses -- like that of the CEO or founder -- have extra rules preventing you from using them in your send-from fields. If your team plans to send from a notable email address, ensure there are no additional rules that may trigger warning banners.

 


 

4. Changes to the GPO

Automatic Image Downloading

💻 Microsoft’s Group Policy Object (GPO) is a virtual collection of policy settings that defines how your Microsoft system will behave for a defined group of users. Your team can make changes to your GPO to enable or disable certain fields and alter the behavior of a Microsoft application (such as Outlook) for all users.

  • 📒 With Microsoft’s Group Policy Object, you can specify which domains should be on your company’s Safe-Senders List. Adding Axios HQ to your users’ Safe-Senders List will mark us as trusted and will allow images to automatically display.
  • There is a registry key in the GPO that will force image downloads. 
    • Here is a support article on Microsoft’s website that lists the keys you will need to manipulate within your system’s registry. 
    • Please note that the key they use as an example has a placeholder that you should replace with your version of Outlook.

If you are able to allowlist based on IPs, you can find those IPs in our Allowlisting recommendations. If you can only allowlist based on domain, please allowlist the domains found in the document as well as any subdomains we have set up as part of our Custom Domain integration.

 


 

5. Running a PowerShell script

📝 A PowerShell script can be executed to make changes to all users’ machines. This is a one-time change that can be run and pushed to all existing users. We recommend leveraging the PowerShell script to -- as with the GPO -- configure the Safe-Senders List for your organization's employees.

  • If you have a cadence for running PowerShell scripts, including a piece to force image downloads for Axios HQ communications might be a simple addition!
  • This change will be pushed to all current Outlook applications. This process can take a few hours, and is often run overnight.
  • It is a one-time change. We recommend regularly running this PowerShell script to capture new employees.

External warning banner

📝 A PowerShell script can also be executed to turn off the External Warning Banner, by leveraging “Set-ExternalInOutlook -Enabled $false”

 


 

6. The Trust Center & Intune

Automatic Image Downloading

🌐 The Trust Center offers another option to unblock images, but it is more limiting: utilizing the Trust Center will allow you to make changes to Outlook’s behavior in the browser, but likely will not affect anyone using the Outlook application.

External Warning Banner

🌐 The Trust Center is the most common place that we’ve seen the [EXTERNAL] notice be toggled off.

Microsoft Intune

☁️ If your team is leveraging Microsoft Intune, we recommend adding the domains HQ uses for our assets, which can be found here. Some clients have found that unless domains like these are added to your Intune configuration, Outlook will not download the image, regardless of any email address settings.

7. Outlook and your Custom Domain integration

📨 If you are using a Custom Domain, you will likely need to include your subdomain in the send-from address of every series in your organization. Remember, the Custom Domain integration allows you send from HQ as if you were sending from your own domain, and this is precisely what anti-spam rules and software is trained to protect against.


How to configure HQ to align with Outlook's allowlisting settings

  • The send-from address should include the subdomain: example@comms.your-domain.com. This is what your recipients will see in their inbox.
  • The reply-to address would remain example@yourdomain.com. This is the address that will receive all replies.


    In the above example, the organization ACME has set up the subdomain "comms.acme.com." Every outgoing message must include "comms.acme.com" in the send-from address. 
  • You can access the send-from address settings by navigating to your series > Series Settings > General > Send-from email address

🦄 The send from address does not need to be a real, active inbox. You can set your send-from address to anything you'd like, as long as the subdomain matches the Custom Domain you've configured.

We do recommend the reply-to be an active inbox, in order to receive responses from your recipients.

 

✅ With this configuration, your series will send-from an address that includes the subdomain, which will trigger the rules and exceptions your team has configured in your anti-spam software or directly in Microsoft itself!


8. FAQs 

My version of Outlook does not support a GPO change

Organizations may not be able to force the Outlook application to use the Global Address Book as a user’s primary Contact List, which means recipients have to add the sender email to their contact lists manually

  • We have seen this behavior with the MacOS “New” Outlook Desktop

We are seeing an error that says "Images cannot be displayed"

Unlike the "click to download" image block seen above, the "images cannot be displayed" error is not a prompt to download images.

The site where these images are hosted is likely blocked by a URL protection rule. This may be in Exchange, or your anti-spam software such as Mimecast or Proofpoint.

We're seeing External warnings for some editions, but not others.

Review the send-from name and address for the editions triggering the External warnings. Are these high-profile addresses from leadership, all-staff, or the founders? If so, your IT team may have included an extra rule around spoofing a particular address.

  • Chat with your IT team to see if they can loosen restrictions on the address you would like to send from. They may need to implement additional Allowlisting rules.
  • Consider changing the send-from name or address! You can use a shortened version of a sensitive name (ex: instead of John Doe, try John D.) or a slightly different send-from address. If you're leveraging a Custom Domain with Axios HQ, you can send from john@subdomain.your-domain.com (more on that above.)