Lemonde
6 months ago
I would like to add a domain as a 'whitelisted' domain on Exchange Server 2019.

sirclesadmin
6 months ago

Of course! To "whitelist" a sender domain in Exchange Server 2019 (on-premises), the most effective and common method is to create a Mail Flow Rule (also known as a Transport Rule). This rule will bypass the spam filtering process for email messages originating from the specified domain.

Whitelist a Domain using a Mail Flow Rule

You will need to use the Exchange Admin Center (EAC) to create the transport rule.

  1. Log in to the Exchange Admin Center (EAC):
    • Open your web browser and navigate to your EAC URL (e.g., https://<YourServerName>/ecp).
    • Log in with your administrator credentials.

  2. Navigate to Mail Flow Rules:
    • In the left navigation pane, click on mail flow.
    • Select the rules tab.

  3. Create a New Rule:
    • Click the Add icon (+) and select Create a new rule... from the drop-down menu.

  4. Configure the Rule:
    • Name: Give the rule a descriptive name, such as "Bypass Spam Filtering for [DomainName]".
    • Click More options... at the bottom of the window to see all settings.

  5. Set the Condition:
    • For Apply this rule if..., select:
      • The sender...
      • domain is
    • In the specify domain pop-up window, type the domain you want to whitelist (e.g., trusteddomain.com).
    • Click the + sign to add it, and then click OK.

  6. Set the Action:
    • For Do the following..., select:
      • Modify the message properties...
      • set the spam confidence level (SCL) to...
    • In the specify SCL pop-up window, select Bypass spam filtering.
    • Click Save.

  7. Review and Finalize:
    • Set the Priority (a lower number means it runs earlier; usually, you want this high, like 0 or 1, to ensure it runs before other filtering rules).
    • Set Mode to Enforce.
    • Click Save to create and enable the rule.

Best Practice & Security Note

While the transport rule method is common, whitelisting entire domains can be a security risk because it bypasses all anti-spam and anti-malware checks, including for sender spoofing.

A more secure, though more involved, method is to use the Connection Filter to whitelist the sending IP address of the trusted sender:

  1. Get the Sender's IP: Obtain the public IP address(es) used by the sending domain's mail server.
  2. Navigate to Connection Filter: In the EAC, go to protection > connection filter.
  3. Edit the Default Policy: Select the Default policy and click the pencil (edit) icon to edit it.
  4. Add to IP Allow List: Under Connection filtering > IP Allow List, add the sender's IP address(es).

This ensures that only mail truly originating from the secure server IP is allowed, making it harder for spammers to spoof the whitelisted domain.

You may also find this video helpful: Whitelist a domain in Exchange Online. This video explains how to whitelist a domain using mail flow rules in Exchange Online (Microsoft 365), a similar concept to the on-premises Exchange Server 2019 transport rule.


Lemonde
6 months ago
Isn't there a way to make it whitelisted in PowerShell, as I have already done this?
sirclesadmin
6 months ago

Absolutely! Since you're already familiar with the concept of a Mail Flow Rule, the equivalent PowerShell method in Exchange Server 2019 uses the New-TransportRule and Set-TransportRule cmdlets.

This approach is faster for adding multiple domains or for bulk administration.

Whitelist a Domain using Exchange Management Shell (PowerShell)

The goal is the same as the Exchange Admin Center (EAC) method: create a Transport Rule that sets the Spam Confidence Level (SCL) to -1 for messages originating from the specified domain. An SCL of -1 means the message is considered safe and bypasses spam filtering.

1. Connect to Exchange Management Shell

Launch the Exchange Management Shell (EMS) on your Exchange 2019 server.

2. Create a New Transport Rule (Whitelist Rule)

Use the New-TransportRule cmdlet to create the whitelist rule. Replace "Trusted Domain Whitelist" with your desired rule name and "trusteddomain.com" with the actual domain you want to whitelist.

New-TransportRule -Name "Trusted Domain Whitelist" -Priority 0 -SenderDomainIs @("trusteddomain.com") -SetSCL -1 -StopProcessingRules $true

Parameter descriptions:

-Name: A descriptive name for your rule.
-Priority 0: Sets the rule to the highest priority (0 is the highest), ensuring it runs before any other filtering rules.
-SenderDomainIs: The condition: applies the rule if the sender's domain matches the one(s) specified. The domains are provided as a string array (@("domain1.com", "domain2.com")).
-SetSCL -1: The action: sets the Spam Confidence Level to -1, which is the value for Bypass Spam Filtering.
-StopProcessingRules $true: (Recommended) Ensures that once this rule is matched, no further rules (including other spam filters) are applied to the message, which is necessary for a true whitelist.

3. Adding a Domain to an Existing Rule

If you want to add a new domain to a whitelist rule you've already created (either via EAC or PowerShell), you need to retrieve the existing domains first, append the new one, and then update the rule.

  1. Define Variables for Rule Name and New Domain:
    $RuleName = "Trusted Domain Whitelist"
    $NewDomain = "anotherdomain.com"

  2. Get Existing Domains and Append the New One:
    # Wrap in @() so a rule with a single domain still yields an array, and
    # convert each entry to a string so Select-Object -Unique can compare them
    $CurrentDomains = @((Get-TransportRule $RuleName).SenderDomainIs | ForEach-Object { $_.ToString() })
    $UpdatedDomains = @(($CurrentDomains + $NewDomain) | Select-Object -Unique)

  3. Update the Rule with the Full List:
    Set-TransportRule $RuleName -SenderDomainIs $UpdatedDomains


4. Verification

To verify that your rule has been created and configured correctly, run:

Get-TransportRule "Trusted Domain Whitelist" | Format-List Name,State,Priority,Conditions,Actions

You should see the SenderDomainIs condition listing your domain(s) and the SetSCL action set to -1.


For further security best practices and to understand rule configuration in detail, this video can be helpful: How to set up email flow rules using PowerShell. This video walks through setting up mail flow rules in Exchange Online using PowerShell, which applies similar cmdlet concepts to your Exchange 2019 on-premises environment.




Lemonde
6 months ago
No, I mean add it to a whitelist within the whole spam filtering rather than as a mail flow rule.
sirclesadmin
6 months ago

That is a much more direct way to bypass the core spam filtering engine. In Exchange Server 2019, the anti-spam component that evaluates the content of a message is the Content Filter agent.

You can use the Exchange Management Shell (EMS) to add the domain to the Content Filter's Bypassed Sender Domains list. This is the direct mechanism for whitelisting at the agent level, without relying on a Transport Rule.

Whitelist a Domain in Content Filtering via PowerShell

The Content Filter agent maintains a list of senders and domains for which it will bypass content evaluation. You use the Set-ContentFilterConfig cmdlet to manage this list.

1. Check Current Bypassed Domains

First, it's essential to check the list to see what's currently there.

Get-ContentFilterConfig | Format-List BypassedSenderDomains

2. Add the New Domain to the List

The BypassedSenderDomains parameter accepts a multi-valued property, so the safest way to add a new entry without accidentally deleting the existing ones is to follow this three-step process:

  1. Retrieve the existing list of domains and save it to a variable.
  2. Add the new domain to that variable.
  3. Apply the updated list back to the configuration.

Replace "newdomain.com" with the actual domain you want to whitelist.

# 1. Retrieve the existing list as an array of strings (the property holds
#    domain objects; converting them lets Select-Object -Unique compare values)
$BypassedDomains = @((Get-ContentFilterConfig).BypassedSenderDomains | ForEach-Object { $_.ToString() })
# 2. Add the new domain to the list. The parentheses matter: written as
#    `$BypassedDomains += "newdomain.com" | Select-Object -Unique` the pipeline
#    binds only to "newdomain.com", so duplicates would never be removed.
$BypassedDomains = @(($BypassedDomains + "newdomain.com") | Select-Object -Unique)
# 3. Apply the updated list to the Content Filter configuration
Set-ContentFilterConfig -BypassedSenderDomains $BypassedDomains

3. Verification

To confirm the new domain has been successfully added, run the Get-ContentFilterConfig command again:

Get-ContentFilterConfig | Format-List BypassedSenderDomains

The output for BypassedSenderDomains should now include the domain you just added. Any mail coming from this domain will now bypass the Content Filter agent, giving it a Spam Confidence Level (SCL) of -1.

Note: For this process to work, the Content Filter agent must be installed and enabled on your Exchange Mailbox or Edge Transport server. If you receive an error, you may need to install the anti-spam agents first.
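An idempotent version of the add step above, as an added example that is not from the thread: it validates the domain, skips entries already present, and uses the `@{Add=...}` syntax that Exchange cmdlets accept for multi-valued properties so the existing list is never overwritten. It assumes an Exchange Management Shell session on a server where the Content Filter agent is installed; the function name and the validation regex are my own.

```powershell
# Added example (not from the original thread). Assumes Get-ContentFilterConfig
# succeeds, i.e. the Content Filter agent is installed on this server.
function Add-BypassedSenderDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Domain
    )

    # Normalise and validate: lowercase, no scheme/path, must look like a DNS name.
    $Domain = $Domain.Trim().ToLowerInvariant()
    if ($Domain -notmatch '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$') {
        throw "'$Domain' is not a valid sender domain."
    }

    $current = @((Get-ContentFilterConfig).BypassedSenderDomains |
        ForEach-Object { $_.ToString().ToLowerInvariant() })

    if ($current -contains $Domain) {
        Write-Verbose "$Domain is already in BypassedSenderDomains; nothing to do."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($Domain, 'Add to Content Filter BypassedSenderDomains')) {
        # @{Add=...} appends to the multi-valued property instead of replacing it,
        # so there is no need to read, append and write back the whole list.
        Set-ContentFilterConfig -BypassedSenderDomains @{Add = $Domain}

        # Read back and confirm the change actually landed before reporting success.
        $after = @((Get-ContentFilterConfig).BypassedSenderDomains |
            ForEach-Object { $_.ToString().ToLowerInvariant() })
        if ($after -notcontains $Domain) {
            throw "Failed to add $Domain to BypassedSenderDomains."
        }
        Write-Verbose "$Domain added. Bypass list now: $($after -join ', ')"
        return $true
    }
}

# Usage: preview the change first, then apply it.
Add-BypassedSenderDomain -Domain 'newdomain.com' -WhatIf
Add-BypassedSenderDomain -Domain 'newdomain.com' -Verbose
```

The same `@{Add=...}` / `@{Remove=...}` form works for BypassedSenders and for the SenderDomainIs list of a transport rule.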



Lemonde
sirclesadmin
6 months ago

Yes, it should stop them from being quarantined by the Content Filter agent.

Here is the breakdown of why this works in Exchange Server 2019:

How Content Filtering and Quarantine Relate

  1. Content Filter's Role: The Content Filter agent is responsible for scanning the message content and assigning a Spam Confidence Level (SCL) score from 0 (safest) to 9 (most suspicious).
  2. Quarantine Threshold: Exchange is configured with a specific SCL Quarantine Threshold. For example, you might set the threshold to SCL 6. Any message with an SCL of 6 or higher is sent to the quarantine mailbox.
  3. Bypassed Sender Domain Effect: When you add a domain to the BypassedSenderDomains list using Set-ContentFilterConfig:
    • The Content Filter agent skips all content inspection for messages from that domain.
    • It immediately assigns the message an SCL of -1 (Bypass spam filtering).

The Result

Since the whitelisted domain's messages are instantly given an SCL of -1, this score is much lower than the typical SCL Quarantine Threshold (e.g., SCL 6 or 7). Therefore, the message will not meet the condition for quarantine and will be delivered to the recipient's Inbox.

A Critical Caveat (Non-Spam Filtering)

The key thing to remember is that you are only bypassing the Content Filter (spam detection).

Messages can still be stopped or quarantined by other agents/rules if they trigger a detection for:

  • Malware Filter: Messages containing known malware will still be blocked or deleted by the Malware Filter agent. Whitelisting does not bypass malware scanning.
  • Connection Filter: If the sender's IP address is on your IP Block List, the Connection Filter will block the connection before the message even reaches the Content Filter.
  • Transport Rules: While you are avoiding a rule-based whitelist, any blocking or quarantine Transport Rule that you have set up with a higher priority or different condition (e.g., based on attachment type or recipient) could still intercept the message.

In summary: For messages classified as spam by the Content Filter, adding the domain to BypassedSenderDomains is the correct way to prevent them from being quarantined.
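Because this thread ends up with three separate places where a domain can skip spam filtering (SCL -1 transport rules, BypassedSenderDomains, and the IP Allow List from the first answer's security note), an admin needs a way to see them all together with the quarantine threshold they bypass. The audit below is an added example, not code from the thread: it assumes an Exchange Management Shell session, that the transport rule object exposes the SetSCL, SenderDomainIs, SenderIpRanges and StopRuleProcessing properties shown by Get-TransportRule | Format-List, and that Get-IPAllowListEntry is only available where the Connection Filtering agent runs (Edge Transport), which is why that call is wrapped in try/catch. The function name is my own.

```powershell
# Added example (not from the original thread): list every spam-filter bypass
# configured on this server next to the SCL quarantine settings, so whitelists
# can be reviewed instead of forgotten.
function Get-SpamBypassReport {
    [CmdletBinding()]
    param()

    $cf = Get-ContentFilterConfig
    $toStrings = { param($list) @($list | ForEach-Object { $_.ToString() }) }

    # Transport rules that set SCL -1 are rule-based whitelists (second answer above).
    $bypassRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            State              = $_.State
            Priority           = $_.Priority
            StopRuleProcessing = $_.StopRuleProcessing
            SenderDomains      = & $toStrings $_.SenderDomainIs
            SenderIpRanges     = & $toStrings $_.SenderIpRanges
        }
    }

    $ipAllow = @()
    try { $ipAllow = @(Get-IPAllowListEntry | Select-Object IPRange, ExpirationTime) }
    catch { Write-Verbose "Connection Filtering agent not available here: $($_.Exception.Message)" }

    [pscustomobject]@{
        TransportAgents        = Get-TransportAgent | Select-Object Identity, Enabled, Priority
        SCLQuarantineEnabled   = $cf.SCLQuarantineEnabled
        SCLQuarantineThreshold = $cf.SCLQuarantineThreshold
        BypassedSenderDomains  = & $toStrings $cf.BypassedSenderDomains
        BypassedSenders        = & $toStrings $cf.BypassedSenders
        SclMinusOneRules       = @($bypassRules)
        IPAllowListEntries     = $ipAllow
    }
}

$report = Get-SpamBypassReport -Verbose
$report | Format-List

# Rules that bypass filtering on sender domain alone (no IP condition) apply to
# anyone who forges that domain, which is the spoofing risk the first answer's
# security note describes; review each against the IP allow list approach.
$report.SclMinusOneRules |
    Where-Object { $_.SenderDomains.Count -gt 0 -and $_.SenderIpRanges.Count -eq 0 } |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' whitelists by sender domain only: $($_.SenderDomains -join ', ')" }
```

Run it after any whitelist change and keep the output with the change ticket; a domain that appears in BypassedSenderDomains and also in an SCL -1 rule is usually a sign one of the two was forgotten.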