SPAM and UCE (unsolicited commercial E-mail) is the bane of the Internet and E-Mail world. After using dozens of technologies such as RBL’s, heuristics, server based and client based spam filtering, gateway based SPAM filtering, I still received close to 50 SPAM E-mails every day. The problem is not technology; the technologies I used worked really well protecting me against SPAM. The main issue is UCE, which is usually allowed by SPAM filters. And why shouldn’t it be? After all, I must have signed up for something and agreed to the myriad terms stating that I would be Ok with them selling my email address to third parties for marketing purposes.

While UCE is annoying, it’s different than SPAM in that it straddles the line of legality. It’s peddled by several E-mail sending services who use a multitude of IP address and domains, making blocking them very difficult and time consuming. So what was my solution you ask? An Exchange O365 whitelist!

After someone started sending email to an unpublished address for our help desk, I decided to implement an all-out draconian, no-prisoners taken approach to UCE. I created an Exchange rule to block all E-mail except those domain that I specifically white list. The rule is shown below.



To create the rule, open O365 or Exchange ECP and navigate to mail flow –> rules. From there:

1. Give your rule a friendly (or if you are frustrated an unfriendly) name.

2. Add the recipients (or domain/organization) to whom the rule will apply.

3. Add a polite (or snarky) reject message that nobody (save IT admins) will read.

4. Add a list of domains that you want to allow through.

The hardest part of this is to create a list of white-listed domains. I went through all my last year’s E-mail, identified the domains of vendors, clients and other business partners and I white listed the domains.

Make sure you do not white list public E-mail domains unless you want to receive E-mail from Nigerian princes. If you have individual public E-mail address to whitelist, you can add an exception and create a white list of email address in addition to the domain white list.

Since we are a business and only receive E-mail from our client’s domain, I had no need to create a white list for public E-mail addresses.

Sometimes you have a service such as a 2FA that cannot get through. Rather than calling them and spending hours to find out what the name of the sending server’s domain, it’s recommended to just open ECP and uncheck the rule to disable it.


Once you receive the E-mail and see the sender’s domain, add it to the white listed domains and re-enable the rule.


We use a contact form on our Web site to receive new vendor/client requests and requests from entities that are unknown to us. I’m happy to say that after implementing a rule-based Exchange white list, I am receiving ZERO SPAM/UCE.  If only I could find a similar solution for my phone SMS.


Leave a comment

Your email address will not be published. Required fields are marked *

error: Sorry, copy/paste is disabled
Skip to content