Overview

This guide walks you through configuring Office 365 email whitelisting for e-learning & phishing campaigns. The process involves both automated PowerShell configuration and manual DNS record updates.


(For security reasons, we as a platform do not want rights to modify Exchange Online transport rules, anti-spam policies, or email filtering configurations on customers' Office 365 tenants. We prefer PowerShell scripts that let customers keep full control over their own email security settings while achieving the same delivery results for phishing simulations.)


You can download both the Test and Deployment scripts here.


Prerequisites

Required Permissions

  • Global Administrator or Exchange Administrator role in Office 365
  • DNS Management access for your domain (through domain registrar or DNS provider)

Required Software

  • Windows PowerShell (Windows) or PowerShell Core (Mac/Linux)
  • ExchangeOnlineManagement PowerShell module
  • Text editor for script modification

Test Configuration Details

The following email addresses and servers will be whitelisted:


Part 1: Automated PowerShell Configuration

Step 1: Install Required PowerShell Module

Open PowerShell as Administrator and run:

powershell

Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

When prompted about execution policy change, type Y and press Enter.

Step 2: Download and Prepare the Script

  1. Create a new folder for the script (e.g., C:\O365-Whitelist)
  2. Copy the PowerShell script from the technical documentation
  3. Save as O365-Email-Whitelist.ps1 in your created folder
  4. Verify the file has .ps1 extension (not .ps1.txt)

Step 3: Execute the Whitelist Script

  1. Navigate to script location: 

    powershell

    cd C:\O365-Whitelist
  2. Run the script: 

    powershell

    .\O365-Email-Whitelist.ps1
  3. Authenticate when prompted with your Office 365 admin credentials
  4. Complete MFA if required by your organization


Step 4: Monitor Script Execution

The script will automatically:


✅ Create transport rules to bypass spam filtering for the specified email addresses
✅ Configure anti-spam policies to allow whitelisted senders
✅ Apply whitelisted IP addresses via the connection filter policy (not the anti-spam policy)
✅ Update Safe Links policies to exclude specified domains where possible (preset policies may show warnings)
✅ Display a configuration summary showing all emails, IPs, and exclusions


Expected Output:

✅ Transport rules created or updated successfully
✅ Anti-spam policy configuration completed
⚠️ Connection filter policy updated for IPs (default policy may already exist; duplicates are ignored)
⚠️ Safe Links policy configuration completed (some warnings are normal for preset policies)


Part 2: Manual DNS Configuration

⚠️ CRITICAL: These DNS changes must be completed manually at your DNS provider. The PowerShell script cannot automate DNS record creation.

Step 5: Update SPF Record

Location: Your domain registrar or DNS hosting provider
Record Type: TXT
Name: @ (or your domain name)

Action Required:

  1. Locate existing SPF record for your domain
  2. Modify to include the mail server IPs
  3. Update the record to include both IPs

Example SPF Record:

v=spf1 include:spf.protection.outlook.com +ip4:45.82.191.25 +ip4:141.95.84.46 -all

If no existing SPF record exists:

v=spf1 include:spf.protection.outlook.com +ip4:45.82.191.25 +ip4:141.95.84.46 -all
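
A check for the record edited in Step 5, as an added example that is not part of the platform's scripts: it flags a second v=spf1 record published instead of a merged one, confirms both IPs from the example record are present, and counts DNS-lookup terms against the limit of 10. The function name Test-SpfRecord and the sample records are constructed for illustration.

```powershell
# Added example: offline check of the SPF strings published at the domain apex.
$RequiredIps = @('45.82.191.25', '141.95.84.46')   # IPs from the example record in Step 5

function Test-SpfRecord {
    param([string[]]$TxtRecords, [string[]]$RequiredIps)
    $issues = @()
    # A domain may publish only one v=spf1 record; two or more cause a permanent error
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return @('no v=spf1 record found') }
    if ($spf.Count -gt 1) { $issues += "$($spf.Count) SPF records published; merge them into one" }

    $terms = @($spf[0] -split '\s+' | Select-Object -Skip 1)
    foreach ($ip in $RequiredIps) {
        # The "+" qualifier is the default, so "+ip4:" and "ip4:" are equivalent
        $pattern = '^\+?ip4:' + [regex]::Escape($ip) + '(/32)?$'
        if (-not @($terms -match $pattern).Count) { $issues += "missing ip4:$ip" }
    }
    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        $issues += 'missing include:spf.protection.outlook.com'
    }
    # Terms that trigger DNS lookups are limited to 10 per evaluation
    $lookupPattern = '^[+\-~?]?(include:|exists:|ptr|a([:/]|$)|mx([:/]|$))|^redirect='
    $lookups = @($terms | Where-Object { $_ -match $lookupPattern }).Count
    if ($lookups -gt 10) { $issues += "$lookups DNS-lookup terms (limit is 10)" }
    if ($terms[-1] -notmatch '^[-~]all$') { $issues += 'record does not end in -all or ~all' }
    $issues
}

# Constructed sample inputs (not real DNS answers)
$samples = [ordered]@{
    'merged record from Step 5'   = @('v=spf1 include:spf.protection.outlook.com +ip4:45.82.191.25 +ip4:141.95.84.46 -all')
    'second record added instead' = @('v=spf1 include:spf.protection.outlook.com -all',
                                      'v=spf1 ip4:45.82.191.25 ip4:141.95.84.46 -all')
}
foreach ($name in $samples.Keys) {
    $found = @(Test-SpfRecord -TxtRecords $samples[$name] -RequiredIps $RequiredIps)
    if ($found.Count) { "{0}: FAIL ({1})" -f $name, ($found -join '; ') } else { "${name}: OK" }
}

# Live lookup on Windows (joins records that DNS returns in 255-character chunks):
#   $txt = Resolve-DnsName yourdomain.com -Type TXT | ForEach-Object { $_.Strings -join '' }
#   Test-SpfRecord -TxtRecords $txt -RequiredIps $RequiredIps
```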

Step 6: Add Custom DKIM Record

Location: Your domain registrar or DNS hosting provider
Record Type: TXT
Name: lupasafescanner._domainkey
Value:

v=DKIM1;t=s;p=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

Step 7: Verify Standard Office 365 DKIM (if needed)

If your organization hasn't configured DKIM for Office 365:

  1. Run this PowerShell command to get the required CNAME records:

    powershell

    Connect-ExchangeOnline
    Get-DkimSigningConfig -Identity "yourdomain.com"
  2. Add CNAME records at your DNS provider:
    • Name: selector1._domainkey
    • Value: [Selector1CNAME from command output]
    • Name: selector2._domainkey
    • Value: [Selector2CNAME from command output]

Part 3: Configuration Verification

Step 8: Run Verification Script

  1. Use the verification script to check configuration
  2. Save verification script as verify-whitelist.ps1
  3. Execute verification: 

    powershell

    .\verify-whitelist.ps1

Step 9: Manual Verification in Exchange Admin Center

  1. Navigate to: https://admin.exchange.microsoft.com
  2. Check Transport Rules:
    • Go to Mail flow > Rules
    • Verify presence of ELearning-Test-Bypass-Spam-Filter and ELearning-Test-IP-Whitelist
  3. Check Anti-Spam Policies:
    • Go to Email & collaboration > Policies & rules > Threat policies
    • Click Anti-spam policies
    • Verify ELearning-Test-Whitelist-Policy exists

Step 10: Send Test Email

Send a test email from one of the whitelisted addresses:

  • From: phtest1@luminarywebtech.com
  • To: Your work email address
  • Subject: Whitelist Test - Should Arrive in Inbox
  • Expected Result: Email arrives in inbox (not spam folder)

Step 11: Use Message Trace

  1. Go to Exchange Admin Center > Mail flow > Message trace
  2. Search for the test email sent in Step 10
  3. Verify results:
    • SCL (Spam Confidence Level): Should be -1 (bypass)
    • Delivery Status: Delivered
    • Filter Results: Bypassed or None

Troubleshooting

Common Issues and Solutions

Issue: PowerShell script fails with "parameter not found" errors
Solution: Use the updated script version that handles newer Exchange Online parameter changes

Issue: DNS changes not taking effect
Solution: DNS propagation can take up to 48 hours. Use online DNS checker tools to verify changes

Issue: Test emails still going to spam
Solution:

  • Verify transport rules are enabled
  • Check message trace for specific filtering reasons
  • Ensure 30-minute propagation time has passed

Issue: DKIM validation failing
Solution:

  • Verify DNS TXT record syntax is correct
  • Check for extra spaces or formatting issues
  • Use DNS lookup tools to confirm record visibility

Script Error Handling

If the PowerShell script encounters errors:

  1. Check error messages carefully
  2. Verify admin permissions are sufficient
  3. Ensure Exchange Online connection is active
  4. Re-run script after addressing specific errors

Security Considerations

Important Security Notes

  • Temporary Configuration: This whitelist is intended for testing purposes
  • Remove After Testing: Disable or remove whitelist rules after phishing test completion
  • Monitor Usage: Regularly review transport rules and anti-spam policies
  • Document Changes: Keep record of all configuration changes for security audits

Rollback Procedure

To remove the whitelist configuration:

powershell

Connect-ExchangeOnline

# Remove transport rules
Remove-TransportRule -Identity "ELearning-Test-Bypass-Spam-Filter" -Confirm:$false
Remove-TransportRule -Identity "ELearning-Test-IP-Whitelist" -Confirm:$false

# Remove anti-spam policy
Remove-HostedContentFilterRule -Identity "ELearning-Test-Whitelist-Rule" -Confirm:$false
Remove-HostedContentFilterPolicy -Identity "ELearning-Test-Whitelist-Policy" -Confirm:$false
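
The commands above remove the transport rules and the anti-spam policy, but Step 4 also lists connection filter IP entries and Safe Links exclusions. The following read-only audit is an added example, not part of the platform's scripts, that reports what is still allow-listed after rollback. The function name Find-WhitelistResidue and the sample objects are constructed, and it assumes the connection filter holds the same two IPs as the SPF record; Safe Links exclusions are listed in full because this page does not name the excluded domains.

```powershell
# Added example (not the platform's script). Read-only: reports allow-list entries still present.
$Prefix  = 'ELearning-Test'                     # name prefix of the rules and policy in this guide
$TestIps = @('45.82.191.25', '141.95.84.46')    # assumption: the same IPs as in the SPF step

function Find-WhitelistResidue {
    param($TransportRules, $ContentPolicies, $ConnectionPolicies, $SafeLinksPolicies)
    $out = @()
    foreach ($r in $TransportRules) {
        # Campaign rules by name, plus any other rule that forces SCL -1
        if ($r.Name -like "$Prefix*" -or "$($r.SetSCL)" -eq '-1') {
            $out += [pscustomobject]@{ Type = 'TransportRule'; Name = $r.Name
                                       Detail = "State=$($r.State) SetSCL=$($r.SetSCL)" }
        }
    }
    foreach ($p in $ContentPolicies) {
        if ($p.Name -like "$Prefix*") {
            $out += [pscustomobject]@{ Type = 'AntiSpamPolicy'; Name = $p.Name; Detail = 'policy still exists' }
        }
    }
    foreach ($p in $ConnectionPolicies) {
        # The connection filter IP allow list is not covered by the Remove-* commands above
        $left = @($p.IPAllowList | Where-Object { $TestIps -contains "$_" })
        if ($left.Count) {
            $out += [pscustomobject]@{ Type = 'ConnectionFilter'; Name = $p.Name
                                       Detail = "IPAllowList contains $($left -join ', ')" }
        }
    }
    foreach ($p in $SafeLinksPolicies) {
        if ($p.DoNotRewriteUrls) {
            $out += [pscustomobject]@{ Type = 'SafeLinks'; Name = $p.Name
                                       Detail = "DoNotRewriteUrls: $($p.DoNotRewriteUrls -join ', ')" }
        }
    }
    $out
}

# Constructed objects standing in for cmdlet output after the rollback commands have run
$rules = @([pscustomobject]@{ Name = 'Legacy partner bypass'; State = 'Enabled'; SetSCL = -1 })
$conn  = @([pscustomobject]@{ Name = 'Default'; IPAllowList = @('45.82.191.25', '141.95.84.46', '203.0.113.10') })
$links = @([pscustomobject]@{ Name = 'Custom Safe Links'; DoNotRewriteUrls = @('example.test/*') })
Find-WhitelistResidue $rules @() $conn $links | Format-Table -AutoSize

# Live tenant, after Connect-ExchangeOnline:
#   Find-WhitelistResidue (Get-TransportRule) (Get-HostedContentFilterPolicy) `
#       (Get-HostedConnectionFilterPolicy) (Get-SafeLinksPolicy)
# Removing the IPs: Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Remove='45.82.191.25','141.95.84.46'}
```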

Summary Checklist

PowerShell Configuration (Automated)

  •  ExchangeOnlineManagement module installed
  •  Execution policy configured
  •  Whitelist script executed successfully
  •  Transport rules created
  •  Anti-spam policies configured
  •  Safe Links policies updated

DNS Configuration (Manual)

  •  SPF record updated with mail server IPs
  •  Custom DKIM record added (lupasafescanner._domainkey)
  •  Standard Office 365 DKIM records configured (if needed)
  •  DNS changes propagated (allow up to 48 hours)

Verification Steps

  •  Verification script executed
  •  Exchange Admin Center configuration confirmed
  •  Test email sent and received successfully
  •  Message trace shows bypass behavior (SCL = -1)

Time Requirements

  • PowerShell Configuration: 10-15 minutes
  • DNS Updates: 5-10 minutes (plus propagation time)
  • Verification: 10-15 minutes
  • Total Active Time: 25-40 minutes
  • Total Including Propagation: Up to 48 hours

Additional Resources

For additional support, contact the IT helpdesk with this article reference number.