Upgrading to Windows 8 Release Preview affects Outlook's safe senders list

The desire to install Windows 8 Release Preview on my PC turned up yet another factoid that I didn’t know about Exchange Online. I’m a big believer in actually using software to discover whether it’s any good and had therefore resolved to put Windows 8 RP on my work laptop, even if (as I discovered) the installation procedure couldn’t keep any settings or applications whatsoever because I had the Windows 8 Consumer Preview installed.

A reinstallation of Windows isn’t a bad thing as it can resolve all manner of lurking inconsistencies that have accumulated since the operating system was originally installed. The biggest pain is installing all the applications afterwards – building a list of everything you use from Office to Skype to different drivers, finding or downloading the kits, and locating the license keys. It all takes time.

In any case, the good news is that the Windows 8 installation procedure is pretty good at laying its code down on a PC, even a three-year old laptop like my HP EliteBook 8530w. Installing all the applications went reasonably smoothly and all devices were connected up without too much trauma. The only subsequent problem that I’ve run into was an annoying habit of Skype to seize the attention of one of the CPU cores. On a two-core laptop that means Skype takes 50% available CPU, which isn’t a good thing. Lots of other people have found the same problem and the recommendation to install an older version of Skype ( is the one I use) solves the problem. I’m sure that Skype will work out how to deal with Windows 8 in due course and then I shall let the program update itself.

It probably comes as no surprise to learn that I’m a heavy user of Office, in this case Office 2010 SP1. After reinstalling Office I found that all of my safe sender data was missing. This is irritating rather than serious because it means that you have to tell Outlook that it’s OK to display graphic-heavy messages from the many companies that feel the need to send their latest corporate marketing bumpf to me. If I don’t add their domains to my safe senders list, Outlook is sensible enough to refuse to display any graphics, which leads to some very boring messages. So over the last week or so I’ve been steadily adding domains to the safe senders list.

Then I had a “eureka” moment. At least, it seemed like one to me as I couldn’t work out why I had lost all my safe sender data as Exchange 2010 automatically aggregates this information by gathering it on a regular basis from user mailboxes and storing it as hashed values in their Active Directory accounts. Thereafter the data is available to be used for more accurate filtering of email by anti-virus or anti-spam products such as Forefront.

Hmmm… Exchange Online runs a special datacenter edition of Exchange 2010 so I couldn’t figure out why the aggregation of safe list data did not seem to have happened. If I used an on-premises server, I would run ADSIEdit and look at the hash values in Active Directory to establish whether the information was being collected there. Or I’d run the Update-Safelist cmdlet to force Exchange to process my mailbox. Neither of these steps would answer the question of where the old safe list data had gone but at least they’d reassure me that no further data would be lost. However, Exchange Online doesn’t expose this cmdlet to tenant administrators so that’s not a solution.

Fortunately a workaround, or rather another solution to the problem, exists. Exchange 2010 introduces the Set-MailboxJunkMailConfiguration cmdlet as part of an effort to expose additional user configuration options to administrative control. You can use this cmdlet to add domains and individual email addresses to a mailbox’s safe list. The good news is that the cmdlet is supported by both on-premises and cloud Exchange platforms.

Of course, it's possible that the unwary will immediately run this cmdlet to experiment to see what it actually does. They might even use a command like this to add Microsoft.com to the list of safe domains:

Set-MailboxJunkMailConfiguration -Identity TRedmond -TrustedSendersAndDomains "Microsoft.com"

This command works wonderfully, but it has the unforeseen (unless you read the documentation) side-effect of overwriting any safe list data that already exists. Overwriting the safe senders list is perfectly acceptable for new mailboxes but not if a user has spent time patiently marking domains as safe.


A better approach is to first capture any existing domains to a variable using the Get-MailboxJunkMailConfiguration cmdlet, add the new domain to the list, and then write the updated list back into the mailbox. Something like this works nicely:

$D = (Get-MailboxJunkMailConfiguration -Identity TRedmond).TrustedSendersAndDomains

$D = $D + "windowsitpro.com"

Set-MailboxJunkMailConfiguration -Identity TRedmond -TrustedSendersAndDomains $D

I'll leave it as an exercise to the PowerShell-competent readers to reduce these commands to a one-liner!
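Because anything on the safe list bypasses junk mail filtering, a scripted version of the read-merge-write sequence is worth guarding. The function below is an added example, not code from the original post: the name Add-TrustedSender and the entry-shape check are assumptions, and it expects a session where the two junk mail configuration cmdlets are available.

```powershell
# Added example: merge entries into a mailbox's safe list without overwriting it.
# Add-TrustedSender is a hypothetical helper name, not an Exchange cmdlet.
function Add-TrustedSender {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $Identity,
        [Parameter(Mandatory = $true)] [string[]] $Entry
    )

    # Capture the current list first: Set- replaces the whole property.
    $current = @((Get-MailboxJunkMailConfiguration -Identity $Identity).TrustedSendersAndDomains |
                 Where-Object { $_ } | ForEach-Object { "$_" })

    # Accept only values shaped like a domain or an SMTP address, so a typo
    # or a stray wildcard does not end up trusted. (-match ignores case.)
    $pattern = '^([^@\s]+@)?([a-z0-9-]+\.)+[a-z]{2,}$'
    $new = @()
    foreach ($e in $Entry) {
        $e = $e.Trim()
        if ($e -notmatch $pattern) {
            Write-Warning "Skipping malformed entry '$e'"
            continue
        }
        # -contains is case-insensitive, which suits domains and addresses.
        if (($current -contains $e) -or ($new -contains $e)) { continue }
        $new += $e
    }
    if ($new.Count -eq 0) { Write-Verbose 'Nothing to add'; return }

    $merged = $current + $new
    if ($PSCmdlet.ShouldProcess($Identity, "Add $($new -join ', ') to safe senders")) {
        Set-MailboxJunkMailConfiguration -Identity $Identity -TrustedSendersAndDomains $merged

        # Read the list back and confirm nothing old or new went missing.
        $after = @((Get-MailboxJunkMailConfiguration -Identity $Identity).TrustedSendersAndDomains |
                   Where-Object { $_ } | ForEach-Object { "$_" })
        $missing = @($merged | Where-Object { $after -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Warning "Not present after update: $($missing -join ', ')"
        }
        $new   # emit the entries that were actually added
    }
}

# Dry run: shows what would be written without changing the mailbox.
Add-TrustedSender -Identity TRedmond -Entry 'windowsitpro.com' -WhatIf
```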

To validate that Outlook sees the same data, we can check by viewing Safe Senders information through Outlook’s Junk Mail options.


Another thing that I discovered in this exercise is that Outlook 2011 for Macintosh doesn't handle safe senders in the same way as its PC counterpart. No surprise there, you might imagine, but I was interested to find out that Outlook 2011 for Mac won't display graphic images in messages even if the originator is added as a safe sender whereas Outlook 2010 will. Outlook 2011 for Mac seems to take a more careful course and forces users to click on a button to download images if they want to see them in messages. I prefer the way the PC client works here.

Although I still don't understand how my upgrade to Windows 8 Release Preview and the subsequent reinstallation of Office lost some safe list data (my guess is that the reinstallation of Outlook zeroized the safe sender list in some way), it's interesting to detect the varied ways that Exchange Online behaves differently to Exchange 2010, so I'm not too bent out of shape about the whole experience. I'll be keeping an eye on my safe sender list when the time comes to upgrade the PC to the final released version of Windows 8.

Incidentally, if you run into a problem where mail sent from your own address is rejected by Exchange, you might like to try the transport rule solution proposed in this blog. Seems like a nice workaround to that particular issue.

Follow Tony @12Knocksinna
