
Outlook safe senders list is ignored for messages created via Graph API

Alex 0 Reputation points
2026-03-18T23:29:52.44+00:00

I may be misunderstanding how this is supposed to work, but I am seeing different behavior depending on how the message reaches the mailbox.

  1. When a message arrives through normal inbound mail delivery, adding the sender domain to "Safe senders and domains" in Outlook (Settings > Mail > Junk email) appears to work as expected:
    1. external images are shown automatically
    2. the “Trust sender” banner does not appear
  2. When I create the exact same message (same sender, body, etc.) through Microsoft Graph API and deliver it directly to the mailbox (Direct Mail Injection), Outlook behaves differently for what appears to be the same sender:
    • the domain is already listed in Safe senders and domains
    • but external images are still blocked
    • Outlook shows: “Some content in this message has been blocked because the sender isn't in your Safe senders list.”

One detail that may help: if I add the full sender email address to Safe senders and domains, then the Graph-created message is handled correctly. The difference only seems to be with a domain-only entry.

So the question is whether this is expected:

Does domain-level safe sender matching apply only to inbound mail?

Are messages created through Graph evaluated differently?

Should a domain entry be enough here, or is a full sender address required for this type of message?

From a user point of view, it looks like:

  • full email address safelisted → works
  • domain safelisted → works for inbound mail, but not for Graph-created mail

Thank you for your help.

Outlook | Web | Outlook on the web for business | Settings

2 answers

  1. Darren-Ng 9,635 Reputation points Microsoft External Staff Moderator
    2026-03-19T01:33:10.27+00:00

    Dear @Alex,

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on your description, adding a full sender email address to Safe senders and domains works correctly for messages created via Microsoft Graph, but adding only the sender domain works only for inbound mail. You want to confirm whether this behavior is expected, whether Graph‑created messages are evaluated differently, and whether a full sender address is required instead of a domain for this type of message.

    What you’re seeing is expected. Emails delivered through normal inbound mail flow and emails injected directly into a mailbox via Microsoft Graph can be evaluated differently, so a domain-only entry in Safe senders and domains may not be applied consistently for Graph-created messages. For Graph-injected messages, the most reliable approach is to safe-list the full sender email address, which matches your test results (address works; domain-only may not). Microsoft also notes that whether domain entries are honored can vary depending on how the service handles the message (policy verdict/action path), while specific sender addresses are more consistently honored. If you want to verify what’s actually stored for the mailbox and whether it’s in sync, Microsoft provides a Safe/Blocked Sender diagnostic tool:

    Diagnose Safe/Blocked Senders Issues in Microsoft 365

    I hope the information above meets your expectations. If it does not, please leave a comment below so I can support you more effectively.




  2. Q&A Assist
    2026-03-18T23:30:15.8933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Domain-level safe sender entries are not guaranteed to be honored for all scenarios, and behavior differs between Outlook’s client-side junk filter and Exchange Online/Exchange Online Protection.

    From the documented behavior:

    • Outlook’s Junk Email Safe Senders list can contain both email addresses and domains. Entries in this list are “never treated as junk email” by the Outlook junk filter itself, and the list is primarily designed to control spam classification, not image-download behavior.
    • In Exchange Online/Exchange Online Protection, “safe domains are not recognized by default… Only blocked domains, blocked sender addresses, and safe sender addresses are recognized.” This means domain-level safelisting is not consistently applied at the service level; only full sender addresses are reliably honored.

    Because of this design:

    • Full email addresses in Safe Senders are consistently honored.
    • Domain-only entries can behave differently depending on where and how the message is processed.
    • Messages created via Graph and injected directly into the mailbox bypass normal inbound transport and anti-spam processing paths, so they are not evaluated the same way as SMTP-delivered mail. In that path, Outlook’s image-blocking logic can end up relying on per-address trust rather than domain-level entries.

    So for the questions:

    • Domain-level safe sender matching is not a general guarantee and is not recognized by default in Exchange Online/EOP.
    • Messages created through Graph are evaluated differently from normal inbound SMTP mail.
    • For consistent behavior (including automatic external image display) with Graph-created messages, a full sender email address in the Safe Senders list is required; a domain-only entry is not sufficient or supported as a reliable mechanism.
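
An added example, not part of the thread or of Microsoft's documentation: a PowerShell audit that shows, for each sender address used for Graph-created messages, whether the mailbox's safe senders list covers it by full address or only by a domain entry, which is the case both answers describe as unreliable. `Get-SafeSenderCoverage` is a hypothetical helper, the sample entries and mailbox names are constructed placeholders, and exact-match domain comparison is an assumption.

```powershell
# Hypothetical helper (added example): classify how each sender is covered by a
# mailbox's safe senders list: by full address, by a domain entry only, or not at all.
function Get-SafeSenderCoverage {
    param(
        [AllowEmptyCollection()] [string[]] $TrustedEntries = @(),
        [Parameter(Mandatory)]   [string[]] $Senders
    )
    # Normalize entries: skip empty values, trim, lower-case, drop a leading '@'.
    $entries = @($TrustedEntries | Where-Object { $_ } |
        ForEach-Object { $_.Trim().ToLowerInvariant().TrimStart('@') })
    $addresses = @($entries | Where-Object { $_ -like '*@*' })
    $domains   = @($entries | Where-Object { $_ -notlike '*@*' })

    foreach ($sender in $Senders) {
        $address = $sender.Trim().ToLowerInvariant()
        $domain  = ($address -split '@')[-1]
        # Assumption: a domain entry is compared by exact match; subdomains are not expanded.
        if ($addresses -contains $address)  { $coverage = 'Address' }
        elseif ($domains -contains $domain) { $coverage = 'DomainOnly' }
        else                                { $coverage = 'None' }
        [pscustomobject]@{ Sender = $address; Domain = $domain; Coverage = $coverage }
    }
}

# Constructed sample data (not from the thread): one domain entry, one address entry.
$sampleEntries = 'contoso.example', 'alerts@fabrikam.example'
$sampleSenders = 'reports@contoso.example', 'alerts@fabrikam.example', 'noreply@other.example'
Get-SafeSenderCoverage -TrustedEntries $sampleEntries -Senders $sampleSenders | Format-Table

# Against a real mailbox (requires the ExchangeOnlineManagement module and an
# existing Connect-ExchangeOnline session); the mailbox name is a placeholder:
# $cfg = Get-MailboxJunkEmailConfiguration -Identity 'user@contoso.example'
# Get-SafeSenderCoverage -TrustedEntries $cfg.TrustedSendersAndDomains -Senders $sampleSenders |
#     Where-Object Coverage -ne 'Address'
#
# Following the answers above, safe-list the full address instead of relying on the domain:
# Set-MailboxJunkEmailConfiguration -Identity 'user@contoso.example' `
#     -TrustedSendersAndDomains @{Add = 'reports@contoso.example'}
```

Senders reported as `DomainOnly` are the ones to re-list by full address; an address entry also trusts less than a whole-domain entry does.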
