Trusted External Senders

Maintain a per-organization list of trusted external senders (full SMTP addresses or whole domains) and let TATER generate an idempotent Exchange Online PowerShell script that allowlists them: it sets SCL -1 so their messages skip spam filtering, suppresses the native Outlook external-sender tag, and prepends a "verified by IT" banner. Optional org setup, found under TATER Manage → Connections → Email-to-Ticket.

Why this exists

Legitimate external mail — a partner's invoicing system, a vendor portal, a managed-service relay, the inbound mailbox that feeds email-to-ticket intake — sometimes lands in junk, gets the Outlook "External" safety tag, or trips spam scoring. Manually building and maintaining the Exchange Online transport rules and allow lists for these senders is fiddly and easy to get wrong. TATER lets an admin keep a simple list and produces a correct, repeatable script to apply it.

What the generated script does

For the senders you list, the script performs three coordinated actions:

  • Transport rule (SCL bypass + banner). Creates or updates a single TATER-managed transport rule that sets SCL -1 (skip spam filtering) for the listed addresses/domains and prepends a small "TRUSTED SENDER - verified by IT" HTML disclaimer so recipients can see the message was intentionally allowlisted. SCL -1 only exempts the message from spam scoring; Exchange Online Protection still enforces its malware and high-confidence phishing verdicts regardless of the rule.
  • External-tag suppression. Adds the trusted addresses and domains to the Set-ExternalInOutlook -AllowList, removing the native Outlook "External" tag for those senders. The allow list only has an effect when external tagging is enabled for the tenant (Set-ExternalInOutlook -Enabled $true).
  • Idempotent reconciliation. The apply script reads the current rule and allow list, merges in your desired set, and writes the union, so re-running it is safe and it never removes entries it did not add. Removal is a separate step: deleting a sender in TATER generates a matching de-trust script that removes only that entry and preserves the others.

Built-in guardrails

Trust keyed on the From address can be spoofed unless the sending domain enforces DMARC, so the script is deliberately cautious:

  • Tenant confirmation. Before any Set- or New- cmdlet runs, the script confirms the connected tenant's default accepted domain matches the expectedDomain you configured, so you can't accidentally apply one org's trust list to another tenant.
  • DMARC pre-check. For each trusted domain, the script resolves the _dmarc TXT record. If the policy is not at enforcement (p=quarantine or p=reject) or the record is absent, it emits a warning that From-only trust is spoofable for that domain (an SCL -1 allowlist would exempt a forged message from spam scoring too) and recommends scoping the transport rule by -SenderIpRanges instead, plus recording an accepted-risk decision in TATER.
  • Single managed rule. All trust lives in one named TATER rule, so it never sprawls across dozens of hand-made rules and is trivial to audit or remove.
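The following PowerShell is an added example of what an apply script with the three actions above and both guardrails looks like; it is not the script TATER generates. Assumptions: the rule name, the use of a single FromAddressMatchesPatterns condition (transport-rule conditions are ANDed, so addresses and domains go into one ORed pattern list), that Connect-ExchangeOnline has already been run as an Exchange admin, and that Resolve-DnsName (Windows DnsClient module) is available for the DMARC lookup. The sample domain and senders in the comments are constructed.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not TATER's generator output. Usage (constructed values):
#   .\Apply-TrustedSenders.ps1 -ExpectedDomain contoso.com -TrustedSenders 'billing@partner.com','partner.com'
param(
    [Parameter(Mandatory)] [string]   $ExpectedDomain,   # tenant default accepted domain
    [Parameter(Mandatory)] [string[]] $TrustedSenders,   # full addresses and/or whole domains
    [string]   $RuleName       = 'TATER Trusted External Senders',  # assumed name of the single managed rule
    [string[]] $SenderIpRanges = @()                     # optional: restrict the rule to the partner's sending IPs
)
$ErrorActionPreference = 'Stop'

# Guardrail 1: refuse to touch a tenant other than the one this list was built for.
$defaultDomain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName.ToString()
if ($defaultDomain -ne $ExpectedDomain) {
    throw "Connected tenant default domain is '$defaultDomain', expected '$ExpectedDomain'. Nothing changed."
}

$addresses     = @($TrustedSenders | Where-Object { $_ -match '@' })
$listedDomains = @($TrustedSenders | Where-Object { $_ -notmatch '@' })
$checkDomains  = @($listedDomains + ($addresses | ForEach-Object { ($_ -split '@')[1] }) | Sort-Object -Unique)

# Guardrail 2: DMARC pre-check. Only p=quarantine / p=reject counts as enforcement.
function Get-DmarcPolicy([string] $Domain) {
    try {
        $record = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'TXT' } |
                  ForEach-Object { $_.Strings -join '' } |
                  Where-Object { $_ -match '^\s*v=DMARC1' } |
                  Select-Object -First 1
    } catch { return 'absent' }
    # Anchor on ';' so the 'p=' tag is not confused with 'sp=' or 'pct='.
    if ($record -and $record -match '(?:^|;)\s*p=([a-z]+)') { return $Matches[1].ToLower() }
    return 'absent'
}
foreach ($d in $checkDomains) {
    $policy = Get-DmarcPolicy $d
    if ($policy -notin @('quarantine', 'reject')) {
        Write-Warning ("DMARC for $d is '$policy': From-only trust is spoofable. " +
                       "Scope the rule with -SenderIpRanges or record an accepted-risk decision in TATER.")
    }
}

# Action 1: one managed rule. A single FromAddressMatchesPatterns condition (patterns ORed)
# carries exact addresses and whole domains; dots are escaped so 'partner.com' stays literal.
$desired = @(
    $addresses     | ForEach-Object { '^' + [regex]::Escape($_) + '$' }
    $listedDomains | ForEach-Object { '@' + [regex]::Escape($_) + '$' }
)
$rule     = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
$existing = if ($rule) { @($rule.FromAddressMatchesPatterns | ForEach-Object { $_.ToString() }) } else { @() }
$patterns = @($existing + $desired | Sort-Object -Unique)   # union: re-running is a no-op

$banner = '<div style="border:1px solid #2e7d32;padding:4px;font-family:sans-serif;">' +
          '<b>TRUSTED SENDER - verified by IT</b></div>'
$ruleParams = @{
    FromAddressMatchesPatterns        = $patterns
    SetSCL                            = -1          # skip spam filtering for matching senders
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    Comments                          = 'Managed by TATER; do not edit by hand.'
}
if ($SenderIpRanges.Count -gt 0) { $ruleParams.SenderIpRanges = $SenderIpRanges }
if ($rule) { Set-TransportRule -Identity $RuleName @ruleParams }
else       { New-TransportRule -Name     $RuleName @ruleParams }

# Action 2: suppress the Outlook "External" tag. AllowList accepts addresses and domains;
# the full union is written back so nothing already allowed is dropped.
$tagConfig = Get-ExternalInOutlook
if (-not $tagConfig.Enabled) { Write-Warning 'External tagging is disabled; the allow list has no visible effect.' }
$allow = @($tagConfig.AllowList | ForEach-Object { $_.ToString() })
$allow = @($allow + $addresses + $listedDomains | Sort-Object -Unique)
Set-ExternalInOutlook -AllowList $allow
```

The matching de-trust script is the mirror image: read the rule's patterns and the allow list, subtract only the removed entry's pattern and value, and write the remainder back with Set-TransportRule and Set-ExternalInOutlook, again after the tenant check.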

Setting it up

  1. In TATER Manage → Connections → Email-to-Ticket, open the Trusted External Senders card.
  2. Set the expected domain (your tenant's primary domain) — this is the safety check the script verifies before applying anything.
  3. Add each trusted sender as a full SMTP address (billing@partner.com) or a whole domain (partner.com).
  4. Click Generate script, review it, then run it in an Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) as an Exchange admin. Re-run any time the list changes; it's idempotent.
  5. Removing a sender in TATER produces a matching de-trust script so you can keep Exchange in sync.

API & MCP

  • GET /api/trusted-senders — list the org's trusted senders + expected domain.
  • POST /api/trusted-senders — add or update a sender (Admin).
  • DELETE /api/trusted-senders/{value} — remove a sender; returns the de-trust script for the removed entry (Admin).
  • POST /api/trusted-senders/script — generate the full apply script for the current list.

The same lifecycle is exposed through MCP so an agent can maintain the list and hand you the script from a chat session. Trusted-sender writes require the Admin role.

Related

  • Email-to-Ticket Intake — the inbound mailbox feature that most commonly needs a trusted relay/scanner allowlisted.
  • TATER Manage — where the Connections / Email-to-Ticket configuration lives.

Last updated: 2026-06-12. ADO #624.