6.2.3 Ensure email from external senders is identified


External callouts provide a native experience to identify emails from senders outside the organization. This is achieved by presenting a new tag on emails called 'External' (the string is localized based on the client language setting) and exposing related user interface at the top of the message reading view to see and verify the real sender's email address.

Once this feature is enabled via PowerShell, it might take 24-48 hours for users to start seeing the External sender tag in email messages received from external sources (outside of your organization), providing their Outlook version supports it.

The recommended state is ExternalInOutlook set to Enabled True

Note: Mail flow rules are often used by Exchange administrators to accomplish the External email tagging by appending a tag to the front of a subject line. There are limitations to this outlined here. The preferred method in the CIS Benchmark is to use the native experience.


Tagging emails from external senders helps to inform end users about the origin of the email. This can allow them to proceed with more caution and make informed decisions when it comes to identifying spam or phishing emails.

Note: Existing emails in a user's inbox from external senders are not tagged retroactively.


Mail flow rules using external tagging will need to be disabled before enabling this to avoid duplicate [External] tags.

The Outlook desktop client is the last to receive this update and the feature is only available for certain versions see below:

Outlook for Windows: Update 4/26/23: External Tag view in Outlook for Windows (matching other clients) released to production for Current Channel and Monthly Enterprise Channel in Version 2211 for builds 15831.20190 and higher. We anticipate the External tag to reach Semi-Annual Preview Channel with Version 2308 on the September 12th 2023 public update and reach Semi-Annual Enterprise Channel with Version 2308 with the January 9th 2024 public update.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To enable external tagging using PowerShell:

Connect to Exchange online using Connect-ExchangeOnline.

Run the following PowerShell command:

Set-ExternalInOutlook -Enabled $true

Default Value:

Disabled (False)

See Also


Item Details


References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: 827c699977b376d9f5bf1aa2dd6e727a25cc1476c9372d685a98f58a20ee9ae6