Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-19

Use the Update-SafeList cmdlet to update the safelist aggregation data in Active Directory. Safelist aggregation data is used in anti-spam filtering in Microsoft Exchange Server 2010. EdgeSync replicates safelist aggregation data to computers that have the Edge Transport server role installed.


Update-SafeList -Identity <MailboxIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EnsureJunkEmailRule <SwitchParameter>] [-IncludeDomains <SwitchParameter>] [-Type <SafeSenders | SafeRecipients | Both | BlockedSenders | All>] [-WhatIf [<SwitchParameter>]]

Detailed Description

The Update-SafeList cmdlet reads the safelist aggregation data stored on a Microsoft Office Outlook user mailbox and then hashes and writes the data to the corresponding user object in Active Directory. Safelist aggregation data contains the Outlook user's Safe Senders List and Safe Recipients List.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "SafeList aggregation" entry in the Transport Permissions topic.


Parameter Required Type Description




The Identity parameter specifies the Outlook user mailbox from which you want to collect safelist aggregation data. Valid input for this parameter includes the following values:

  • GUID

  • Distinguished name (DN)

  • Domain\Account

  • User principal name (UPN)

  • LegacyExchangeDN

  • SmtpAddress

  • Alias




The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.




The EnsureJunkEmailRule parameter specifies whether to force the junk e-mail rule to be turned on for the mailbox if the rule isn't turned on already.

The junk e-mail rule can only be created after the user logs on to the mailbox. If the user has never logged on to the mailbox, this parameter can't turn on the junk e-mail rule.




The IncludeDomains parameter specifies whether to include the sender domains specified by users in Outlook in the safelist aggregation data. By default, domains specified by the senders aren't included.

In most cases, we don't recommend that you include domains because users may include the domains of large Internet service providers (ISPs), which could unintentionally provide addresses that may be used or spoofed by spammers.




The Type parameter specifies which user-generated list is updated to the user object. Valid values for this parameter are SafeSenders, SafeRecipients, and Both. The default value is SafeSenders.

In Exchange 2010, the safelist aggregation feature doesn't act on Safe Recipients List data. We don't recommend running the Type parameter with the SafeRecipients or Both values.




The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.



This example updates Safe Senders List data for the single user

Update-Safelist -Identity


This example updates safelist data for all user mailboxes in your Exchange organization. By default, the Exchange Management Shell is configured to retrieve or modify objects that reside in the domain in which the Exchange server resides. Therefore, to retrieve all the mailboxes in your Exchange organization, you must first set the scope of the Shell to the entire forest using the Set-AdServerSettings cmdlet. For more information, see Set-AdServerSettings.

Set-AdServerSettings -ViewEntireForest $true
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Update-Safelist
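
A staged version of the organization-wide update above, as an added example that is not part of the original topic: it previews with WhatIf by default and only writes to Active Directory when asked, processing one mailbox at a time so failures are recorded instead of stopping the run. The `-Apply` script switch and the variable names are assumptions made for this example; the cmdlets and their parameters are the ones named in this topic.

```powershell
# Added example (not from the original topic). Save as a .ps1 file and run it
# from the Exchange Management Shell with the permissions this topic requires.
param(
    [switch]$Apply   # hypothetical script switch: without it, nothing is written
)

# Search the whole forest, as in the topic's own example.
Set-AdServerSettings -ViewEntireForest $true

$mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)

if (-not $Apply) {
    # Preview only: WhatIf simulates the update without applying any change.
    $mailboxes | Update-SafeList -Type SafeSenders -WhatIf
    "Preview complete for {0} mailboxes. Re-run with -Apply to write the data." -f $mailboxes.Count
    return
}

$failed = @()
foreach ($mbx in $mailboxes) {
    try {
        # -Type SafeSenders: Exchange 2010 safelist aggregation doesn't act on
        #   Safe Recipients List data, so SafeRecipients and Both are avoided.
        # -IncludeDomains is deliberately omitted: user-entered domains may be
        #   large ISP domains whose addresses spammers can use or spoof.
        Update-SafeList -Identity $mbx.DistinguishedName -Type SafeSenders -ErrorAction Stop
    }
    catch {
        # Record the failure and continue with the next mailbox.
        $failed += New-Object PSObject -Property @{
            Mailbox = $mbx.DistinguishedName
            Error   = $_.Exception.Message
        }
    }
}

"{0} mailboxes processed, {1} failed." -f $mailboxes.Count, $failed.Count
if ($failed.Count -gt 0) {
    $failed | Format-Table Mailbox, Error -AutoSize -Wrap
}
```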


To activate the options to include safe domains, or to change the maximum values for the default settings, you must change the msexchangemailboxassistants.exe.config file. Specifically, the following settings and values can be changed in the appsettings section of the msexchangemailboxassistants.exe.config file:

Setting Value


The value for this setting can be True or False.


By default, the value for this setting is 15 minutes. This setting can have a value from 15 minutes through 1 day.


TestUpdateInterval is used in test environments. This setting can have a value from 10 seconds through 1 hour.






By default, the value for this setting is 500. The maximum value is 1000.

For example, the settings in the appsettings section of the msexchangemailboxassistants.exe.config file may be as follows:

	<gcConcurrent enabled="false" />
	<generatePublisherEvidence enabled="false" />

		<add key="IncludeSafeDomains" value="true" />