Applies to: Exchange Server 2013

Topic Last Modified: 2012-08-21

Use the Update-SafeList cmdlet to update the safelist aggregation data in Active Directory. Safelist aggregation data is used in the built-in anti-spam filtering in Microsoft Exchange. EdgeSync replicates safelist aggregation data to Edge Transport servers in the perimeter network.


Update-SafeList -Identity <MailboxIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EnsureJunkEmailRule <SwitchParameter>] [-IncludeDomains <SwitchParameter>] [-Type <SafeSenders | SafeRecipients | Both | BlockedSenders | All>] [-WhatIf [<SwitchParameter>]]



This example updates Safe Senders List data for the single user



This example updates safelist data for all user mailboxes in your Exchange organization. By default, the Exchange Management Shell is configured to retrieve or modify objects that reside in the domain in which the Exchange server resides. Therefore, to retrieve all the mailboxes in your Exchange organization, you must first set the scope of the Shell to the entire forest using the Set-AdServerSettings cmdlet. For more information, see Set-AdServerSettings.

Set-AdServerSettings -ViewEntireForest $true
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Update-SafeList

Detailed Description

The Update-SafeList cmdlet reads the safelist aggregation data stored on a Microsoft Outlook user mailbox and then hashes and writes the data to the corresponding user object in Active Directory. The command compares the binary attribute created to any value stored on the attribute. If the two values are identical, the command doesn't update the user attribute value with the safelist aggregation data. Safelist aggregation data contains the Outlook user's Safe Senders List and Safe Recipients List.

Be mindful of the network and replication traffic that may be generated when you run the Update-SafeList cmdlet. Running the command on multiple mailboxes where safelists are heavily used may generate a significant amount of traffic. We recommend that if you run the command on multiple mailboxes, you should run the command during off-peak, non-business hours.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "SafeList aggregation" entry in the Mail Flow Permissions topic.


Parameter Required Type Description




The Identity parameter specifies the mailbox from which you want to collect safelist aggregation data.

This parameter accepts the following values:

  • Alias

    Example: JPhillips

  • Canonical DN

    Example: Atlanta.Corp.Contoso.Com/Users/JPhillips

  • Display Name

    Example: Jeff Phillips

  • Distinguished Name (DN)

    Example: CN=JPhillips,CN=Users,DC=Atlanta,DC=Corp,DC=contoso,DC=com

  • Domain\Account

    Example: Atlanta\JPhillips

  • GUID

    Example: fb456636-fe7d-4d58-9d15-5af57d0354c2

  • Immutable ID


  • Legacy Exchange DN

    Example: /o=Contoso/ou=AdministrativeGroup/cn=Recipients/cn=JPhillips

  • SMTP Address


  • User Principal Name





The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.




The EnsureJunkEmailRule parameter specifies whether to force the junk email rule to be turned on for the mailbox if the rule isn't turned on already.

The junk email rule can only be created after the user logs on to the mailbox. If the user has never logged on to the mailbox, this parameter can't turn on the junk email rule.




The IncludeDomains switch specifies whether to include the sender domains specified by users in Outlook in the safelist aggregation data. By default, domains specified by the senders aren't included.

In most cases, we don't recommend that you include domains because users may include the domains of large Internet service providers (ISPs), which could unintentionally provide addresses that may be used or spoofed by spammers.




The Type parameter specifies which user-generated list is updated to the user object. Valid values for this parameter are SafeSenders, SafeRecipients, and Both. The default value is SafeSenders.

The safelist aggregation feature doesn't act on Safe Recipients List data. We don't recommend running the Type parameter with the SafeRecipients or Both values.




The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.
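
The following script is an added example, not part of the original topic. It audits each mailbox's Safe Senders list for whole-domain entries (the risk described under IncludeDomains) and then previews the default update with WhatIf. It assumes the Exchange Management Shell and the Get-MailboxJunkEmailConfiguration cmdlet; the $BroadDomains list and the Get-SafeSenderDomainEntry helper are constructed for illustration.

```powershell
# Added example: review Safe Senders lists before deciding whether to use -IncludeDomains.
# Run in the Exchange Management Shell. To cover the whole forest, first run
# Set-AdServerSettings -ViewEntireForest $true as described in the example above.

# Constructed sample list of large mail providers; adjust for your organization.
$BroadDomains = @('gmail.com', 'outlook.com', 'yahoo.com')

function Get-SafeSenderDomainEntry {
    # Hypothetical helper: returns entries that name a whole domain (no local part).
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        if (-not $entry) { continue }
        $value = $entry.Trim().TrimStart('@').ToLowerInvariant()
        if ($value -and $value -notmatch '@') { $value }
    }
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($mbx in $mailboxes) {
    # Mailboxes that have never been logged on to may have no junk email configuration.
    $junk = Get-MailboxJunkEmailConfiguration -Identity $mbx.DistinguishedName `
                -ErrorAction SilentlyContinue
    if (-not $junk) { continue }

    $domains = @(Get-SafeSenderDomainEntry -Entries $junk.TrustedSendersAndDomains)
    $broad   = @($domains | Where-Object { $BroadDomains -contains $_ })

    [pscustomobject]@{
        Mailbox       = $mbx.PrimarySmtpAddress
        DomainEntries = $domains.Count
        BroadDomains  = $broad -join ', '
    }
}

# Mailboxes that would safelist an entire large provider if -IncludeDomains were used.
$report | Where-Object { $_.BroadDomains } | Format-Table -AutoSize

# Preview the default address-only update; nothing is written to Active Directory.
$mailboxes | Update-SafeList -Type SafeSenders -WhatIf
```

Remove the WhatIf switch to apply the update, preferably during off-peak hours as noted in the Detailed Description.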

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.