Known External Senders are different from Allow List entries.
Use Known External Senders when you want to identify trusted external business partners, vendors, or service providers so users see a blue “Known External” style banner on authenticated mail from those senders.
Use an Allow List entry when you want to suppress a specific INKY warning or classification for a trusted sender, domain, subdomain, or result type.
Adding a sender as Known External does not mean all messages from that sender bypass INKY detection. INKY can still analyze the message and flag suspicious behavior, malicious links, spoofing, or other risks.
| Scenario | Recommended area to review |
| Frequent trusted vendor should appear more recognizable to users | Known External Senders |
| Users receive regular mail from a verified business partner | Known External Senders |
| A sender is incorrectly flagged as spam, phishing, or malicious | Allow List and threat category |
| A link inside the sender’s email is blocked | Link Rewriting or URL/link exception |
| A message appears to come from your own domain but was sent by a third-party service | Trusted Third-Party Senders |
| A sender fails SPF, DKIM, or DMARC | Sender authentication; Known External label may not apply |
Authentication Is Required
Known External Sender entries only apply to authenticated mail.
If a sender is listed as Known External but the blue banner does not appear, confirm the message passed authentication.
Review:
- SPF result
- DKIM result
- DMARC result
- Header From domain
- Envelope sender or Return-Path
- Actual sending service or platform
If the sender fails authentication, INKY may not show the Known External label even if the sender, domain, or subdomain is listed.
Configure Known External Senders at the Correct Tenant or Team Level
For MSP-managed environments, confirm that the Known External Sender entry was added in the correct customer/team context.
Do not assume that a Known External Sender entry created at a parent organization level will automatically apply to every customer/team. If a trusted vendor should show as Known External for a specific customer, verify that the entry exists for that customer/team.
Review this if:
- The sender is listed as Known External, but users do not see the blue banner.
- The sender works for one customer/team but not another.
- An MSP manages multiple customer tenants.
- A vendor sends legitimate mail to several customers.
- The entry was added at the organization level, but the affected users belong to a specific customer/team.
Do Not Add Your Own Domains
Do not add your own team or customer domains as Known External Senders.
Authenticated mail from team domains is handled automatically. Known External Senders should be used for external business partners, vendors, or service providers.
If a message appears to come from your own domain but was sent by an outside platform, review Trusted Third-Party Senders instead. This is common with billing systems, marketing platforms, ticketing systems, CRM systems, and other services that send on behalf of your domain.
If the Blue Banner Does Not Appear
If a Known External Sender entry was added but users do not see the expected blue banner, check the following:
- The sender address, domain, or subdomain was entered correctly.
- The sender is listed in the correct customer/team context.
- The sender passed SPF, DKIM, and DMARC.
- The message was received after the Known External Sender entry was added.
- The message is actually from the listed sender or domain.
- The message was not sent through an unexpected third-party platform.
- The message did not trigger a higher-risk INKY classification that changes the banner behavior.
- The user is part of the expected protected team or customer environment.
If the sender uses a third-party sending platform, review the message headers or EML to confirm the actual sending service.