Exchange Online: Blocking Auto-Forward Messages to External Recipients
Background:
Every now and then, we are asked: "How do we prevent internal messages from being Auto-Forwarded to external recipients?" The question is usually followed by us reviewing a transport rule, or one of several other creative methods, that fails to stop external forwarding.
The "catch" with Auto-Forwarded messages is that you need to focus on the destination of the Auto-Forwarded message rather than the source; here, the destination is the external recipient we're trying to prevent from receiving our email. The user with the Auto-Forward configured is not considered the "sender" of the forwarded message in the transport layer. That configuration just instructs Transport on how and where to deliver a copy of each message sent to them, before the message even touches their mailbox. When you scope the rule to the original intended recipient or sender, the rule does not work as intended, because it fails to address the origin or the destination of the Auto-Forwarded message and often wrongly assumes that the intended recipient is also the source of the message.
As a result of this common confusion, below are the methods that I would use for testing and implementing this restriction in my own environment. If enough people want a deeper dive into the supporting technology, let me know in the comments and I can revise this.
Scoped Method:
Prior to implementing a global change in production, it's wise to scope it to test users initially to verify that it works as desired. Below is how to properly scope the rules.
1. Create New Rule
2. *Apply this rule if...
   1. The sender is located... "Inside the organization"
   2. The recipient is located... Put the external destination's email address or define their Contact in this field
   3. The message type is... "Auto-Forward"
3. Choose your desired action (NDR, forward, etc.); I chose to reject the message with an explanation.
Global Method:
Once you're sure that this rule is acting as intended on Auto-Forward messages destined externally, you can implement it in production by doing the following.
1. Create New Rule
2. *Apply this rule if...
   1. The sender is located... "Inside the organization"
   2. The recipient is located... "Outside the organization"
   3. The message type is... "Auto-Forward"
3. Choose your desired action (NDR, forward, etc.); I chose to reject the message with an explanation.
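The Scoped and Global rules above, expressed with the Exchange Online PowerShell New-TransportRule cmdlet. This is an added example, not part of the original post; it assumes an existing Connect-ExchangeOnline session, and the function name, rule names, reject text and test address are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-ExchangeOnline session. The function name, rule names, reject
# text and test address below are constructed placeholders.
function New-AutoForwardBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Scoped Method: one external test destination. Omit for Global Method.
        [string] $TestRecipient
    )

    # Conditions common to both methods: internal sender + Auto-Forward type.
    $rule = @{
        Name                    = $Name
        FromScope               = 'InOrganization'
        MessageTypeMatches      = 'AutoForward'
        RejectMessageReasonText = 'Auto-forwarding to external recipients is not permitted.'
    }

    if ($TestRecipient) {
        # If the address does not resolve, define it as a mail contact first,
        # as the Scoped Method step allows.
        $rule.SentTo = $TestRecipient
    }
    else {
        # Global Method: any recipient outside the organization.
        $rule.SentToScope = 'NotInOrganization'
    }

    New-TransportRule @rule
}

# 1) Scoped Method: verify against a single test destination.
New-AutoForwardBlockRule -Name 'TEST Block auto-forward (scoped)' `
    -TestRecipient 'test.recipient@example.com'

# 2) Global Method: run only after the scoped rule has rejected a test
#    forward; then retire the scoped rule.
# Remove-TransportRule -Identity 'TEST Block auto-forward (scoped)'
# New-AutoForwardBlockRule -Name 'Block external auto-forward'

# Confirm which rules match on the Auto-Forward message type.
Get-TransportRule |
    Where-Object { $_.MessageTypeMatches -eq 'AutoForward' } |
    Format-List Name, State, Mode, FromScope, SentToScope, SentTo
```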
I hope this helps
-Mitchel
Comments
- Anonymous
January 01, 2003
Thanks
- Anonymous
May 04, 2015
Great article! Thanks for taking the time to share!
- Anonymous
June 26, 2015
In my EAC, I do not see the "The message type is"...option...
- Anonymous
November 08, 2016
I have a test rule similar to this one and it doesn't appear to be acting on the messages. I have the recipient set to a specific address. I have my account forwarding set to that address and email is still flowing. Any help would be appreciated.