Marking External Email with an Exchange Transport Rule

Helping Exchange Protect Users from Bad Email

Given the amount of spam floating around today, it comes as no surprise that many organizations deploy an Exchange transport rule to mark inbound external email with a suitable warning. This is a straightforward rule to configure and it can help stop users being fooled by bad messages that get past the array of checks used by Exchange Online Protection to detect and suppress spam. Even the best anti-spam defense is sometimes fooled by a phishing attempt (at times, you wonder how some “amateur night at the races” phish attempts manage to get through).

Visual Marking to Help Users

The usual approach is to add two visual markings to external messages so that the risk that can come with external email is obvious at a glance. The first marking is a disclaimer placed at the top of the message body; the second is a prefix added to the message subject. In the rule below, some HTML text is used to compose the disclaimer while a simple “#External:” prefix is used for the message subject.

Configuring a transport rule to mark external email

Refining the Rule

Exchange applies the rule to any message sent from an external domain to a recipient within the organization. You can get pretty creative with the conditions that cause a rule to fire with the aim of only applying marking to messages that deserve to be treated with some caution. For instance, you could add a condition so that the rule only fires if the message has a Spam Confidence Level (SCL) higher than 1. This means that any message that came through Exchange Online Protection’s spam checking with an SCL of 0 or 1 (which says it definitely isn’t spam) would not be marked. Exchange Online delivers messages with an SCL of 5 or higher to users’ Junk Email folders. Bear in mind that messages which skip spam filtering altogether (for example, because a connector or allow list bypasses it) carry an SCL of -1, so they would escape marking too; decide whether that is what you want before relying on an SCL condition. Also remember that all conditions in a single rule must be true for the rule to fire, so each condition you add narrows the set of messages that get marked.

You could also look for a value in a message header and use it to decide whether to apply marking. For instance, you might decide to mark all messages that don’t pass DMARC checking (look in the Authentication-Results header stamped by Exchange Online Protection for dmarc=none or dmarc=fail). Note that dmarc=none means the sending domain publishes no DMARC policy rather than that the check failed, so a rule that treats dmarc=none as suspect will mark a great deal of legitimate mail.

The Message Header Analyzer tool is very useful when reviewing message headers to decide which header to use and what value to look for. This is an add-in that you can load into Outlook (and OWA) to run against messages in your mailbox.

Adding Exceptions

As in the case of rules that add disclaimer text or auto-signatures to outbound messages, I usually add some exceptions to the rule. The first exception stops Exchange applying the rule to messages where the #External: prefix already exists in the subject. The logic here is that if someone is involved in a messaging thread, they’ve made the decision that it’s safe to do so and don’t need to be reminded for each reply. The obvious weakness is that anyone can put that prefix in a subject line, so an attacker who includes “#External:” in the subject of a new message gets the exception (and no body disclaimer) for free; keep that in mind when deciding how much weight users should give to the marking.

The second exception is not to apply the marking for well-known domains. The exact list of these domains will differ from organization to organization but is likely to include important partners and trusted companies, like petri.com and microsoft.com as shown in the example. You could also add onmicrosoft.com to exclude Office 365 tenants that use their service domains for email. However, some spammers have used Office 365 tenants in the past, so this exclusion comes with some risk. Because the domain check is made against the sender’s address, a message whose From address is spoofed to a trusted domain also receives the exception, so this exception relies on EOP’s spoof and DMARC checks having caught the spoof before the rule runs.

Using exceptions and refining the rule so that not all inbound email is marked has two effects. First, it means that marked messages carry a meaning that they won’t have if every inbound message is marked. Second, it stops users complaining when perfectly legitimate business communications are marked. You wouldn’t paste a great big warning label across every parcel that comes into the company by post, so there’s no need to warn about every message coming into your tenant.
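The rule described above, created from Exchange Online PowerShell rather than the EAC, as an added example (this is not the rule from the article and not Tony’s configuration). It assumes Connect-ExchangeOnline has already been run; the rule name, the disclaimer wording, the image URL (https://example.com/warn.png) and the trusted-domain list are placeholders, and the rule starts in Audit mode so nothing is changed for users until you switch it to Enforce.

```powershell
# Added example: create the external-mail marking rule with the base condition
# (sent from outside the organization to someone inside it), the two exceptions
# discussed above, and the two marking actions. Assumes Connect-ExchangeOnline
# has run. All names, wording, domains and the image URL are placeholders.

$ruleName = 'Mark External Email'

# HTML inserted at the top of the body. The image is fetched by the recipient's
# mail client, not by Exchange, so host it somewhere those clients can reach.
$disclaimer = @"
<table style="border:1px solid #c00000; background:#fff4f4; padding:6px; font-family:Arial; font-size:12px">
<tr>
<td><img src="https://example.com/warn.png" width="25" height="25" alt="Warning"></td>
<td><b>External message:</b> this mail arrived from outside the organization.
Treat links and attachments with caution unless you trust the sender.</td>
</tr>
</table>
<br>
"@

# Domains whose mail should not be marked. Keep this list short and review it:
# every entry is a domain whose mail bypasses the warning entirely.
$trustedDomains = 'petri.com', 'microsoft.com'

New-TransportRule -Name $ruleName `
    -Comments 'Prefix subject and prepend an HTML warning on inbound external mail' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords '#External:' `
    -ExceptIfSenderDomainIs $trustedDomains `
    -PrependSubject '#External:' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit

# Optional refinement: only fire when EOP's DMARC check did not pass. Conditions
# in one rule are ANDed, so this narrows the rule rather than widening it.
# HeaderMatchesPatterns takes a regular expression. An alternative single
# condition is -SCLOver 1 (mark only messages EOP scored as possibly spam).
Set-TransportRule -Identity $ruleName `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=(fail|none)'
```

Audit mode lets you confirm which messages the rule would touch before users see any marking; switch to `-Mode Enforce` with Set-TransportRule once you are happy. Whether Exchange Online accepts a trailing space after the prefix in `-PrependSubject` is not something this example settles, so it uses the prefix without one.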

Composing HTML Marking

Most email is in HTML format today, so it makes sense to compose the marking in HTML. You might be fluent in HTML, but I am not, so I used the online HTML editor to compose the text and then cut and pasted the HTML into the EAC rule editor.

I also added a small (25 x 25 pixel) graphic to make the marking more visually interesting. All you need is a small graphic file located on a web site that can be reached by the email clients that will display the message: the HTML references the image by URL and it is the client, not Exchange, that fetches it. Clients that block remote images until the user allows them (Outlook does this by default for senders outside the safe lists) will show the text without the icon, so the wording must carry the warning on its own. The HTML I ended up with is:

The Rule

The important parts of the rule (as returned by the Get-TransportRule cmdlet) are shown below:
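An added example (not the output from the article) of reviewing the rule’s conditions, exceptions and actions with Get-TransportRule, and of the routine maintenance task that follows: adding a domain to the exception list. It assumes Connect-ExchangeOnline has run and a rule named 'Mark External Email' exists; the rule name and partner.example are placeholders.

```powershell
# Added example: inspect the parts of the marking rule that matter for review,
# add a trusted domain without losing the existing ones, then enforce the rule.
# Assumes Connect-ExchangeOnline has run; names and domains are placeholders.

$ruleName = 'Mark External Email'

$rule = Get-TransportRule -Identity $ruleName

# Get-TransportRule exposes each condition, exception and action as a property
# named after the matching New-TransportRule parameter.
$rule | Format-List Name, State, Mode, Priority, FromScope, SentToScope,
    ExceptIfSubjectContainsWords, ExceptIfSenderDomainIs,
    HeaderMatchesMessageHeader, HeaderMatchesPatterns, SCLOver,
    PrependSubject, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction

# Set-TransportRule replaces a multi-valued parameter wholesale, so read the
# current list, append the new domain, de-duplicate, and write the whole list back.
$newDomain = 'partner.example'
$domains = @(@($rule.ExceptIfSenderDomainIs) + $newDomain | Sort-Object -Unique)
Set-TransportRule -Identity $ruleName -ExceptIfSenderDomainIs $domains

# Confirm the change took.
(Get-TransportRule -Identity $ruleName).ExceptIfSenderDomainIs

# Once audit results look right, enforce the rule. Expect a delay before the
# change is active everywhere because rules are cached on the transport servers.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Passing the existing list plus the new entry is the important habit here: running `Set-TransportRule -ExceptIfSenderDomainIs 'partner.example'` on its own would silently drop petri.com, microsoft.com and every other domain already in the exception.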

The Visual Effect

The visual marking for the message body is shown below. Of course, the danger always exists that users will become used to the warning and ignore it over time, so it might be good to change the wording, color, or images from time to time.

The Visual Marking applied by an Exchange transport rule to an inbound message

Remember to check that the marking shows up well on all email clients in use, including mobile devices. Test a plain-text message as well as an HTML one, and note that Exchange cannot insert text into the body of a signed or encrypted message; the rule’s fallback action (Wrap, Ignore, or Reject) decides what happens to those. Also, any change to an Exchange Online transport rule takes some time to be effective within a tenant due to rule caching and the need to update multiple servers.

Markings Only Warn

The best and most obvious markings that a message might be suspect can and will be ignored by human beings. That sober recognition of what people are capable of might discourage you from adding marking rules, but that’s no reason not to go ahead and use this technique. After all, if it stops one person being phished, it’s worthwhile.


Need more help with Exchange transport rules? Look no further than Chapter 17 of the Office 365 for IT Pros eBook. It’s packed full of useful information about email processing and anti-malware techniques.


4 Replies to “Marking External Email with an Exchange Transport Rule”

  1. Tony, is this line correct? “This means that any message that came through Exchange Online Protection’s spam checking with an SCL that says it definitely isn’t spam would be marked.” Shouldn’t it say “would not be marked”?

  2. Another question for clarification: the text says “… while a simple “#External:” prefix is used for the message subject” … but the screenshot looks like it has a trailing space, as in ‘#External: ’. When I tried this yesterday, Exchange Online said I couldn’t have a trailing space – how did you pull that off?
