There’s no doubt that automatically forwarding messages to an email address outside Office 365 can pose a significant risk for a business. Messages can end up in places where they shouldn’t go, including when an attacker infiltrates an account and sets up forwarding on a mailbox, either by setting a mail forwarding address or with an inbox rule. In addition, removing email from Exchange Online compromises compliance and oversight because messages are no longer available for eDiscovery.
Various techniques exist to combat the problem, including:
These techniques work, and all allow users to manually forward individual messages, but administrators must be aware of the problem caused by automatic forwarding and act to stop it. What’s different now is that Microsoft is making automatic forwarding more of an opt-in feature (roadmap item 63831) rather than forcing tenants to block automatic forwarding themselves, which makes organizations more secure by default.
Tuning Mail Forwarding in the Default Anti-Spam Outbound Filter Policy
A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.
First, Microsoft introduced automatic forwarding settings for anti-spam policies. The settings were inactive but allowed administrators to define how they wanted forwarding to happen. Tenants identified as having mailboxes with autoforwarding enabled also received notification that they had some work to do to decide how to handle these forwards. The next step was to enable the forwarding setting in the default anti-spam outbound policy using On as the Automatic (default) setting, meaning that mail forwarding acted as before.
This week, Microsoft changed the Automatic setting to Off to block mail forwarding. If you didn’t choose a different setting (possibly because you missed the notification), the Automatic setting is active. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding doesn’t work. Life is full of surprises!
Mail Forwarding Settings
The available settings in anti-spam outbound policies to govern mail forwarding (Figure 1) are:
Automatic: Exchange Online decides if mail forwarding is allowed or not. This is the default setting and normally means that users cannot forward email from Exchange Online mailboxes to external addresses.
On: Users can forward email.
Off: Users cannot forward email. Exchange will not change this value.
Figure 1: Automatic forwarding settings in the Exchange Online outbound spam filter policy
If automatic mail forwarding is blocked, users can still configure a mail forwarding address through OWA options (which is a good reason to remove the option from OWA) or create an inbox rule to redirect messages to an external address. However, any message sent to that user which results in an attempted forward is rejected by the transport service and won’t be delivered. The sender receives an NDR to let them know about the problem (Figure 2).
Figure 2: A message sent to a mailbox with forwarding configured is rejected with an NDR
The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
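Because the block only takes effect at transport time, it helps to know in advance which mailboxes have external forwarding configured. The following Exchange Online PowerShell script is an added example, not code from the original article. It inventories forwarding addresses and forwarding or redirect inbox rules that point outside the tenant's accepted domains. The helper names Test-ExternalAddress and Add-Finding are hypothetical, and the script assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
# Test-ExternalAddress and Add-Finding are hypothetical helper names.

# Domains owned by the tenant; any other target domain counts as external.
$Accepted = @(Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName })
$Report   = [System.Collections.Generic.List[object]]::new()

function Test-ExternalAddress {
    param([string]$Address)
    # Accept "smtp:user@domain" as well as a bare address.
    $Domain = (($Address -replace '^smtp:', '') -split '@')[-1]
    return ($Accepted -notcontains $Domain)
}

function Add-Finding {
    param($Mailbox, [string]$Source, [string]$Target)
    $Report.Add([pscustomobject]@{
        Mailbox = $Mailbox.PrimarySmtpAddress
        Source  = $Source
        Target  = $Target
    })
}

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
foreach ($Mbx in $Mailboxes) {
    # 1. SMTP forwarding address (the value the OWA forwarding option sets).
    if ($Mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $Mbx.ForwardingSmtpAddress)) {
        Add-Finding $Mbx 'ForwardingSmtpAddress' $Mbx.ForwardingSmtpAddress
    }

    # 2. Forwarding to a directory recipient. A mail contact or mail user
    #    can itself point at an external address.
    if ($Mbx.ForwardingAddress) {
        $Recipient = Get-Recipient -Identity $Mbx.ForwardingAddress -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($Recipient.ExternalEmailAddress -and
            (Test-ExternalAddress $Recipient.ExternalEmailAddress)) {
            Add-Finding $Mbx 'ForwardingAddress' $Recipient.ExternalEmailAddress
        }
    }

    # 3. Inbox rules that forward or redirect. SMTP targets are rendered as
    #    '"Display Name" [SMTP:user@domain]'; internal recipients appear as
    #    [EX:...] entries and are skipped by the pattern below.
    $Rules = Get-InboxRule -Mailbox $Mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($Rule in $Rules) {
        $Targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($Target in ($Targets | Where-Object { $_ })) {
            if ($Target -match '\[SMTP:([^\]]+)\]' -and (Test-ExternalAddress $Matches[1])) {
                Add-Finding $Mbx "InboxRule: $($Rule.Name)" $Matches[1]
            }
        }
    }
}

$Report | Sort-Object Mailbox | Format-Table -AutoSize
```

Each mailbox in the report is one whose senders will receive the 5.7.520 NDR while forwarding is blocked, so every entry should either be cleaned up or covered by a business justification.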
Allowing Automatic Forwarding for Specific Users
The default outbound spam policy is always active and cannot be disabled. If you want to stop mail forwarding in general and allow it for specific people, you should create a custom outbound spam filter policy and add the people and distribution lists to that policy. As you can see in Figure 3, SMTP addresses are used to specify people and distribution lists, not display names.
Figure 3: Configuring a custom outbound spam filter policy
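The same configuration can be applied with Exchange Online PowerShell. This is an added example, not taken from the original article: the policy name, rule name and SMTP addresses are placeholders, and it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Names and addresses below
# are placeholders; substitute your own.

# Review the forwarding mode of every outbound spam filter policy.
Get-HostedOutboundSpamFilterPolicy |
    Format-Table Name, IsDefault, AutoForwardingMode

# Pin the default policy to Off. Unlike Automatic, this is an explicit
# choice that Exchange Online will not change.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Custom policy that permits automatic external forwarding.
New-HostedOutboundSpamFilterPolicy -Name 'Allow external forwarding' `
    -AutoForwardingMode On

# The rule scopes the custom policy to named senders by SMTP address.
# Use -FromMemberOf instead of -From to scope by distribution list.
New-HostedOutboundSpamFilterRule -Name 'Allow external forwarding' `
    -HostedOutboundSpamFilterPolicy 'Allow external forwarding' `
    -From 'service.mailbox@example.com', 'approved.user@example.com'

# Confirm the rule is enabled and check who it applies to.
Get-HostedOutboundSpamFilterRule |
    Format-Table Name, State, Priority, From, FromMemberOf
```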
A Good Change to End a Bad Practice
There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to quantify the need in terms of a business justification to be added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.
Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.
I definitely think this is good to be enabled by default, but it’s dumb MS didn’t allow forwarding that was set up via exch admin panel rules to not be affected by this. Thanks for the info all the same.
MS have overwritten our settings, so we set this months ago to enable as we have external services which only work with forwarding.
Lo and behold, that setting got reset.
Which was doubly annoying as for a week it wasn’t on or off it was some messages can be forwarded but not others with no discernible pattern.
At least MS won’t mess with this when set via exch admin, time to go through all the service mailboxes and set them up that way, save MS resetting the setting again.
Confused if this is only for cloud based mailboxes or if they can be directory synced.
It was a great idea to just go and disable email forwarding for everybody. I wasn’t receiving emails from one of my inboxes for a month, almost lost a customer. Very reliable service.
Perhaps this also underlines the need to keep an eye on the changes happening in the service so that you understand the potential impact on your business?
That is a snide and inappropriate answer. Microsoft sends out dozens of Office 365 announcements per week. This was buried in them. Most small and medium businesses don’t have enough IT time to process every change made. This is an extremely common pattern for use with third party services, especially customer support. Not just people who want things in the gmail inbox. Breaking changes like this should never be applied without user consent or at least very serious and repeated warnings. This was not handled appropriately in any way.
Why snide? I merely report the facts. If you use a service, you need to keep an eye on what’s happening. This change is linked to a more general project to make Exchange Online secure by default and to close off holes exploited by hackers. I told you my view that you need to keep an eye on things if you don’t want to be surprised.
Our forwarding has also stopped working internally, so that if we set a forward for a user who has left to go to another internal account, nada. I thought this is only for forwarding to external accounts?
That’s certainly the way it is designed to work. Is the address set up for forwarding using a domain that isn’t “owned” by Office 365?
I realized after posting that this could possibly be a Mimecast level interruption so looking into that now. Thanks for the informative article.
I’m surprised that disabling automatic forwarding doesn’t actually prevent users from setting up forwarding. It just silently stops email leaving or arriving at their mailbox from their perspective (leaving no way to communicate with them what’s happened). I know that users sending mail to the mailbox get a bounce back but the user with forwarding set up will never know what went wrong.
You can block people setting up autoforwarding in OWA: https://petri.com/stop-owa-users-autoforwarding-email
So now by default, Outlook notifies the end user of their mail being forwarded even if it’s been done at an administrative level from the console. If a user is leaving and the employer wants to keep an eye on their emails this can cause an issue. IMO this should not have been done from Microsoft. I can understand it being done for OWA rule sets as this is common if your mail has been hacked for the hackers to do, however not from an admin level.
I agree with Justin G. Any IT Admin person has over a 101 things to cover off. We’re currently snowed under with Teams. MS send out so many updates even if you read them all you are struggling to understand every nuance until it jumps up and bites you. I think disabling Auto-forwarding by default is a good idea but finding exactly where in Office 365 and Azure Admin is also a nightmare. Unlike previous where users were caught, blocked and punished! there was an alert list where you “fix” their problem and “release” them. Not so now. They’re punished for a “day” no parole allowed by MS. This setting should be more tunable.
Any idea how to retrieve the messages that were blocked from forwarding but “save a copy” was not selected. I can see that there were 35 messages that attempted to auto-forward, but I need to retrieve them, not have them lost in never never land.
Aren’t the messages not in the user mailboxes?
If not, do a content search to find out where they are. I don’t think they should have been removed completely. If data was lost, that is a serious issue.
Bigger problem, that the system does not allow me to change the settings. It keeps saying: “Sorry! We couldn’t update your organization settings for now, but we will retry it in background. Please check back later.”
Any advice? Thx
Wait for EXO to apply the setting or contact Microsoft support…
Thank you, it worked later today!
EXO? I am having the same error. I have tried different browsers but still the same error. I need to turn on email forwarding for my API to talk with my other work platforms.
Use the Allowing Automatic Forwarding for Specific Users feature in the policy to permit the account you want to use to autoforward.
You need to have appropriate privileges. I have global admin privileges but even that wasn’t enough to be able to change the setting. I had to get the user with the admin account to change it.
Same here! Why won’t it go through and save the enable forwarding function?
I have a user from another company, also in Exchange Online, where forwarding was enabled and these emails are reaching my Exchange, however all messages are being classified from my side as SPAM. Do you know if antispam in Office 365 is automatically marking these messages as SPAM because they are forwarded? Thanks!
The messages should go through EOP in the other tenant and might have been marked as spam there. You’d have to look at the headers to see what’s in there.