Microsoft Clamps Down on Automatic Mail Forwarding in Exchange Online

Stop Email Going Outside Exchange Online

There’s no doubt that automatically forwarding messages to an email address outside Office 365 can pose a significant risk for a business. Messages can end up in places where they shouldn’t go, including when an attack infiltrates an account and sets up forwarding on a mailbox by setting a mail forwarding address or with an inbox rule. In addition, removing email from Exchange Online compromises compliance and oversight because messages are no longer available for eDiscovery.

Various techniques exist to combat the problem, including:

These techniques work and all allow users to manually forward individual messages, but administrators must be aware of the problem caused by automatic forwarding and act to stop it. What’s different now is that Microsoft is making automatic forwarding more of an opt-in feature rather than forcing tenants to block automatic forwarding (roadmap item 63831) and make organizations more secure by default.

In some ways, it’s like the approach taken to disable basic authentication for Exchange connection protocols. Start by showing disapproval of something which contributes to insecure tenants and gradually escalate to close the hole.

Tuning Mail Forwarding in the Outbound Spam Filter Policy

A series of Office 365 notifications posted to the message center, starting with MC218984 (July) and more recently MC221113 (September), advised tenants of a change to the default outbound spam filter policy. The default outbound spam filter policy is present and active in all Exchange Online tenants.

First, Microsoft introduced automatic forwarding settings in the policy. The settings were inactive but allowed administrators to define how they wanted forwarding to happen. Tenants identified as having mailboxes with autoforwarding enabled also received notification that they had some work to do to decide how to handle these forwards. The next step was to activate the forwarding setting in the outbound spam filter policy with the Automatic (default) value behaving as On, meaning that mail forwarding worked as before.

This week, Microsoft changed the Automatic setting to Off to block mail forwarding. If you didn’t choose a different setting (possibly because you missed the notification), the Automatic setting is active. Some administrators overlooked the previous communications and were surprised when users began to report that forwarding doesn’t work. Life is full of surprises!

Mail Forwarding Settings

The available settings to govern mail forwarding (Figure 1) are:

  • Automatic: Exchange Online decides if mail forwarding is allowed or not. This is the default setting and normally means that users cannot forward email from Exchange Online mailboxes to external addresses.
  • On: Users can forward email.
  • Off: Users cannot forward email. Exchange will not change this value.
Figure 1: Automatic forwarding settings in the Exchange Online outbound spam filter policy
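The same three settings are exposed as the AutoForwardingMode property of the outbound spam filter policy in Exchange Online PowerShell. The script below is an added example, not from the article: it reports the forwarding mode of every policy and then sets the default policy to Off explicitly, so the tenant's posture no longer depends on what Microsoft decides Automatic should mean. It assumes the Exchange Online Management module is installed and that the default policy has its standard name, Default.

```powershell
# Added example (not from the article): inspect and pin the automatic forwarding
# mode on the default outbound spam filter policy. Assumes the Exchange Online
# Management module and the standard policy name "Default".
Connect-ExchangeOnline

# Show the current forwarding mode of every outbound spam filter policy.
# Values: Automatic (the service decides, now equivalent to blocking),
#         On (forwarding allowed), Off (forwarding blocked; never changed by Exchange).
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, IsDefault, AutoForwardingMode |
    Format-Table -AutoSize

# Replace Automatic with an explicit Off so a future change to the meaning of
# Automatic cannot silently alter what the tenant allows.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Verify the change took effect.
(Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode
```

Pinning the value to Off (or On, if that is the deliberate decision) is the point: a tenant left on Automatic is the one that gets surprised when the service-side default moves.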

If automatic mail forwarding is blocked, users can still configure a mail forwarding address through OWA options (which is a good reason to remove the option from OWA), but any message sent to that user is rejected by the transport service and won’t be delivered. The sender receives an NDR to let them know about the problem (Figure 2).

Figure 2: A message sent to a mailbox with forwarding configured is rejected with an NDR

The key thing for administrators to note is the NDR code: “5.7.520 Access denied. Your organization does not allow external forwarding.” Once you see this, you know a message was blocked by the outbound spam filter policy.
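Because the block acts at transport time, the owner of a forwarding mailbox never sees the 5.7.520 rejection; only senders do. Before (or after) the setting bites, an administrator therefore wants an inventory of where forwarding is configured. The script below is an added example, not from the article: it walks all user and shared mailboxes, records mailbox-level forwarding (the property that OWA options and Set-Mailbox populate) and any inbox rule that forwards, forwards as an attachment, or redirects, and flags whether each target domain is outside the tenant's accepted domains. The output path is an assumption; everything else uses standard Exchange Online cmdlets.

```powershell
# Added example (not from the article): inventory automatic forwarding across the
# tenant so affected users can be warned or added to a custom policy.
# Assumes the Exchange Online Management module; the CSV path is a placeholder.
Connect-ExchangeOnline

# Domains the tenant owns; anything else counts as external.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-SmtpFromRecipient([string]$Text) {
    # Inbox rule recipients look like: "Name" [SMTP:user@domain] for SMTP targets,
    # or "Name" [EX:/o=.../cn=...] for internal recipient objects (treated as internal).
    # Mailbox ForwardingSmtpAddress looks like: smtp:user@domain
    if ($Text -match '(?i)smtp:([^\]\s]+)') { return $Matches[1] }
    return $null
}

function Test-ExternalTarget([string]$Text) {
    $smtp = Get-SmtpFromRecipient $Text
    if (-not $smtp) { return $false }                 # EX: address = internal recipient
    $domain = ($smtp -split '@')[-1].ToLower()
    return -not ($acceptedDomains -contains $domain)
}

$report = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set by admins, or by users in OWA options).
    $target = if ($mbx.ForwardingSmtpAddress) { [string]$mbx.ForwardingSmtpAddress }
              elseif ($mbx.ForwardingAddress) { [string]$mbx.ForwardingAddress }
    if ($target) {
        $report.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'MailboxProperty'
            Target   = $target
            External = Test-ExternalTarget $target
            Detail   = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 2. Inbox rules that forward or redirect. One call per mailbox, so this is
    #    slow on large tenants; run it as a scheduled job rather than interactively.
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { [string]$_ }
        $report.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = "InboxRule: $($rule.Name)"
            Target   = $targets -join '; '
            External = [bool]($targets | Where-Object { Test-ExternalTarget $_ })
            Detail   = "Enabled=$($rule.Enabled)"
        })
    }
}

$report | Sort-Object External, Mailbox -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\ForwardingInventory.csv -NoTypeInformation   # placeholder path
```

Rows with External set to True are the ones the default policy will now reject; rows pointing at internal recipients should keep working, which is a useful check when someone reports that internal forwarding has also stopped.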

Allowing Automatic Forwarding for Specific Users

The default outbound spam policy is always active and cannot be disabled. If you want to stop mail forwarding in general and allow it for specific people, you should create a custom outbound spam filter policy and add the people and distribution lists to that policy. As you can see in Figure 3, SMTP addresses are used to specify people and distribution lists, not display names.

Figure 3: Configuring a custom outbound spam filter policy
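The custom policy and its scoping rule can also be created in PowerShell. The script below is an added example, not from the article: it creates a policy with AutoForwardingMode set to On, binds it to named users and a distribution group through a rule evaluated ahead of the default policy, and leaves the default policy at Off for everyone else. The policy name, user addresses and group address are placeholders; as Figure 3 shows, the rule wants SMTP addresses, not display names.

```powershell
# Added example (not from the article): allow automatic forwarding for a short,
# justified list of senders while the default policy keeps blocking it.
# Policy/rule name, user addresses and group address are placeholders.
Connect-ExchangeOnline

$policyName   = 'Allow External Forwarding (Approved)'                      # placeholder
$allowedUsers = @('jane.doe@example.com', 'crm-relay@example.com')           # placeholder SMTP addresses
$allowedGroup = 'forwarding-approved@example.com'                            # placeholder distribution list

# The policy carries the setting; unspecified settings inherit their defaults.
if (-not (Get-HostedOutboundSpamFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On
}

# The rule binds the policy to senders. -From takes SMTP addresses and
# -FromMemberOf the SMTP address of a group; display names are not accepted.
# Priority 0 places it ahead of any other custom rule; the default policy is
# always evaluated last and cannot be disabled.
if (-not (Get-HostedOutboundSpamFilterRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterRule -Name $policyName `
        -HostedOutboundSpamFilterPolicy $policyName `
        -From $allowedUsers `
        -FromMemberOf $allowedGroup `
        -Priority 0
}

# Everyone not matched by the rule stays blocked.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Review: the custom rule and its members, then the mode of each policy.
Get-HostedOutboundSpamFilterRule | Select-Object Name, Priority, State, From, FromMemberOf
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode
```

Using a group for -FromMemberOf keeps the approval list auditable: adding or removing a member changes who may forward without touching the policy again.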

A Good Change to End a Bad Practice

There’s not much to argue about in this change. Automatically forwarding mail to an external address is not good practice. If someone really needs to forward email to an external address, they should be able to quantify the need in terms of a business justification to be added to a custom outbound spam filter policy. I doubt that many will be able to come up with such a justification, but those who do will be able to continue while the rest of the organization remains just a little bit safer.


Need to know more about the various policies used by Exchange Online to manage mail transport? It’s all described in the Office 365 for IT Pros eBook.

17 Replies to “Microsoft Clamps Down on Automatic Mail Forwarding in Exchange Online”

  1. I definitely think this is good to be enabled by default, but it’s dumb MS didn’t allow forwarding that was set up via exch admin panel rules to not be affected by this. Thanks for the info all the same.

  2. MS have overwritten our settings, so we set this months ago to enable as we have external services which only work with forwarding.
    Lo and behold, that setting got reset.
    Which was doubly annoying as for a week it wasn’t on or off; it was some messages can be forwarded but not others with no discernible pattern.
    At least MS won’t mess with this when set via exch admin, time to go through all the service mailboxes and set them up that way, save MS resetting the setting again.

  3. It was a great idea to just go and disable email forwarding for everybody. I wasn’t receiving emails from one of my inboxes for a month, almost lost a customer. Very reliable service.

    1. Perhaps this also underlines the need to keep an eye on the changes happening in the service so that you understand the potential impact on your business?

      1. That is a snide and inappropriate answer. Microsoft sends out dozens of Office 365 announcements per week. This was buried in them. Most small and medium businesses don’t have enough IT time to process every change made. This is an extremely common pattern for use with third party services, especially customer support. Not just people who want things in the gmail inbox. Breaking changes like this should never be applied without user consent or at least very serious and repeated warnings. This was not handled appropriately in any way.

      2. Why snide? I merely report the facts. If you use a service, you need to keep an eye on what’s happening. This change is linked to a more general project to make Exchange Online secure by default and to close off holes exploited by hackers. I hold to my view that you need to keep an eye on things if you don’t want to be surprised.

  4. Our forwarding has also stopped working internally, so that if we set a forward for a user who has left to go to another internal account, nada. I thought this is only for forwarding to external accounts?

    1. That’s certainly the way it is designed to work. Is the address set up for forwarding using a domain that isn’t “owned” by Office 365?

      1. I realized after posting that this could possibly be a Mimecast level interruption so looking into that now. Thanks for the informative article.

  5. I’m surprised that disabling automatic forwarding doesn’t actually prevent users from setting up forwarding. It just silently stops email leaving or arriving at their mailbox from their perspective (leaving no way to communicate with them what’s happened). I know that users sending mail to the mailbox get a bounce back but the user with forwarding set up will never know what went wrong.

  6. So now by default, Outlook notifies the end user of their mail being forwarded even if it’s been done at an administrative level from the console. If a user is leaving and the employer wants to keep an eye on their emails this can cause an issue. IMO this should not have been done from Microsoft. I can understand it being done for OWA rule sets as this is common if your mail has been hacked for the hackers to do, however not from an admin level.
