Exchange Online Block for BCC Messages Sent to Distribution Lists

The Devil Finds Work for Idle Hands

I guess it is reasonable to expect that after more than 25 years of active development, the Exchange engineers might run short of new features to build, something that doesn’t seem to be a problem for their Teams counterparts.

Which brings me to today’s post announcing the new BccBlocked parameter added to the venerable Set-DistributionGroup cmdlet (the example in original post used -BlockBCC; trust me, that’s wrong). Apparently, the use of some distribution lists inside Microsoft forced engineers to conclude that a way was needed to reject messages addressed to a distribution list as a blind carbon-copy (BCC) recipient. The logic is that messages sent as BCCs to distribution lists bypass inbox rules created to stop these messages because the rules cannot detect BCC recipients as this information is not in message headers.

The feature is now available worldwide. It only works for Exchange Online distribution groups and isn’t available (yet) for Microsoft 365 groups.

Blocking BCC for a Distribution List

You could argue that it would have been better to enhance inbox rules to deal with BCC addresses, but developers being developers, they decided that it would be better to create an administrative block instead, which is why we now can crack open a PowerShell session, load the Exchange Online management module, and run something like:

Set-DistributionGroup -Identity "Board Reports" -BccBlocked $True

The default for distribution lists is not to block BCC, so to check the distribution lists with the BCC block, we run:

Get-DistributionGroup | ? {$_.BccBlocked -eq $True} | Ft DisplayName

DisplayName
-----------
Board Reports
The Company

Microsoft says that they plan to expose the BCC blocked option in admin centers. First in the new Exchange admin center later “this year” and probably the Microsoft 365 admin center once support is available for Microsoft 365 groups.

What Happens When a Distribution List is Blocked for BCC?

The Exchange transport system is responsible for processing all messages sent in Exchange. When a message comes in addressed to a blocked distribution list as a BCC recipient, the transport system drops the message and sends a non-delivery report (NDR) with code 5.7.138 to the sender (Figure 1).

Figure 2 shows the detail reported for a blocked BCC message by a message trace in the Exchange admin center:

The same information is available using PowerShell:

Get-MessageTrace -MessageId DB7PR04MB44105FC9811AEB90D9CA5BF18B629@DB7PR04MB4410.eurprd04.prod.outlook.com | fl

Message Trace ID  : 7b94a8cf-512d-423b-ec42-08d8efb44265
Message ID        : <DB7PR04MB44105FC9811AEB90D9CA5BF18B629@DB7PR04MB4410.eurprd04.prod.outlook.com>
Received          : 25/03/2021 17:34:36
Sender Address    : Tony.Redmond@xxxx.com
Recipient Address : boardreports@xxxx.com
From IP           : 51.171.212.129
To IP             :
Subject           : Super Important Email
Status            : Failed
Size              : 13851

Get-MessageTraceDetail -MessageTraceId 7b94a8cf-512d-423b-ec42-08d8efb44265  -RecipientAddress BoardReports@xxx.com

Date                   Event                Detail
----                   -----                ------
25/03/2021 17:34:36    Receive              Message received by: DB7PR04MB5001.eurprd04.prod.outlook.com using TLS1....
25/03/2021 17:34:36    Submit               The message was submitted.
25/03/2021 17:34:36    Fail                 Reason: [{LED=550 5.7.138 RESOLVER.GRP.BlockBcc; the group has been conf...

I’m unsure how much use that the new feature will get outside the unique scenario met in Microsoft, but it’s better to have the capability than to lack it.