How to Use an Exchange Mail Flow Rule to BCC Messages

Posted on by Tony Redmond

Use a Mail Flow Rule BCC All Messages Matching Rule Criteria to Another Recipient

Sometimes when I am at a loss for a topic to write about, I look at the Microsoft Technical Community forums to see what’s going on there. Which brought me to the following question:

“My boss needs all my outgoing emails to have him BCC’d onto them. If I don’t have an automated BCC to all emails I compose, reply to and forward, I know there’ll be message I forget to add him to.”

On the surface, you might wonder why a manager would want to be a BCC recipient on all outgoing messages for their employees. It’s a kind of big brother supervision technique. However, there is value in automatically copying messages. For instance, you might want to send copies to:

  • A central CRM system to track customer engagement.
  • A shared mailbox (or Microsoft 365 group) so that other team members can see customer queries and other interactions.
  • An external system to index and archive messages.

I’m sure other reasons exist. The point is that the ability to copy messages to a destination automatically without user intervention or knowledge is a reasonable request.

Available Methods

The potential methods available to solve the problem include:

  • Inbox rules. Apart from the fact that the rules wizard doesn’t support BCC copying (this can be done using Visual Basic for applications), an obvious problem is that the user can see the inbox rules and can remove the rules without administrator knowledge.
  • Third-party tools. Although effective, third party tools might only cover certain email clients (and specific software versions) and probably incur cost for purchase and support.
  • Transport (mail flow) rules. This method is the only one that you can guarantee will process messages sent by all email clients. The downside is that an administrator must configure the rule. However, if the rule settings are flexible, this should be a one-time operation.

Mail Flow Rule BCC is Best Option

Overall, mail flow (transport) rules are the best solution. They’re part of Exchange Online so don’t cost anything, and they cover all bases.

The basic outline for the rule is very simple:

  • Look for messages sent by a specific user.
  • Copy those messages to a BCC recipient.

I recommend using a distribution list to identify the originators of messages to be copied. This allows the rule to cover multiple users and means that administrators don’t need to update the rule when people leave the organization. The responsibility for maintaining the distribution list can be given to the manager, who can update list members through Outlook or OWA.

The same logic appears to hold for the BCC recipient, and it would be nice to use a distribution list here. Unhappily, that transport rules don’t support using a distribution list or Microsoft 365 group as the target for BCC copies. However, transport rules do support shared mailboxes as BCC targets, and shared mailboxes offer some advantages over copying messages to the manager’s mailbox.

  • The manager can open the shared mailbox using OWA, Outlook, and Outlook mobile and a clear separation exists between BCC messages and normal email traffic delivered to the manager’s mailbox.
  • If the manager moves to another position, they can hand the shared mailbox over to their replacement.

If you decide to use a shared mailbox, make sure to assign the manager full access to the mailbox. With this permission, they’ll be able to open the shared mailbox as a shared folder in OWA. Outlook desktop detects the presence of the full access permission and will add the shared mailbox to the set of resources it opens automatically.

So much for the theory, let’s create the rule.

Creating and Refining the Mail Flow Rule BCC

Mail Flow rules are managed through the Rules section under Mail flow in the Exchange Online admin center. When you create the rule, use the send messages and save a copy for review template. This presents a simplified version of the creation UI appropriate for a send and capture rule. In Figure 1, I’ve selected to:

  • Apply the rule if the sender is a member of the BCC Employees distribution list; and
  • Bcc the message to the BCC Destinations recipient (shared mailbox). Any valid email address will work as the BCC recipient and you can enter several addresses for different types of recipients.

Editing the Automatic BCC transport rule
Figure 1: Editing the Automatic BCC transport rule

Setting the rule to Enforce causes the Exchange transport system to apply the rule. Because of the way Exchange Online spreads mailboxes in an Microsoft 365 tenant over several mailbox servers, it can take up to 30 minutes before the new rule is distributed and becomes effective on all servers. The same interval occurs for rule changes, so build this time into your testing regime.

When the mail flow rule is effective, the Exchange transport system copies all messages sent by anyone in the monitored distribution list to the BCC recipient. Figure 2 shows the shared mailbox following the arrival of some BCC messages. The BCC Destinations shared mailbox looks like any other mailbox in the set of resources available to the manager, making this a convenient way to monitor inbound traffic generated by employees.

Figure 2: BCC messages copied to a shared mailbox by a transport rule

In passing, you’ll note the use of plus addressing to identify email coming from a specific source in the copied message shown in Figure 2.

The Need for Exceptions

Although everything works, the problem is that the manager could spend a lot of time reviewing email that they don’t need to. For example, if the employee sends a personal message, should the manager see that email? This is an issue that organization culture, HR processes, the need to respect privacy, and employee sentiment all influence. An organization might decide that employees should not use email for personal reasons, but that’s hard in today’s always connected world.

We can improve the transport rule by building in an exception to allow the employee to mark email as personal. For instance, the rule could allow any email with a certain word in the message subject to pass without being copied. To prove the point, I added an exception to the transport rule to allow users to mark private email by including P: in the subject (Figure 3).

Adding an exception to the transport rule
Figure 3: Adding an exception to the transport rule

Mail Flow Rule BCC Works But…

The mail flow rule works, but I wonder if it’s a good use of management time to review every message sent by users. A better solution might be a mail flow rule which checks for specific words or phrases (like “quotation” or “purchase”) in email and BCCs those messages. In any case, the technology works and it’s available in all Exchange Online plans.

Learn about maximizing the use of Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s importance and how best to protect your tenant.

8 Replies to “How to Use an Exchange Mail Flow Rule to BCC Messages”

  1. Pingback: [m365weekly] #53 - M365 Weekly Newsletter
  2. Pingback: Exchange Online Transport Rule and Regex | The Hornet's Nest

  3. This works as expected if the messages are not encrypted. Were you able to get it to work if you encrypted the messages first and then sent? I tried it in the latest Office 365/Exchange Admin Center, but I can’t view the encrypted messages that the transport rule BCC’ed to the Shared Mailbox.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.