Email forwarding can be useful, but poses a security risk due to the potential disclosure of information. Therefore the Anti-spam outbound policy blocks the auto-forwarding at the tenant level by default. Although this minimises the security risks, it hampers productivity since there are valid reasons to allow auto-forwarding to an external domain.
There are valid use cases for external email forwarding such as:
- To support the adoption of Microsoft Teams and the concept of working in Teams rather than sending email. However, users cannot auto-forward emails to a Teams channel, because Teams channel email addresses are external addresses (for example uniqueid@emea.teams.ms or uniqueid@uk.teams.ms).
- Auto-forwarding emails to a third-party system, such as CRM or ticketing system for processing.
Read on to learn how to allow auto-forwarding to Teams channels and other authorised external domains to increase productivity and reduce security risks.
Requirement to allow auto-forwarding to Teams channels
- Allow auto-forwarding to internal email addresses.
- Block auto-forwarding to all external domains except for authorised domains. In this scenario allow auto-forwarding to Teams channels with the domain “emea.teams.ms”.
- Notify users when auto-forwarding is blocked.
Change to allow auto-forwarding to Teams channels
- Change the Anti-spam outbound (default) policy to allow all users to auto-forward emails to external domains.
- Alternatively, create a custom Anti-spam outbound policy to allow a group of users to auto-forward emails to external domains. The users must be in a distribution group, mail-enabled security group or Microsoft 365 Group.
- Create Mail flow rules to block auto-forwarding to all domains except for authorised domains which include auto-forwarding to Teams channels with the domain “emea.teams.ms”.
Update the Anti-spam outbound (default) policy to allow auto-forwarding
By default, the Anti-spam outbound (default) policy blocks all external auto-forwarding and takes priority over any mail flow rules.
So the first step is to enable auto-forwarding in the Anti-spam outbound policy. There are two options for this:
- Update the Anti-spam outbound (default) policy to allow auto-forwarding.
- Create a custom policy for a subset of users who can use auto-forwarding.
From the Microsoft 365 Defender Admin Center, open Email and collaboration > Policies & rules.
Select Threat policies and Anti-spam policy.
Option 1: Allow all users in the organisation to auto-forward emails to Teams channels
Update the Anti-spam outbound (default) policy to allow auto-forwarding.
Select the Anti-spam outbound policy (Default)
Edit the Anti-spam outbound policy.
Edit the Forwarding rules.
Automatic forwarding rules = On – Forwarding is enabled
Select Save.
Option 2: Allow a subset of users to auto-forward emails to Teams channels
The Anti-spam outbound (default) policy remains unchanged, with auto-forwarding blocked.
Create a new custom Anti-spam outbound policy to restrict auto-forwarding to a group of users in a distribution group, mail-enabled security group or Microsoft 365 Group.
Select +Create policy to create a new outbound Anti-spam policy. Then select Outbound to create a new outbound policy.
Add in the users, groups or domains in scope. I recommend using a distribution group, mail-enabled security group or Microsoft 365 Group to manage membership outside of the policy.
Forwarding rules
- Automatic forwarding rules = On – Forwarding is enabled.
Then save.
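The same two options, as an added PowerShell example using the ExchangeOnlineManagement module (this is not code from the original article). The admin account and the group address are placeholders; the policy and rule names are assumptions.

```powershell
# Assumes Install-Module ExchangeOnlineManagement has been run.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin account

# Option 1: allow auto-forwarding for every user by changing the Default outbound policy.
# AutoForwardingMode accepts Automatic, On or Off; the tenant default is Automatic (blocked).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Option 2: leave Default blocked and allow only the members of one group.
# The custom policy holds the setting; the rule scopes it to the group (placeholder address).
New-HostedOutboundSpamFilterPolicy -Name 'Allow auto-forwarding (Teams)' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Allow auto-forwarding (Teams)' `
    -HostedOutboundSpamFilterPolicy 'Allow auto-forwarding (Teams)' `
    -FromMemberOf 'AutoForwardAllowed@contoso.example'

# Check which policies now allow auto-forwarding before creating the mail flow rule.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
```

Use Option 1 or Option 2, not both; Option 2 keeps the tenant-wide block in place for everyone outside the group.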
Create a Mail flow rule to allow auto-forwarding to Teams channels and other authorised domains
Now the Anti-spam outbound policy allows auto-forwarding to any external domain. Being able to automatically forward emails to any domain poses a security risk. Reduce this risk by using Mail flow rules to block auto-forwarding to external domains except for an authorised list of domains.
Create a Mail flow rule so users can only auto-forward emails to authorised domains. For example in this scenario, add the domain “emea.teams.ms” to allow auto-forwarding to Teams channels with the domain “emea.teams.ms”. Auto-forwarding of emails to all other external domains will remain blocked.
From the Exchange Admin Center > Mail flow> Rules.
Select +Add a rule and Create a new rule
Name = Only allow email forwarding to Authorised domains.
Apply this rule if
- The recipient = is external/internal
- The recipient is located = Outside the organisation
Then select the + sign to add a second condition.
And
Apply this rule if
- Message properties = include the message type
- The message type = Auto forward
Do the following
- Block the message = reject the message and include an explanation
- Specify rejection reason = Auto forwarding of emails to external email addresses is not permitted.
Except
- The recipient = Domain is
- The recipient’s domain = emea.teams.ms
These are the authorised domains.
Select next
- Rule mode = enforce
Select next
Review and then select Finish.
A new Mail flow rule is created but is initially disabled.
To enable the Mail flow rule, select the rule to show the details.
Enable the rule, then wait until the status changes to Enabled.
The Mail flow rules will now take effect.
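The same Mail flow rule created with New-TransportRule, as an added example that is not part of the original article. The conditions map one-to-one onto the portal steps above; the authorised domain list is the article's, and the rule name is an assumption.

```powershell
# Assumes Connect-ExchangeOnline has already been run.
$authorisedDomains = @('emea.teams.ms')   # extend with other authorised external domains
$ruleName = 'Only allow email forwarding to Authorised domains'

# Condition 1: recipient outside the organisation (-SentToScope NotInOrganization)
# Condition 2: message type is Auto forward (-MessageTypeMatches AutoForward)
# Action: reject with an explanation the user sees in the NDR
# Exception: recipient domain in the authorised list
# Created disabled, as in the portal, so it can be reviewed before enforcement.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfRecipientDomainIs $authorisedDomains `
    -RejectMessageReasonText 'Auto forwarding of emails to external email addresses is not permitted.' `
    -Mode Enforce `
    -Enabled $false

# Enable the rule and confirm the settings that matter.
Enable-TransportRule -Identity $ruleName
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, MessageTypeMatches, ExceptIfRecipientDomainIs, RejectMessageReasonText
```

Remember that the rule only takes effect for users whose Anti-spam outbound policy allows auto-forwarding; for everyone else the policy block applies first.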
User experience
When a user creates an auto-forwarding rule from their mailbox, there are no controls to prevent the user from adding an email address from a blocked domain. However, Mail flow rules will block auto-forwarding to non-authorised domains even if users set up rules for it.
If the forwarding email address is an internal email address, the Mail flow rule and Anti-spam policy do not apply.
Auto-forwarding to an authorised domain
The Mail flow rule lets the auto-forwarded email through if the recipient domain is listed in the exceptions list (an authorised domain).
For example in this scenario, a user can auto-forward emails to a Teams channel because the channel email is uniqueid@emea.teams.ms and “emea.teams.ms” is an authorised domain. The email (and any attachments) is automatically forwarded to the Teams channel.
Auto-forwarding to a blocked domain
Auto-forwarding is blocked if the email address belongs to a non-authorised domain, e.g. a personal email address. Instead, the user receives a non-delivery response with the custom message detailed in the Mail flow rule.
If the user is in an Anti-spam policy that does not allow auto-forwarding, then the mail flow rules do not apply. In this scenario, the user only receives the default non-delivery message.
Monitoring and reporting
Auto-forwarding increases the risk of data leaks, because people in your organisation can automatically forward email messages to an external domain, such as a personal email address. Therefore the Exchange Admin Center provides a set of reports and insights to monitor usage.
Auto forwarded message report
From the Exchange Admin Center.
Select Reports and Mail flow from the menu.
Choose the Auto forwarded message report. This report shows:
- Forwarding types
- Forwarding domains
- Users who have set up forwarding rules
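The same information can be pulled on demand, as an added PowerShell audit that is not part of the original article. It lists mailbox-level forwarding and inbox rules that forward or redirect, and flags SMTP targets whose domain is not authorised; the authorised list is the article's, and the SMTP-address parsing is an assumption (internal recipients appear in rules as EX: legacy DNs, so only external SMTP targets are matched).

```powershell
# Assumes Connect-ExchangeOnline has already been run.
$authorisedDomains = @('emea.teams.ms')
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Mailbox-level forwarding (set by an admin or via Outlook settings).
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect, including hidden rules.
$inboxForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Flag rules whose SMTP targets are outside the authorised list.
#    Rule targets look like '"user@example.com" [SMTP:user@example.com]'.
$flagged = $inboxForwarding | Where-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
    $external = foreach ($t in $targets) {
        if ($t -match 'SMTP:[^@\]]+@([^\]]+)\]') { $Matches[1].ToLower() }
    }
    ($external | Where-Object { $authorisedDomains -notcontains $_ }).Count -gt 0
}

$mailboxForwarding | Format-Table -AutoSize
$flagged | Format-Table Mailbox, Name, Enabled, ForwardTo, RedirectTo -AutoSize
```

Flagged rules are already blocked by the Mail flow rule, but the list shows which users have tried and is a useful input to the Alerts section below.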
Mail flow Insights
From the Exchange Admin Center select Insights from the left-hand menu.
There are two insights:
- New domains being forwarded email – users in your organisation are forwarding messages to new domains.
- New users forwarding email – new users start forwarding messages to external domains.
Alerts
Alerts are created when a user creates an auto-forwarding rule. These alerts are visible from the Microsoft 365 Defender Admin Center, Microsoft Purview Admin Center and Exchange Admin Center.
Email notifications can be sent to admins.
Microsoft references
All you need to know about automatic email forwarding in Exchange Online – Microsoft Community Hub
Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
New domains being forwarded email insight in the new EAC in Exchange Online | Microsoft Learn
New users forwarding email insight in the new EAC in Exchange Online | Microsoft Learn