[Update]: This article was first published on September 4, 2019. It’s been updated to present the current steps required for a proper configuration in the Exchange admin center.
There might be situations when it’s necessary to block the mail flow outside an organization for specific users or user groups. Let’s find out how you can use Exchange Online mail flow rules to prevent Office 365 users from sending emails to external recipients.
Block emails sent outside your Office 365 organization
To restrict all (or only selected) users to internal email, so that any message they send to an external recipient is blocked, follow the steps below:
- Sign in to the Exchange admin center. Go to Mail flow > Rules. Click Add a rule and select Create a new rule from the drop-down list.
- In the new rule creation wizard, under the Apply this rule if section, select The recipient > is external/internal. In the pane that opens, choose Outside the organization from the drop-down list and confirm by clicking Save.
- If you don’t want the rule to apply to all users, you can add another condition that narrows down its scope. To do so, click the + button next to the first condition. You can, for example, add a specific group so that only its members won’t be allowed to send emails outside the organization.
- In the Do the following section, select Block the message > reject the message and include an explanation.
- Provide a short explanation that says why the email is blocked. Users will get this explanation along with an NDR message after trying to send an email outside the organization. You can also choose not to notify anyone and simply delete the message (by selecting the delete the message without notifying anyone option).
- Complete the remaining steps of the rule creation wizard and save the changes by clicking Finish.
- Once created, the mail flow rule is disabled by default. Select it from the rules list and use the toggle to enable the rule.
- Test whether everything works as expected. Note that it may take up to 30 minutes before the changes to the rule take effect.
That’s it. Now, if the users included in this rule try to send emails outside the Office 365 organization, these messages will be rejected, and the senders will get the notification that their email was blocked.
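The same rule built with Exchange Online PowerShell, as an added example that is not part of the original article; the rule name and the sender group address are placeholders, and the group condition can be dropped to apply the rule to every user.

```powershell
# Added example: equivalent of the Exchange admin center steps above, using the
# ExchangeOnlineManagement module. Rule name and group address are placeholders.
Connect-ExchangeOnline

$ruleName    = "Block external email - Finance team"   # placeholder
$senderGroup = "finance-team@contoso.com"              # placeholder; omit -FromMemberOf to cover all users

# Condition: a recipient is outside the organization (The recipient > is external/internal).
# Optional second condition: the sender is a member of the group (conditions are ANDed).
# Action: reject the message and include an explanation, which the sender sees in the NDR.
# -Enabled $false mirrors the wizard, which creates the rule disabled.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -FromMemberOf $senderGroup `
    -RejectMessageReasonText "External email is not permitted from this mailbox. Contact IT if you need an exception." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Enabled $false
# To drop the message silently instead (delete the message without notifying anyone),
# replace the two Reject* parameters with:  -DeleteMessage $true

# Review the rule as created, then enable it (same as the toggle in the rules list).
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentToScope, FromMemberOf, RejectMessageReasonText
Enable-TransportRule -Identity $ruleName

# Allow up to 30 minutes for the change to propagate before sending a test message.
```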
What about on-premises environments?
If you’re still on an on-premises infrastructure and you’re looking for a similar solution that works with Exchange Server, try CodeTwo Exchange Rules Pro. This program works in on-premises and hybrid environments and offers a wide range of email rule configuration settings that are not available natively in Exchange.
See also:
- MailTips in Office 365
- Managing users’ Outlook rules from Exchange Management Shell (with PowerShell)
- How to manage Office 365 signatures behind IT’s back?
A customer of ours was recently bought out. The new management does not want any emails sent from their legacy mailboxes anymore, so we’ve created a rule to prevent any outgoing emails. However, they also want an OOF reply to people sending emails into their legacy mailboxes that gives their new email address to send to going forward. The problem is that the rule restricting outbound mail also kills the OOF. Is there a solution that allows both to work?
Hi Mike,
You can add an exception to your rule restricting outbound email. Under the Except if section, select The message properties > include the message type > Automatic reply. This will allow the sending of OOF replies.
If you would like to set up professional OOF replies informing about the new email addresses, you could go with a third-party solution like CodeTwo Autoresponder for Microsoft 365. It allows you to create fully branded and personalized automatic replies & out of office messages and manage them centrally for all users in your Microsoft 365 organization. You can also set up Autoresponder to forward messages from legacy mailboxes to users’ new email addresses. Autoresponder is an additional feature available in CodeTwo Email Signatures 365, the world-leading Microsoft 365 email signature management software.
Hi Adam,
Is it possible to block internal users (specific groups) from emailing each other & externally?
e.g. we have multiple domains (A, B, C, D, etc) that we manage.
Domain A
1. We have managed to create a mail rule to block external sending.
2. Internal blocking is not working on domain A, it ends up affecting domains B, C, and D.
Please advise how would you go about this.
Hello,
In this case you will need to create a comprehensive set of mail flow rules covering all the possible domain combinations (this cannot be done with a single rule as the rule creation wizard only allows for the use of the AND operator).
I’m seeking a solution for two potential scenarios:
1. Restricting a user from receiving new emails between 4PM and 3AM.
2. If using the moderator transport rule, ensuring the user doesn’t receive a delivery report if their message is rejected by the moderator.
I’ve consulted with Microsoft regarding the second scenario, and they confirmed that blocking the moderator rejection delivery report isn’t possible. The primary goal is to prevent a specific individual from responding to emails after 4PM, as their judgment might be impaired post that time. Ideally, we’d like to implement this without the user’s awareness to avoid complications.
Any guidance on achieving this would be greatly appreciated. Thank you!
No native mechanisms let you handle those scenarios. Mail flow rules don’t let you set up recurrence. And even if they did, you’d need to delay emails, not block them, and there’s no such action available.
It might be more effective to block users’ access to company resources after a certain time, but it would require scheduling of Conditional Access policies – it’s a subject for a new article.
If the ultimate goal is to prevent users from sending emails outside of work hours, you could also suggest changes to company policies/culture and send reports of those unwanted emails to the management.
How to reject message with condition “blank Subject/Body”
Unfortunately, mail flow rules don’t support such a condition – you can look for certain words or patterns in the subject or body, but it can’t handle selecting blanks.
Hi,
I want users to send mail only from specified IPs, so they can only send mail from within the company. How can I do that?
You can use AAD Conditional Access policies to limit access to your Microsoft 365 organization based on IP. I have this subject on my TODO list.
I have tried this rule and it is not working. The user is able to send messages outside the organisation. Need help on this.
If you followed all the steps, the rule is enabled and the user is included in the sender condition, my guess is that a higher priority rule has the option to “stop processing more rules” enabled.
Can we use the rule with a shared mailbox? I have a scenario wherein mail from a shared mailbox should be blocked to all internal users and outside the organization, except for one user.
Yes, to set up such a scenario, do the following:
Apply this rule if: the sender is this person (choose the shared mailbox).
Do the following: Block the message.
Except if: The recipient is this person (choose the user).
I want to add a rule to block out-bound messages where the TO field is empty but BCC has entries which is a common spam pattern.
The rule editor seems quite basic. I can’t see a way to do this.
I’m afraid mail flow rules don’t support this scenario.
Just to mention, while spammers often do this, some people also use the method to hide recipients from each other in valid correspondence.
I work for a large company whose clients still want their data, reports, etc. emailed out. We’ve had issues with employees attaching one client’s data to another client’s contact list. I want to set a rule that would disallow sending to a contact list if, say, another client’s name appeared in the attached file. Can this be done by gaining admin privileges to MS 365 and using a transport rule?
You can create a new DLP policy via Microsoft Purview to achieve that, but it’s a subject for another article. I’m adding it to my list!
Hi, I’m trying to block external senders sending mails to specific groups, but when I test from my Gmail it still comes through.
Apply this rule if
The sender is located outside the organization
and
The recipient is a member of “DS-Test” (distribution group)
Do the following
Reject the message with the explanation “Block test”
I’d recommend the following troubleshooting steps:
1. Make sure the rule is set to “Enforce”.
2. Check whether a higher priority rule doesn’t interfere with the blocking rule.
3. Ensure that your internal recipient is a member of the DS-Test. (Are you sending to a single recipient or the whole group?)
4. Check if the rule works after some time – both mail flow rules and group memberships sometimes take some time to propagate properly.
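The four checks above run as an added Exchange Online PowerShell example that is not part of the reply; the rule name, the test recipient address and the message-trace window are placeholders.

```powershell
# Added example: troubleshooting checks for a blocking rule that does not seem to fire.
# The rule name and test recipient are placeholders; the group name comes from the question.
Connect-ExchangeOnline

$ruleName      = "Block external senders to DS-Test"   # placeholder
$groupName     = "DS-Test"
$testRecipient = "user@contoso.com"                    # placeholder: the internal recipient you tested with

$rule = Get-TransportRule -Identity $ruleName

# 1. Enabled and enforcing? Audit and AuditAndNotify modes only log; they never reject.
"{0}: State={1} Mode={2} Priority={3}" -f $rule.Name, $rule.State, $rule.Mode, $rule.Priority

# 2. Enabled rules with a higher priority (lower number) that stop processing more rules
#    are evaluated first and would swallow this one.
Get-TransportRule |
    Where-Object { $_.Priority -lt $rule.Priority -and $_.StopRuleProcessing -and $_.State -eq 'Enabled' } |
    Format-Table Name, Priority, State, Mode

# 3. Is the test recipient actually a member of the group the rule looks at?
$members = Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited
if ($members | Where-Object { "$($_.PrimarySmtpAddress)" -eq $testRecipient }) {
    "$testRecipient is a member of $groupName"
} else {
    "$testRecipient is NOT a member of $groupName"
}

# 4. After waiting for propagation, confirm from message trace which rules acted on the test message.
Get-MessageTrace -RecipientAddress $testRecipient -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Get-MessageTraceDetail |
    Where-Object { $_.Event -eq 'Transport rule' } |
    Format-List Date, Event, Detail
```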
Hi Guys,
How can I block my team from sending emails to someone who asked me to remove him/her from our mailing list?
Is there a way where I can put someone’s email address and nobody from my organization can send an email?
If yes, can I add multiple email addresses?
Thank you very much for your time guys.
Hi Cristian,
The easiest way to do this in the Exchange admin center would be to add those email addresses as contacts, create a distribution list (e.g. named blocked-senders) and add those contacts to the distribution list. After that, create a mail flow rule with the following settings:
Apply this rule if > The recipient is a member of > distribution group/list you created earlier.
Then, choose block the message as the action, save the rule and enable it.
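The same set-up done in Exchange Online PowerShell, as an added example rather than the reply’s own steps; the list name and the addresses are constructed placeholders.

```powershell
# Added example: contacts + distribution list + blocking rule, in PowerShell.
# The list name and the addresses below are constructed placeholders.
Connect-ExchangeOnline

$listName = "blocked-recipients"                                # placeholder
$blocked  = @("jane.doe@example.com", "john.roe@example.org")   # constructed sample addresses

# One distribution list holds every address nobody may write to. It is hidden from the
# address book so users cannot pick it by accident.
if (-not (Get-DistributionGroup -Identity $listName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $listName -Type Distribution | Out-Null
    Set-DistributionGroup -Identity $listName -HiddenFromAddressListsEnabled $true
}
$current = Get-DistributionGroupMember -Identity $listName -ResultSize Unlimited |
    ForEach-Object { "$($_.PrimarySmtpAddress)".ToLowerInvariant() }

foreach ($addr in $blocked) {
    # An external address must exist as a mail contact before it can be a group member.
    # The contact is hidden too, so it never shows up in autocomplete.
    if (-not (Get-MailContact -Identity $addr -ErrorAction SilentlyContinue)) {
        New-MailContact -Name "DoNotContact $addr" -ExternalEmailAddress $addr | Out-Null
        Set-MailContact -Identity $addr -HiddenFromAddressListsEnabled $true
    }
    if ($current -notcontains $addr.ToLowerInvariant()) {
        Add-DistributionGroupMember -Identity $listName -Member $addr
    }
}

# The rule: any message addressed to a member of the list is rejected with an explanation.
New-TransportRule -Name "Block mail to $listName" `
    -SentToMemberOf $listName `
    -RejectMessageReasonText "This recipient has asked not to be contacted. The message was not sent." `
    -Enabled $true
```

To add another address later, create its mail contact and add it to the list; the rule picks it up without changes.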
How can I delete blocked messages from “Sent items” after 3 hours?
also, how can I delete “NDR message” or explanation message after 1 hour?
All of that to save storage space.
You could set up a retention policy which automatically deletes items. However, if I remember correctly, a retention policy allows you to delete items after 1 day; you can’t set it up for a shorter period.
Is there a way to block an email domain from being sent to across a company?
If a company complains to our marketing department that they do not wish to receive emails from our organisation, we want a safety net in case someone from our sales department sends an email without knowing they’ve requested not to be contacted.
There are several ways to do that. The easiest would be a third-party unsubscribe mechanism (this solution is for on-premises Exchange Server and hybrid environments). With the native tools, you could keep a mail flow rule which blocks emails sent to specific domains. To set it up, you need to click more options in the new rule and, as the condition, choose The recipient > domain is. You can then add multiple domain names to the list.
Can the email be blocked from going to external recipients based on a phrase in the subject like “INTERNAL ONLY”? If not that, then another idea is to have a dummy recipient named “INTERNAL ONLY” and to block external recipients as long as “INTERNAL ONLY” is also a recipient.
Yes, you can.
In step 5, I show how to define two conditions. Instead of using the “Member of Finance team” condition, you can use “Subject includes any of these words” and add INTERNAL ONLY as the keyphrase.
Hi,
I’m trying to block outgoing email by this condition:
1. Recipient is external
2. Email contains another predefined domain, for example – microsoft.com
The idea is to block an email if our defined domains are in it. This rule blocks only the email to microsoft.com, but if there are a few other recipients in this email, they receive it. But we need the email to be blocked completely from sending (also to those additional recipients, not only to microsoft.com).
Do you have any suggestions here?
Thanks
I’m afraid it can’t be done with mail flow rules.
What’s the exact scenario here? I mean, why block this exact message from getting to other recipients?
Maybe it can be done using a different method, like inbox rules?
Is there a way to turn off users’ ability to DISABLE JUNK EMAIL FILTER?
I know I can run Get-MailboxJunkEmailConfiguration and get a list of users who have it off – but I do not want them to turn it off.
I haven’t seen such an option in mailbox policies, where it should be.
Two solutions that come to mind are user education or blocking emails on the server level, so that they don’t even reach mailboxes.
Where is the message held when blocked?
Also, can you block incoming mail to that user? e.g. so the user cannot send external outgoing or receive external incoming (can only send emails internally)
The message is blocked in the transport, so the only place it’s held is the sender’s Sent Items folder. You can add another action which forwards or redirects a copy of the message to a mailbox of your choice.
You can use another mail flow rule to block external incoming messages. All you need to do is to reverse the conditions (The Sender is located outside the organization and the recipient is a member of…)
Thanks so much for the article! ;-)
We’re about to start the migration with your tools.
We need to notify “external senders” that the tenant email domain is no longer available but still allow the email through. We have then setup mail forwarding for each mailbox to the users new email address.
Transport Rules only allow me to completely block and notify the sender via NDR, which is not what we want. We would prefer that mail gets allowed through so that forwarding rules can apply, then the external sender receives the NDR.
Any tips on how to achieve this?
Will this be a tenant to tenant migration? The easiest way to handle this situation is to disconnect the first (source) custom domain from the source tenant after the migration, add it to the target tenant and set up users’ former addresses as email aliases. This way, all emails sent to the pre-migration email addresses will automatically go to the new mailboxes. Then, you can set up automatic responses, notifying of the new email addresses.
If you have any further questions, you can contact our Customer Service team. They are available 24/5 and will help you with your migration, if you need any assistance.
Hi there,
My case is to restrict sending email outside the organization but add an exception for more than 100 domains. Is there any way to import the domain list instead of typing them one by one?
Thanks
Sure, but you need to use PowerShell for that. Create a comma-separated array of those domains (you can import it from a CSV) and use this array with the -ExceptIfRecipientDomainIs attribute of the New-TransportRule or Set-TransportRule cmdlet, depending on whether or not you have created the rule in the EAC beforehand.
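An added example (not part of the reply above) that loads the domain list from a CSV, validates it and attaches it as the rule’s recipient-domain exception; the CSV path, its Domain column and the rule name are assumptions.

```powershell
# Added example: load the exception domains from a CSV and apply them in one call.
# Assumed: the CSV has a header column named "Domain"; the path and rule name are placeholders.
Connect-ExchangeOnline

$ruleName = "Block external email"            # placeholder: the rule created earlier in the EAC
$csvPath  = "C:\temp\exception-domains.csv"   # placeholder: one column, header "Domain"

# Normalise and validate every entry: trim, lower-case, drop blank rows and refuse anything
# that is not a bare domain name. A stray entry silently widens the exception, so fail loudly.
$raw = Import-Csv -Path $csvPath | ForEach-Object { $_.Domain.Trim().ToLowerInvariant() }
$bad = $raw | Where-Object { $_ -and $_ -notmatch '^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$' }
if ($bad) { throw "Rejected entries in ${csvPath}: $($bad -join ', ')" }
$domains = $raw | Where-Object { $_ } | Sort-Object -Unique

# Set-TransportRule replaces the whole list, so merge with any exceptions already on the rule.
$existing = (Get-TransportRule -Identity $ruleName).ExceptIfRecipientDomainIs |
    ForEach-Object { "$_".ToLowerInvariant() }
$merged = @($existing) + @($domains) | Where-Object { $_ } | Sort-Object -Unique

Set-TransportRule -Identity $ruleName -ExceptIfRecipientDomainIs $merged
"Rule '$ruleName' now excepts $(@($merged).Count) domains"

# If the rule does not exist yet, pass the same array to New-TransportRule instead, e.g.:
# New-TransportRule -Name $ruleName -SentToScope NotInOrganization `
#     -RejectMessageReasonText "External email is blocked" -ExceptIfRecipientDomainIs $domains
```

Mail flow rules have an overall size limit, so re-read the rule afterwards and confirm the full list was stored.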
In the 365 example, what is “Finance Team”, an OU or a distribution group?
In this case, it is an Office 365 (Microsoft 365) Group, but the condition will also accept mail-enabled security groups and distribution groups.
Thanks…
I will test.
It is a wonderful idea… I did it via restrictions and outbound spam policies, but a rule is better.