How to prevent Office 365 users from sending emails outside the organization?

There might be situations when it’s necessary to block the mail flow outside an organization for specific users or user groups. Let’s find out how you can use Exchange Online mail flow rules to prevent Office 365 users from sending emails to external recipients.

Block emails sent outside your Office 365 organization

To restrict all (or specific) users to sending only internal emails and block their emails when they’re sent to external recipients, follow the steps below:

  1. Log in to your Office 365 portal, then go to the Microsoft 365 admin center by clicking the Admin app.
  2. In the Admin centers section, click Exchange.
  3. Then, in the Exchange admin center, click mail flow and then rules. Using the plus icon, add a new rule.
  4. In the new rule window, under the Apply this rule if section, select The recipient is located > Outside the organization.
  5. If you don’t want the rule to apply to all users, you can add another condition that narrows down its scope. To do so, click More options at the bottom of the window, and then click the add condition button (the button shows up once you have enabled more options). You can, for example, add a selected user group so that only its members won’t be allowed to send emails outside the organization.
  6. In the Do the following section, select Block the message > reject the message and include an explanation.
  7. Provide a short explanation that says why the email is blocked. Users will get this explanation along with an NDR message after trying to send an email outside the organization. You can also choose not to notify anyone and simply delete the message (by selecting the delete the message without notifying anyone option).
  8. Save the changes to the rule and test whether it works as expected. Note that it may take up to 30 minutes before the changes to the rule take effect.

That’s it. Now, if the users included in this rule try to send emails outside the Office 365 organization, these messages will be rejected, and the senders will get the notification that their email was blocked.
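The rule from steps 4 to 8 can also be created with Exchange Online PowerShell. This is an added example, not part of the original article; the rule name and group address are assumed placeholders, and the rule starts in audit mode so it can be tested before anything is rejected.

```powershell
# Added example (not from the original article).
# Requires the ExchangeOnlineManagement module and rights to manage mail flow rules.
Connect-ExchangeOnline

# Assumed values; replace them with your own.
$ruleName  = 'Block external mail for restricted senders'   # hypothetical rule name
$groupSmtp = 'restricted-senders@contoso.example'           # hypothetical group address

$rule = @{
    Name                    = $ruleName
    SentToScope             = 'NotInOrganization'   # step 4: recipient is outside the organization
    FromMemberOf            = $groupSmtp            # step 5: limit the rule to one group
    # Steps 6-7: reject with an explanation shown in the NDR.
    # To delete silently instead, drop this key and use DeleteMessage = $true.
    RejectMessageReasonText = 'Sending email outside the organization is not allowed for your account.'
    Mode                    = 'Audit'               # record matches only; nothing is rejected yet
}

# Create the rule once; re-running the script leaves an existing rule untouched.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule @rule | Out-Null
}

# Review what was stored before enforcing it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, FromMemberOf, RejectMessageReasonText

# Step 8: once test messages from a group member and from a non-member
# behave as expected, switch the rule to enforcement.
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Omitting `FromMemberOf` applies the rule to every sender in the tenant, which matches the rule as described in step 4 alone.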

What about on-premises environments?

If you’re still on an on-premises infrastructure and you’re looking for a similar solution that works with Exchange Server, try CodeTwo Exchange Rules Pro. This program works in on-premises and hybrid environments, and offers a wide range of email rule configuration settings that are not available natively in Exchange.


18 thoughts on “How to prevent Office 365 users from sending emails outside the organization?”

  1. Is there a way to block an email domain from being sent to across a company?

    If a company complains to our marketing department that they do not wish to receive emails from our organisation, we want a safety net in case someone from our sales department sends an email without knowing they’ve requested not to be contacted.

  2. Can the email be blocked from going to external recipients based on a phrase in the subject like “INTERNAL ONLY”? If not that, then another idea is to have a dummy recipient named “INTERNAL ONLY” and to block external recipients as long as “INTERNAL ONLY” is also a recipient.

    • Yes, you can.
      In step 5, I show how to define two conditions. Instead of using the “Member of Finance team” condition, you can use “Subject includes any of these words” and add INTERNAL ONLY as the keyphrase.

  3. Hi,

    I’m trying to block outgoing email by this condition:
    1. Recipient is external
    2. Email contains another predefined domain, for example –

    Idea is to block email if there are our defined domains in it. This rule blocks only email to but if in this email are few other recipients, they receive this email. but we need that email is blocked completely from sending (also to those additional recipients, not only to

    Do you have any suggestions here?

    • I’m afraid it can’t be done with mail flow rules.
      What’s the exact scenario here? I mean, why block this exact message from getting to other recipients?
      Maybe it can be done using a different method, like inbox rules?

  4. Is there a way to turn off users’ ability to DISABLE JUNK EMAIL FILTER?
    I know I can run Get-MailboxJunkEmailConfiguration and get a list of users who have it off – but I do not want them to turn it off.

    • I haven’t seen such an option in mailbox policies, where it should be.
      Two solutions that come to mind are user education or blocking emails on the server level, so that they don’t even reach mailboxes.

  5. Where is the message held when blocked?
    Also, can you block incoming mail to that user? E.g. so the user cannot send external outgoing or receive external incoming (can only send emails internally).

    • The message is blocked in the transport, so the only place it’s held is the sender’s Sent Items folder. You can add another action which forwards or redirects a copy of the message to a mailbox of your choice.
      You can use another mail flow rule to block external incoming messages. All you need to do is to reverse the conditions (The Sender is located outside the organization and the recipient is a member of…)

  6. We’re about to start the migration with your tools.

    We need to notify “external senders” that the tenant email domain is no longer available but still allow the email through. We have then set up mail forwarding for each mailbox to the user’s new email address.

    Transport Rules only allow me to completely block and notify the sender via NDR, which is not what we want. We would prefer that mail gets allowed through so that forwarding rules can apply, then the external sender receives the NDR.

    Any tips on how to achieve this?

    • Will this be a tenant to tenant migration? The easiest way to handle this situation is to disconnect the first (source) custom domain from the source tenant after the migration, add it to the target tenant and set up users’ former addresses as email aliases. This way, all emails sent to the pre-migration email addresses will automatically go to the new mailboxes. Then, you can set up automatic responses, notifying of the new email addresses.
      If you have any further questions, you can contact our Customer Service team. They are available 24/5 and will help you with your migration, if you need any assistance.

  7. Hi there,
    My case is to restrict sending email outside the organization but add an exception for more than 100 domains. Is there any way to import the domain list instead of typing them one by one?

    • Sure, but you need to use PowerShell for that. Create a comma-separated array of those domains (you can import from a CSV) and use this array with the -ExceptIfRecipientDomainIs attribute while using New-TransportRule or Set-TransportRule cmdlet, depending on whether you have created the rule in EAC beforehand, or not.

    • In this case, it is an Office 365 (Microsoft 365) Group, but the condition will also accept mail-enabled security groups and distribution groups.
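The CSV import suggested in the reply above could look like the following. This is an added example, not part of the original thread; the rule name, the `Domain` column and the sample rows are assumptions, and the inline sample stands in for a real `Import-Csv` call.

```powershell
# Added example (not from the original thread).
# Assumes an existing rule and an active Connect-ExchangeOnline session.
$ruleName = 'Block external mail for restricted senders'   # hypothetical rule name

# Constructed sample input with a single "Domain" column.
# In practice: $rows = Import-Csv -Path .\allowed-domains.csv
$rows = @'
Domain
partner-one.example
 Partner-Two.example
partner-one.example
not a domain
'@ | ConvertFrom-Csv

# Normalize, then keep only entries that look like DNS domain names.
$clean    = $rows | ForEach-Object { $_.Domain.Trim().ToLowerInvariant() }
$pattern  = '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
$domains  = @($clean | Where-Object { $_ -match $pattern } | Sort-Object -Unique)
$rejected = @($clean | Where-Object { $_ -notmatch $pattern })

# Surface typos instead of silently dropping them: every accepted entry
# is a domain the blocking rule will no longer cover.
if ($rejected.Count -gt 0) {
    Write-Warning "Skipped invalid entries: $($rejected -join ', ')"
}

# This replaces the rule's current exception list with the imported one.
Set-TransportRule -Identity $ruleName -ExceptIfRecipientDomainIs $domains

# Confirm what the rule now exempts.
(Get-TransportRule -Identity $ruleName).ExceptIfRecipientDomainIs
```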

  8. Thanks…
    I will test.
    It is a wonderful idea… I did it via restrictions and outbound spam policies, but a rule is better.
