Sometimes a customer will have the need to block their users from sending emails to domain names that they consider untrustworthy. Exchange makes this possible through the use of transport rules, also known as mail flow rules. You can use transport rules in Exchange on-premises as well as Exchange Online.

In the mail flow section of the Exchange admin center, create a new rule.

[Screenshot: exchange-block-outbound-domain-01]

Construct a rule that will block email sent from internal senders to external recipients with addresses that match the specific domain name, or a pattern that matches a number of domain names.

[Screenshot: exchange-block-outbound-domain-02]

Of course, this is just an example that is relevant to current events. Using mail flow rules like this is a fairly heavy-handed approach, and there are a few risks and caveats to be aware of.

  • A misconfigured transport rule could easily cause all outbound email for your organization to be rejected. Always test your transport rules in a lab first, and in production you can implement them in test mode for a period of time to assess the impact that they will have.
  • Blocking based on domain names doesn’t necessarily solve the issue of an untrusted or insecure email provider. In the case of Yahoo, there are many other domain names hosted on Yahoo email servers that a rule such as the example above will not block. And who is to say that a trusted partner’s email system hasn’t been breached by attackers already, or that confidential emails aren’t being accessed by unauthorized parties once they leave your organization?
  • Domain-based blocking could be easily bypassed by forwarding an email to another address first, such as a Gmail account, and then sending it on to Yahoo from there.
  • Where does it end? Perhaps there are many other mail services that are just as untrustworthy, but haven’t been discovered or reported yet.
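The same rule described above, built with Exchange PowerShell instead of the admin center and staged through test (audit) mode as the first caveat recommends. This is an added example, not code from the original post; the rule name, reject text and regex pattern are constructed values, and it assumes an Exchange Management Shell or Exchange Online PowerShell session.

```powershell
# Added example (not from the original post): block outbound mail from internal
# senders to external recipients whose address matches a domain pattern.
# Rule name, reject text and the pattern are constructed values.

$ruleName = 'Block outbound mail to untrusted domains'

# RecipientAddressMatchesPatterns takes regular expressions. The backslash
# escapes the dot so it matches a literal '.', i.e. '@yahoo.' but not '@yahooX'.
# Several domains can be covered with alternation, e.g. '@(yahoo|example)\.'.
$blockedPatterns = @('@yahoo\.')

# Step 1: create the rule in Audit mode. Matching messages are recorded in
# message trace / mail flow reports but still delivered, so the impact can be
# assessed before any mail is actually rejected.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RecipientAddressMatchesPatterns $blockedPatterns `
    -RejectMessageReasonText 'Sending email to this domain is not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Comments 'Outbound domain block. Review audit matches before switching to Enforce.'

# Step 2: confirm the rule definition and scope are what you intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope, RecipientAddressMatchesPatterns

# Step 3: after the audit period shows no unintended matches, start rejecting.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Rollback if legitimate outbound mail is unexpectedly rejected:
# Disable-TransportRule -Identity $ruleName -Confirm:$false
```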

If confidentiality of email is the primary concern, consider implementing Information Rights Management instead.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Aws Ayad

    Is there a condition to target sender host name, not just domain?

  2. Priyam Gangwar

    Is there any other option to achieve this other than creating a transport rule?

  3. Dan

    Is there any way to exempt members of an on-prem group?

  4. Vaughn

    Hi Paul,
    Where does the backslash in ‘@yahoo.’ come from? Can I learn more about the syntax available there?
