How to Restrict a Distribution List in Exchange Server 2010

Exchange Server 2010 allows you to restrict who can send to distribution groups. You can do this in different ways, but it is important to understand the pros and cons of each type of distribution group protection so that you choose the correct one for your situation.

Each of these methods can be implemented from any workstation or server on which you’ve installed the Exchange 2010 management tools.

Preventing External Email to Exchange 2010 Distribution Lists

If you want to prevent any external sender from being able to send email to a distribution group, you can simply enable the authentication requirement for that group. This is found in the Properties of the distribution group in the Mail Flow Settings tab under Message Delivery Restrictions.

Requiring authentication for senders to Exchange 2010 distribution groups

This option is enabled by default for distribution groups created in Exchange Server 2010, but may have to be manually enabled for groups that existed before your Exchange 2010 migration occurred.

This will prevent external, unauthenticated senders from being able to send to the distribution group but may also prevent senders such as network devices or applications from sending to the list if the device or application can’t perform SMTP authentication.
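To find the groups that predate the migration and still accept unauthenticated senders, a shell pass like the following can be used. This is an added example, not from the original article; it assumes the Exchange Management Shell, and the address in `$keepOpen` is a constructed placeholder for any list that has to stay reachable by external senders or by devices that cannot perform SMTP authentication.

```powershell
# Added example. Run in the Exchange Management Shell.

# 1. Every distribution group that still accepts unauthenticated senders.
$open = @(Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled })

# 2. Review them oldest first: groups created before the Exchange 2010
#    migration are the ones most likely to be missing the setting.
$open | Sort-Object WhenCreated |
    Format-Table Name, PrimarySmtpAddress, WhenCreated -AutoSize

# 3. Lists that must keep accepting unauthenticated mail, for example a
#    public contact address or a list fed by a device that cannot
#    authenticate. Constructed placeholder value.
$keepOpen = @('contact-us@example.com')

$toFix = @($open | Where-Object {
    $keepOpen -notcontains $_.PrimarySmtpAddress.ToString()
})

# 4. Dry run. -WhatIf prints what would change without changing it;
#    remove -WhatIf once the list has been reviewed.
foreach ($group in $toFix) {
    Set-DistributionGroup -Identity $group.DistinguishedName `
        -RequireSenderAuthenticationEnabled $true -WhatIf
}

# 5. After applying, only the groups in $keepOpen should remain.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```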

Restricting an Exchange 2010 Distribution List to Specific Senders

Requiring authentication for an Exchange 2010 distribution group won’t prevent any authenticated senders from sending to it. For example, all of the mailbox users in your organization will still be able to send. In some organizations it is desirable to restrict certain distribution groups to only certain senders.

This can be performed by configuring the Accept Messages From setting in the Message Delivery Restrictions, and specifying mail-enabled groups who are allowed to send to the list.

Outlook 2010 and OWA users will see a warning if they compose an email to a group they are restricted from sending to.

If the sender persists and sends the email anyway they will receive a non-delivery report.

Restricting distribution groups in this way gets the job done but it is an all or nothing approach.  There is no scope to allow some messages from people through to the distribution list.

Moderating Exchange Server 2010 Distribution Lists

When you have a distribution group that you want everyone to be able to send to, but you want to be able to approve or reject messages on a case by case basis, you can use moderation.  Moderation allows you to specify one or more mailbox users who can approve/reject emails sent to a distribution group.   This is found in the Properties of the distribution group in the Mail Flow Settings tab under Message Moderation.

Outlook 2010 or OWA users will see a warning when they are composing a mail to send to moderated groups.

The moderators will then receive an Approve/Reject email in their inbox.

Moderation can lead to delivery delays while messages are approved.  You can optionally configure a moderated group so that specific senders bypass the moderation requirement, so that frequent or trusted senders can send messages without any delays.
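The sender restriction and moderation settings from the last two sections can also be applied and reported on from the Exchange Management Shell. This is an added example, not from the original article; every group name and address in it is a constructed placeholder.

```powershell
# Added example. Run in the Exchange Management Shell.
# All group names and addresses below are constructed placeholders.

# --- Restrict a list to specific senders ("Accept Messages From") ---
# The value passed here REPLACES the current list of allowed senders,
# so include every sender or group that should keep access.
Set-DistributionGroup -Identity 'Payroll Notices' `
    -AcceptMessagesOnlyFromSendersOrMembers 'HR Team', 'cfo@example.com'

# --- Moderate a list that everyone may send to ---
# Moderators approve or reject each message; senders in the bypass
# list are delivered without waiting for approval.
Set-DistributionGroup -Identity 'All Staff' `
    -ModerationEnabled $true `
    -ModeratedBy 'alice@example.com', 'bob@example.com' `
    -BypassModerationFromSendersOrMembers 'Executive Assistants' `
    -SendModerationNotifications Always

# --- Report the effective send policy of every group ---
# Multi-valued properties are flattened so the result fits in one CSV row.
$report = Get-DistributionGroup -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress,
        RequireSenderAuthenticationEnabled,
        @{Name = 'AcceptedSenders'
          Expression = { $_.AcceptMessagesOnlyFromSendersOrMembers -join '; ' }},
        ModerationEnabled,
        @{Name = 'Moderators'
          Expression = { $_.ModeratedBy -join '; ' }},
        @{Name = 'BypassModeration'
          Expression = { $_.BypassModerationFromSendersOrMembers -join '; ' }},
        SendModerationNotifications

# Groups with none of the three protections: no authentication
# requirement, no sender list and no moderation.
$report | Where-Object {
    -not $_.RequireSenderAuthenticationEnabled -and
    -not $_.AcceptedSenders -and
    -not $_.ModerationEnabled
} | Format-Table Name, PrimarySmtpAddress -AutoSize

# Full report for periodic review.
$report | Export-Csv -Path .\dl-send-policy.csv -NoTypeInformation
```

An empty AcceptedSenders column means the group has no sender list, so any sender who passes the authentication requirement can send to it.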

As you can see each of these methods of restricting who can send to distribution groups has its pros and cons.  There is no one size fits all approach, but you should be able to find a method that works best for your specific scenario.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. Patrick Dufourq says:

    Good Day,
    How can you restrict a distribution list in Exchange 2007?

    I would like 3 specific users to be able to send an email using a list to let’s say 10 external users (not in the same domain).
    Thank you for your help.
    Kind Regards

    • You can use the second method, “Restricting an Exchange 2010 Distribution List to Specific Senders”. The only difference being that Exchange 2007 users won’t see the warning if they are composing an email to a list they can’t send to, they’ll just get the NDR after they send it.

  2. Kirstin says:

    How do I prevent E2010 from enabling the “Require that all senders are authenticated” for every new d-list?

  3. Liz says:

    Hi, is there a way to view a list of who is authorized to send to a distribution list once you have restricted it?

    We have a good number of distribution lists within our company that are restricted and need a way to report on who is authorized to send without having to scroll and make screen shots every time HR wants to review them.

    Thank you in advance for your assistance.


  4. Brian Johansen says:

    Hi Paul
    We have a big problem with sending mails to distribution groups in Exchange 2010. We have just upgraded from Exchange 2007 to 2010, but the problem started in 2007, around May. We have spent several hours investigating with any luck. Maybe it has something to do with an update?

    The problem occurs only with some groups and we never get any feedback. Sometimes it works with a group sometimes not. It looks like it maybe works if I create a new group. My colleague thinks it has something to do with cache and offline files.

    I’m not quite sure whether we have fixed the problem or not.

    After the upgrade we have had a problem expanding groups, sometimes it works, sometimes it works after 1-2 attempts.

    Thank you for your help.

      • Brian Johansen says:

        No, that’s just another thing that came up after upgrading, sometimes we can’t expand groups and see the members. Sometimes it works if we try 1-2 times to click the + sign.

        The main problem is that we couldn’t send to some groups earlier and I’m not sure if we have solved it. The worst thing was that you didn’t get any response, so we didn’t know whether the mails got through or not. But it seems like the new group works and maybe also the fix with removing cache mode and deleting the .OST file. I haven’t heard from my users in the last weeks during the summer holiday time, I hope that’s good.

        I just wondered if you had experienced something like that before and had some input. My Exchange colleague is back in business next week and we will sit down and evaluate.

        I appreciate your quick answer.


      • Brian Johansen says:

        Yes, we have changed most of our groups to Universal, before they were Global. If it’s Global we can’t look up the AD groups in Exchange. Is it necessary to use Universal when we have Exchange 2010?

      • Yes they should be Universal. Having them Global would be a likely explanation for the non-delivery. When you created new ones they would be Universal and I’d expect them to work fine.

  5. Brian Johansen says:

    I see. I learned some years ago to use Global groups, unless we have more than 1 domain and I can’t remember more 🙂

    But, I don’t think that was the reason why we many times didn’t receive the mails sent to the groups. Sometimes they worked and sometimes not. It was very strange.

    • Brian Johansen says:

      You are probably right regarding Universal, we have made some tests and it seems like we can expand all Universal groups and not always the old Global ones. It might also have fixed the problem with receiving mails. I haven’t heard of one single problem with the Universal groups in weeks, but yesterday I had a colleague who sent a mail and nobody received it, but it was one of our Global groups. I will now change the rest of the groups to Universal. I’m just concerned about one thing, what about if the Global group is a security group, is it possible to change it to Universal and keep the security settings/members?


  6. Lanny Evans says:

    What I am trying to do is restrict who can send an email to certain email accounts. We have email accounts for physicians that certain people need to be able to see and send email to. Everyone else in the organization needs to be restricted from sending email to those email boxes and hopefully not even seeing them in their GAL. Is there a way to accomplish that? Thanks,

    • Hi Lanny, you can hide mailboxes from the GAL (it is a checkbox in the mailbox properties) and mailboxes also have similar delivery restrictions settings as groups do (also available in the mailbox properties).

  7. Nathan says:

    I host email for nearly all the school districts in a geographic region. Some schools run their own mail servers. We have mail contacts setup for those districts so they can receive mail from distribution lists.

    Is there any way to authenticate a mail contact to send to the distribution list without allowing the whole world to be able to send to that list? We also have to allow sending for any user inside exchange as well.

    Thanks for your help,

  8. Peter says:

    I have setup the distribution group as stated above and it was all working. Now all of a sudden if a user tries to send to the DG it says they do not have permission and just below it it states that it is going to send it to the members (Sending to 402 for example). If I create a brand new DG the permissions are enforced and the user cannot send at all. It would appear something has happened to the DG that I created a few months ago.

      • Peter says:

        I did that this weekend. It would appear all of the news are staying the same except 4 of them which then reverted back to being the same thing I stated above. The rest appear to be holding up and rejecting emails as expected.

        I think I have gremlins in my Exchange environment and I may need to call Ghostbusters or I mean Microsoft. 😉

  9. Ignacio R says:

    Hi Paul,

    I have for several months had a distribution list that had external contacts blocked from sending emails to that list. The list is actually a Contact Us distribution list and we have potentially lost many emails of people trying to contact us. I wonder if there is a place where these emails are stored or can be seen?

    Thanks for the help,


  10. Dave says:

    Hi Paul,

    I am not able to choose a group to allow access to send to distribution groups. I can see all of the users in the AD but no groups… I obviously do not wish to add individual users as this would prove to be a nightmare!

    Do you have any ideas?


  11. Rolf says:

    Hello Paul

    My problem is that though my distribution groups are configured to require authentication for senders to the Exchange 2010 system, still that protection does not work. I thought that maybe some trust between the mail gateway from Internet and the Exchange HUB-server was the problem. But even if you just connect with telnet to port 25 on the HUB server you can address the mail to a distribution group!

    Is there maybe something in the receive connector that can make all incoming mail as if it was sent by an authenticated sender?

    Thank You for Your help!
    Please accept to have a very Happy 2012!


  12. Ally Laurente says:

    Hi Paul,

    We have lots of restricted DGs but users are just clicking the + sign and it will expand and they can send to the members. Is there a way to restrict the expansion of the restricted DG?


    • Not that I’m aware of.

      Perhaps you can mask them using contacts that point to hidden DLs? Might get a bit complicated to administer though.

      If they are large DLs you could look at limiting the max recipients that people can send to.

      • RickF says:

        Here’s what worked for me:
        (Restricting who can send to a DL, and preventing expansion of the DL by users)
        1) In Message Delivery Restrictions, set the DL to Accept Messages from “only senders in the following list”. Add the list of users who are allowed to send to this DL.
        2) In Message Moderation, set (enable) “messages sent to this group have to be approved by a moderator”.
        3) In Message Moderation, add the same list of users from Step 1 to the list “Specify senders who don’t require message approval”. (NOTE: You do not need to list a moderator(s) if you do not want to (I left mine empty)).
        These settings result in the DL usage being restricted to a list of users. Now when anyone attempts to expand the DL (in Outlook or OWA), they will get a pop up message advising that “moderated groups cannot be expanded”.

  13. Oscar Pedroza says:

    I hope you are well, do you know a way to moderate the number of recipients per mail, I have been looking for this for a long time and I don’t get any way to do this, I hope that you can give me an idea.

    Best regards,

  14. zohaib says:

    Well, I want to distribute the list in such a way that a single person can mail both male and female users, but male and female can’t send mail to each other, but they can send mail to the same gender. If you know how to do it, please help me.

  15. Kristina says:

    Hi Paul,

    Is there a way to restrict access for a group of people from sending to groups in such a way that they do not have to be explicitly denied access (or left out of the people granted access) to each group when it is created ?

    What I want to do is set up a group which will have people who should not be able to email any distribution groups, wondering if the security on the Exchange Distribution groups could perhaps be used to do this ?

    Your thoughts would be very welcome 🙂

  16. ONP says:

    I wanted to enquire whether we can restrict the users from creating their own local distribution list in MS Outlook 2007?

  17. Tom Bedell says:

    Hi Paul. Thanks for your help. I appreciate it.

    Are there any tricks or gotchas with regards to setting delivery restrictions on an Exchange 2010 object in a user account/resource account organization? I know I need to link the permission to the user account and not on the disabled account in the resource forest, but I’m wondering what the cmdlet would use for the -User parameter. Thanks for any insight you can provide.


    Tom Bedell

  18. Elliot Brand says:


    We are running exchange 2007 and have rules set up for who can send to a couple of DG. The problem is that any user can expand the list and send an email to all of the individuals in that DG. Is there any way to shut this option off?

    Thank you,

    Elliot B

  19. Roy P says:

    Is there a way within Ex 2010 to allow people to create a new email and send to a DL
    Prevent people who receive that email from doing the annoying reply to all.

    I can’t really disable their reply to all option as that’s not workable.
    Teaching them to NOT use reply to all and only reply to the person who sent the original email doesn’t work with some of them either.

    So we end up with a swathe of emails going back and forth to everyone in the distribution list.

  20. Roy P says:

    No, believe it or not, Paul, it is actually an All Staff DL which goes out to the entire company, but the directors are very laid back about everyone having access to this and the constant reply to alls going to everyone. However as I.T we get moaned at about all these replies going back and forth from people who simply do not wish to see them and I can appreciate their point. It is quite embarrassing as well some of the comments they put in knowing the MD’s see these and don’t seem to mind.
    I did put in the Outlook 2010 mailtips with the ignore option to ignore the threads from filling your mailbox with the constant back and forth, but wondered if there is a discreet way of preventing them from simply replying to all on this All Users DL.
    You could say if the MDs are not bothered then why bother, but from a professional I.T perspective it is embarrassing as some of these threads turn to jokes etc that all members of staff see and go on and on. Basically just trying to discreetly keep the peace.
    I saw your thread here and have followed your tips over the last 10 yrs or so on various Ex projects and thought if one of the Exc MVPs doesn’t know then it can’t be done from a technical stance so we will just live with it.
    If it can’t be done that’s fair enough.

    • Ok, so you’re looking for a technology solution to solve a human behavior problem 🙂

      You’ve got a few options, none of which will be perfect.

      The first would be to restrict who can send to the DL. It seems like that won’t fly though, based on your comment above.

      The second would be to use moderation so that messages to the DL need to be manually approved. This will stifle responses quite a bit and may stop people abusing the list, but means anything urgent may get delayed, depending on how you configure it (moderation allows you to also specify users who are not subject to moderation).

      Another option may be to use a Transport Rule to detect any message with a subject starting with “Re:” that is going to that DL, and send it to a moderation queue. I imagine users will quickly work out how to get around this though 🙂

      Tough situation you’re in, especially if the bosses don’t care.

  21. Bhushan says:

    1. how can sender get notification if message is approved by moderators.

    2. what if message is ignored by moderators i.e. its not approved and not rejected.

  22. Abhishek says:

    Hi All,

    I am a little confused over one thing here and I don’t have a test environment to test this.

    A user has permission to send emails to a particular Distribution List (DL)- A , that distribution list has quite a few distribution lists as its members ( DLs B C and D are member of A) for which the user doesn’t have permission to send to.

    So, will he be able to send emails to “A” DL without getting a bounce back message ?

    Please let me know


  23. Aussupport says:

    HI Paul,

    Is there way to allow from trusted domains?

    i have set the “only allow messages from authenticated users”

    now network devices or applications cannot sending to the list. Also some of our other domains?


  24. Hello,

    I used your method to enable moderation on our distribution groups.
    When emails are sent from external addresses, they are moderated.
    But for the emails sent from internal addresses, moderation does not work and the emails are delivered directly.

    Showing the moderation parameters we have for distributions groups:
    BypassNestedModerationEnabled: False
    BypassModerationFromSendersOrMembers: {}
    ModerationEnabled: True
    SendModerationNotifications: Always

    Thank you for your help.


  25. Anil says:

    hi Paul,

    we have an urgent request here:
    1. Need to block an external email address coming to our Hybrid Exchange environment (on-premises and O365)
    2. However with an exception to allow the external email address to talk to only one person within our organisation.

    Please advise how to go about it


  26. Jon W says:

    Is there a way to allow external users to send to a distribution group but restrict internal users who can send to the group? I had the Require that all senders are authenticated NOT checked. I also added a list of users who could send to the group. As it turned out, only those internal users I specified could send to it. External users were not able to get to it.

      • Jon W says:

        I created transport rule on the HTP server that says:
        Apply rule to message
        sent to a member of ‘DistGroup@ourdomain.com’
        Delete the message without notifying anyone
        except when the message is from ‘me@ourdomain.com’ or ‘2nduser@ourdomain.com’
        or except when the message is from users that are ‘Outside the organization’.

        When I send a message to the group as me or 2nduser, it works. However, when I send from outside the organization from a Mindspring or Yahoo account, it never arrives. An NDR does not get sent back either.

        Any suggestions?

        • You chose “Delete the message without notifying anyone” so naturally there will be no NDR.

          Remove or change that action to notify the sender while you test your rule. You can also use message tracking log searches to try and work out what happened to the test emails.

  27. Jon W says:

    I found one problem with the Transport Rule I set up. The “sent to a member of the group” and “delete the message except when the message is from” really came back to bite me. What ended up happening was that the members of the groups and external users could e-mail to the members of those groups. All other internal members had their e-mails deleted with no NDR. So, we ended up missing two days of mail without realizing it since we could e-mail each other. BEWARE!!!! Read those transport rules through. They are VERY literal.

  28. Graeme C says:

    Hi Paul, I’ve set up moderation for a test group, and the mechanism works. The only thing I don’t see is the user warning in OWA and Outlook 2010 that the group is moderated. Have you seen this before? Is there anything I should check?

  29. Sahin Boluk says:

    Hi Paul,

    After you restrict a DL to only a few people, anyone that adds the DL to an email can expand the list and send to those users. Is there a way to restrict the expansion of certain DLs?

  30. Jeremy Steger says:

    Paul, We have email that goes through an antispam service and is then delivered to our network load balancer which is then delivered to our Exchange servers. We have the NLB set to TLS and externally secured in the hub transport.
    My thought is that since the NLB is delivering the mail and it’s considered an “authenticated” device that Exchange is processing the message as being from an “authenticated sender” and the mail is delivered to the DL.
    Have you experienced this anywhere? Your thoughts?
    I need to reject all senders if they are not internal. Moving forward we will only use the “domain.local” for the smtp only but I have hundreds of “domain.com” email addresses that are in use.

    • Yes that is what is happening and it is a common mistake when people use the same load balancer VIP for inbound SMTP as well as SMTP relay for internal apps/systems.

      Do you have enough public IPs so that you could NAT both your Transport servers, and have the antispam service configured with two equal-cost inbound routes (one to each public IP)? That would bypass the load balancer while still providing HA for inbound email.

      • Jeremy Steger says:

        Thanks for the quick reply Paul. I’ve asked our Network team if they can do anything about the F5 in this situation.

  31. Andy Bigsby says:

    Hi Paul,

    Have you ever see a Restricted Distribution group still get an email from a non-authorized person? I just had this happen yesterday and cannot figure it out how it got through? I did message tracking on it and the logs show it failed, however the 223 recipients in the restricted distribution group still received the email.

  32. Gary says:

    Hi Paul,
    I have one user who is able to receive emails sent to an All Staff Distribution Group but they are not able to send to it (they get the “don’t have permission to send” message when composing an email).

    Any ideas?

  33. Azeez says:

    Thanks a lot,
    I tried to add a user to those that can send mail to all staff from message delivery restriction.
    Then I select to receive mail only from the sender list and it works.
    I am grateful.

  34. Girish says:


    I have a DL. While sending mail to the DL the sender who is a member of the DL should not receive the email. Is this possible to achieve?


  35. Girish says:


    I have a DL. While sending mail to the DL the sender who is a member of the DL should not receive the email. Is this possible to achieve this scenario?


  36. Nu says:

    I’d like to restrict sending to a distribution list to a few internal users (easy) and our parent company’s domain (anybody@anotherdomain.com) Any help would be welcome


  37. Andy Bigsby says:


    Sorry I did not see your post…

    In the Exclaimer software for the signature policies:
    1. Go to Conditions Tab
    2. With the “The Recipient is someone” option checked, select the Inside or Outside and the condition box will appear
    3. At the bottom of the condition box, there is an option for a check box for “Expand Distribution Lists before checking conditions”. YOU WANT THIS UNCHECKED!

    I believe you need to restart the Transport Services for these settings to take effect. I recall rebooting our CAS/HUBS.

  38. Arrol Khoo says:

    Hi Paul,

    I’ve got a Mail enabled security group that I’ve migrated over from a 2003 Exchange server to a 2010 server, I’m trying to add a security group to the approved senders list (there are already security groups in that list from when it was configured in 2003 Exchange) however when searching for the list of possible users I can add, the security group doesn’t show up, I’ve made sure that the group is a universal security group but it still doesn’t come up in the search. Any ideas? Do you know if this is even possible? Any help would be greatly appreciated.


  39. david says:

    I have a DL with about ~2000 users under it. I have message size restriction set fairly small to avoid abuse but I would like to make an exception for a few VIP types and their admins to send to this DL with a larger size email not necessarily as an attachment. Is this doable in transports rules? What would the rule start/look like. It’s a mixed exchange 2010-2013 environment.

  40. Ingo Hatalla says:

    Hi there,

    I am having kind of the opposite problem. External mails still get through to distribution lists, although the “Require that all senders are authenticated” option is enabled.

    The SMTP connector does not require any authentication as we have some systems which need to be able to send mails without authentication, I guess this is the problem.

    Is it possible to have a SMTP connector without authentication but have exchange 2010 to only accept mail from domain users?


    • The auth setting on the connector isn’t necessarily the problem, because anonymous senders are treated differently to authenticated senders. It really depends on the overall receive connector settings you’ve got in place, and whether the external email is hitting Exchange directly, or whether it’s hitting a smart host or load balancer first (a common misconfiguration is configuring a connector that considers the inbound smart host IP address “authenticated” and therefore any email appears to be from an authenticated sender).

      If you have internal systems that need relay access then you can configure a separate receive connector for those to use:

  41. Ingo Hatalla says:

    Hi Paul,

    thanks for the quick reply.
    The external mails are hitting a smarthost (linux machine with postfix) and not the exchange server itself, so your guess about the misconfigured connector, considering the smarthost as authenticated is quite likely.

    I will have a look at the configuration and your link for the relay connector setup and might get back to you.


  42. Sanjeev Kumar says:

    Let’s suppose X user is added in XY DL, and someone sent an email to XY DL as well as X; in this case the user will get two emails. I want the user to get only one email. Is that possible in Exchange?

  43. Bid says:

    Hi Paul,

    We run Exchange 2010 SP3 and two methods described above were used for a particular group. We however discovered that users are still able to send to the restricted group. Moderation set did not also work. This does not happen all the time though. I was just wondering if there has been any report of bugs on these settings and what we can probably do to prevent further embarrassment.

    Thank you

    • I don’t know of any bugs relating to these features. Hard to say any more without being able to see the case first hand. It would be worthwhile making sure you’re installed to the latest Rollup Update.

  44. Mase Pro says:

    Hi Paul,

    How can I allow only a specific external domain to email our distribution list (Mail Non-Universal Group)?

    I have the “required that all senders are authenticated” enabled but will prefer to allow a domain not just a list of email users.

    Thank you

  45. Fazli says:

    Hi Paul,

    I am facing the problem below.

    1. Send an email (Outlook calendar) to a few groups (min 5 groups). Each group has min 3-4 email IDs.
    2. Got error ” Delivery has failed to these recipients or groups: ”
    Ali (ali@abc.net)
    The server has tried to deliver this message, without success, and has stopped trying. Please try sending this message again. If the problem continues contact your help desk.

    As a new Exchange administrator, what should I do on my server?

    please help. Thanks.

  46. Nisar Ahmad says:

    Hi Paul,

    Getting error from one sender domain:

    You aren’t authorized to send to this recipient.
    550 5.7.1 Requested action not taken: message refused

    Please help in this regard,


  47. winsun2003 says:

    I have a user who is unable to send email with error X-Supplementary-Info: < #5.7.1 smtp;550 5.7.1 RESOLVER.RST.NotAuthorized;. I checked and found that the DL user is sending is a nested DL and have many Sub DLs added as a members. Could you please suggest a way to give permission to user at once in all sub-members of the DL or I have to give permission on them one by one.

  48. Yehuda says:

    I have a very specific scenario I need your assistance with.
    I have a small group of users for which I need to do the following:

    1) to prevent them finding any other user addresses, so when they search the GAL they can find only the users who belong to that group.
    2) restrict them from sending e-mail only between each other but to no one else inside or outside the org.
    Is it possible?

    I have EX 2010

    thank you in advance

  49. Yehuda says:

    Great, I will look into it.
    Your articles tips and info here is being very helpful to me, makes my job easier.

    thank you for all that.
