I frequently see questions about how to restrict users on the network from being able to send emails to external recipients.
I wrote an article on the subject about four years ago, though it deals with one specific scenario of “deny most, allow some”. Even though it was written when Exchange Server 2007 was the latest version, it still demonstrates how Transport Rules can be used to achieve various restrictions on what email senders can do.
In this article I will specifically answer the question of how to restrict a small number of specific users from being able to send emails to recipients outside of the organization.
The first step in this method is to create a distribution group. The members of this group will be the users who are restricted from sending external emails. It does not need to be a security group, but it does need to be universal in scope.
Next, create a new Transport Rule with the following configuration.
Conditions:
- From a member of a distribution list (and choose the distribution group you created above)
- Sent to users that are inside or outside of the organization, or partners (and choose “Outside”)
Actions:
- Send rejection message to sender with enhanced status code (I set the status code to 5.7.1 and configure a message such as “You are not authorized to send email to recipients outside of this organization”)
Exceptions: (optional)
- Except when a recipient’s address matches text patterns (and add any domain names or email addresses they should still be allowed to send to)
After the new rule has taken effect, the members of that distribution group will not be able to send to external recipients, whether they use the To, CC, or BCC fields to do so. They will still be able to send to the domains or email addresses you configure as exceptions to the rule. Even if a message includes other recipients that get blocked, the permitted ones will still receive the email.
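The same group and rule can be created from the Exchange Management Shell. This is an added example, not code from the original article; it assumes Exchange Server 2010 or later, and the group name, rule name, user addresses and exception domains are placeholders.

```powershell
# Added example: restrict members of one distribution group from sending
# to external recipients. Run in the Exchange Management Shell.
# Every name, address and domain below is a constructed placeholder.

$groupName  = 'Restricted - No External Email'              # hypothetical group name
$ruleName   = 'Block external email for restricted users'   # hypothetical rule name
$restricted = 'alice@contoso.example', 'bob@contoso.example'

# Exception patterns are regular expressions tested against recipient addresses.
# Anchor them so 'partner.example' does not also match 'partner.example.evil.test'.
$allowed    = '@partner\.example$', '^payroll@vendor\.example$'

# Step 1: the distribution group. New-DistributionGroup always creates a
# universal group; -Type Distribution means it is not a security group.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Distribution | Out-Null
}

# Add only the users who are not already members, so the script can be re-run.
$current = Get-DistributionGroupMember -Identity $groupName |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() }
foreach ($user in $restricted) {
    if ($current -notcontains $user) {
        Add-DistributionGroupMember -Identity $groupName -Member $user
    }
}

# Step 2: the transport rule, with the condition, action and exception
# described in the article.
$ruleParams = @{
    Name                                         = $ruleName
    FromMemberOf                                 = $groupName
    SentToScope                                  = 'NotInOrganization'
    RejectMessageEnhancedStatusCode              = '5.7.1'
    RejectMessageReasonText                      = 'You are not authorized to send email to recipients outside of this organization'
    ExceptIfAnyOfRecipientAddressMatchesPatterns = $allowed
}
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Transport rule '$ruleName' already exists; leaving it unchanged."
} else {
    New-TransportRule @ruleParams | Out-Null
}

# Step 3: review what was created before telling users the restriction is live.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromMemberOf, SentToScope,
        RejectMessageEnhancedStatusCode, RejectMessageReasonText,
        ExceptIfAnyOfRecipientAddressMatchesPatterns
Get-DistributionGroupMember -Identity $groupName |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```

Before relying on the exception list, send a test message from a restricted user addressed to both a permitted and a non-permitted external recipient and confirm which copies are delivered. Group membership changes may not be picked up by the transport service immediately, so repeat the test after adding or removing a member.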
Hi Paul,
Great article. My company is using Exchange 2010 and I have a queuing problem for my domain's outgoing emails on the “SmartHostConnectorDelivery”. From the queue view, it seems to be because I have two user mailboxes sending the same emails repeatedly. Every morning when I check, these two mailboxes each have over 1000 emails of the same size in the queue that need to be cleaned up.
I think they are spam mails but don’t know how to configure the server to prevent the two mailboxes from flooding the send connector with the same email or sending the same mail repeatedly.
Thanks
Joseph
I’m looking to create an inbox rule using Exchange Management Shell. What is the switch for “Sent from Outside the organization”?
In an on-premises Exchange, where can we do this procedure?
Greetings
Paul, I am looking to find a way to restrict every user inside my Exchange organization from sending mass emails externally. For example if anyone sends an email to more than 100 recipients gets. Is there a way to do that?
Google for “RestrictExtRecips for Outlook” and “RestrictExtRecips for Exchange”
Hi Paul.
In my company we have a situation that I’m trying to figure out how to solve. I already looked everywhere and I still couldn’t find any acceptable solution, and maybe you could help me with this.
We have a lot of distribution groups here and sometimes a user sends an email to all the distribution groups, generating huge email traffic.
What I want to know is if there is any way that when somebody tries to send an email to a number of recipients greater than a specific number, this email is held until somebody in our IT Department approves.
Do you know if this is possible?
Thanks.
I have a user who is unable to send email externally. Internal mail is working fine. The user is just unable to send to external IDs. There is no bounce back message error. How can I identify the error?
Paul
Is it possible to replicate the same rule for o365 tenant?
Currently I have a similar set up as described for 2007 above, with the following criteria:
If the message:
Is sent “Outside the organization”
and is received from “auser@mydomain.com”
Do the following:
Reject the message with explanation
“You can only send external mail to @external.com” with status code ‘5.7.1’
Except if:
recipient address matches these patterns:
‘external.com’ or ‘anotherexternal.com’
The TO function works as expected. However, if the TO has external.com, and the CC or BCC has an otherwise prohibited domain, the email still goes out.
Is it possible to only allow external.com, and deny anything else, regardless of whether To, CC or BCC in o365?
From my testing, yes the email still goes out to the allowed recipient, but the email is still blocked for the disallowed recipients.
Paul,
I’m looking for a way to “deny” reply all to members of a distro group. I know this can be accomplished from the delivery management. However with delivery management only the allowed user is able to reply all or send a message to the distro. I need to be able to allow the recipients to send messages to the distro.
I’ll appreciate any thoughts you may have.
I need help. After turning on the Transport Rule to deny sending email, we have noticed Out-of-Office messages are not working during the period when sending is denied. We need to be able to deny sending emails and at the same time, unable automatic-out-of-office notification. The deny sending email rule is only turned on for a few days for business reasons. Please help. Thanks.
Add an exception to the rule for out of office messages. A subject line match would probably do the trick.
A very useful article. I just had a bit of difficulty in finding out how to create the Transport Rule until I found it under the Mail Flow menu item.
Thanks, Paul, for your explanations.
Is it possible to restrict rule-based usergroup-specific mail forwarding to external recipients?
Regards,
Guenther
Hello Team, I need help on this.
We have Exchange Server 2003, and one of the users keeps sending emails to unwanted IDs.
How do I restrict these emails?
Tarun
Please, I need help.
I have Exchange 2010, and I get spam mails sent to specific users; some of them exist and others were among my users and have been deleted. So I need help with how to create a transport rule to delete the message itself (so it doesn’t reach any of the recipients it was sent to) if one of the recipients is ………
Thank You
Mohamed Mahmoud
Hi Paul
GREAT ARTICLE!! I’m tempted to try this but looks like I may get myself in trouble if I implement this for what I need. I searched and searched but no one can offer this particular solution to my problem.
I have a customer with Exchange 2007; there are 4 domains in the “accepted domains” and only 1 send connector. Please forgive me if some configurations sound nuts, I inherited this customer due to the other IT Company dropping the ball. We have them now…
Out of all 4 domains, we realized they are being spoofed and hundreds of emails are leaving this firm and hitting other recipients. People are complaining… If there was a way to STOP the sending of emails from these three domains (just sending because they still receive emails which are forwarded to the 4th domain that’s in good standing) and keep the 1 live, that would be the solution of the century for me. Any thoughts??
Are the spoofed emails originating from your server? Normally they are sent by spammers using compromised servers and PCs on the internet. If the emails are actually going from your server that’s not really spoofing, that’s more like your server has been compromised or is allowing open relay.
Hi Paul
Thank you for your response. So much appreciated Sir. I really don’t know and I’m in a tough place. Have to try and figure this out by the time they come back to work on Monday. Sorry that I’m exploring this out on Thanksgiving-eve…
As far as we know, recipients are receiving emails (like 100-300) from this organization (my customer’s domain) and my first approach was to disable 3 of the 4 domains’ SMTP policy within Exchange. Can this be done? Never ever had to do this with anyone.
I’m open for your thoughts. Been following your threads for a while and know you have great solutions.
Thank you 0:-))
You really need to determine whether your server is the source of the messages or not. If someone is complaining to you, get them to attach (not forward) a copy of one or two of the messages and send them to you. Look at the message headers (use mxtoolbox or the exrca.com header analyzer) to see where they are originating from.
If the messages are originating from the server, then you need to do further investigation to work out how they are being sent. There are online tools (again, mxtoolbox is one of them) that can test your server to see if it’s an open relay. Or you can run message tracking log searches to trace the source of the messages.
If the messages aren’t originating from your server, they’re likely being sent by spammers on the internet who are spoofing your domains. In that case, you should look at implementing SPF records for your domain.
There’s no point panicking and making changes (like trying to disable domains) without understanding the root cause of the problem first. Investigate properly, find the problem, and take sensible steps to implement a solution.
OK, I have SPF records on many accounts, I can try SPF first then update you. Thank you Paul for always ALWAYS highlighting specific details.
Do you have any recommendations on an SPF record format? I have several that I use for IP and MX, etc… example:
“v=spf1 a ip4:25.87.164.32 include:mydomainname.com ~all”
That’s just an example. Thank you
Yes.
https://www.practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/
Hi Paul
THANK YOU again!! This site: https://www.practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators, was VERY helpful. I created the SPF records on all the DNS zone files. I’ll see what tomorrow holds. If the customer does not receive any complaints, looks like we pinned it. If their clients are still getting hundreds of emails from their domain, I have to change the approach.
George
Paul
It worked!! I called the customer and no one has complained at all – no one received a spoof or spam email from my customer’s email domain. That was a very nice site and very informative for building and creating an SPF record.
Thank you Paul!!
Hello Paul
Sorry, it’s an old thread, but I have one question regarding the above topic. Exchange 2007.
I want my users to not send mails to invalid domains (internal and external).
I am trying to create a transport rule like this:
Apply rule to messages when “message header” contains “specific words”
Case 1- Mails are blocked and NDR thrown to sender when
Message header= to
Specific words = full email address of the invalid recipient
Case 2- Mails not blocked when
Specific words = @domain name , *@domain name
Why does it accept the email address but not the domain name? I have many such invalid domain names to which my users are sending mails.
Regards
Brindha
Hi Paul,
Please ignore my previous inquiry as I resolved already. Thanks
Hi Paul, I would like to check if there is any other possible way to perform the same for inbound emails.
External users –> internal users = blocked
External users –> Distribution group –> internal users = allowed
I understand transport rules process rules on the message by inspecting the headers or envelope.
What have you tried so far?
Hi Paul,
Good day! I tried this rule in Exchange 2013 but cannot find it. Would you be able to share, please?
Thanks
Hi Paul,
Can we do some customization like, if the sender is sending emails to a particular domain like ‘user@gmail.com’, he cannot send it unless he copies someone in the parent organization like ‘user@myorg.com’?
Maybe. Take a look at the conditions and actions in transport rules and see if you can construct a rule that does that. Or, you could use moderated transport so that when that person sends to the particular domain a moderator has to approve the message.
Hi
Is there a way to drop an email sent to an address that doesn’t exist in AD, from a rule in Exchange 2010?
This email is used by an application for room reservation; when we validate an invitation, there is an NDR, because this address doesn’t exist.
Thanks for your help
I am curious about something. We have a vendor that has changed companies. We realize that many people have her old email address in Outlook. We have asked people to not email the old address but to email her new one. Apparently not everyone is paying attention. Is there a way in Exchange that I can either block the old email address of the vendor so my staff cannot send to it, or redirect emails my staff sends to that old address to this vendor’s new address?
Thank you!
I have installed the Exchange 2016 preview. Able to log in successfully on mobile device and OWA. But not able to send emails either to the same user or a different user.
Dear Paul, I want to block mails from other domains to a particular group in my org. The members of the particular group should receive only internal mails. Is it possible? Please help.
Yes it’s possible. Here you go:
https://www.practical365.com/restrict-distribution-group-exchange-server-2010/
Could this apply company-wide to prevent ANY emails to a specific domain (i.e. #abc.com) with the exception of a single email address (only allowed to send to support@abc.com)?
Transport rules can have many different conditions, and they can have many different exceptions.
If you launch the new transport rule wizard you will be able to examine the conditions and exceptions to suit your scenario.
Thanks Paul,
Please can you help with some syntax to go about it and point me to the right direction to help in accomplishing this?
Thanks
Marks
Hi, I am wondering if someone can help… I am looking to restrict some sets (about 200) of distribution groups from sending externally, but I don’t want to set up an individual transport rule, rather one rule to deny these distribution groups. It will include To, CC, BC too, and it is in MS Exchange 2010.
Any idea will be well appreciated.
Thanks
If you don’t want to enter 200 group names manually then you would need to write a PowerShell script to do it.
Hi Paul,
Nice article, I’ve used this method for a while, but have just hit the 8k transport rule limit so can’t add any additional domains.
Do you know a way around this?
Thanks
Jay
Start consolidating or removing some rules I guess.
Is there a way to restrict sending to multiple external domains from the same email? ie, sending to @a.com would be fine, sending to @b.com would be fine, but sending to both @a.com and @b.com from the same email would trigger a rule.
Transport Rules are very flexible, you can set multiple conditions and exceptions. I encourage you to work through the new transport rules wizard and find the combination that suits your needs.
Alternative end point solutions are available that ask users to confirm external recipients. Some products that do this are SafeSend and SperrySoftware.
I have a situation where I want to block emails being sent to external addresses on the condition that the email is sent from a particular internal server.
We have a test server for an app we are developing and want to allow the server to relay through Exchange for internal email (for testing). But we want to restrict the test server from emailing outside of our organisation.
Is this possible?
Yes you can do that, within the Transport rules, the rule would be similar to this,
Apply this rule if…
The recipient is located… Outside of the organization
and
the sender is this person… “service account AD account name/Email address” (you can also use the sender is a member of, if you have a distro group set up)
Do the following…
Block the message… Delete the message without notifying anyone
Save it, restart your service, or do a dirsync if you’re in the cloud, and all external emails will be blocked for that user or group. If you want to know if it is trying to send outside, see below.
Click add action and choose
Redirect the message to… these recipients and pick an account to send it to.
Hope this was helpful.
Thanks for your reply.
So the rule should work the same as the article as long as I put the AD Computer Account in the distro group?
I will try it out and post back my results.
This question isn’t about a transport rule per se, nor am I an administrator… Our company is implementing a policy that we should notify IT before (or at the same time as) sending any email outside the organization. They won’t block the email, they just want to be notified about it and add it to some report they will publish.
Trying to play along, I’d like to create a local rule on my personal Outlook account that effectively “warns” me each time I try to send an email outside the organization, i.e. as (or after) I send an email outside the company I receive a reminder such as follows: “The recipient of this email is outside the company. Remember to notify IT about the recipient.”
I’ve cobbled a rule together that works for recipients INSIDE the company, but can’t figure out how to write a rule for EVERYONE BUT INSIDE the company.
Thoughts, solutions or suggestions?
LOL! My thoughts are that this is one of the most ridiculous IT policies I have ever heard of. I can barely believe your IT department is putting this burden on you.
A solution is for your IT department to use the tools at their disposal to extract data from email logs to produce their report.
My suggestion to you is to tell them to do their job and not bother you with rubbish like this 🙂
I’d love to know what provoked this idea to come to fruition.
I’m with you…
I agree this situation sounds absurd, but if you knew the WHOLE background you might have a little more compassion (grin). I’ll try to be brief… I work in Shanghai for a Chinese financial institution with multiple sub-entities. In total there are over 100,000 employees working on multiple different platforms all over the country. Outlook is by no means a standard. Our subsidiary has about 8,000 employees, only some of whom use Outlook.
Amid China’s urgent anti-corruption efforts (a good thing) the Chinese Government has decreed some immediate high-level requirements – announced in our company yesterday, effective today – to avoid inappropriate sharing of info with outside entities. For now there is no limitation as to WHO you can send to (and hopefully there won’t be – in our situation that would be REALLY ridiculous!), just a requirement to track external recipients in the event some case of corruption is discovered in the future. Per requirements I’ve already provided a list of domains I’m likely to send to, but there will always be unexpected recipients.
As governments do, there is little regard for how easy these (wacky?) requirements can be accomplished. No doubt IT will find a satisfactory solution and implement it in time, but I’m still burdened with abiding by the rules starting today. In the end it is each employee’s responsibility – I’m just trying to find a way to help me avoid accidentally forgetting to update the list after I send an email to a person or domain not originally on the list.
So to summarize and restate, my end user requirement (regardless of how crazy) is to create a local rule on my personal Outlook account that “warns” me each time I try to send an email outside the organization, providing a reminder such as “The recipient of this email is outside the company. Remember to notify IT about the recipient.”
If I can just figure out how to filter out non-inhouse domains, I “think” I can write a rule to send a copy of only those emails to a special folder, then another rule that alerts me every time that folder receives a new email. Could it be that simple? If so, question is how to filter out non-inhouse domains….
Whew…
Is there a PowerShell command that will hide all distro groups within the GAL or deny the sending to all Distribution Groups from 1 Distribution group?
In other words, I have 1 Distribution group, that I do not want to be able to send to any other Distribution groups, nor do I want them to see Distribution Groups within the GAL.
Thanks
You can use transport rules to create ethical walls between DLs.
GAL visibility is a different matter. You would probably need to use Address Book Policies to achieve what you’re asking for there.
I have set this transport rule. But the thing is, if I give an individual email ID, the mail gets blocked for that user to external domains immediately when I click apply for the rule settings. But if I do this for a distribution group, it does not apply this rule and I didn’t get any bounced mail. Mail gets delivered successfully.
So is the delay you talk about for applying the rule to a distribution group, but not for an individual ID?
I got it. It’s the same 4 hrs frequency applied even for the first time when we add any user to a distribution group.
Only individual mail ID rules are applied instantly.
Thanks..
Yes, I believe transport services do some caching of group membership for a few hours to reduce load on domain controllers from too many group lookups.
Hi,
To elaborate further, it does not meet my requirement because from what I have tested,
this text pattern exception will allow the email to go thru when there are multiple recipients, and one of them is permitted.
Thank you.
I agree with Nick…
The user can simply CC themselves and send to any external recipient. The rule doesn’t trigger because one of the “users” is internal, so pretty easy to get around.
Thanks.
Hi Paul,
Thanks for sharing. However I am having the same problem as Tom, I couldn’t find the “Except when a recipient’s address matches text patterns option” in my Exchange 2007 Version: 08.03.0298.001.
I want to restrict a user to send email to certain email address only.
I’m currently using “except when a text pattern (xxx@xxx.com) appear in a message header (TO)” but it doesn’t perfectly meet my requirement.
Appreciate if any help can be provided.
Maybe if it is just a few users, set the delivery option for maximum number of recipients to zero.
Dear Paul,
Is it possible to deny permission to send outside the organization for a user who is not the owner of the mailbox but has ‘Send As’ permission?
We have a transport rule to deny permission to send out for users in a specific group, but if a user has ‘Send As’ permission for a mailbox whose owner isn’t in the group, he can send out from this shared mailbox, and we want to avoid this situation.
Thanks for any suggestions!
Not possible as far as I know.
Send As is a powerful right that you grant to somebody. If you can’t trust them with it then don’t grant it to them.
Thanks Paul,
but it is not a problem of trusting or not trusting a user, but just of being aligned with an organization policy. The annoying thing is that in 2003 (before migration to 2010) the ‘delivery restriction’ setting in the SMTP connector did exactly what we wanted: the delivery restriction denied all except those in a security group. With this configuration only the users in the group can send (with ‘Send As’ permission) outside from a mailbox they do not own.
My guess is that in Exchange 2003 the ‘SMTP delivery restriction’ looked at permissions not only for the owner of the mailbox but also the ‘Send As’ or ‘on behalf of’ user permissions.
This behaviour changed in 2007/2010 with transport rules, but there is no technical explanation of this change in Microsoft documentation.
Thanks for sharing this, Paul. Any links or pointers that you can share, to add custom rules via C# or something, would be helpful. Am looking to create a new custom rule that looks for specific patterns in the to and from email addresses.
Thanks
VC
The “Except when a recipient’s address matches text patterns” option is not available in Exchange 2007. Is there any option to add this in Exchange 2007?
Hey Paul,
is it possible to get the PowerShell command for that? We wanna deny one user in one specified org to send emails.
Greetings Oliver
Paul
That was very useful as I am now able to configure and edit the transport hub effectively.
But I am now looking to configure the relay to restrict/allow mail from my code but I am getting the following error:
I get this error message: ‘Mailbox unavailable. The server response was: 5.7.1 Unable to relay’
Brent
I’m new here.
I want my DL of Exchange users sending to a specific domain.
e.g. I want some DL to allow “*@abc.com” “*@123.com”
With my regards,
T.Han
Have you found the answer?
Hi Paul,
I have the rule and want to add 200 members to restrict sending emails to the internet. Instead of adding users I am planning to add one security group and merge it into the existing group which is being used by the transport rule for external email blocking.
Please advise what happens if we add groups in the TR instead of users. Will the TR take time to process the action?
Forgive my denseness, but is there a way to set a user up so that they can only send emails to one specific external domain?
We have students from an external organisation who need to send timesheets back to their host employer. I have currently got one of our email address for them to use but I don’t want them to be able to send anywhere else other than anyone at “blah.com”.
Is there an easy way to do this?
Transport rules should allow you to do this. Each rule has a criteria, action, and exceptions. So the criteria would be “From user X” (or a group), action would be “Reject” or similar, and exceptions would be “Unless recipient is in domain Y”.
I’m only vaguely describing it there, but if you explore the New Transport Rule wizard and do some testing you’ll see what I mean.
Hi Paul,
Is it possible to limit the “Maximum number of recipients” only on outgoing mails, but not for internal mails?
Thank you
Jörg
Paul
Great article. I only wanted a specific user to be able to send internal emails. I followed your instructions to the T and they worked perfectly; however, I have now removed the specific user from the distribution group (only user in the group) but it still blocks any outgoing emails. I have logged the user off and on again, restarted the PC, re-added a dummy account to the distribution group, logged the user off and on again and waited for a couple of hours, and it’s still being blocked.
Is there a period of time for how long it takes to update all the setting in Exchange 2010 SP2 and 2008 R2 AD when removing users from distribution groups?
Also for another user is it possible to block specific email address and domains.
Thanks
Trevor
Yes there is a delay, I believe up to 4 hours, for changes like this to kick in. Hopefully by now your change has worked 🙂
Thanks for the reply and yes, all is working as normal after the 4hrs. Not sure if it’s possible to lower the refresh time from 4hrs to 5mins.
Thanks
Trevor
In order for changes to take effect immediately, you must restart the Microsoft Exchange Transport service under services.msc where you have the Exchange server running. You should see the change take effect after the service finishes restarting.
Paul,
Why does Exchange Online accept SMTP connections on port 25? This can be used for spoofing and yes, we can spoof any email address using this port just by a telnet session. Is there a way in Office 365 to block port 25 for incoming?
SMTP uses port 25, and that’s how two email servers talk to each other. If you could block port 25 no email would work at all.
Hi Paul,
How can I configure it in 2007? The “Except when a recipient’s address matches text patterns” option is not available in Exchange 2007. Is there any option to add this in Exchange 2007?
Because the same users are able to send mails to the external world if they put it in CC or BCC.