Mail Flow Rules (Transport Rules) in Exchange Online
Mail flow rules (transport rules) in Exchange Online allow administrators to inspect and take action on email messages as they pass through the Exchange Online organization. These rules are extremely powerful for enforcing compliance, security, and custom business logic.
In Microsoft 365, mail flow rules (or transport rules) work hand-in-hand with Exchange Online Protection (EOP) to create a comprehensive email security strategy.
Think of EOP as the automated, frontline defense. It's the core engine that scans every email for spam, malware, and phishing threats, assigning a Spam Confidence Level (SCL) to determine if a message is malicious. EOP's anti-spam policies then take action based on this score, such as moving an email to Junk, quarantining it, or blocking it entirely.
What Are Mail Flow Rules?
Mail flow rules (also called transport rules) are a set of conditions, exceptions, and actions applied to messages as they flow through the transport pipeline.
They operate at the organizational level and apply to all messages processed by Exchange Online.
Mail flow rules act as a powerful customization layer on top of this foundation. They allow administrators to manually fine-tune email handling for their organization's specific needs. Instead of relying solely on EOP's judgment, you can create rules to:
- Override Spam Filtering: Set a low SCL for emails from trusted partners or newsletters to ensure they are never marked as spam and always reach the inbox.
- Proactively Block Threats: Target emerging threats by setting a high SCL for emails containing specific keywords or coming from suspicious domains, ensuring they are immediately quarantined or rejected.
- Apply Custom Actions: Go beyond standard filtering by redirecting sensitive messages to a compliance officer, adding a warning banner to external emails, or notifying the security team when a specific type of threat is detected.
In short, EOP provides the broad, intelligent security, while mail flow rules provide the granular, surgical control needed to perfect your organization's email defense.
Core Components of a Rule:
- Conditions – Define when the rule applies. Examples:
  - Sender is outside the organization
  - Subject contains specific keywords
  - Message has an attachment
- Exceptions – Define when the rule should not apply. Example:
  - Skip if the recipient is in the executive group
- Actions – What to do if conditions are met. Examples:
  - Prepend a warning to the subject
  - Redirect the message
  - Block the message
Step-by-Step: How to Create a Mail Flow Rule
📍 Via Microsoft 365 Admin Center:
- Go to: https://admin.exchange.microsoft.com
- Navigate to Mail Flow > Rules
- Click “+ Add a rule”
- Select a rule template or create a new rule
- Give your rule a name
- Set:
  - Conditions (e.g., “If the sender is external”)
  - Actions (e.g., “Add a disclaimer”)
  - Exceptions (optional)
- Configure additional options:
  - Audit this rule with severity level
  - Stop processing more rules
- Click Save
Test Case | Expected Result
--- | ---
Send from internal to external | Disclaimer is appended
Send internally | Disclaimer is NOT appended
Send encrypted message | Message is wrapped with disclaimer
Send from service account | Same behavior as regular users
PowerShell script to create a Mail Flow Rule in Exchange Online that adds a disclaimer with a fallback action
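The following is an added example, not the page's own script, of a rule that matches the test table above: an appended HTML disclaimer on outbound mail with the Wrap fallback for mail whose body cannot be modified. It assumes the ExchangeOnlineManagement module is installed, and the UPN, rule name, marker header and disclaimer text are placeholders.

```powershell
# Added example, not the original page's script: creates the outbound
# disclaimer rule exercised by the test table above. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# holds the Transport Rules role. UPN, rule name and text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$ruleName = "Outbound legal disclaimer"

# Disclaimer body (HTML is accepted; plain text works as well).
$disclaimer = @"
<p style="font-family:Arial;font-size:10pt;color:#555555;">
This message and any attachments are confidential and intended solely for
the addressee. If you received it in error, notify the sender and delete it.
</p>
"@

# Splatting keeps the rule readable and lets each setting carry a comment.
$rule = @{
    Name     = $ruleName
    Comments = "Appends the legal footer to mail leaving the organization."
    # Conditions: authenticated internal sender, at least one external recipient.
    FromScope   = "InOrganization"
    SentToScope = "NotInOrganization"
    # Exception: skip mail that already carries our marker header, so a
    # message that loops back through the tenant is not stamped twice.
    ExceptIfHeaderContainsMessageHeader = "X-Disclaimer-Applied"
    ExceptIfHeaderContainsWords         = "true"
    # Actions: append the footer; when the body cannot be modified (signed or
    # encrypted mail) Wrap delivers the original as an attachment of a new
    # message that carries the disclaimer. Alternatives: Ignore, Reject.
    ApplyHtmlDisclaimerLocation       = "Append"
    ApplyHtmlDisclaimerText           = $disclaimer
    ApplyHtmlDisclaimerFallbackAction = "Wrap"
    SetHeaderName  = "X-Disclaimer-Applied"
    SetHeaderValue = "true"
    # Audit entries show up in message trace; set Mode to "Audit" to trial
    # the rule without changing any mail.
    SetAuditSeverity = "Low"
    Mode    = "Enforce"
    Enabled = $true
}

if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; nothing created."
}
else {
    New-TransportRule @rule
    Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode
}
```

Run the four test-table cases after creation and check the message trace for the rule's audit entry on each; the encrypted-message case should arrive as a wrapper message with the original attached.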
Top Use Cases for Transport Rules in Exchange Online:
1. Add Disclaimers / Legal Footers
Use case: Add legal, confidentiality, or branding disclaimers to outbound emails.
✅ Example Rule:
- Add a disclaimer to all outbound emails from internal users.
2. Block External Emails to Certain Groups
Use case: Prevent external senders from emailing sensitive distribution lists (e.g., Executives, HR, Finance).
✅ Example Rule:
- If the sender is outside the organization AND the recipient is “HR Distribution List,” then reject the message with a custom error.
3. Encrypt Messages Based on Keywords
Use case: Automatically apply Microsoft Purview Message Encryption when users email sensitive information.
✅ Example Rule:
- If the subject or body contains “SSN” or “Confidential,” then apply Office 365 Message Encryption (OME).
4. Prevent Accidental Data Leakage
Use case: Detect and block PII, PCI, or HIPAA-related terms being sent externally.
✅ Example Rule:
- If a credit card number is detected and the destination is outside the org, block the message or notify the compliance team.
5. Redirect Emails
Use case: Forward certain emails to compliance officers or archive mailboxes.
✅ Example Rule:
- If an email is sent to “CEO” and contains the word “urgent,” forward a copy to the CISO.
6. Add Sensitivity Warnings
Use case: Warn users if they’re about to send sensitive data externally.
✅ Example Rule:
- Display a warning: “This email contains attachments and is being sent externally.”
7. Delay Email Delivery
Use case: Introduce a delay to allow cancellation for risky user groups.
✅ Example Rule:
- Delay delivery by 5 minutes for finance team emails with attachments to external users.
8. Monitor or BCC Emails
Use case: Automatically BCC certain emails for legal/compliance purposes.
✅ Example Rule:
- BCC all outbound messages from interns or contractors.
9. Reject Spoofed Emails
Use case: Prevent emails claiming to come from internal domains but sent externally (spoofing protection).
✅ Example Rule:
- If the sender domain is yourdomain.com but the message was not sent from an authenticated IP, reject the email.
10. Apply Sensitivity Labels or Headers
Use case: Mark certain emails as “Confidential” or “Classified” based on content.
✅ Example Rule:
- Add a custom X-header to all emails containing internal project code names.
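As an added example (not the page's own code), use cases 2, 9 and 10 above expressed as New-TransportRule calls; the distribution list address, domain, IP range, code name and header name are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original page: use cases 2, 9 and 10 as
# transport rules. DL address, domain, IP range and code name are placeholders.
# Assumes Connect-ExchangeOnline has already been run.

# Use case 2: external senders cannot mail the HR distribution list.
$blockExternalToHr = @{
    Name      = "Block external mail to HR DL"
    FromScope = "NotInOrganization"            # sender is not authenticated as internal
    SentTo    = "hr-all@contoso.example"       # placeholder DL address
    RejectMessageReasonText         = "External mail to this list is not accepted."
    RejectMessageEnhancedStatusCode = "5.7.1"
    StopRuleProcessing = $true                 # no later rule should act on a rejected message
}
New-TransportRule @blockExternalToHr

# Use case 9: reject mail that claims the internal domain but did not arrive
# from the organization's own authorised sending IPs. Exceptions are ORed:
# either genuine internal mail or mail from the trusted relay range is skipped.
$rejectSpoofed = @{
    Name                  = "Reject spoofed internal domain"
    SenderDomainIs        = "contoso.example"        # placeholder domain
    SenderAddressLocation = "HeaderOrEnvelope"       # check both MAIL FROM and From:
    ExceptIfFromScope     = "InOrganization"
    ExceptIfSenderIpRanges = @("203.0.113.0/24")    # placeholder trusted relay range
    RejectMessageReasonText         = "Message rejected: sender domain spoofing."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode = "Audit"   # review message trace for false positives before switching to Enforce
}
New-TransportRule @rejectSpoofed

# Use case 10: stamp an X-header when a project code name appears, so
# downstream rules, DLP or the SIEM can key on it.
$tagProject = @{
    Name = "Tag Project Falcon mail"
    SubjectOrBodyContainsWords = @("Project Falcon")   # placeholder code name
    SetHeaderName    = "X-Contoso-Project"
    SetHeaderValue   = "falcon"
    SetAuditSeverity = "Medium"
}
New-TransportRule @tagProject

# Confirm priority order; lower numbers run first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode
```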
PowerShell sample:
Please try the use cases below:
Example 1: Block messages with attachments, and notify the sender
Example 2: Notify intended recipients when an inbound message is blocked
Example 3: Modify the subject line for notifications
Example 4: Apply a rule with a time limit
Example 5: Block messages based on attachment file extension
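Examples 1, 4 and 5 from the list above, written out as an added example rather than the page's own sample; the dates, mailbox address and extension list are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the original page: Examples 1, 4 and 5 above as
# New-TransportRule calls. Dates, mailbox and extension list are placeholders.
# Assumes Connect-ExchangeOnline has already been run.

# Example 1: block messages whose attachments contain executable content and
# tell the sender why. The reject text is returned to the sender in the NDR.
$blockExecutables = @{
    Name = "Block executable attachments"
    AttachmentHasExecutableContent  = $true   # inspects the file content, not just its name
    RejectMessageReasonText         = "Executable attachments are not accepted. Share the file via an approved link instead."
    RejectMessageEnhancedStatusCode = "5.7.1"
}
New-TransportRule @blockExecutables

# Example 4: a rule that is only live for a defined window. Outside the
# ActivationDate..ExpiryDate range the rule exists but does not fire.
$timeLimited = @{
    Name           = "Holiday cover notice"
    FromScope      = "NotInOrganization"
    PrependSubject = "[Reduced staffing until 5 Jan] "
    ActivationDate = (Get-Date "2025-12-22")   # placeholder window
    ExpiryDate     = (Get-Date "2026-01-05")
}
New-TransportRule @timeLimited

# Example 5: block by attachment extension and send an incident report to
# the security mailbox so blocked mail is visible without a manual trace.
$blockByExtension = @{
    Name = "Block risky attachment types"
    AttachmentExtensionMatchesWords = @("exe","scr","js","vbs","bat","cmd","ps1","iso","lnk")
    RejectMessageReasonText         = "Attachment type not permitted by policy."
    RejectMessageEnhancedStatusCode = "5.7.1"
    GenerateIncidentReport = "secops@contoso.example"   # placeholder mailbox
    IncidentReportContent  = @("Sender","Recipients","Subject","RuleDetections")
}
New-TransportRule @blockByExtension

# Show the effective window of the time-limited rule for verification.
Get-TransportRule -Identity "Holiday cover notice" |
    Format-List Name, State, ActivationDate, ExpiryDate
```

Extension matching in Example 5 keys on the attachment name, so Example 1's content check is the stronger control; keeping both covers renamed executables and the plain extension list.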
Basic Interview Questions on Transport Rules:
1. I have a mail flow rule that sets the SCL to -1 (Bypass Spam Filtering) for emails from a specific authenticated sender. However, message trace shows these emails are still being moved to the Junk folder by Exchange Online, not by an Outlook rule. The trace confirms the rule is working: it shows SCL=-1, Spam Filtering Verdict=SKN, and all authentication checks (SPF, DKIM, compauth) are passing.
What security policy or EOP feature could override an SCL -1 rule and still force a message to Junk?
2. Transport Rule for Encrypted Messages – Issue with Triggering
I'm working on setting up a mail flow (transport) rule in Exchange Online to add a banner to incoming emails that are encrypted. However, during testing, the rule doesn't seem to trigger—even though the received message displays the Outlook notification indicating it's encrypted. The rule is configured with the condition “if the message type is encrypted” and is supposed to add a disclaimer (prepend), but it's not functioning as expected.
3. Analyzing Exchange Online Transport Rules Using Message Trace
I currently have over 100 transport rules enabled in Microsoft Exchange Online, and I’m looking to review their effectiveness to determine which ones are actively being used. My goal is to identify and clean up rules that are no longer relevant or in use within our production environment.
Is there a way to achieve this? Specifically, can Message Trace help us identify which rules are being triggered and which are not?
4. Blocking Messages with Leading Whitespace in the Subject Line
We’ve implemented a transport rule to block emails with a blank subject line. However, we've noticed that some users bypass this by entering only spaces in the subject field.
Could anyone suggest a suitable regular expression that we can use in a transport rule to detect and block messages where the subject contains only whitespace or starts with whitespace but no meaningful characters?
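An added example for question 4 (not part of the original page): a pattern that matches empty and whitespace-only subjects, checked locally against constructed sample subjects before it is used in a rule. It assumes EOP's pattern matching honours `\s`, `^` and `$` as documented, and an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original page: whitespace-only subject rule for
# question 4, with a local sanity check of the pattern. Assumes EOP's regex
# engine honours \s, ^ and $ and that Connect-ExchangeOnline has been run.

# ^\s*$ matches a subject that is empty or consists only of whitespace; in
# .NET, \s covers spaces, tabs and non-breaking spaces. A subject with
# leading spaces followed by real text does not match, which is the intent.
$blankSubjectPattern = '^\s*$'

# Constructed sample subjects and the verdict each should receive.
$samples = @(
    @{ Subject = "";            ShouldBlock = $true  }
    @{ Subject = "   ";         ShouldBlock = $true  }
    @{ Subject = "`t`t";        ShouldBlock = $true  }
    @{ Subject = "  Q3 report"; ShouldBlock = $false }
    @{ Subject = "Invoice 42";  ShouldBlock = $false }
)
foreach ($s in $samples) {
    $hit = $s.Subject -match $blankSubjectPattern
    if ($hit -ne $s.ShouldBlock) {
        throw "Pattern check failed for subject '$($s.Subject)'"
    }
}
Write-Host "Pattern verified against $($samples.Count) sample subjects."

# Rule: reject at SMTP time so the sender gets an NDR explaining the policy.
New-TransportRule -Name "Block blank or whitespace-only subject" `
    -SubjectMatchesPatterns $blankSubjectPattern `
    -RejectMessageReasonText "Messages must have a subject line." `
    -RejectMessageEnhancedStatusCode "5.7.1"
```

Create the rule in Audit mode first and confirm in message trace that only the blank and whitespace-only test messages are matched before enforcing it.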