Golden Tenant, Chapter 4: Exchange Server Mailflow Rules
Step four of our “Golden Tenant” Microsoft 365 setup guide covers Microsoft Exchange server mail flow rules. These rules are necessary for day-to-day operations and help keep your tenant protected from phishing. That said, some of these configurations can disrupt your organization, so implement them with caution; not every setting will be a good fit for your tenant.
Document your Mail Flow Rules
Always document your configurations as you go. Keeping track of your progress is crucial to ensuring that baselines and standard operating procedures are being met. With Microsoft Exchange mail flow rules in particular, a single setting can have a large impact, so a log of configurations makes it much easier to find and undo a mistaken entry.
We have a template, complete with the SOPs that correspond to this 365 setup guide. All of the settings listed below appear in that template, and you can document the status of your tenant alongside them.
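As an added example that is not part of the Golden Tenant guide, the following PowerShell snapshots every existing mail flow rule to a CSV before you start this chapter, so each change can later be compared against a baseline. It assumes the ExchangeOnlineManagement module is installed and you hold an Exchange administrator role; the output file name is an arbitrary choice.

```powershell
# Added example (not the guide's own code): export a baseline of all mail flow rules.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# The columns mirror the settings this chapter documents for each rule.
$snapshot = Get-TransportRule | Sort-Object Priority | Select-Object `
    Name, State, Mode, Priority, StopRuleProcessing, SenderAddressLocation,
    SetSCL, Comments, WhenChanged

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$snapshot | Export-Csv -Path ".\MailFlowRules-$stamp.csv" -NoTypeInformation

# Flag any rule that bypasses spam filtering (SCL -1), the allow-listing the
# chapter warns about. SetSCL is compared as a string because it is not a plain int.
$bypass = $snapshot | Where-Object { "$($_.SetSCL)" -eq '-1' }
if ($bypass) {
    Write-Warning 'Rules that set SCL -1 (bypass spam filtering):'
    $bypass | Format-Table Name, State, Priority -AutoSize
}
```

Run it again after finishing the chapter and diff the two CSV files to confirm only the intended rules changed.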
Mailflow Order of Operations
Based on the references below, the order of operations for the Exchange Online transport flow is:
- DMARC / SPF / Connection Filtering
  - Covered in an earlier chapter
- Anti-Malware / High Confidence Phishing / Advanced Delivery Policy Exceptions
  - Covered as part of Defender for Office 365
- Transport Rules / Mail Flow Rules
  - Covered in this chapter
- Content Filtering (Phishing, High-confidence Spam, Spam, Spoofing, etc.)
  - Covered as part of Defender for Office 365
Microsoft Learn has an article that covers this order of operations at a high level.
As you prep your tenant, you want to make sure that your Organization has all Mailflow Rules in place that are necessary for operation.
Some of the mail flow rules listed here are simply nice to have on hand in case you need them. If you are already using a third-party phishing filter, you may not need to create every one of these rules in the Microsoft 365 tenant.
Microsoft Defender Takes Priority
Note that Microsoft Defender will override other programs you may have in place, even if you have a third-party phishing filter set up. We will address configuring Defender in a later chapter.
🚩 Keep an eye out for any settings that have the 🛑⚠️ appended to them. These settings may have a large impact to your end-user experience and should be enabled with caution.
To get started, navigate to admin.exchange.microsoft.com > Mailflow > Alert Policies
⚠️🛑 Approved Domains | Off
CIS recommends against whitelisting domains or senders within a tenant. Whitelisting allows senders, domains, or IP addresses to bypass the spam filtering policies that are enabled by default. If you currently use third-party phishing filters to whitelist and block, this mail flow rule may not work as intended.
⚠️ If you do not need this mail flow rule, do not create it in the tenant.
Conditions
Name: Approved Domains
Apply this rule if
The sender domain is ‘n.com’
Do the following
First, modify the message properties
Then, set the spam confidence level (SCL) to ‘-1’ (Bypass spam filtering)
AND
Modify the message properties
Set the message header ‘X-MS-Exchange-Organization-BypassFocusedInbox’ to the value ‘true’
Settings
Rule mode: Enforce
Stop processing more rules
Match sender address in message: Header
Comments: Emails from these domains will be accepted at all times, even if suspicious attachments are included.
Rule status: Disabled
Priority: Will move to bottom of Rules
Finally, verify that the rule has been created with the correct conditions within the Exchange Mailflow Rules of Microsoft 365.
⚠️🛑 Approved Senders | Off
CIS recommends against whitelisting domains or senders within a tenant. Whitelisting allows senders, domains, or IP addresses to bypass the spam filtering policies that are enabled by default. If you currently use third-party phishing filters to whitelist and block, this mail flow rule may not work as intended.
⚠️ If you do not need this mail flow rule, do not create it in the tenant.
Conditions
Apply this rule if
The sender is this person: ‘email address of sender’
Do the following
Modify the message properties
Set the spam confidence level (SCL) to ‘-1’ (Bypass spam filtering)
AND
Modify the message properties
Set the message header ‘X-MS-Exchange-Organization-BypassFocusedInbox’ to the value ‘true’
Settings
Rule mode: Enforce
Stop processing more rules
Match sender address in message: Header
Comments: Any sender included in this list is automatically whitelisted and forwarded to the recipient without any further checks.
Rule Status: Disabled
Priority: Will move to bottom of Rules
Finally, verify that the rule has been created with the correct conditions within the Exchange Mailflow Rules of Microsoft 365.
⚠️ Blocked Domains | Enable
ℹ️ This mail flow rule could conflict with third-party phishing filters. Also, blocking a domain such as gmail.com blocks every email from that domain, not just the suspicious ones.
⚠️ If you do not need this mail flow rule, do not create it in the tenant.
Conditions
Name: Blocked Domains
Apply this rule if
The sender domain is ‘test.com’
Do the following
Block the message
Delete the message without notifying anyone
ℹ️ You have the following options when it comes to Blocking messages:
- Reject the message and include an explanation
- Reject the message with an enhanced status code of
- Delete the message without notifying anyone
Settings
Rule mode: Enforce
Stop processing more rules
Match sender address in message: Header
Comments: Emails from these domains will be blocked and deleted from Microsoft 365.
Rule status: Disabled
Priority: Will move to bottom of Rules
Finally, verify that the rule has been created with the correct conditions within the Exchange Mailflow Rules of Microsoft 365.
⚠️ Blocked Senders | Enable
ℹ️ This mail flow rule could conflict with third-party phishing filters.
Conditions
Name: Blocked Senders
Apply this rule if
Includes these patterns in the From address: ‘sender email address’ and Is received from ‘Outside the organization’
Do the following
Redirect the message to hosted quarantine.
ℹ️ You have the following options when it comes to Blocking messages:
- Reject the message and include an explanation
- Reject the message with an enhanced status code of
- Delete the message without notifying anyone
Settings
Rule mode: Enforce
Stop processing more rules
Match sender address in message: Header
Comments: Emails from these domains will be blocked and deleted from Microsoft 365
Rule Status: Disabled
Priority: Will move to bottom of Rules
Lastly, verify that the rule has been created with the correct conditions within the Exchange Mailflow Rules of Microsoft 365.
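The Blocked Domains and Blocked Senders rules from the two sections above, created with PowerShell as an added example (not the guide's own code). Both rules are created Disabled, matching the documented rule status, so they can be reviewed before enforcement; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and ‘test.com’ and the sender pattern are placeholders.

```powershell
# Added example (not the guide's own code): create the "Blocked Domains" and
# "Blocked Senders" rules with the settings documented above, Disabled for review.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Priorities are zero-based, so the count of existing rules is the bottom slot.
$bottom = (Get-TransportRule).Count

# Blocked Domains: match the sender domain in the header From, delete silently.
# 'test.com' is the guide's placeholder; replace it with the real domain.
New-TransportRule -Name 'Blocked Domains' `
    -SenderDomainIs 'test.com' `
    -DeleteMessage $true `
    -SenderAddressLocation Header `
    -StopRuleProcessing $true `
    -Mode Enforce -Enabled $false -Priority $bottom `
    -Comments 'Emails from these domains will be blocked and deleted from Microsoft 365.'

# Blocked Senders: regex on the From address, external senders only, quarantine.
# The pattern is a constructed placeholder; '.' is escaped because this is a regex.
New-TransportRule -Name 'Blocked Senders' `
    -FromAddressMatchesPatterns 'sender@example\.com' `
    -FromScope NotInOrganization `
    -Quarantine $true `
    -SenderAddressLocation Header `
    -StopRuleProcessing $true `
    -Mode Enforce -Enabled $false -Priority ($bottom + 1) `
    -Comments 'Emails from these senders will be quarantined.'

# Verify, as the guide asks, that each rule carries the intended conditions.
Get-TransportRule | Where-Object { $_.Name -in 'Blocked Domains', 'Blocked Senders' } |
    Format-List Name, State, Mode, Priority, SenderDomainIs, FromAddressMatchesPatterns,
                FromScope, DeleteMessage, Quarantine, StopRuleProcessing
```

Enable each rule with Set-TransportRule -Enabled $true only after the verification output matches the conditions documented above.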
Append Confidentiality Disclaimer | Off
ℹ️ This mail flow rule may cause an issue with your existing email signature tool (if one exists). Check your provider's documentation if the disclaimer appears twice in sent emails.
Conditions
Name: Append Confidentiality Disclaimer
Apply this rule if
Apply to all messages
Do the following
Apply a disclaimer to the message, append a disclaimer
Append
<P style="FONT-SIZE: 9pt; FONT-FAMILY: Calibri; COLOR: #888888" align=left>
<strong>Confidentiality Notice:</strong> The content of this email is intended for the person or entity to which it is addressed only. This email may contain confidential information. If you are not the person to whom this message is addressed, be aware that any use, reproduction, or distribution of this message is strictly prohibited. If you received this in error, please contact the sender and immediately delete this email and any attachments.<span style="color:#FFFFFF;"></span></P>
and fallback to action ‘Ignore’ if the disclaimer can’t be inserted
Except if
The subject or body includes any of these words
Confidentiality Notice
Settings
Rule mode: Enforce
Match sender address in message: Header
Comments: Appends a confidentiality disclaimer to all outgoing emails.
Rule Status: Disabled
Priority: Will move to bottom of Rules
As always, verify that the rule has been created with the correct conditions within the Exchange Mailflow Rules of Microsoft 365.
Conclusion
These are some examples of mailflow rules that are helpful to have in an environment.
In Microsoft, you can always find more than one way to accomplish a specific task. The above demonstrates just one of the many ways that organizations can block and allow domains in their tenant.
Before applying your mailflow rules, it is incredibly important to make sure that you test these within a controlled environment instead of a production one.
The Lazy Administrator has some great resources on building mail flow rules for the experienced system administrator.