As others have stated, when SMTP Forwarding is enabled with leave copy enabled on a mailbox and an Anti-Spam policy has Auto Forwarding set to Off, internal SENDERS are sent an NDR and NOT the person with the forward. This is extremely confusing to the internal sender and doesn't let the rule creator know that it was blocked.
For example:
Person 1 - Internal User
Person 2 - Internal User with forwarding to external address
Person 3 - External user
Person 1 -> Person 2 = Person 1 gets the NDR. Person 2 doesn't get the NDR but gets the original message.
Delivery has failed to these recipients or groups:
Person1 at internal.com
Your message wasn't delivered because the recipient's email provider rejected it.
Diagnostic information for administrators:
Generating server: 123abc.PROD.OUTLOOK.COM
mailto:email address removed for privacy reasons
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7550)'
Person 3 -> Person 2 = Person 2 gets the NDR and message but the NDR says the email failed to Person 2 and no mention of the forwarding address
Delivery has failed to these recipients or groups:
mailto:email address removed for privacy reasons
Your message wasn't delivered because the recipient's email provider rejected it.
Diagnostic information for administrators:
Generating server: 123abc1.PROD.OUTLOOK.COM
email address removed for privacy reasons
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7550)'
Because of this we've removed the Outbound Anti-Spam policy. What we have done is:
1. Removed the Forwarding option on Outlook on the Web via RBAC
2. Mail Flow rule to stop Outlook Rules from forwarding externally, which lets the rule creator know the action is not allowed.
3. Scheduled script that removes any SMTP Forward that exists.
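As an added example (not code from the post above), the following Exchange Online PowerShell implements steps 2 and 3 of that approach: a mail flow rule that rejects auto-forwarded mail leaving the tenant with a message the rule creator actually sees, and a cleanup script that strips SMTP forwards (and forwarding contacts) from every mailbox while logging what it cleared. Step 1 (removing the Outlook on the web forwarding option via RBAC) is an admin-center/role change and is not covered here. The rule name, reject text, log path and the use of the ExchangeOnlineManagement module are assumptions for this example; the cmdlets and parameters are the standard Exchange Online ones.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the running account holds Exchange administrator rights.
# Rule name, reject text and log location are assumptions chosen for illustration.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# --- Step 2: mail flow rule that blocks auto-forwards to external recipients.
# Unlike the outbound spam policy's 5.7.520 NDR (which goes to the original
# sender), a transport-rule reject is returned to the mailbox whose Inbox rule
# did the forwarding, so the rule creator learns the action is not allowed.
$ruleName = 'Block external auto-forwarding'   # assumed name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted. Remove the forwarding rule or contact your administrator.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Rejects Inbox-rule auto-forwards to external recipients (added example).'
}

# --- Step 3: scheduled cleanup of mailbox-level forwarding.
# ForwardingSmtpAddress is the SMTP forward a user can set themselves;
# ForwardingAddress is an admin-set forward to a mail contact. Both are cleared,
# and DeliverToMailboxAndForward ("leave a copy") is reset to its default.
$logPath = Join-Path $env:TEMP 'forwarding-cleanup.csv'   # assumed location

$forwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }

$removed = foreach ($mbx in $forwarders) {
    # Record what was set before it is removed, so the change can be reviewed.
    [pscustomobject]@{
        Timestamp                  = (Get-Date).ToString('o')
        Mailbox                    = $mbx.PrimarySmtpAddress
        ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
        ForwardingAddress          = $mbx.ForwardingAddress
        DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
    }
    Set-Mailbox -Identity $mbx.Identity `
        -ForwardingSmtpAddress $null `
        -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false
}

if ($removed) {
    $removed | Export-Csv -Path $logPath -NoTypeInformation -Append
}
Write-Output ("Cleared forwarding on {0} mailbox(es); log: {1}" -f @($removed).Count, $logPath)

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script from a scheduled task under a dedicated admin identity (certificate-based app authentication for `Connect-ExchangeOnline` works well unattended) and review the CSV it appends to; a mailbox that reappears in the log run after run is a signal worth following up, since something keeps re-creating the forward.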