Exchange Team Blog
Spotlight on Exchange 2010: E-mail Moderation

Jun 11, 2009

Moderation in Exchange Server 2010

In past versions of Exchange Server, the best way to control mail flow to a distribution group or mailbox was delivery restrictions. Delivery restrictions allow you to reject mail from certain individuals or groups (sometimes referred to as a blacklist), allow mail only from certain individuals or groups (or a whitelist), or a combination of both. In Exchange Server 2010, moderation enables you to control messages sent to groups and individuals based on the human element (a moderator), not on who sent the message.

Moderation isn't limited to groups. As with delivery restrictions, you can also moderate mail sent to individual mailboxes or mail contacts, in the same way as mail sent to distribution groups. If you want to moderate mail from a mailbox or contact, you have to set up a transport rule, where moderation is available as an action. For the rest of this post, I'll be talking about moderated groups/lists.

Sending mail to a moderated group

For end users, sending mail to a moderated group is the same as sending to any other group. If they are using Outlook Web Access or Outlook 2010, they will see a MailTip telling them they are sending mail to a moderated group. Instead of expanding a message and sending it on to the members of a group, Exchange sends the mail to the Arbitration Mailbox. This mailbox is like a holding tank for messages that are under review by moderators. Upon receiving the message, the arbitration mailbox sends out an approval request to each moderator. The original message is attached to the approval request and also shown in preview form in the approval request itself. Moderators have three options for a decision:
  • Approve
  • Reject
  • Reject with comments
These decisions are sent as messages back to the arbitration mailbox, where the decision is processed. Like mail to any other group, users are only notified if their message was not delivered (moderators can choose to include comments explaining why they rejected the message). If the message is approved, it is released from the arbitration mailbox for delivery to the group. In both Outlook and Outlook Web Access, moderators see buttons at the top of their message for approving and rejecting messages (see an Outlook Web Access example below). In older versions of Outlook, moderators can make decisions with voting buttons.

Multiple moderators

For groups configured with multiple moderators, when one moderator makes a decision, a message is sent to all the other moderators notifying them of the decision. This notification is processed by the receiving mailbox: when it arrives in a moderator's mailbox, the approval request is disabled (no further decision can be made) and moved to the Deleted Items folder. This keeps moderators' inboxes less cluttered, leaving only approval requests that still require a decision.

Enabling moderation for a group

To enable moderation for a group, you just need to enable moderation and specify who the moderators are. If you leave the list of moderators blank, the group owners will receive all the approval requests. In ECP, group owners and administrators can configure moderation. Moderation can be similarly configured from EMC.

Moderation in a transport rule

For more customized scenarios, moderation is also available as an action with any transport rule. When a message matches the rule's condition, it is not delivered to any recipients until approved by a moderator.
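The shell equivalent of the two configuration paths above, as an added example that is not from the original post: Exchange Management Shell commands that enable moderation on a group and create a transport rule with the moderation action. The group name, the contoso.example addresses and the rule name are placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# "AllEmployees", the contoso.example addresses and the rule name are placeholders.

# Enable moderation and name the moderators. If -ModeratedBy is left empty,
# the group owners receive the approval requests.
Set-DistributionGroup -Identity "AllEmployees" `
    -ModerationEnabled $true `
    -ModeratedBy "moderator1@contoso.example", "moderator2@contoso.example" `
    -BypassModerationFromSendersOrMembers "hr-announcements@contoso.example"

# Read the settings back to confirm what is actually in force,
# including who is on the bypass list and who the owners are.
Get-DistributionGroup -Identity "AllEmployees" |
    Format-List Name, ModerationEnabled, ModeratedBy, ManagedBy,
        BypassModerationFromSendersOrMembers, BypassNestedModerationEnabled

# Moderate mail *from* a specific mailbox: moderation as a transport rule action.
New-TransportRule -Name "Moderate mail from contractor" `
    -From "contractor@contoso.example" `
    -ModerateMessageByUser "moderator1@contoso.example"

# Confirm the rule exists and is enabled.
Get-TransportRule -Identity "Moderate mail from contractor" |
    Format-List Name, State, Priority
```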

FAQ

Q: Are delivery restrictions still there in Exchange 2010?
A: Delivery restrictions haven't gone anywhere. In fact, you can use moderated groups and delivery restrictions together; delivery restrictions simply take precedence over moderation. If a sender passes delivery restrictions, then they will be moderated (unless they are on the bypass list for moderation).

Q: What if an email is sent to two groups: one moderated and one unmoderated?
A: The message will be sent to moderators for approval for delivery to the moderated group. It will be delivered to all members of the unmoderated group without moderator intervention. Any user that is a member of both groups would get the message immediately. They won't see a second message (upon approval to the moderated group) thanks to duplicate detection.

Q: What about nested moderated groups?
A: If one moderated group (the "child") is a member of another moderated group (the "parent"), the message must be approved for both the parent and the child groups. If you set the BypassNestedModerationEnabled flag to $true on the parent group, any messages sent to that group will bypass moderation by child groups. For some messages, you might not want moderators of child groups to be able to reject them (say, messages from executives sent to an org-wide group).

Q: What happens if two moderators make conflicting decisions at the same time?
A: In most cases, moderators will not be able to make a decision after one has already been made. However, if two moderators do manage to make decisions at the exact same time, whichever decision message makes it to the arbitration mailbox wins. The "losing" moderator(s) are then notified that their decision did not take effect.

Q: What versions of Exchange are required for moderation?
A: Moderation requires Exchange 2010 to be deployed on all Hub Transport Servers to work properly. Earlier versions of Exchange will ignore moderation and simply deliver any messages to moderated recipients.

- E.J. Dyksen
Updated Jul 01, 2019
Version 2.0
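A review of the moderation settings the post and FAQ describe (blank moderator list, bypass list, BypassNestedModerationEnabled), as an added example that is not from the original post. The function name Get-ModerationFinding and the three sample groups are constructed for illustration; the property names match Get-DistributionGroup output.

```powershell
# Added example, not Exchange's own code. Works on objects shaped like
# Get-DistributionGroup output; Get-ModerationFinding is a hypothetical helper.
function Get-ModerationFinding {
    param([Parameter(ValueFromPipeline = $true)] $Group)
    process {
        # Normalise $null and empty collections to plain arrays.
        $moderators = @($Group.ModeratedBy | Where-Object { $_ })
        $bypass     = @($Group.BypassModerationFromSendersOrMembers | Where-Object { $_ })
        $notes = @()
        if (-not $Group.ModerationEnabled) {
            $notes += 'Not moderated: mail is delivered without moderator review.'
        } else {
            if ($moderators.Count -eq 0) {
                $notes += 'No moderators listed: approval requests go to the group owners.'
            }
            if ($bypass.Count -gt 0) {
                $notes += 'Bypass list skips moderation for: ' + ($bypass -join ', ')
            }
            if ($Group.BypassNestedModerationEnabled) {
                $notes += 'BypassNestedModerationEnabled: child-group moderators are skipped.'
            }
        }
        foreach ($n in $notes) {
            New-Object PSObject -Property @{ Group = $Group.Name; Finding = $n }
        }
    }
}

# Constructed sample input. Against a live organization, replace $sample with:
#   Get-DistributionGroup -ResultSize Unlimited
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'AllEmployees'; ModerationEnabled = $true; ModeratedBy = @()
        BypassModerationFromSendersOrMembers = @('Executives')
        BypassNestedModerationEnabled = $true }),
    (New-Object PSObject -Property @{
        Name = 'Sales'; ModerationEnabled = $true; ModeratedBy = @('moderator1')
        BypassModerationFromSendersOrMembers = @()
        BypassNestedModerationEnabled = $false }),
    (New-Object PSObject -Property @{
        Name = 'Facilities'; ModerationEnabled = $false; ModeratedBy = @()
        BypassModerationFromSendersOrMembers = @()
        BypassNestedModerationEnabled = $false })
)

$sample | Get-ModerationFinding | Format-Table Group, Finding -AutoSize -Wrap
```

With the sample data, AllEmployees produces three findings, Facilities one, and Sales none.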
  • Very cool feature, especially for safeguarding those "All Employees" distribution lists.
  • question 1 - You said the sender doesn't get a notification unless the message is rejected.  What if a moderator just sits on the message or accidentally deletes/ignores it / whatever?

    question 2 - what if a message is sent to a group that has 2007 and 2010 recipients but is first processed by a 2007 HT server.  Will the delivery be inconsistent or because it hit the 2007 HT first expansion will occur and the 2010 server will take no action?
  • Hi Mike,

    1) Messages expire for moderation after 10 days, I believe.

    2) It all depends on which HT server the mail hits first.  If it hits a 2007 server, then the mail is expanded completely there, and it won't be moderated.
  • This is a great feature - one we have been looking for. We currently use another vendor's listserv product for message moderation.

    A few questions:

    If a moderator is OOF and the 'Approval Request' message with voting buttons is sitting in the moderator's mailbox, is there another way to approve/reject messages?

    Will Exchange 2010 have an easy way to hide Distribution List members? With Exchange 2007, the hideDLMembership attribute only hides the ability to see membership in OWA. In Outlook, you can still see members, as well as expand the DL and then send messages directly to DL members. Won't this behavior allow for an easy bypass to moderation? I've had to set an explicit Deny permission on 'Read Members' for the underlying group in Active Directory to disable DL expansion. An attempt to expand the DL now results in a cryptic 'There was an error while expanding the list...'. Can Deny DL expansion behavior be improved?
  • What about moderating outbound email?  Can you moderate on a per domain functionality?