Forum Discussion

spetrova1
Copper Contributor
Oct 17, 2025

Policy for limiting external domains and allowing particular external receivers

Hi community,

According to the guide https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-external-email-forwarding I have created the following rule for our test domain:

Rule description Apply this rule if 'X-MS-Exchange-Inbox-Rules-Loop' header matches the following patterns: '.'
Do the following Set audit severity level to 'Medium' and reject the message and include the explanation 'Delivery not authorized, message refused' with the status code: '5.7.1'
Except if recipient's address domain portion belongs to any of these domains: 'xyz.com'

The idea of the rule is to block all external mail forwarding except forwarding directed to the domain xyz.com.

______________________________________________

Another rule I tested:

Apply this rule if

Is sent to 'Outside the organization' and sender's address domain portion belongs to any of these domains: 'localdomain.com'

Do the following

Set audit severity level to 'Medium' and reject the message and include the explanation 'external forwarding is not allowed' with the status code: '5.7.1'

Except if

recipient's address domain portion belongs to any of these domains: 'xyz.com'.

Unfortunately this is not working: if I create mailbox-based rules that forward mail to, let's say, both gmail.com and xyz.com, the mails get dropped with the explanation:
Reason: [{LED=250 2.1.5 RESOLVER.MSGTYPE.AF; handled AutoForward addressed to external recipient};{MSG=};{FQDN=};{IP=};{LRT=}] 

For both cases I made sure auto forwarding is enabled under the "anti spam" rules in the security admin center.

In the mail flow logs I see the messages dropped for both the mailbox in xyz.com and the one in gmail.com.

The forwarding configured in Outlook on a mailbox in localdomain.com is intended to auto-forward messages to a mail address in gmail.com and one in xyz.com, where the mails should arrive.

I am wondering what the correct policy would be in order to be able to except a particular external domain/external mailbox.
Another approach I found is to disable auto-forwarding globally and to enable it for particular users only, but unfortunately this cannot be limited to whom the mailbox can forward, and so it is not a useful solution for us.

Regards
Sofia

No replies
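As an added example (this is not from the post above and not Microsoft's code), the following Exchange Online PowerShell builds the same allow-list policy and adds the checks I would run in this situation: the three controls that can drop an auto-forward are inspected in one place, and the message trace tells you which one fired. Assumptions not in the post: the ExchangeOnlineManagement module is installed and the account holds the Exchange Administrator role, the forwarding test mailbox is user@localdomain.com, and the rule name and comment text are made up.

```powershell
# Added example, not the original poster's configuration. Assumes the
# ExchangeOnlineManagement module, an Exchange Administrator account,
# 'localdomain.com' as an accepted domain and 'xyz.com' as the only
# external destination that should be allowed. Rule name is hypothetical.
Connect-ExchangeOnline

# 1. Outbound spam filter policy. The NDR text
#    'RESOLVER.MSGTYPE.AF; handled AutoForward addressed to external recipient'
#    is produced by this setting, not by a mail flow rule. 'Automatic' behaves
#    like 'Off'. Check every policy and its rule: a custom policy whose rule
#    matches the sender (From / FromMemberOf / SenderDomainIs) wins over Default.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule |
    Format-Table Name, Priority, HostedOutboundSpamFilterPolicy, From, FromMemberOf, SenderDomainIs

# Allow forwarding in the policy that actually applies to the forwarding mailbox.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode On

# 2. Remote domains: an entry with AutoForwardEnabled = $false stops
#    auto-forwards to that domain regardless of the policies above.
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled

# 3. The mail flow rule that does the allow-listing: reject every auto-forwarded
#    message leaving the organisation unless the recipient domain is xyz.com.
#    The AutoForward message type matches inbox-rule forwards without a header
#    pattern; the reject text is what a blocked sender will see in the NDR.
New-TransportRule -Name 'Block external auto-forward except xyz.com' `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'xyz.com' `
    -RejectMessageReasonText 'External forwarding is not allowed' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -SetAuditSeverity Medium `
    -Mode Enforce `
    -Comments 'Allow-list for external auto-forwarding; review before adding domains'

# 4. Verify with one test message per destination (one inbox rule forwarding to
#    gmail.com, one to xyz.com) and read the trace. A rejection by the mail flow
#    rule carries the rule's own text and 5.7.1; 'RESOLVER.MSGTYPE.AF' in the
#    detail means the outbound spam policy from step 1 is still blocking it.
$since = (Get-Date).AddHours(-1)
Get-MessageTrace -SenderAddress 'user@localdomain.com' -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.RecipientAddress -like '*@gmail.com' -or $_.RecipientAddress -like '*@xyz.com' } |
    Format-Table Received, RecipientAddress, Status
```

The point of running the trace last is that the three controls produce different evidence: the outbound spam policy's auto-forward block shows up as the RESOLVER.MSGTYPE.AF reason quoted in the post, whereas a mail flow rule rejection shows the rule's reject text. Seeing the former after the rule has been created means the policy that applies to that specific sender (not necessarily the Default one) still has AutoForwardingMode set to Off or Automatic. Testing each destination with its own inbox rule keeps the result for xyz.com and gmail.com separate, so the exception can be judged on a single-recipient message first.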
