SOLVED

Allow only specific domain to email a distribution group

Copper Contributor

I'd like to allow only a specific external sender domain to send email to our distribution group (DG) in M365.  (The DG is actually a mail-enabled security group synced from AD.)  I see that a mail-flow rule doesn't process until after the DG is expanded, so can't match the DG as the recipient.  I see that the DG has an attribute dLMemSubmitPerms to specify who's permitted to send to the group, but I think that is only for objects in AD and wouldn't be able to use an external domain?  When I try to modify dLMemSubmitPerms I get an error anyway.

So how can this be done?

6 Replies
You can use a mail flow rule with "includes any of these recipients in the To or Cc box" condition.

@Vasil Michev - I already tried a mail-flow rule and it didn't work; and then I found the reason why:

 

"Note - If the Mail flow rule is configured to check for the recipient where the recipient is a distribution group, the rule won't be matched. When the message is sent to a distribution group, the group will be resolved to distinct users of that group before reaching Mail flow rules and instead, will check every member of a group."

From <https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-ex...>

And I'm telling you that it depends on the condition used. The note you quoted applies to specific conditions only.
I don't see "includes any of these recipients in the To or Cc box" condition. I only see options for word match or text pattern and I've tried both.
best response confirmed by JeffRyer (Copper Contributor)
Solution

I figured out a way. Using a mail flow rule where the header contains "To" of the distribution group. And have it block those messages, and an exception of the domains to allow. 

@Vasil Michev , thanks for the clue. 

Here is a screenshot of the rule :smile:

Rule_Mailflow.png

 

1 best response

Accepted Solutions
best response confirmed by JeffRyer (Copper Contributor)
Solution

I figured out a way. Using a mail flow rule where the header contains "To" of the distribution group. And have it block those messages, and an exception of the domains to allow. 

@Vasil Michev , thanks for the clue. 

View solution in original post