OWA Protect - Do Not Forward details

New Contributor

Greetings Folks,


Just trying to get a better understanding of DNF with our Office 365 setup. I finally found this link, which explained a lot, but what I am still stuck on is if the the DNF rules only apply to other users within our domain.


In other words, if I am sending from my @example.com account to another @example.com user, the DNF rule makes sense, we don't want the message to leave our organization (@example.com).


If I send an email from my @example.com email to a @contoso.com email address and apply the DNF policy, it seems the recipient at @contoso.com cannot even open the message. Is that the expected behavior? As in, the DNF rule disallows the message from leaving @example.com's organization, so by sending the message to @contoso.com, the rule is doing what it's supposed to and not allowing the recipient to open?


I guess this leads to a more basic question of, is the default DNF rule usable for recipients outside our organization?


( I'll apologize if this has been covered before, but I've been searching for the last 2 hours for clarification and couldn't find anything. Any clarification will be appreciated! :) )

4 Replies

Depends on the type of recipient and the "flavor" of DNF you currently have setup. The way RMS works, the client (Outlook) needs to contact the server (Azure RMS) to obtain a "license" which is used to decrypt the message. In order to do so, the client will pass along the user credentials, and obviously the user needs to be able to authenticate against Office 365. This is not possible for a @gmail.com account for example, for such scenarios you can use the new "O365 message encryption" feature, which works seamlessly for external recipients as well by using a "proxy" portal. Read more about it here: https://support.office.com/en-us/article/set-up-new-office-365-message-encryption-capabilities-built...

@Vasil Michev, thank you for your response.  In looking through our account, I believe we have basic RMS setup.  I was testing both DNF and Protect -> Encrypt options from within the web client.


I believe we've tracked down where the issue was with one of our customers given the information.


The only remaining think that I'd be curious about from anyone, is if it's possible to change the default behavior of the Protect button in the web client.  By default, it does DNF, I have several requests to modify it (if possible) to Encrypt instead.


Is anyone aware if this is possible to change?

Afaik you cannot modify this.

I presumed that was the case, but I figured I'd check.  Thank you very much, your info was greatly appreciated! :)