Mail Flow Rule Mark External Mail


Hello Folks. To filter mails by criteria such as sender, recipients, domain, header information and more, it makes sense to create a new Mail Flow Rule (formerly Transport Rule) and associate it with an action of your choice.

You could, for example, use a Mail Flow Rule to prepend [EXT] to the subject when a mail comes from an external sender, or you could use a rule to classify emails with certain header information as SPAM and move them to the user’s Junk-Mail folder.

Ok, let’s get into it. In this example we will create a rule that tags mails from external senders with [EXT]:

> Log in to your Exchange Control Panel (ECP) with an administrative account.
The URL should look like this: https://YourExchangeURL/ecp
> Or create the new Mail Flow Rule via PowerShell (see section 2)

1 - Create a new Mail Flow Rule via ECP:

> In ECP navigate to mail flow > rules and click the + icon. Choose Create a new rule.
The Drop-Down offers several templates for new rules.
We won’t use them here since we want to create a new Mail Flow Rule from scratch.

Specify the name and criteria of the new Mail Flow Rule:

We will create a rule which prepends [EXT] to the message subject when a mail comes from a sender outside of your organization.

> Specify the name of the rule
> Click More options

For an Exchange environment hosting a single tenant:

> Under Apply this rule if choose The sender… > is external/internal
> Set it to Outside the organization
> Add another condition
> Choose The recipient… > domain is
> Add the domain for which you want to mark external mails
> Under Do the following… choose Prepend the subject of the message with…
> Enter your preferred tag ( e.g. [EXT] )


> Further down set Match sender address in message to > Envelope

For a multi-tenant Exchange environment:

Exchange considers a sender to be external if:
• The sender’s email address isn’t in an accepted domain.
• The sender’s email address is in an accepted domain that’s configured as an external relay domain.

In a multi-tenant environment where tenants send mails between each other, the sender will not be considered as an external sender from the recipient’s point of view since the sender’s domain is an accepted domain. This means we cannot use the same conditions as we have used in a single-tenant environment.

> Under Apply this rule if choose The sender… > address matches any of these text patterns
> Enter @ as a specified word or phrase
> Add another condition
> Choose The recipient… > domain is
> Add the domain for which you want to mark external mails
> Under Do the following… choose Prepend the subject of the message with…
> Enter your preferred tag ( e.g. [EXT] )
> Under Except if choose The sender > domain is
> Enter one or more domains you don’t want to be marked as an external sender

> Further down set Match sender address in message to > Envelope

2 - Create a new Mail Flow Rule using PowerShell:

For an Exchange environment hosting a single tenant

Create a new Mail Flow Rule using the New-TransportRule cmdlet with the following parameters:

New-TransportRule -Name "Mark mails from external" -FromScope NotInOrganization -RecipientDomainIs testlab.local -SenderAddressLocation Envelope -PrependSubject "[EXT]" -Enabled $True

A short explanation of the used parameters:

-Name:
The name of the rule

-FromScope:
Sets the scope to mails from external senders. This means mails from sender domains that are not in the AcceptedDomains of the Exchange organization or are defined as an External Relay Domain.

-RecipientDomainIs:
The recipient domain you want to mark external mails for.

-SenderAddressLocation:
Set to Envelope to advise Exchange to fetch the sender’s address from the message envelope and not from the From field. Since the From field contains the visual address, it can be prone to spoofing attempts. To make sure the real sender’s address is used in the rule, use Envelope.

-PrependSubject:
Specify some patterns or words which will be prepended to the subject to tag external mails.

-Enabled:
Activates the rule. If you just want to set up the rule without activating it, set the value to $False.

For a multi-tenant Exchange environment
Create a new Rule with the parameters below:

New-TransportRule -Name "Mark mails from external" -FromAddressMatchesPatterns "@" -RecipientDomainIs testlab.local -ExceptIfSenderDomainIs testlab.local -PrependSubject "[EXT]" -SenderAddressLocation Envelope -Enabled $True

A short explanation of the used parameters:

-Name:
The name of the rule.

-FromAddressMatchesPatterns:
To catch all mails we give it a common pattern that can be found in all SMTP addresses.

-RecipientDomainIs:
The recipient domain you want to mark external mails for.

-ExceptIfSenderDomainIs:
An exception for your own domain makes sure that your internal mails will not be marked. Internal here means within the domain you specify, not within the Exchange organization!

-PrependSubject:
Specify some patterns or words which will be prepended to the subject to tag external mails.

-SenderAddressLocation:
Set to Envelope to advise Exchange to fetch the sender’s address from the message envelope and not from the From field. Since the From field contains the visual address, it can be prone to spoofing attempts. To make sure the real sender’s address is used in the rule, use Envelope.

-Enabled:
Activates the rule. If you just want to set up the rule without activating it, set the value to $False.

3 - Summary:

The 1st Mail Flow Rule, which can be used in a single-tenant environment, is triggered when Exchange detects the sender’s domain as a domain that is outside of the Exchange organization.
This means that the sender’s domain is not listed in Accepted Domains or is configured as an External Relay Domain on the Exchange server.

The 2nd rule, which can be used in a multi-tenant environment (and also in single-tenant environments), considers mails from all senders as external emails, since the parameter -FromAddressMatchesPatterns is filled with the value "@", which matches every SMTP address in the envelope.

This is another fact that underlines the importance of setting -SenderAddressLocation to Envelope. We have seen visual sender addresses in the From field where just a name without @ was displayed (only in mails where a malicious sender pretends to be someone from the recipient’s organization, i.e. spoofing).

And here are the results:

[Screenshot: Mail Flow Rule External]

With the parameter -ExceptIfSenderDomainIs filled with your recipient domain, emails from your domain to your domain (internal mails) will not be tagged as external mails.
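The difference between the two rules, and the effect of -SenderAddressLocation, as an added example that is not part of the original post: a simplified PowerShell model of the rule conditions, run over constructed messages. The tenant-b.example domain, all addresses and the function names Get-Domain and Test-ExtTag are assumptions made for illustration; the model does not call Exchange and ignores External Relay domains.

```powershell
# Added illustration: a simplified model of the two rules' conditions.
# It is not Exchange's implementation and ignores External Relay domains.
$AcceptedDomains = 'testlab.local', 'tenant-b.example'  # constructed: two tenants, one organization
$Protected       = 'testlab.local'                      # recipient domain used in the article
$Rcpt            = 'dave@testlab.local'                 # constructed recipient

function Get-Domain([string]$Address) {
    # Domain part of an SMTP address, or '' when the value contains no "@"
    if ($Address -match '@([^@>\s]+)') { $Matches[1].ToLower() } else { '' }
}

function Test-ExtTag {
    param(
        [hashtable]$Message,
        [ValidateSet('SingleTenant', 'MultiTenant')][string]$Rule,
        [ValidateSet('Envelope', 'Header')][string]$SenderAddressLocation = 'Envelope'
    )
    # Pick the address the rule evaluates, as -SenderAddressLocation does
    $sender = if ($SenderAddressLocation -eq 'Envelope') { $Message.EnvelopeFrom } else { $Message.HeaderFrom }
    $senderDomain = Get-Domain $sender
    if ((Get-Domain $Message.Recipient) -ne $Protected) { return $false }  # -RecipientDomainIs
    if ($Rule -eq 'SingleTenant') {
        return ($senderDomain -notin $AcceptedDomains)   # -FromScope NotInOrganization
    }
    if ($sender -notmatch '@') { return $false }         # -FromAddressMatchesPatterns "@"
    return ($senderDomain -ne $Protected)                # -ExceptIfSenderDomainIs
}

# Constructed sample messages (hypothetical addresses)
$Messages = @(
    @{ Case = 'Internet sender';   EnvelopeFrom = 'alice@partner.example'; HeaderFrom = 'alice@partner.example'; Recipient = $Rcpt }
    @{ Case = 'Other tenant';      EnvelopeFrom = 'bob@tenant-b.example';  HeaderFrom = 'bob@tenant-b.example';  Recipient = $Rcpt }
    @{ Case = 'Same domain';       EnvelopeFrom = 'carol@testlab.local';   HeaderFrom = 'carol@testlab.local';   Recipient = $Rcpt }
    @{ Case = 'Display name only'; EnvelopeFrom = 'bounce@mailer.example'; HeaderFrom = 'Carol';                 Recipient = $Rcpt }
)

# One row per message: would each rule variant prepend the tag?
$Messages | ForEach-Object {
    [pscustomobject]@{
        Case           = $_.Case
        Rule1_Envelope = Test-ExtTag -Message $_ -Rule SingleTenant -SenderAddressLocation Envelope
        Rule2_Envelope = Test-ExtTag -Message $_ -Rule MultiTenant  -SenderAddressLocation Envelope
        Rule2_Header   = Test-ExtTag -Message $_ -Rule MultiTenant  -SenderAddressLocation Header
    }
} | Format-Table -AutoSize
```

The "Other tenant" row is where the single-tenant rule and the multi-tenant rule disagree, and the "Display name only" row is the case where matching on Header instead of Envelope leaves the message untagged.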

Find a description of the conditions here: Mail flow rule conditions

Have a nice day!
 
