Export (0) Print
Expand All

Understanding Policy Rule Settings

 

Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange

Topic Last Modified: 2012-06-14

In the Policy Rule Settings pane, you can set the scope, actions, and parameters to be applied to the specified match expressions for items such as email headers, sender/recipient, or message subject/body.

If you have multiple policy rules and a different domain scope among them, you will only be able to filter your search when you use the Search box if you include the @ symbol in front of the domain name.

Policy rule settings include the following:

  • Domain Scope: this setting lets you select the domains to which the policy rules should apply.

  • Traffic Scope: this setting lets you specify whether the rules apply to inbound, outbound, or if the policy rule should be disabled.

  • Action: this setting lets you specify the action that should be applied to the match criteria, such as header value.

  • Policy action related settings:

    • Redirect address: this is an option of the Redirect policy action.

    • BCC address: this is an option of the Deliver with BCC policy action.

    • Attachment Download: this is an option of the Quarantine policy action.

    • Message release: this is an option of the Quarantine policy action.

    • Test mode options: Add X-Header and Modify Subject: these are options of the Test policy action.

  • Expiration date: this setting lets you assign an optional expiration date to any policy rule.

  • Description: this setting lets you add a summary of the rule.

See the Policy Filter Actions, Expiration Date, and Description sections in this topic for important additional information about these settings. For more information about Administration Center Policy Rules, see Policy Rules. For more information about how policy rules settings are processed, see Understanding Policy Rule Processing.

The following sections describe the options that you can select in the Action area of the Policy Rule Settings pane, both for inbound and outbound policy filters. A rule can perform either inbound policy filter actions or outbound policy filter actions on a message.

Actions for inbound policy rules apply to incoming messages for recipients for a specific domain scope. The table that is shown here describes the options that are available in the Action section of the Policy Rule Settings pane, actions that the Filtering service can take on inbound messages that match any of the expressions or options specified in a policy filtering rule.

 

Action Description

Decrypt

Decrypts messages that are replies to encrypted message, which was originally sent from your company using the encryption service.

Allow

Ensures that a message will not be blocked as spam or by other policy rules. Messages will still be processed by virus engines and policy decryption filters as applicable.

Reject

Rejects all inbound messages that match any of the expressions specified.

Quarantine

Moves inbound messages that match any of the expressions specified in the Quarantine. The original recipient will not receive the message.

Redirect

Allows inbound messages that match to be redirected to a new email address. The original recipient will not receive the message. If messages are redirected, the new recipient will be able to view the original addressees if they are included in the To line of the message. When you select this action, you are prompted to enter the email address where the message should be redirected.

Deliver with Bcc

Allows inbound messages that match to be delivered to the intended recipient, and a blind carbon copy (Bcc) sent to a separate new email address. Any message that uses this Bcc option will add one message to the delivery report.

Test

Allows the administrator to test individual policy reject rules. If a policy rule action is set to “Test”, all email messages that are matched by the policy rule will be marked with a non-customizable X-Header or a Subject line.

The X-Header option adds the default X-Header that displays X-PolicyTest: This message was filtered by <RuleID>. The subject line option adds [Filter Test: P<Rule ID>] to the beginning of the message subject line. Rule ID is correlated with the policy rule ID that you have created for the Test policy.

Actions for outbound policy rules apply to outgoing messages from senders for a specific domain scope. The table that is shown here describes the options that are available in the Action section of the Policy Rule Settings pane, actions that the Hosted Filtering service can take on outbound messages that match any of the expressions or options specified in a policy filtering rule.

 

Action Description

Reject

Rejects all outbound messages that match the policy rule options.

Redirect

Allows outbound messages that match to be redirected to a new email address. The original recipient will not receive the message. If messages are redirected, the new recipient will be able to view the original addressees if they are included in the To line of the message. When you select this action, you are prompted to enter the email address where the message should be redirected.

Deliver

Allows outbound messages that match to be delivered to the intended recipient, with a Bcc sent to a separate new email address. Any message that uses this Bcc option will add one message to the delivery report.

NoteNote:
In the Administration Center, you can create detailed Bcc policy rules. When using the Bcc action for outbound policy rules, you can specify originating IP addresses, sender domains, and sender email addresses as options.

Encrypt

Encrypts messages upon sending. Rules can be set to encrypt outbound mail based on subject keywords, message keywords, or common expressions in addition to sender IP address, sender and recipient domain, or email address.

Force TLS

Enforces transport layer security (TLS) between your outbound mail transfer agent (MTA) and your recipient’s MTA. When you configure this Policy Rule, the Force TLS restrictions are applied to matching outgoing emails and are enforced across your whole domain.

ImportantImportant:
If the recipient server certificate is expired, self-signed, or not valid, the TLS connection will not be established and the message will be deferred.
If a TLS connection cannot be established between your outbound services and the recipient’s messaging environment, the message will be deferred for 24 hours. If message delivery fails, a bounce message will be sent to the sender. In order to receive the bounce message, your server must have a valid, known certificate.
If the Enable Opportunistic TLS for unspecified recipients box is unchecked, outbound messages will not be bifurcated. This means that authenticated Transport Layer Security (TLS) will be enforced for the delivery of all recipients on the message, where any of the recipients match the Policy Filter rule and the recipient mail transfer agent (MTA) is configured to accept TLS-based connections (including valid public certificates). If one of the recipients has an MTA that does not support TLS connections, then the message to this recipient will be rejected. Checking this box will still enforce authenticated TLS on the recipient who matches the rule, but also allows all other recipients to be transmitted using Opportunistic TLS if all attempts to enforce TLS fail. The Forefront Online Protection for Exchange (FOPE) service will always use the highest level of encryption available for transmission of the messages and if not available will step down.
 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft