Mail flow rules (transport rules) in Exchange Online
Article
In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use mail flow rules (also known as transport rules) to identify and take action on messages that flow through your organization.
Mail flow rules are similar to the Inbox rules that are available in Outlook and Outlook on the web (formerly known as Outlook Web App). The main difference is that the mail flow rules take action on messages while they're in transit, and not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.
For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For each rule, you have the option of enforcing it, testing it, or testing it and notifying the sender. For more information about the testing options, see Test mail flow rules in Exchange Online and Policy Tips (not available in standalone EOP).
A mail flow rule is made of conditions, exceptions, actions, and properties:
Conditions: Identify the messages that you want to apply the actions to. Some conditions examine message header fields (for example, the To, From, or Cc fields). Other conditions examine message properties (for example, the message subject, body, attachments, message size, or message classification). Most conditions require you to specify a comparison operator (for example, equals, doesn't equal, or contains) and a value to match.
Exceptions: Optionally, identify the messages that the actions shouldn't apply to. The same message identifiers that are available in conditions are also available in exceptions. Exceptions override conditions and prevent the rule actions from being applied to a message, even if the message matches all of the configured conditions.
Actions: Specify what to do to messages that match the conditions in the rule, and that don't match any of the exceptions. There are many actions available, such as rejecting, deleting, or redirecting messages, adding additional recipients, adding prefixes in the message subject, or inserting disclaimers in the message body.
Properties: Specify other rules settings that aren't conditions, exceptions, or actions, for example, when the rule should be applied, whether to enforce or test the rule, and the time period when the rule is active.
If you create a rule without conditions and exceptions, the rule action is applied to all messages. This result can have unintended consequences. For example, if the rule action is to delete the message, removing the conditions and exceptions could cause the rule to delete all inbound and outbound messages for the entire organization.
Multiple conditions, exceptions, and actions
The following table shows how multiple conditions, condition values, exceptions, and actions are handled in a rule:
Component
Logic
Comments
Multiple conditions
AND
A message must match all the conditions in the rule. If you need to match one condition or another, use separate rules for each condition. For example, if you want to add the same disclaimer to messages with attachments and messages that contain specific text, create one rule for each condition. In the EAC, you can easily copy a rule.
One condition with multiple values
OR
Some conditions allow you to specify more than one value. The message must match any one (not all) of the specified values. For example, if an email message has the subject "Stock price information", and the The subject includes any of these words condition is configured to match the words "Contoso" or "stock", the condition is satisfied because the subject contains at least one of the specified values.
Multiple exceptions
OR
If a message matches any one of the exceptions, the actions aren't applied to the message. The message doesn't have to match all the exceptions.
Multiple actions
AND
Messages that match a rule's conditions get all the actions that are specified in the rule. For example, if the actions Prepend the subject of the message with and Add recipients to the Bcc box are selected, both actions are applied to the message.
Keep in mind that some actions (for example, the Delete the message without notifying anyone action) prevent subsequent rules from being applied to a message. Other actions (for example, the Forward the message action) don't allow additional actions.
You can also set an action on a rule so that when that rule is applied, subsequent rules aren't applied to the message.
Mail flow rule properties
The following table describes the rule properties that are available in mail flow rules:
Property name in the EAC
Parameter name in PowerShell
Description
Priority
Priority
Indicates the order in which the rules are applied to messages. The default priority is based on when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are processed before lower priority rules).
You can change the rule priority in the EAC by moving the rule up or down in the list of rules. In the PowerShell, you set the priority number (0 is the highest priority).
For example, if you have one rule to reject messages that include a credit card number, and another one requiring approval, you'll want the reject rule to happen first, and other rules stopped from being applied.
Sets the severity level of the incident report and the corresponding entry that's written to the message tracking log. Valid values are DoNotAudit, Low, Medium, and High.
Mode
Mode
You can specify whether you want the rule to start processing messages immediately, or whether you want to test rules without affecting the delivery of the message, with or without Policy Tips.
Policy Tips present a brief note in Outlook or Outlook on the web that provides information about possible policy violations to the person that's creating the message.
New rules:Enabled parameter on the New-TransportRule cmdlet. Existing rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets.
The value is displayed in the State property of the rule.
You can create a disabled rule and enable it when you're ready to test it. Or, you can disable a rule without deleting it to preserve the settings.
Defer the message if rule processing doesn't complete
RuleErrorAction
You can specify how the message should be handled if the rule processing can't be completed. By default, the rule will be ignored, but you can choose to resubmit the message for processing.
Match sender address in message
SenderAddressLocation
If the rule uses conditions or exceptions that examine the sender's email address, you can look for the value in the message header, the message envelope, or both.
Stop processing more rules
StopRuleProcessing
This element is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message.
Comments
Comments
You can enter descriptive comments about the rule.
How mail flow rules are applied to messages
All messages (except NDRs) that flow through your organization are evaluated against the enabled mail flow rules in your organization. Rules are processed in the order listed on the Mail flow > Rules page in EAC, or based on the corresponding Priority parameter value in the PowerShell.
Each rule also offers the option of stopping to processing more rules when the rule is matched. This setting is important for messages that match the conditions in multiple mail flow rules (which rule do you want applied to the message? All? Just one?).
Differences in processing based on message type
There are several types of messages that pass through an organization. The following table shows which messages types can be processed by mail flow rules:
Type of message
Can a rule be applied?
Regular messages: Messages that contain a single rich text format (RTF), HTML, or plain text message body, or a multipart or alternative set of message bodies.
Yes
Message Encryption: Messages encrypted by Message Encryption in Microsoft 365 or Office 365. For more information, see Encryption.
Rules can always access envelope headers and process messages based on conditions that inspect those headers.
For a rule to inspect or modify the contents of an encrypted message, you need to verify that transport decryption is enabled.
Rules can only access envelope headers and process messages based on conditions that inspect those headers.
Rules with conditions that require inspection of the message's content, or actions that modify the message's content can't be processed.
RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure Rights Management (RMS) policy applied.
Rules can always access envelope headers and process messages based on conditions that inspect those headers.
For a rule to inspect or modify the contents of an RMS-protected message, you need to verify that transport decryption is enabled by setting the TransportDecryptionSetting to Mandatory or Optional using the Set-IRMConfiguration cmdlet.
Clear-signed messages: Messages that have been signed but not encrypted.
Yes
Anonymous messages: Messages sent by anonymous senders.
Yes
Read reports: Reports that are generated in response to read receipt requests by senders. Read reports have a message class of IPM.Note*.MdnRead or IPM.Note*.MdnNotRead.
Yes
System-generated messages
System-generated messages don't get processed by your organization's mail flow rules (or transport rules). Some of the messages that aren't processed by mail flow rules are:
Non-Delivery report (NDR) generated by Exchange. The NDRs created by non-Exchange service won't be detected as NDR by Exchange Mail flow rules, and the coresponding Mail flow rules conditions/exceptions won't be matched.
Messages sent to the arbitration mailbox (like approval request notification).
Recall messages.
Journal report.
What else should I know?
The Version or RuleVersion property value for a rule isn't important in Exchange Online.
After you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be applied to messages.
You can create a transport rule to bypass EOP and allow mail to flow without delay from internal senders such as scanners, faxes, and other trusted sources that send attachments that are known to be safe. Don't bypass filtering for all internal messages; in this situation, a compromised account could send malicious content.
History and changes to mail flow rules aren't maintained; so, you can't revert mail flow rules back to previous states.
This module examines how to manage Safe Attachments in your Microsoft 365 tenant by creating and configuring policies and using transport rules to disable a policy from taking effect in certain scenarios. MS-102