How to Configure Mail Flow Rules, Disclaimers, and Email Security in Exchange Online (2025 Update)

Microsoft 365 Exchange Online provides powerful Mail Flow (Transport) Rules to help administrators manage, secure, and monitor the movement of emails. Using these features, organizations can block unwanted messages, enforce compliance policies, and protect against data leaks or phishing attacks.

Below is a detailed, updated guide (2025) covering the most common configurations:


1. Create Transport Rules (Mail Flow Rules)

Purpose

Transport rules allow Exchange administrators to control how emails are processed based on conditions, actions, and exceptions. These rules are often used to:

  • Block, redirect, or quarantine specific emails.
  • Append disclaimers to messages.
  • Enforce security or compliance requirements, such as simple keyword-based leak prevention (full data loss prevention policies are configured separately in Microsoft Purview).

Configuration Steps

Exchange Admin Center (EAC)

  1. Go to Exchange Admin Center.
  2. Navigate to Mail flow → Rules and click + Add a rule.
  3. Configure your rule:
    • Name: e.g., “Block External Payroll Emails”.
    • Conditions: Define triggers (sender domain, subject keywords, recipient location such as outside the organization).
    • Actions: Choose what happens (reject with an NDR, redirect, notify, quarantine, set the spam confidence level).
    • Exceptions: Add any allowed users, groups, or domains if necessary.
    • Rule mode: start with “Test without Policy Tips” (audit mode) so matches are recorded in message trace without being acted on.
  4. Save the rule and test it using sample emails.

PowerShell

# Connect to Exchange Online
Connect-ExchangeOnline

# Create a transport rule to block external emails with "confidential" in the subject
New-TransportRule -Name "Block Confidential External" `
-SubjectContainsWords "confidential" `
-SentToScope NotInOrganization `
-RejectMessageReasonText "External forwarding of confidential emails is blocked."

Validation

  • Send test emails containing the condition keywords.
  • Review Mail Flow > Message Trace in the EAC to verify enforcement.

Best Practices

  • Start with audit mode (EAC “Test without Policy Tips”, PowerShell -Mode Audit) and review message trace hits before switching the rule to Enforce.
  • Document all rules to prevent overlaps or conflicts.
  • Review and update rules quarterly.

Use Case

A finance department blocks all external emails containing the keyword “Payroll” in the subject line to prevent sensitive data from leaving the organization.
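The complete workflow behind the steps above, as an added example that is not part of the original article: the rule from the finance use case is created in audit mode with an exception group, its position among the other rules is checked, the message trace is queried for hits, and only then is it switched to Enforce. The group address, the sender and recipient used in the trace query, and the comment text are placeholders.

```powershell
# Added example, not from the original article. Addresses, the exception group and the
# comment are placeholders; adapt them before running.
Connect-ExchangeOnline

$ruleName = "Block External Payroll Emails"

# 1. Create the rule in audit mode. Matches are recorded in message trace but nothing is
#    rejected yet. Members of the payroll group are exempt so legitimate HR traffic continues.
New-TransportRule -Name $ruleName `
    -SubjectContainsWords "payroll" `
    -SentToScope NotInOrganization `
    -ExceptIfFromMemberOf "hr-payroll@contoso.com" `
    -RejectMessageReasonText "Payroll information may not be sent outside the organization." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Priority 0 `
    -Comments "Owner: SecOps. Purpose: keep payroll data internal. Review quarterly."

# 2. Check where the rule sits: rules run in priority order, and a higher-priority rule
#    with 'stop processing more rules' set can shadow this one.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, Mode, State, StopRuleProcessing -AutoSize

# 3. After sending a test message with "payroll" in the subject to an external address, look
#    for the rule hit in the trace. (Newer module versions also provide Get-MessageTraceV2 and
#    Get-MessageTraceDetailV2 with similar usage.)
$trace = Get-MessageTrace -SenderAddress alice@contoso.com -RecipientAddress bob@example.net `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date)
$trace | Get-MessageTraceDetail |
    Where-Object { $_.Event -eq "Transport rule" } |
    Select-Object Date, Event, Action, Detail

# 4. Once the audit results show only the intended matches, enforce the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Audit mode is what makes a keyword rule safe to roll out: a word like “payroll” also appears in legitimate vendor and benefits mail, and the trace output in step 3 shows exactly which messages would have been rejected before anyone is affected.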


2. Configure Email Disclaimers (Advanced)

Purpose

Email disclaimers automatically attach legal, informational, or compliance-related text to outgoing emails. Common examples include GDPR notices or confidentiality statements.

Configuration Steps

Exchange Admin Center (EAC)

  1. Navigate to Mail flow → Rules → + (Apply disclaimers).
  2. Configure the rule:
    • Scope: Apply to all outgoing messages or specific groups.
    • Action: Append disclaimer text (supports HTML).
    • Exceptions: Exclude internal messages or specific domains.
  3. Save and test the disclaimer by sending external emails.

PowerShell

# Connect to Exchange Online
Connect-ExchangeOnline

# Create a disclaimer rule
New-TransportRule -Name "Company Disclaimer" `
-SentToScope NotInOrganization `
-ApplyHtmlDisclaimerText "Confidential: For authorized recipients only." `
-ApplyHtmlDisclaimerFallbackAction Wrap

Validation

  • Send a test email externally to confirm the disclaimer appears properly.
  • Check that HTML formatting displays correctly in Outlook desktop, Outlook on the web, and the mobile apps.

Best Practices

  • Keep the disclaimer short and professional.
  • Use consistent branding (fonts, logo colors).
  • Avoid using client-side signatures for organization-wide disclaimers.

Use Case

The legal department enforces a confidentiality notice for all external communications, automatically appended through a transport rule.
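A fuller version of the disclaimer rule, as an added example that is not part of the original article: the HTML body uses Exchange directory placeholders (%%DisplayName%%, %%Title%%, %%Company%% are filled from the sender’s attributes at send time), the rule is scoped to mail that originates inside the organization and leaves it, an exception stops the notice from being stamped again on every reply in a thread, and the fallback behaviour is checked afterwards. The domain, legal URL, and the exact wording are placeholders.

```powershell
# Added example, not from the original article. Domain, URL and wording are placeholders.
Connect-ExchangeOnline

# Disclaimer body. %%DisplayName%%, %%Title%% and %%Company%% are Exchange placeholders
# that are replaced with the sender's directory attributes when the rule fires.
$disclaimer = @"
<hr>
<p style="font-family:Segoe UI,Arial,sans-serif;font-size:10pt;color:#444">
<strong>%%DisplayName%%</strong>, %%Title%% &middot; %%Company%%<br>
This message is confidential and intended only for the named recipient.
If you received it in error, notify the sender and delete it. See
<a href="https://www.contoso.com/legal/email">contoso.com/legal/email</a>.
</p>
"@

# FromScope InOrganization keeps the rule off mail that merely transits the tenant;
# the exception skips messages that already quote the notice (replies in a thread).
New-TransportRule -Name "Company Disclaimer" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectOrBodyContainsWords "This message is confidential and intended only for the named recipient" `
    -Mode Enforce

# Verify the scope and the fallback. Wrap means a message whose body cannot be modified
# (for example an S/MIME-signed message) is sent as an attachment of a new message that
# carries the disclaimer; Ignore would send it unstamped; Reject would bounce it.
Get-TransportRule "Company Disclaimer" |
    Format-List Name, FromScope, SentToScope, ApplyHtmlDisclaimerLocation, `
        ApplyHtmlDisclaimerFallbackAction, ExceptIfSubjectOrBodyContainsWords
```

The fallback choice matters for signed and encrypted mail: with Wrap, recipients get the notice but must open an attachment to read the original, so if the organization sends much S/MIME mail, Ignore may be the better trade-off.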


3. Block External Forwarding for Security

Purpose

Prevent users from automatically forwarding company emails to external addresses, reducing the risk of data exfiltration and unauthorized sharing.

Configuration Steps

Exchange Admin Center (EAC)

  1. Go to Mail flow → Rules → + Add a rule.
  2. Set Conditions: The message type is “Auto-forward” and The recipient is located outside the organization. (A rule that matches every message sent outside the organization would block all external mail, not just forwarding.)
  3. Action: Reject the message with an explanation, or notify the sender.
  4. Save and test the rule.
  5. Also set Automatic forwarding rules to Off in the outbound spam filter policy (Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-spam → Anti-spam outbound policy), so the block does not depend on a single mail flow rule staying in place.

PowerShell

# Connect to Exchange Online
Connect-ExchangeOnline

# Clear forwarding that is already configured on mailboxes (remediation only: this does
# not stop users from setting it again). Only mailboxes with an external forward are touched.
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null' |
    Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Prevent new automatic forwarding to external recipients tenant-wide
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

Validation

  • From a test mailbox, configure a forward or inbox rule to an external address and send it a message; the forward should be rejected with an NDR.
  • Verify forwarding settings are cleared with Get-Mailbox, and check Get-InboxRule for inbox rules that forward or redirect to external addresses.

Best Practices

  • Allow forwarding exceptions for approved domains only.
  • Monitor Message Trace for policy compliance.

Use Case

Prevent employees from forwarding financial reports to personal email addresses, reducing the risk of data leakage.
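The controls above layered together, as an added example that is not part of the original article: the outbound spam filter policy, the remote domain setting, a mail flow rule that matches only auto-forwarded messages (with an approved-domain exception, as the best practices suggest), and a report of forwarding that is already configured, including inbox rules. contoso.com and partner.example are placeholders.

```powershell
# Added example, not from the original article. contoso.com and partner.example are placeholders.
Connect-ExchangeOnline

# Layer 1: outbound spam filter policy. 'Off' rejects every automatic external forward
# (mailbox forwarding, inbox rules, Outlook client rules) with an NDR and needs no rule.
# Because this example wants an approved-domain exception, it uses 'On' and lets the
# remote domain settings and the mail flow rule below decide; with 'Off' the policy
# would reject the forward regardless of the rule's exception.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On

# Layer 2: remote domains. The Default remote domain covers every external domain;
# a dedicated remote domain re-enables auto-forwarding only for the approved partner.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-RemoteDomain -Name "Approved Partner" -DomainName partner.example
Set-RemoteDomain -Identity "Approved Partner" -AutoForwardEnabled $true

# Layer 3: a mail flow rule that matches the Auto-forward message type (not all external
# mail) and rejects with a reason the sender sees, so the block is visible in message trace.
New-TransportRule -Name "Block External Auto-Forwarding" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs "partner.example" `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted." `
    -Mode Enforce

# Layer 4: the controls above block future forwards but do not remove existing configuration.
# Forwarding that is already set is worth reviewing: an unexpected inbox rule that forwards
# externally is a classic sign of a compromised mailbox.
$mailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Get-InboxRule is per mailbox, so this loop is slow on large tenants; run it off-hours.
$inboxRuleForwarding = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } }, Name, Enabled,
            ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

$mailboxForwarding | Format-Table -AutoSize
$inboxRuleForwarding | Format-Table -AutoSize
```

Any one of the first three layers blocks an external auto-forward on its own; keeping all three means that an administrator relaxing one setting during troubleshooting does not silently reopen the exfiltration path. The fourth layer is the part attackers count on being skipped: a forwarding inbox rule survives a password reset unless someone looks for it.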


4. Configure Anti-Malware and Anti-Phishing Policies

Purpose

Defend your organization against malware, phishing, and spam using Microsoft Defender for Office 365 or Exchange Online Protection.

Configuration Steps

Microsoft Defender portal (security.microsoft.com)

  1. Navigate to Email & collaboration → Policies & rules → Threat policies, then open Anti-malware, Anti-spam, or Anti-phishing. (The older Security & Compliance Center path Threat Management → Policy has been retired into this portal.)
  2. Configure options:
    • Anti-malware: enable the common attachments filter and zero-hour auto purge (ZAP); detected messages are quarantined.
    • Anti-spam: set the actions for spam, high confidence spam, phishing, and high confidence phishing (quarantine rather than Junk Email for phishing verdicts), and manage allowed and blocked senders (see section 5).
    • Anti-phishing: enable spoof intelligence; with Defender for Office 365, add user and domain impersonation protection and mailbox intelligence.
  3. Apply the policy to all users or to specific users, groups, or domains.

PowerShell

# Connect to Exchange Online
Connect-ExchangeOnline

# Create a custom anti-malware policy (the admin address and contoso.com are placeholders).
# In Exchange Online detected malware is always quarantined, so the policy's knobs are the
# common attachments filter, ZAP, and admin notifications.
New-MalwareFilterPolicy -Name "Custom AntiMalware" -EnableFileFilter $true -FileTypeAction Reject `
    -ZapEnabled $true -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress secops@contoso.com

# A policy applies to nobody until a rule scopes it to recipients
New-MalwareFilterRule -Name "Custom AntiMalware" -MalwareFilterPolicy "Custom AntiMalware" -RecipientDomainIs contoso.com

Validation

  • Run a phishing campaign with Attack simulation training (Defender portal → Email & collaboration → Attack simulation training) rather than mailing real malware; the EICAR test file is enough to confirm the anti-malware path.
  • Review the Quarantine page and the Threat protection status report in the Defender portal for detections.

Best Practices

  • Combine policies with Safe Links and Safe Attachments (Defender for Office 365).
  • Regularly review reports and adjust thresholds.
  • Train users on recognizing phishing attempts.

Use Case

An organization blocks all emails containing executable attachments to reduce ransomware infection risks.
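The anti-phishing side of the procedure above, as an added example that is not part of the original article: an anti-phishing policy that quarantines spoofed mail and display-name impersonation of named executives, an anti-spam policy whose phishing verdicts go to quarantine rather than the Junk Email folder, and a quarantine summary for validation. The executive names and addresses and contoso.com are placeholders; impersonation protection, mailbox intelligence and the phishing threshold require a Defender for Office 365 license, while spoof intelligence and the anti-spam actions are part of Exchange Online Protection.

```powershell
# Added example, not from the original article. Names, addresses and contoso.com are
# placeholders. Targeted-user, mailbox-intelligence and threshold settings need a Defender
# for Office 365 licence; spoof intelligence and the anti-spam actions are in EOP.
Connect-ExchangeOnline

# Anti-phishing policy: quarantine mail that fails composite authentication (spoof),
# protect named executives and the organisation's own domains from impersonation,
# and turn on the safety tips users actually see.
New-AntiPhishPolicy -Name "Exec Impersonation Protection" `
    -Enabled $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Doe;jane.doe@contoso.com", "John Roe;john.roe@contoso.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -PhishThresholdLevel 2 `
    -EnableFirstContactSafetyTips $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true

# As with malware policies, an anti-phishing policy needs a rule to apply to anyone.
New-AntiPhishRule -Name "Exec Impersonation Protection" `
    -AntiPhishPolicy "Exec Impersonation Protection" `
    -RecipientDomainIs contoso.com -Priority 0

# Anti-spam (inbound) policy: phishing verdicts go to quarantine, not the Junk Email folder,
# and ZAP can pull already-delivered messages once a later verdict changes.
Set-HostedContentFilterPolicy -Identity Default `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -PhishZapEnabled $true -SpamZapEnabled $true

# Validation: what the filters caught in the last 7 days, grouped by verdict type
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-7) -EndReceivedDate (Get-Date) -PageSize 1000 |
    Group-Object Type | Sort-Object Count -Descending | Format-Table Count, Name
```

Moving phishing verdicts from Junk Email to quarantine is the change with the most practical effect: a message in a user’s Junk folder can still be opened and its link clicked, whereas a quarantined message is only released after review.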


5. Manage Safe Sender and Blocked Sender Lists

Purpose

Fine-tune spam filtering by specifying trusted (safe) and blocked (unwanted) senders or domains. Helps ensure legitimate emails are delivered while spam is rejected.

Configuration Steps

Exchange Admin Center (EAC)

  1. Navigate to the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-spam, then open the inbound policy to edit (the classic EAC path Protection → Spam filter no longer exists).
  2. Add entries under Allowed senders / Allowed domains and Blocked senders / Blocked domains.
  3. Save; the default policy applies to everyone, while a custom policy is assigned to users, groups, or domains. For blocks, prefer the tenant-wide Tenant Allow/Block List. Use policy allow lists sparingly: they skip spam, phishing, and bulk filtering for any message that carries that sender address, spoofed or not (only malware and high confidence phishing verdicts still apply).

PowerShell

# Connect to Exchange Online
Connect-ExchangeOnline

# Add a blocked sender domain (the parameters are -BlockedSenderDomains / -BlockedSenders;
# there is no -BlockedSendersAndDomains)
Set-HostedContentFilterPolicy -Identity "Default" -BlockedSenderDomains @{Add="malicious.com"}

# Add an allowed sender domain (use sparingly: this bypasses spam filtering for any
# message claiming this domain, including spoofed ones)
Set-HostedContentFilterPolicy -Identity "Default" -AllowedSenderDomains @{Add="trustedpartner.com"}

Validation

  • Mail from blocked senders is marked as high confidence spam and handled by the policy’s high-confidence-spam action (Junk Email folder or quarantine, depending on the policy; check Get-HostedContentFilterPolicy).
  • Mail from allowed senders is delivered to the inbox with SCL -1 unless it contains malware or is high confidence phishing.

Best Practices

  • Keep the lists short and relevant; the policy lists do not accept wildcards, and allowing a whole domain where a single sender address would do widens the bypass.
  • Update regularly to adapt to new vendors or threats.
  • Review logs for false positives.

Use Case

Trusted vendors’ domains are added to the safe sender list to ensure invoices are received, while spammy domains are blocked to reduce junk mail.
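The vendor use case done the safer way, as an added example that is not part of the original article: the phishing domain is blocked through the Tenant Allow/Block List with an expiry and a note, the partner is allowed by a mail flow rule that only bypasses spam filtering when the message carries a DMARC pass (so a spoof of the partner’s domain gets no free ride), and the policy lists are dumped for review. The domains, the group address, and the note text are placeholders.

```powershell
# Added example, not from the original article. Domains, the recipient group and the
# note text are placeholders.
Connect-ExchangeOnline

# Blocking: the Tenant Allow/Block List is tenant-wide, carries an expiry and an audit
# note, and is applied before the anti-spam policy is evaluated.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries "malicious.com", "invoices@paypa1-secure.example" `
    -ExpirationDate (Get-Date).AddDays(90) `
    -Notes "Invoice phishing campaign; ticket reference placeholder"

# Allowing: a policy-level allowed domain skips filtering for anyone who can put that
# domain in the From header. A mail flow rule that also requires a DMARC pass in the
# Authentication-Results header trusts only mail that really came from the partner,
# and SCL -1 bypasses spam filtering while malware and high confidence phishing still apply.
New-TransportRule -Name "Allow trustedpartner.com invoices (authenticated)" `
    -SenderDomainIs "trustedpartner.com" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=pass" `
    -SentToMemberOf "accounts-payable@contoso.com" `
    -SetSCL -1 `
    -Comments "Spam bypass only for DMARC-authenticated mail from the partner, to AP only"

# Review: list what is currently allowed and blocked, so entries added over time
# (or by another administrator) do not accumulate unnoticed.
Get-HostedContentFilterPolicy |
    Select-Object Name, AllowedSenderDomains, AllowedSenders, BlockedSenderDomains, BlockedSenders |
    Format-List
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Select-Object Value, ExpirationDate, Notes | Format-Table -AutoSize
```

The rule’s DMARC condition is the point of the example: with a plain allowed-domain entry, the first phishing message that forges trustedpartner.com in the From header inherits the partner’s trust. The rule also limits the bypass to the one group that actually needs the vendor’s mail.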


Final Recommendations

  • Audit before enforcing: Always start with a monitoring period.
  • Document every rule and policy: Helps in troubleshooting and compliance.
  • Automate reviews: Schedule quarterly audits for rules and spam filters.
  • Educate users: Security awareness reduces phishing success rates.
  • Leverage the Microsoft Defender portal: Centralized management and visibility across Exchange Online Protection and Defender for Office 365.

 
