September 1, 2017

Office 365 - Exchange Online: Allow specific External Domain Users to send emails to Distribution Groups

Problem Statement:
We came across a requirement to create a Distribution Group where -
1. Users from internal organization can send emails to this Distribution Group.
2. External Users ONLY from partner organization domain can send emails to this Distribution Group.

Distribution Groups in Exchange Online provide an option to restrict external users from sending emails to the group. In this case, however, we need to allow users from one external domain (let's say the domain is demowork.xyz) to send emails to the Distribution Group.

Domain-based sender filtering is NOT directly available when we create the Distribution Group, but we can meet this requirement by creating a Transportation Rule in Exchange Online (Exchange Online itself calls these mail flow rules, or transport rules).

Resolution:
We can use a Transportation Rule to restrict a Distribution Group so that it receives emails only from the internal organization and one specific external domain. The steps to create a new Distribution Group/Distribution List (DL) and configure the Transportation Rule for the sender domain restriction are summarized below:

A. Create Distribution Group:
1. Login to Exchange Control Panel (ECP).
2. Navigate to "Recipients" -> "Groups".
3. Click "+" icon and select "Distribution Group".
4. In the newly opened window, click the "To create a new distribution group, click here" option.

5. Populate the required information to create new group:
  • Display Name: Desired Group Name (We will name this as "Helpdesk" in this example).
  • Alias: Desired Group Alias Name (We will keep this as "Helpdesk" in this example).
  • Email Address: Desired email address for the group (in this example, "helpdesk@binaryrepublik.com").
  • Add Owners and Members of the group as needed.
  • Select Group Membership options as needed. We will select "Closed" for both the options - (1) Choose whether owner approval is required to join the group. (2) Choose whether the group is open to leave.
  • Click "Save".
6. By default, this newly created Distribution Group accepts emails only from senders within the organization, so we need to change it to accept emails from outside the organization as well. To enable this -
  • Select this Distribution Group and Click Edit icon.
  • Go to "Delivery Management" in newly opened window.
  • Select "Senders inside and outside of my organization" option and click "Save".
7. We now have a group that accepts emails from senders inside and outside the organization (any sender from any domain).

Next, we have to create a Transportation Rule that restricts this Distribution Group to receive emails only from senders inside the organization and from the specific partner domain (e.g. demowork.xyz).

B. Create Transportation Rule:
1. Go to Exchange Control Panel -> Mail Flow -> Rules.
2. Click "+" icon and select "Create a new rule".
3. Click "More Options" at bottom of the newly opened window.
4. Furnish the information to create new rule -
  • Name: Meaningful name for the rule (e.g. - Helpdesk Restriction)
  • Apply this rule if -> select "The message..." -> "To or Cc box contains this person".
  • Select newly created DL and click OK. (In this example, we will select "Helpdesk").
  • Do the following -> "Block the message..." -> "Reject the message and include an explanation". Specify the desired explanation like "This email address is only for specific people. You are not allowed to send emails to this address" and click OK.
  • Click "add exception" under "except if" section.
  • Select "The sender..." -> "domain is"
  • Add internal organization domain (in this example, binaryrepublik.com) and partner domain (in this example, demowork.xyz) and click OK. Basically, here we need to define domains of allowed senders.
5. Click "Save".

The Distribution Group and the Transportation Rule are now configured.
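
The same configuration from sections A and B, scripted in Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed and reuses the post's example names and domains. Unlike the click-through order above, it creates the rule before opening the group to outside senders.

```powershell
# Added example: assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Values taken from the walkthrough above.
$GroupName      = 'Helpdesk'
$GroupAddress   = 'helpdesk@binaryrepublik.com'
$AllowedDomains = 'binaryrepublik.com', 'demowork.xyz'   # internal + partner domain
$RuleName       = 'Helpdesk Restriction'
$RejectText     = 'This email address is only for specific people. ' +
                  'You are not allowed to send emails to this address'

# A. Create the group with closed join/leave. A new group accepts internal senders only.
if (-not (Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Alias $GroupName `
        -PrimarySmtpAddress $GroupAddress `
        -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null
}

# B. Create the rejecting rule while the group is still internal-only.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -AnyOfToCcHeader $GroupAddress `
        -RejectMessageReasonText $RejectText `
        -ExceptIfSenderDomainIs $AllowedDomains | Out-Null
}

# A.6 Only now open the group to outside senders, so it is never reachable
# from arbitrary external domains without the rule in place.
Set-DistributionGroup -Identity $GroupAddress -RequireSenderAuthenticationEnabled $false

# Check: the group should show RequireSenderAuthenticationEnabled = False and the
# rule should be Enabled with both allowed domains listed in the exception.
Get-DistributionGroup -Identity $GroupAddress |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, AnyOfToCcHeader, ExceptIfSenderDomainIs, RejectMessageReasonText
```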

Conclusion:
This way, using a Transportation Rule, we can allow a Distribution Group in Exchange Online to receive emails only from senders of specific domain(s).


7 comments:

  1. Hi,

    Great post, thank you. Is there a way to add specific external emails to this rule? Would adding the external email address as a contact and then putting that contact into the exception work?

    Thank you,
    Charles

    1. Hi Charles,

      Yes, you can add external email address as contact and have this contact configured as exception. This will work. Thank you!

  2. I did this and I can still message the distro list from my yahoo address. Not sure what is wrong here.

    1. Hi Steve,

      You can trace the message from "Exchange Control Panel -> Mail Flow -> Message Trace" and verify if the Transport Rule was executed when message was received from your yahoo address.

  3. How to reject in BCC, as your method is applied to Cc and To only?

    1. Hello,

      In this case, you can use "Any recipient..." -> "address includes any of these words" condition. Here, you can define the email address of DL.

    2. I have set the rule up like this and it still blocks messages when I send them to and cc but bcc still can send through. Would there be another way to block BCC from going to the DL?
