September 1, 2017

Office 365 - Exchange Online: Allow specific External Domain Users to send emails to Distribution Groups

Problem Statement:
We came across a requirement to create a Distribution Group where -
1. Users from the internal organization can send emails to this Distribution Group.
2. External users ONLY from the partner organization's domain can send emails to this Distribution Group.

Distribution Groups in Exchange Online provide an option to block emails from external senders altogether. In this case, however, we need to allow users from one external domain (let's say the domain is demowork.xyz) to send emails to the Distribution Group while still blocking every other external sender.

Domain-based sender filtering is NOT directly available when we create the Distribution Group, but we can achieve this requirement by creating a Transport Rule (mail flow rule) in Exchange Online.

Resolution:
We can use a Transport Rule to restrict a Distribution Group to receive emails only from the internal organization and a specific external domain. The steps to create a new Distribution Group/Distribution List (DL) and configure the Transport Rule for sender domain restriction are summarized below:

A. Create Distribution Group:
1. Log in to the Exchange Control Panel (ECP).
2. Navigate to "Recipients" -> "Groups".
3. Click "+" icon and select "Distribution Group".
4. Click the "To create a new distribution group, click here" option (highlighted in the screenshot below) in the newly opened window:

5. Populate the required information to create the new group:
  • Display Name: Desired group name (we will name it "Helpdesk" in this example).
  • Alias: Desired group alias (we will keep this as "Helpdesk" in this example).
  • Email Address: Desired email address for the group (in this example, "helpdesk@binaryrepublik.com").
  • Add Owners and Members of the group as needed.
  • Select Group Membership options as needed. We will select "Closed" for both the options - (1) Choose whether owner approval is required to join the group. (2) Choose whether the group is open to leave.
  • Click "Save".
6. By default, this newly created Distribution Group accepts emails only from senders within the organization, so we need to change it to also accept emails from outside the organization. To enable this -
  • Select this Distribution Group and Click Edit icon.
  • Go to "Delivery Management" in newly opened window.
  • Select "Senders inside and outside of my organization" option and click "Save".
7. Now we have a group that accepts emails from senders inside and outside the organization (any sender from any domain).

Now we have to create a Transport Rule to restrict this Distribution Group to receive emails only from senders inside the organization and from the specific partner domain (e.g. demowork.xyz).

B. Create Transport Rule:
1. Go to Exchange Control Panel -> Mail Flow -> Rules.
2. Click "+" icon and select "Create a new rule".
3. Click "More Options" at the bottom of the newly opened window.
4. Furnish the information to create the new rule -
  • Name: Meaningful name for the rule (e.g. - Helpdesk Restriction)
  • Apply this rule if -> select "The message..." -> "To or Cc box contains this person".
  • Select newly created DL and click OK. (In this example, we will select "Helpdesk").
  • Do the following -> "Block the message..." -> "Reject the message and include an explanation". Specify the desired explanation, such as "This email address is only for specific people. You are not allowed to send emails to this address", and click OK.
  • Click "add exception" under "except if" section.
  • Select "The sender..." -> "domain is".
  • Add internal organization domain (in this example, binaryrepublik.com) and partner domain (in this example, demowork.xyz) and click OK. Basically, here we need to define domains of allowed senders.
5. Click "Save".

The Distribution Group and Transport Rule are now configured.
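Steps A and B above can also be carried out from Exchange Online PowerShell. The following is an added example, not code from the original post: it creates the "Helpdesk" group with the same membership settings, opens it to external senders (the "Senders inside and outside of my organization" option corresponds to turning off RequireSenderAuthenticationEnabled), and creates the transport rule with the same condition, action and exception. It assumes the ExchangeOnlineManagement module is installed and the signed-in account has rights to manage recipients and mail flow; the owner, member and trace sender addresses are placeholders. The last part builds the silent-delete variant that the comments below suggest, which avoids sending an NDR that can list the group's members to an unauthorised sender.

```powershell
# Added example (not from the original post): PowerShell equivalent of steps A and B.
# Assumes the ExchangeOnlineManagement module and an account allowed to manage
# recipients and mail flow rules. Names and domains are those used in the post.
Connect-ExchangeOnline

$groupName      = 'Helpdesk'
$groupAddress   = 'helpdesk@binaryrepublik.com'
$internalDomain = 'binaryrepublik.com'
$partnerDomain  = 'demowork.xyz'

# Step A.5: create the group; both membership options are "Closed" as in the post.
$groupParams = @{
    Name                    = $groupName
    Alias                   = $groupName
    PrimarySmtpAddress      = $groupAddress
    MemberJoinRestriction   = 'Closed'
    MemberDepartRestriction = 'Closed'
    ManagedBy               = 'owner@binaryrepublik.com'   # placeholder owner
    Members                 = 'user1@binaryrepublik.com'   # placeholder member
}
New-DistributionGroup @groupParams

# Step A.6: "Senders inside and outside of my organization" means the group no
# longer requires the sender to be authenticated.
Set-DistributionGroup -Identity $groupAddress -RequireSenderAuthenticationEnabled $false

# Step B: condition = To/Cc contains the group, action = reject with explanation,
# exception = sender domain is one of the allowed domains.
$ruleParams = @{
    Name                    = 'Helpdesk Restriction'
    AnyOfToCcHeader         = $groupAddress
    RejectMessageReasonText = 'This email address is only for specific people. You are not allowed to send emails to this address'
    ExceptIfSenderDomainIs  = @($internalDomain, $partnerDomain)
    Comments                = 'Only internal and partner-domain senders may mail the Helpdesk DL'
}
New-TransportRule @ruleParams

# Check what was saved: the group setting and the rule's condition/exception/action.
Get-DistributionGroup -Identity $groupAddress |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
Get-TransportRule -Identity 'Helpdesk Restriction' |
    Format-List Name, State, AnyOfToCcHeader, ExceptIfSenderDomainIs, RejectMessageReasonText

# Verify a real delivery the way the author suggests in the comments (message
# trace): look up messages from a test sender over the last day and inspect Status.
Get-MessageTrace -SenderAddress 'tester@example.org' `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Status

# Variant discussed in the comments: the reject NDR can reveal the group's member
# addresses, so drop the message silently instead. Same condition and exception,
# different action; create this rule INSTEAD of the reject rule, not in addition.
$silentParams = $ruleParams.Clone()
$silentParams.Remove('RejectMessageReasonText')
$silentParams['Name']          = 'Helpdesk Restriction (silent drop)'
$silentParams['DeleteMessage'] = $true
# New-TransportRule @silentParams
```

Splatting is used so the same parameter set can be reused for the silent-drop variant without retyping it. Note that the rule above mirrors the post's "To or Cc box contains this person" condition; as the comments point out, that condition does not cover recipients placed in Bcc, so the trace step is worth running with a Bcc test as well as a To test before relying on the rule.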

Conclusion:
This way, using a Transport Rule, we can allow a Distribution Group in Exchange Online to receive emails only from senders of specific domain(s).

If you have any questions you can reach out to our SharePoint Consulting team here.

15 comments:

  1. Hi,

    Great post, thank you. Is there a way to add specific external emails to this rule? Would adding the external email address as a contact and then putting that contact into the exception work?

    Thank you,
    Charles

    1. Hi Charles,

      Yes, you can add external email address as contact and have this contact configured as exception. This will work. Thank you!

  2. I did this and I can still message the distro list from my yahoo address. Not sure what is wrong here.

    1. Hi Steve,

      You can trace the message from "Exchange Control Panel -> Mail Flow -> Message Trace" and verify if the Transport Rule was executed when message was received from your yahoo address.

  3. How to reject in BCC as your method is applied to cc and to only

    1. Hello,

      In this case, you can use "Any recipient..." -> "address includes any of these words" condition. Here, you can define the email address of DL.

    2. I have set the rule up like this and it still blocks messages when I send them to and cc but bcc still can send through. Would there be another way to block BCC from going to the DL?

    3. Is there any way to also cover the BCC field? The option of "address includes any of these words" does not seem to apply to distribution groups, so is ineffective.

  4. For the rule reject with explanation, the NDR is received for each member in the group, instead of only the group email address

    1. Hi Rajeev,

      In your scenario - did you send email from a Group Email Address which is outside the organization?

  5. After the customized reject message, the NDR includes the standard "bar graph" image, then "Couldn't deliver to the following recipients: user1@domain.com, user2@domain.com ... " which thus makes the recipients of the group publicly known. Would be easy for someone to then just email them directly.

  6. I see two issues here: the bounce NDR "A custom mail flow rule created by an admin at ... has blocked your message" then lists all the distribution group members "user1@domain.com, user2@domain.com". So whoever didn't have permission to send to the group now knows all of the members' emails addys. Note that this isn't true for a basic "only domain members can be senders" rule NDR. The other fail is that "Apply this rule if -> select "The message..." -> "To or Cc box contains this person"" means that if the sender is sending "To: group@domain.com, director@domain.com" (and isn't allowed to send to the group but is otherwise unrestricted), then *neither* the Group nor the Director will get the email.

    1. Do you have any solutions to the problems you listed? I agree that it is not preferable for the bounce-back to display this info.

    2. Select 'Delete the message without notifying the recipient or sender' in the rule.

    3. The problems mentioned here are bad:
      1. The report sent to people not belonging to the whitelisted domains will show all the mail addresses belonging to the distribution list. If it is a spammer, then congrats, he got this data quite easily. The only way of preventing this is to block the message without notifying anyone.

      2. The BCC field can be used to pass this rule. Unfortunately, using "Any recipient..." -> "address includes any of these words", as somebody mentioned, doesn't work. It seems that BCC isn't included in the mail headers, so it will never match.

      The only solution would be to enable the distribution list with only the domains you want there. So, no need to enable it for all external domains. This Transportation rule looks to me like a workaround for something that Microsoft does not have. And the worst: the workaround can be passed.
