Auto-Forwarding from Exchange. Now there’s a subject that has been beat to death. We all know how it works and it has certainly been documented enough don’t you think?
Posts from Tim and others are worthy reads. My goal here is to simply put all of this together and maybe point out some things you may not know.
There have traditionally been two options to forward from Exchange: Outlook Rules or Administrator-enabled forwarding.
- Outlook Rules: End users have 3 options as illustrated in the image below. Of course, only one can be chosen, but I have checked all three to point them out. Additionally, you can select an existing user from the GAL or contacts or enter a SMTP address ad-hoc. Regardless of which option in the rule is selected, the messages will be delivered to the user’s inbox.
2. Administrator enabled Auto-Forwarding:
This is done using EAC or Exchange Powershell.
In EAC, under Delivery options for the Mailbox.
Note here that the recipient has to exist in the Address Book.
With Powershell and set-mailbox, you have additional options:
The ForwardingAddress parameter specifies a forwarding address for messages that are sent to this mailbox. A valid value for this parameter is a recipient in your organization. You can use any value that uniquely identifies the recipient.
The ForwardingSmtpAddress parameter specifies a forwarding SMTP address for messages that are sent to this mailbox. Typically, you use this parameter to specify external email addresses that aren’t validated.
Set-Mailbox -Identity "John Woods" -DeliverToMailboxAndForward $true -ForwardingSMTPAddress email@example.com
Note the important difference and the ability to include *or* exclude delivery to the mailbox.
How messages are delivered and forwarded is controlled by the DeliverToMailboxAndForward parameter.
- DeliverToMailboxAndForward is
$true Messages are delivered to this mailbox and forwarded to the specified recipient.
- DeliverToMailboxAndForward is
$false Messages are only forwarded to the specified recipient. Messages aren’t delivered to this mailbox.
Office 365 Outlook Web Access adds an additional wrinkle here. End-users have access to a trimmed down version of the administrator forwarding option.
This is not an Outlook rule, but similar to :
Set-Mailbox -Identity “John Woods” -DeliverToMailboxAndForward $true -ForwardingSMTPAddress firstname.lastname@example.org
Of course, Office 365 users can still create rules for forward in Outlook as well.
Why you may not want to forward to external recipients
- Data leaks, typically unnoticed, to mailboxes you do not control.
- A forwarding rule could create a mail loop between your org and another.
- Forwarded messages could land your sending IP addresses on block lists.
- Forwarding could bypass your data retention requirements. *
Things you may not know about forwarding
*Outlook forwarding rules allow the message to bypass the sent items. Yep, that’s right. The rule is server-based and handled at the transport level. The messages will be in their inbox, but not the sent items folder . You can verify this with a message trace. The source context of the forwarded messages will be Transport Rule Agent. The exception to this is if the rule is run manually against existing messages. Those forwarded messages will be in the sent items. The header of each will look similar to this
If you are a Office 365 customer or run Exchange 2016 on-premises, you can mitigate this loophole.
A forward rule and a redirect rule do essentially the same thing except the forwarded message will not have a FW: in the header to indicate to the recipient that the message was forwarded. It will appear to have come directly from the original sender. Well, that’s at least what the official documentation says. From my experience, that is not entirely true. The FW: may not be in the header, but a recipient will be able to see the message was routed through another mail system. It may show “on behalf” or “via” your organization ( Google does this). And of course, if they check the internet headers, the real path will be revealed. Some recipient mail systems may even reject messages forwarded like this. If the administrator sets forwarding at the mailbox level or a 365 user sets via OWA, it is essentially a redirect.
Preventing user auto-forwarding
- Block at the remote domain level: Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled:$FALSE. This will stop the Outlook forwarding rules.
- For granular control, use a transport rule to prevent by group or user. Otherwise, block the default remote domain for auto-forwarding as above. This will also stop Outlook forwarding rules.
- Remove the ability for end-users to auto-forward in Office 365 OWA.
So there you have it. A compilation of the best of forwarding articles with some auto-tuning from me .
My recommendation: Block all auto-forwarding at all levels for users. Leave it to the professionals – your messaging administrators who can enable auto-forwarding at the server level.
I can’t think of too many business requirements for auto-forwarding, but I am sure there are out there. I hope this little update helps you understand it some more.