
In 2026, email remains the main entry point for cyber attacks and one of the most common causes of accidental data leaks in organizations. Threats such as phishing, impersonation attempts, malware attachments, unencrypted sensitive information, and missing legal or policy disclaimers frequently pass through email systems.
Microsoft 365 Mail Flow Rules, also known as transport rules, provide IT teams with direct control over organizational email. These rules enable administrators to inspect, filter, modify, redirect, or block messages before they arrive in user inboxes, supporting email security and internal policy requirements.
Many Microsoft 365 tenants have no mail flow rules at all, or have rules that were left in test mode or never revisited after the initial setup. These gaps leave phishing, data leakage, and policy violations to be caught downstream, if they are caught at all, when the transport layer could have stopped them.
This guide provides the exact steps to implement, configure, and maintain Microsoft 365 Mail Flow Rules to protect organizational email, maintain policy requirements, and block threats at the transport layer before they enter user inboxes.
Contents
- What Mail Flow Rules Control
- 1. Understand the Four Parts of a Mail Flow Rule
- 2. Review Your Current Mail Flow Rules First
- 3. Implement Outbound Data Protection Rules
- 4. Set Up Executive Identity Protection
- 5. Block Dangerous Attachments at the Transport Layer
- 6. Add Mandatory Email Disclaimers
- 7. Control Spam Filtering for Trusted Senders
- 8. Test, Apply, and Monitor
- Improve Your Microsoft 365 Email Security with Netstager Technologies
- Our Mail Flow Rule Services Include
- Post-Deployment Requirements
What Mail Flow Rules Control
Mail flow rules evaluate every email before it is delivered and apply automated actions based on administrator-configured conditions. This differs from inbox rules, which run after a message already arrives in a user mailbox.
Organizations implement these rules for purposes such as:
- Blocking dangerous attachments before they reach end users
- Detecting and flagging impersonation attempts
- Adding legal disclaimers to outbound messages
- Allowing trusted internal systems to bypass spam filtering
- Sending specific emails for manager approval before they are delivered
- Modifying spam scoring based on sender reputation or message content
Mail flow rules run in the Exchange Online transport pipeline and evaluate every message that passes through the tenant (inbound, outbound, and internal), regardless of which mailbox sends or receives it. Every rule uses the same four-part structure, described next.
1. Understand the Four Parts of a Mail Flow Rule
Every mail flow rule has four parts. Understanding these clearly from the beginning prevents mistakes and unexpected results.
1) Conditions — When the rule applies
Conditions determine when the rule runs. The rule checks each email and looks for the conditions configured by the administrator.
Examples of conditions include:
- Sender identity
- Recipient address
- Subject line content
- Attachment type
- Message size
If multiple conditions are configured, all conditions must match for the rule to run. Within a single condition, listing several values (for example several file extensions or several sender addresses) matches if any one of them is present.
2) Exceptions — When the rule should not apply
Exceptions prevent the rule from running even when the conditions match. If an email matches the conditions and also matches an exception, the rule will not apply.
Examples of exceptions include:
- Specific internal users
- Trusted applications or systems
- Partner domains
3) Actions — What the rule does
Actions determine what happens to the email when the conditions match.
Common actions include:
- Block the message
- Encrypt the message
- Redirect the message
- Add a disclaimer
- Change the spam score
- Require manager approval
- Add recipients to BCC
Multiple actions can run within the same rule.
4) Properties — How the rule operates
Properties control how the rule runs within the system.
These settings include:
- Priority (which rule runs first)
- Active or inactive dates
- Test mode or enforce mode
- Stop processing additional rules after this rule runs
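As an added example (not from the original article), the following Exchange Online PowerShell command creates one rule that uses all four parts. It assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in; the scenario, domain, group and mailbox names are placeholders. The rule copies any message sent to a partner domain to a legal review mailbox for 30 days, except when the legal team itself is the sender.

```powershell
# Added example, not part of the original article. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange administrator sign-in.
Connect-ExchangeOnline

# Placeholders: replace with your own partner domain, group and mailbox.
$partnerDomain = 'partner.example'
$legalTeam     = 'legal-team@yourdomain.com'
$legalArchive  = 'legal-review@yourdomain.com'

$rule = @{
    Name     = 'Legal review copy - partner.example (temporary)'
    Comments = 'Ticket LEG-0000 (placeholder). Copies partner mail to legal during the review period.'

    # 1) Conditions: all configured conditions must match (AND). Here: sent to the partner domain.
    RecipientDomainIs = $partnerDomain

    # 2) Exceptions: a match on any exception prevents the rule from running.
    ExceptIfFromMemberOf = $legalTeam

    # 3) Actions: several can run in the same rule.
    BlindCopyTo      = $legalArchive
    SetAuditSeverity = 'Medium'

    # 4) Properties: order, lifetime, mode, and whether later rules still run.
    Priority           = 0                      # lowest number runs first
    ActivationDate     = (Get-Date)
    ExpiryDate         = (Get-Date).AddDays(30) # the rule stops applying after this date
    Mode               = 'Audit'                # "Test without Policy Tips"; change to Enforce later
    StopRuleProcessing = $false                 # lower-priority rules still evaluate the message
}
New-TransportRule @rule

# Confirm how Exchange stored the four parts
Get-TransportRule -Identity $rule.Name |
    Format-List Name, Priority, Mode, ActivationDate, ExpiryDate, StopRuleProcessing,
                RecipientDomainIs, ExceptIfFromMemberOf, BlindCopyTo
```

Splatting the parameters from a hashtable keeps the four parts visually separate and makes the rule easy to store in version control alongside the change ticket it belongs to.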
2. Review Your Current Mail Flow Rules First
Before creating new rules, review the rules that are already configured. Many organizations have rules created by previous administrators, temporary changes, or quick fixes that remain in the system.
- Sign in to the Exchange Admin Center at admin.exchange.microsoft.com
- Navigate to Mail flow → Rules
This section displays all mail flow rules configured for your organization.
Check each rule carefully to understand how it is configured and whether it is still needed.
For every rule, review the following:
- Rule mode
- Rule mode
Confirm whether the rule is set to Enforce or Test mode. Rules in Test mode only record matches (and optionally show Policy Tips) and do not apply the configured actions.
- Expiry date
Check whether the rule includes an expiration date that has already passed. Rules past their expiry date no longer apply, even though they remain in the list.
- Priority order
Mail flow rules run in order of priority. Rules with lower numbers run first (priority 0 runs before priority 1). Incorrect ordering, or a higher-priority rule that stops processing of further rules, can cause rules to interact in unexpected ways.
- Business relevance
Confirm that the rule still matches your organization's current users, systems, and policy requirements.
This review verifies that existing mail flow rules are active, correctly ordered, and aligned with your organization’s current requirements.
- Go to Reports → Mail flow
- Open the Exchange Transport Rule report
This report shows how often each rule matched during the selected time period.
Use this information to identify:
- Rules with zero matches for 60+ days
- Rules that trigger far more often than expected
Both situations may indicate configuration problems or rules that are no longer necessary.
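The review above can be scripted so it is repeatable. The following is an added example, not from the original article: it inventories every rule with the Exchange Online PowerShell module, flags the problems the review looks for (test mode, disabled, expired, not yet active, undocumented, and domain-wide spam bypass, which section 7 warns about), prints the list in priority order, and writes the rules needing attention to a CSV. It assumes an Exchange administrator sign-in; the output file name is a placeholder.

```powershell
# Added example, not part of the original article. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline   # sign in interactively as an Exchange administrator

$today = Get-Date
$rules = Get-TransportRule -ResultSize Unlimited | Sort-Object Priority

$findings = foreach ($r in $rules) {
    $issues = @()
    if ($r.State -ne 'Enabled')                              { $issues += 'disabled' }
    if ($r.Mode -ne 'Enforce')                               { $issues += "test mode ($($r.Mode))" }
    if ($r.ExpiryDate -and $r.ExpiryDate -lt $today)         { $issues += 'expired' }
    if ($r.ActivationDate -and $r.ActivationDate -gt $today) { $issues += 'not yet active' }
    if (-not $r.Comments)                                    { $issues += 'no description' }
    # SCL -1 applied to a whole sender domain: the misconfiguration section 7 describes
    if ("$($r.SetSCL)" -eq '-1' -and $r.SenderDomainIs) {
        $issues += 'bypasses spam filtering for a whole domain'
    }

    [pscustomobject]@{
        Priority    = $r.Priority
        Name        = $r.Name
        State       = $r.State
        Mode        = $r.Mode
        Expires     = $r.ExpiryDate
        LastChanged = $r.WhenChanged
        Issues      = ($issues -join '; ')
    }
}

# Full ordered list for the review, then only the rules that need attention
$findings | Format-Table -AutoSize
$findings | Where-Object Issues |
    Export-Csv -Path .\mailflow-rule-review.csv -NoTypeInformation   # placeholder path
```

Run this before every review cycle and diff the CSV against the previous one; rules that changed priority or mode without a matching change record are the ones to question first.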
3. Implement Outbound Data Protection Rules
This rule type addresses a common risk: sensitive information sent to external recipients without protection.
Examples include:
- Payroll spreadsheets
- Client contracts
- Patient records
- Financial reports
- Internal financial or legal documents
Assign a clear and specific name.
Example: Block unencrypted outbound financial data
This step creates a rule to protect sensitive outbound information.
Configure the rule with the following conditions.
Recipient location: Outside the organization
The rule checks whether the email is being sent to someone outside your Microsoft 365 tenant. Internal messages between employees are ignored.
Message content: Sensitive information patterns
Use the condition "The message contains any of these types of sensitive information". It scans the message body and supported attachments for the selected sensitive information types.
Examples include:
- Credit card numbers
- National ID numbers
- Bank or financial account numbers (for example IBAN)
- Custom patterns you define, such as contract reference numbers or specific legal terms
These conditions identify messages that contain sensitive information and are being sent externally. Microsoft Purview DLP policies provide richer detection and reporting for the same scenario; the mail flow rule remains useful for the routing, encryption, and approval actions described next, and the two can be used together.
Select how Microsoft 365 should handle the message when the rule conditions match.
| Message Handling Option | Purpose |
|---|---|
| Block the message and notify the sender | Prevents the email from being sent and informs the sender that sensitive information cannot be transmitted externally without protection. |
| Apply Microsoft Purview Message Encryption | Encrypts the email so sensitive information remains protected while the message is delivered to the external recipient. |
| Send the message for manager approval | Routes the message to a manager or designated approver before the email can be sent. Useful for financial, legal, or confidential communications. |
| Generate an incident report | Records the event for review by security or compliance teams while the message continues to its destination. |
These options decide how the message is processed when sensitive outbound content is detected.
Configure Notifications
Write a clear message explaining why the email was blocked, encrypted, or routed for approval.
This text is what the sender sees in the non-delivery report or notification, so state what happened, why, and what the sender should do instead (for example, encrypt the message or use an approved channel).
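The outbound data protection rule from this section, expressed in Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the security mailbox, approver address, and approved-senders group are placeholders. The rule starts in Audit mode (test without Policy Tips) so that matches are recorded before any sender is blocked.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.
$securityMailbox = 'security@yourdomain.com'          # placeholder: receives incident reports
$approver        = 'finance-director@yourdomain.com'  # placeholder: moderator for the approval variant

$rule = @{
    Name     = 'Block unencrypted outbound financial data'
    Comments = 'Section 3 outbound DLP. Starts in Audit mode; promote to Enforce after 2-4 weeks of clean results.'
    Priority = 0

    # Conditions (all must match): external recipient AND sensitive content detected
    SentToScope = 'NotInOrganization'
    MessageContainsDataClassifications = @(
        @{ Name = 'Credit Card Number';                          MinCount = 1 },
        @{ Name = 'International Banking Account Number (IBAN)'; MinCount = 1 },
        @{ Name = 'U.S. Social Security Number (SSN)';           MinCount = 1 }
    )

    # Exceptions: mail that is already protected, or from a group allowed to send this data
    ExceptIfMessageTypeMatches = 'Encrypted'
    ExceptIfFromMemberOf       = 'approved-financial-senders@yourdomain.com'  # placeholder group

    # Actions: reject with an explanation the sender will read, and report the event
    RejectMessageReasonText         = 'This message appears to contain financial account data. Encrypt it, or contact the security team, before sending it outside the organization.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    GenerateIncidentReport          = $securityMailbox
    IncidentReportContent           = @('Sender', 'Recipients', 'Subject', 'Severity', 'RuleDetections')
    SetAuditSeverity                = 'High'

    Mode = 'Audit'   # test without Policy Tips
}
New-TransportRule @rule

# Variants for the other handling options in the table above (use one action per rule):
#   encrypt instead of blocking: replace the two Reject* keys with   ApplyOME = $true
#   require approval instead:    replace them with   ModerateMessageByUser = $approver
```

Keeping the reject, encrypt, and approval variants as one-line substitutions in the same hashtable makes it straightforward to run two rules at different priorities, for example encrypting mail to known partner domains and blocking everything else.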
4. Set Up Executive Identity Protection
This rule addresses a critical risk: emails that appear to be sent by internal roles or teams (CEO, finance director, or IT department) but originate from external sources. These messages often target employees with requests such as fund transfers, password resets, or urgent approvals.
Assign a clear name.
Example: Flag external emails using internal sender names
This step creates a rule to detect misleading sender identity.
Configure the rule with the following conditions:
Sender location: Outside the organization
Checks if the email originates from an external source.
Sender display name matches internal roles or users
There is no dedicated display-name condition, so use "A message header matches these text patterns", set the header to From, and add the names to watch for, such as:
- CEO name
- Finance director
- IT manager / IT support
This detects emails where the name looks internal, but the sending address is external.
Optional (additional check): Sender domain is your organization's domain
Example: yourdomain.com
Combined with the external sender location, this detects direct spoofing of your own domain in the sender address. Treat it as a complement to SPF, DKIM, and DMARC, not a replacement, and add an exception for messages whose Authentication-Results header contains dmarc=pass so that third-party services you have authorized to send as your domain are not flagged.
These conditions identify emails that look like internal messages but are sent from outside sources.
A. Add a warning to the subject line
Example: [EXTERNAL SENDER WARNING]
A clear alert visible before opening the email.
B. Add a warning banner to the email body (HTML disclaimer)
Displays a colored warning message at the top of the email.
This is clearly visible and does not affect subject lines or email threads.
C. Send a copy to the security team
The message is shared for review.
D. Quarantine the message
The email is held for IT review before delivery.
These options specify what happens to the message after the rule conditions match.
Send a test email to an internal mailbox from an external address using a display name matching a CEO, finance director, or IT department.
Example:
Display Name: John Smith (CEO)
Email: [email protected]
Confirm that the warning, redirect, or quarantine is applied.
This step confirms the rule is working as expected.
Expert Tip: This rule targets display name spoofing, where an attacker sends from an external address they control but sets the display name to match someone inside your organization.
Default spam filters weigh domain reputation and volume patterns, and a low-volume message from a clean domain passes them easily.
This rule instead checks whether a trusted internal name appears in the From header of a message that did not originate inside the tenant, which is the pattern behind most targeted payment and credential requests.
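Both rules from this section in Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the protected names, domain, and security mailbox are placeholders. The first rule implements the display-name check with a From-header pattern match, the banner, and the security-team copy; the second implements the optional own-domain check, quarantining external mail that claims your domain and did not pass DMARC.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.
$securityMailbox = 'security@yourdomain.com'   # placeholder
$ownDomain       = 'yourdomain.com'            # placeholder

# Names to protect (placeholders). These are regular expressions applied to the raw
# From header, e.g. "John Smith <attacker@example.net>", so escape them.
$protectedNames = @('John Smith', 'Finance Director', 'IT Support', 'IT Helpdesk') |
    ForEach-Object { [regex]::Escape($_) }

$banner = @'
<div style="background:#FFF4CE;border:1px solid #C09853;padding:8px;font-family:sans-serif;font-size:12px;">
<b>Caution:</b> this message came from outside the organization but uses the name of an internal
person or team. Verify any request for payment, credentials or approval by phone before acting.
</div>
'@

# Rule 1: display-name spoofing. External origin AND a protected name in the From header.
$displayNameRule = @{
    Name                              = 'Flag external emails using internal sender names'
    Comments                          = 'Section 4: display-name impersonation. Audit first, then Enforce.'
    FromScope                         = 'NotInOrganization'
    HeaderMatchesMessageHeader        = 'From'
    HeaderMatchesPatterns             = $protectedNames
    PrependSubject                    = '[EXTERNAL SENDER WARNING] '
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    BlindCopyTo                       = $securityMailbox
    SetAuditSeverity                  = 'High'
    Mode                              = 'Audit'
}
New-TransportRule @displayNameRule

# Rule 2 (the optional check): your own domain in the sender address on a message that did
# not originate inside the tenant and did not pass DMARC. Third-party services you have
# authorized through SPF/DKIM pass DMARC and fall under the exception.
$domainSpoofRule = @{
    Name                                = 'Quarantine unauthenticated mail claiming our domain'
    Comments                            = 'Section 4 optional check. Complements DMARC; does not replace it.'
    FromScope                           = 'NotInOrganization'
    SenderDomainIs                      = $ownDomain
    ExceptIfHeaderContainsMessageHeader = 'Authentication-Results'
    ExceptIfHeaderContainsWords         = @('dmarc=pass', 'dmarc=bestguesspass')
    Quarantine                          = $true
    SetAuditSeverity                    = 'High'
    Mode                                = 'Audit'
}
New-TransportRule @domainSpoofRule
```

Because the name list is a set of regular expressions, a short first name on its own would match far too broadly; use full names, or role titles that do not occur in ordinary external mail, and review the audit-mode matches before enforcing.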
5. Block Dangerous Attachments at the Transport Layer
This rule addresses a key risk: malicious files reaching end users through email attachments before security controls respond. Ransomware and other threats are still commonly delivered through attachments.
Assign a clear name.
Example: Block high-risk inbound attachment types
This step creates a rule to restrict risky file types.
Under the rule conditions, select "Any attachment" → "file extension includes these words", and add the following file extensions:
- dll
- vbs
- ps1
- bat
- cmd
- jar
- js
- wsf
- hta
- msi
- scr
- pif
Create an additional rule with the condition "Any attachment" → "is password protected".
Password-protected files cannot be scanned for content and are commonly used to deliver malware.
These conditions identify emails that contain high-risk attachments.
Block the message and notify the sender
Use a rejection message that states which file types are not accepted and how the sender can share such files safely (for example, through an approved file-transfer service).
This action prevents risky attachments from reaching users.
Add exceptions for users or groups that require these file types for legitimate purposes.
Examples include:
- IT teams sending software packages
- Internal systems that distribute application files
This keeps necessary business processes running without interruption.
Expert Tip: The file-extension condition matches only the file name, so renaming a malicious file (for example, changing .exe to .pdf) bypasses it. Pair it with the condition "Any attachment" → "has executable content", which inspects the actual file content and catches renamed executables regardless of extension.
Check the current Microsoft documentation for the list of file types that executable-content inspection recognizes, and verify whether types such as:
- .jar (Java archives)
- .rar (self-extracting archives)
- .obj files
are covered. Add any that are not to your extension block list if they are not required in your organization.
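The three attachment rules from this section in Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the IT distribution group, rejection text, and the addition of "exe" to the extension list (the most common executable type, absent from the list above) are this example's choices. A small helper applies the shared inbound scope, exception, severity, and audit mode to each rule so the three stay consistent.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.
$rejectText   = 'Attachments of this type are not accepted by email. Use the approved file-transfer service or contact IT support.'
$itExceptions = @('it-software-distribution@yourdomain.com')   # placeholder group allowed to send these files

# Extensions from the list above, plus "exe" (added in this example)
$riskyExtensions = @('dll','vbs','ps1','bat','cmd','jar','js','wsf','hta','msi','scr','pif','exe')

function New-InboundAttachmentRule {
    param(
        [string]$Name,
        [string]$Comment,
        [hashtable]$Condition,      # the one condition that differs between the three rules
        [switch]$QuarantineInstead  # hold for IT review instead of rejecting
    )
    $rule = @{
        Name                 = $Name
        Comments             = $Comment
        FromScope            = 'NotInOrganization'   # inbound mail only
        ExceptIfFromMemberOf = $itExceptions
        SetAuditSeverity     = 'High'
        Mode                 = 'Audit'               # test first; promote to Enforce later
    }
    if ($QuarantineInstead) {
        $rule.Quarantine = $true
    } else {
        $rule.RejectMessageReasonText         = $rejectText
        $rule.RejectMessageEnhancedStatusCode = '5.7.1'
    }
    $merged = $rule + $Condition
    New-TransportRule @merged
}

# Rule 1: matches on the file name extension only
New-InboundAttachmentRule -Name 'Block high-risk inbound attachment types' `
    -Comment 'Section 5: extension list; bypassed by renaming, so rule 2 backs it up' `
    -Condition @{ AttachmentExtensionMatchesWords = $riskyExtensions }

# Rule 2: inspects file content, so a renamed executable is still caught
New-InboundAttachmentRule -Name 'Block inbound executable content' `
    -Comment 'Section 5: true file-type detection' `
    -Condition @{ AttachmentHasExecutableContent = $true }

# Rule 3: cannot be scanned, so hold for review rather than deliver
New-InboundAttachmentRule -Name 'Quarantine inbound password-protected attachments' `
    -Comment 'Section 5: unscannable archives held for IT review' `
    -Condition @{ AttachmentIsPasswordProtected = $true } -QuarantineInstead
```

Quarantining password-protected files rather than rejecting them lets IT release the occasional legitimate encrypted archive from a partner without giving senders a reason to work around the control.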
6. Add Mandatory Email Disclaimers
This rule addresses a key requirement: organizations in finance, healthcare, and legal sectors must include specific text in outbound emails.
Manual application depends on users and cannot be validated during audits.
Assign a clear name.
Example: Add disclaimer to all outbound email
This step creates a rule to add required text to outgoing messages.
Configure the rule with the following:
Recipient location: Outside the organization
This applies the rule only to external emails.
Apply to all messages
No content-based conditions are required.
These settings apply the disclaimer to all outbound emails sent outside the organization.
Write the disclaimer in HTML format.
Include:
- Organization name
- Confidentiality statement
- Required legal or regulatory text
This adds the required message to outgoing emails.
If the disclaimer cannot be added (for example, in encrypted or signed emails), set the fallback action to: Wrap
This places the original message inside a new email that includes the disclaimer.
Do not use Ignore. This skips the disclaimer for certain messages, including encrypted emails where the disclaimer may still be required.
Expert Tip: To avoid repeated disclaimers in long email threads, add an exception:
Except if the subject or body contains a unique phrase from your disclaimer. A short reference code works better than an ordinary sentence, because common wording can appear in unrelated messages and suppress the disclaimer where it is required.
This prevents the same disclaimer text from appearing multiple times in replies and forwards.
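The disclaimer rule from this section in Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the organization name, disclaimer wording, and the reference code are placeholders. The reference code is embedded in the disclaimer and is also the value the exception keys on, so replies that already carry it are skipped.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.
$refCode = 'ConfNotice2026A'   # placeholder: a single unusual word, so the word-based exception matches it

$disclaimer = @"
<div style="font-family:sans-serif;font-size:11px;color:#555555;border-top:1px solid #cccccc;margin-top:12px;padding-top:6px;">
<p><b>Example Org Ltd</b> (placeholder). This message and any attachments are confidential and
intended only for the named recipient. If you received it in error, notify the sender and delete it.</p>
<p>Regulatory text required for your sector goes here (placeholder).</p>
<p style="color:#999999;">Ref: $refCode</p>
</div>
"@

$rule = @{
    Name                               = 'Add disclaimer to all outbound email'
    Comments                           = 'Section 6: appended to external mail. Wrap fallback keeps signed/encrypted mail covered.'
    SentToScope                        = 'NotInOrganization'   # external recipients only
    ApplyHtmlDisclaimerLocation        = 'Append'
    ApplyHtmlDisclaimerText            = $disclaimer
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'                # never Ignore
    ExceptIfSubjectOrBodyContainsWords = $refCode              # thread already carries the disclaimer
    Mode                               = 'Enforce'
}
New-TransportRule @rule
```

If you later change the wording, keep the reference code the same (or add the old code to the exception list) so that threads started under the previous text are still recognized.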
7. Control Spam Filtering for Trusted Senders
This rule addresses a common issue: business emails such as vendor invoices, partner communication, and system alerts landing in the Junk folder due to strict spam filtering.
Assign a clear name.
Example: Trusted sender — bypass spam filtering
This step creates a rule for approved senders.
Be specific. Do not apply this to entire domains.
Use:
Sender email address matches a specific verified address
or
Sender IP address matches a verified IP range
These conditions limit the rule to known and approved sources. Because a From address is trivially forged, pair the address condition with "A message header includes any of these words", set to the Authentication-Results header with the word dmarc=pass, so the bypass applies only to mail that actually authenticated as that sender.
Under actions, select "Modify the message properties" → "Set the spam confidence level (SCL)" → "Bypass spam filtering".
This setting delivers the message directly to the inbox without spam filtering. Malware filtering still applies, and high confidence phishing verdicts are still quarantined regardless of the SCL a rule sets.
Check existing rules for any that allow messages through without filtering based on full domains instead of specific senders.
This is a common misconfiguration. If an account in that domain is taken over, emails from that account will be delivered directly to inboxes without filtering.
Spam Confidence Level (SCL) Reference
| SCL Value | Meaning | Default handling |
|---|---|---|
| -1 | Bypass | Delivered to the inbox; spam filtering is skipped |
| 0–4 | Not spam | Delivered normally (Exchange Online Protection assigns 0 or 1) |
| 5–6 | Spam | Moved to the Junk Email folder by the default anti-spam policy |
| 7–9 | High confidence spam | Quarantined by the default anti-spam policy |
This table shows how different SCL values affect message handling. The actions for SCL 5 and above are configurable in your anti-spam policy, so check that policy if delivery differs from the table.
Expert Tip: Do not use SCL -1 for full domains. Use it only for:
• Specific verified email addresses
• Confirmed IP ranges (such as printers, scanners, or monitoring systems)
Review these rules regularly to confirm that only approved senders are included.
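Two narrowly scoped bypass rules in Exchange Online PowerShell, as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session; the vendor address and the IP range are placeholders (203.0.113.0/24 is a documentation range). The first trusts one external address only when the message passed DMARC; the second trusts an internal device relay range, where the source IP, not the From address, is the thing being trusted.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.

# Rule 1: a single verified external address, only when the message authenticated
# (DMARC pass), so a forged From: header cannot ride the bypass.
$trustedAddressRule = @{
    Name                        = 'Trusted sender - bypass spam filtering (vendor invoices)'
    Comments                    = 'Section 7. Single address AND DMARC pass. Review quarterly.'
    From                        = 'invoices@vendor.example'       # placeholder
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = @('dmarc=pass', 'dmarc=bestguesspass')
    SetSCL                      = -1
    StopRuleProcessing          = $false    # let attachment and DLP rules still run on this mail
    Mode                        = 'Enforce'
}
New-TransportRule @trustedAddressRule

# Rule 2: an office device range (scanners, printers, monitoring) relaying through your
# connector. No address condition: the connecting IP is what is trusted.
$trustedIpRule = @{
    Name           = 'Trusted sender - bypass spam filtering (office devices)'
    Comments       = 'Section 7. Office device relay range only. Review quarterly.'
    SenderIpRanges = '203.0.113.0/24'   # placeholder
    SetSCL         = -1
    Mode           = 'Enforce'
}
New-TransportRule @trustedIpRule
```

Leaving StopRuleProcessing off matters here: a bypass rule that also stops processing would let a trusted vendor's compromised account deliver a risky attachment past the section 5 rules.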
8. Test, Apply, and Monitor
This step addresses a common issue: rules created correctly but never confirmed to work, or rules that stop working due to changes over time.
Start every new rule in Test mode without Policy Tips.
Send test emails that:
- Should trigger the rule
- Should not trigger the rule
Check the results with a message trace in the Exchange Admin Center (the rule that matched appears in the message's events) or in the Exchange transport rule report under Reports → Mail flow. Activity Explorer in Microsoft Purview shows matches for Purview DLP policies, not for mail flow rules.
This step confirms that the rule works as expected.
After confirming correct results over 2–4 weeks, update the rule mode to Enforce.
This activates the rule for all matching emails.
- Go to Reports → Mail flow
- Open the Exchange Transport Rule report
Review this report regularly.
Look for:
Rules with zero matches
These rules are not being triggered. Check whether the conditions are correct or if the rule is no longer needed.
Rules with a sudden increase in matches
A sharp increase may indicate incorrect configuration or unusual activity that needs attention.
Rules nearing expiry date
Review these rules and decide whether they should be extended, updated, or removed.
This review keeps rule activity visible and controlled.
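The test-then-enforce cycle and the three monitoring checks above, scripted in Exchange Online PowerShell as an added example that is not part of the original article. It assumes an existing Connect-ExchangeOnline session and uses the rule name from section 3 as a placeholder. The 10-day window is an assumption about how far back the detail report reaches; verify it against the current Microsoft documentation for Get-MailDetailTransportRuleReport.

```powershell
# Added example, not part of the original article. Assumes Connect-ExchangeOnline has been run.
$ruleName = 'Block unencrypted outbound financial data'   # placeholder: a rule created in Audit mode

# Matches for this rule (same data as the EAC Exchange transport rule report).
# Assumption: the detail report covers roughly the last 10 days, so request that window.
$end   = Get-Date
$start = $end.AddDays(-10)
$hits  = @(Get-MailDetailTransportRuleReport -StartDate $start -EndDate $end -TransportRule $ruleName)

"$ruleName matched $($hits.Count) messages between $($start.ToShortDateString()) and $($end.ToShortDateString())"

# Matches per day: a sudden jump on one day stands out here
$hits | Group-Object { $_.Date.Date } | Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count

# Spot-check what actually matched before trusting the rule
$hits | Select-Object -First 10 Date, SenderAddress, RecipientAddress, Subject

# Promote to Enforce only after the audit-mode matches were reviewed and look like true positives
if ($hits.Count -gt 0) {
    Set-TransportRule -Identity $ruleName -Mode Enforce
}

# Rules with zero matches in the window: candidates for a condition check or removal
$allRules = Get-TransportRule -ResultSize Unlimited
$matched  = (Get-MailDetailTransportRuleReport -StartDate $start -EndDate $end).TransportRule | Sort-Object -Unique
$allRules | Where-Object { $_.Name -notin $matched } | Select-Object Name, Mode, State

# Rules nearing expiry (next 30 days): extend, update, or remove
$allRules |
    Where-Object { $_.ExpiryDate -and $_.ExpiryDate -lt (Get-Date).AddDays(30) } |
    Select-Object Name, ExpiryDate, State, Mode
```

Because the detail report only reaches back a short window, keep a scheduled export of it if you need the 60-day zero-match view that section 2 describes; the EAC report covers a longer period than a single script run.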
Mail flow rules require regular review.
Check your full rule list:
- After organizational changes (new teams, vendors, or IT staff changes)
- When new policy or regulatory requirements apply
- After any email-related security incident
- At least once every 6 months
This keeps rules accurate and aligned with current requirements.
Improve Your Microsoft 365 Email Security with Netstager Technologies
Configuring mail flow rules in Microsoft 365 is simple, but maintaining them in a growing organization requires continuous attention. Email protection depends on understanding your organization’s data flow, policy requirements, and how rules are applied in daily operations.
In many cases, issues are not caused by missing rules, but by rules that are left in test mode, incorrectly configured, outdated, or no longer aligned with current business needs.
Netstager Technologies, your authorized Microsoft 365 partner in Kerala, handles the full scope of mail flow rule implementation, from initial review through setup, validation, and ongoing support.
Our Mail Flow Rule Services Include
- Full Rule Audit
Review of all existing rules to identify gaps, conflicts, inactive rules, and unclear configurations.
- Security Rule Implementation
Setup of key protections such as identity-based attack detection, attachment restrictions, and outbound data controls.
- Policy and Regulatory Alignment
Configuration of disclaimer rules, controlled email routing, and alignment with GDPR, HIPAA, and applicable data protection requirements.
- Ongoing Review and Updates
Scheduled or as-needed review of rule activity, priority order, and updates based on business or policy changes.
- Microsoft Purview DLP Integration
Alignment of mail flow rules with DLP policies so email controls and data protection policies work together.
Post-Deployment Requirements
Even after implementation, organizations need to manage:
- Rule Updates
Changes in staff, vendors, or tools require updates to existing rules.
- Expiry Tracking
Rules with end dates may become inactive without visibility.
- Rule Conflicts
New rules added over time can override or interfere with existing configurations.
- Licensing Changes
Changes in Microsoft 365 plans can affect rule functionality if certain features are no longer available.
To start, migrate, or maintain your business’s Microsoft 365 services, contact Netstager Technologies at +91 844 844 0112 or email [email protected].


