Exchange transport rule examples
Real-world transport rule patterns — external-sender warnings, encryption triggers, blocking, and compliance scenarios.
Exchange transport rules (now called mail flow rules) run on every message that passes through Exchange Online: inbound, outbound and internal. They are a powerful administrative tool and just as easy to misuse, so it helps to ground the concept in real-world examples.
External-sender warning
Probably the most common transport rule: prepend a warning to inbound external mail.
Condition: sender is outside the organisation, AND recipient is inside.
Action: prepend the message body with HTML:
<p style="background-color:#fef8db; padding:10px; border:1px solid #e0c46c;">
⚠️ <strong>External Email</strong>: This message originated from outside the organisation.
Don't click links or open attachments unless you trust the sender.
</p>
Helps users recognise phishing that imitates internal communication. The cost is some visual clutter and gradual habituation; the uplift is real. One caveat: the banner is injected into the message body, and Exchange cannot modify the body of a signed or encrypted message, so every disclaimer rule carries a fallback action (wrap the original as an attachment, ignore, or reject) that you should choose deliberately rather than leave at the default.
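The same rule expressed in PowerShell, as an added example that is not part of the original page. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run as an administrator; the rule name, subject tag and Comments text are illustrative choices. It starts in Audit mode so matches can be checked before the banner goes live.

```powershell
# Added example (not from the original page): the external-sender banner as a
# mail flow rule. Assumes Connect-ExchangeOnline has already been run.
# Rule name, subject tag and Comments are illustrative.

$banner = @'
<p style="background-color:#fef8db; padding:10px; border:1px solid #e0c46c;">
&#9888; <strong>External Email</strong>: This message originated from outside the organisation.
Don't click links or open attachments unless you trust the sender.
</p>
'@

New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -PrependSubject '[EXTERNAL] ' `
    -Mode Audit `
    -Priority 0 `
    -Comments 'Owner: security-ops. Purpose: external phishing-awareness banner.'

# After reviewing what matched in Audit mode, promote the rule:
# Set-TransportRule -Identity 'Tag external senders' -Mode Enforce
```

The Wrap fallback keeps signed and encrypted messages intact by attaching the original to a new message that carries the banner; Ignore delivers them unmodified and Reject bounces them. Outlook's native external tag (Set-ExternalInOutlook -Enabled $true) marks external mail in the client without touching the body and is worth enabling alongside, or instead of, a body banner.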
Auto-encrypt for sensitive content
Detect sensitive content and apply Office 365 Message Encryption (OME, now Microsoft Purview Message Encryption) automatically:
Condition: outbound message contains Sensitive Information Type "Credit Card Number" with confidence >= 75% AND count >= 3.
Action: apply Encrypt-Only OME template.
Result: an employee sends an email containing card numbers to an external recipient; Microsoft 365 encrypts it automatically, and the recipient reads it natively in Outlook or Microsoft 365, or through the encrypted-message portal with a one-time passcode.
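The condition and action above as a rule, added here as an example rather than taken from the original page. It assumes Connect-ExchangeOnline has been run and that Purview Message Encryption is enabled on the tenant; the rule name and incident-report mailbox are illustrative. The hashtable syntax for the sensitive information type is the part people get wrong, so it is spelled out.

```powershell
# Added example (not from the original page): auto-encrypt outbound mail that
# carries at least three credit card numbers detected at >= 75 % confidence.
# Assumes Connect-ExchangeOnline and Purview Message Encryption enabled.
# Rule name and incident-report mailbox are illustrative.

New-TransportRule -Name 'Encrypt outbound credit card data' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = 'Credit Card Number'; MinCount = '3'; MinConfidence = '75' }
    ) `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -GenerateIncidentReport 'dlp-alerts@yourcompany.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections `
    -SetAuditSeverity Medium `
    -Mode Enforce `
    -Comments 'Owner: compliance. Purpose: card data leaving the tenant.'
```

Confirm the template name with Get-RMSTemplate ('Encrypt' and 'Do Not Forward' are the built-in OME templates) and the classification name with Get-DlpSensitiveInformationType before creating the rule; both are matched by exact name.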
Block specific senders
Block messages from a specific external domain or sender:
Condition: sender domain is spam-domain.com.
Action: delete the message silently (no NDR, so a legitimate sender gets no feedback either) or, more politely, reject it with a custom rejection message and an enhanced status code, which produces an NDR the sender can act on.
Better than maintaining a manual block list per user: centralised and audited. For a plain sender or domain block the Tenant Allow/Block List is now the purpose-built place; reach for a mail flow rule when you need custom rejection text, an exception, or an action other than reject.
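Both options side by side, as an added example that is not part of the original page. It assumes Connect-ExchangeOnline; the rejection text and notes are illustrative.

```powershell
# Added example (not from the original page): two ways to block spam-domain.com.
# Assumes Connect-ExchangeOnline. Rejection text and notes are illustrative.

# Option A: mail flow rule that rejects with an auditable, explicit NDR.
# Swap the two Reject* parameters for -DeleteMessage $true to drop silently.
New-TransportRule -Name 'Reject spam-domain.com' `
    -SenderDomainIs 'spam-domain.com' `
    -RejectMessageReasonText 'Mail from this domain is not accepted. Contact postmaster@yourcompany.com if you believe this is an error.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -StopRuleProcessing $true `
    -Comments 'Owner: messaging team. Change record in ticket.'

# Option B: Tenant Allow/Block List entry, evaluated before mail flow rules
# and with no rule-processing cost. Block entries expire by default unless
# -NoExpiration is given.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries 'spam-domain.com' `
    -NoExpiration `
    -Notes 'Blocked after repeated phishing campaigns'
```

StopRuleProcessing on the reject rule prevents later rules (disclaimers, journaling copies) from doing work on a message that is about to be bounced anyway.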
Append legal disclaimer
The classic legal-compliance use case:
Condition: message is sent outside the organisation.
Action: append HTML disclaimer with required regulatory language and corporate contact info.
Used widely in financial services, legal firms, healthcare. Often the only transport rule on a tenant.
Journal selected senders for compliance
For specific user populations subject to regulatory recording (traders, brokers, advisors):
Condition: sender is in security group "Compliance Recording".
Action: BCC to compliance journaling mailbox journal@yourcompany.com.
Preserves a copy of regulated users' email independent of anything they do in their mailbox. Note that a Bcc copy is just another recipient: it carries no journal report, so the envelope data (Bcc recipients, expanded distribution lists) is lost. Where the regulation requires true journaling, use a journal rule to an external journaling address (Exchange Online will not accept one of its own mailboxes as the journaling target) and pair it with a third-party archive.
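The Bcc pattern beside a proper journal rule, as an added example that is not part of the original page. It assumes Connect-ExchangeOnline; the group, mailboxes and archive address are illustrative.

```powershell
# Added example (not from the original page): Bcc copy versus journal rule.
# Assumes Connect-ExchangeOnline. Group, mailboxes and archive are illustrative.

# Bcc copy: easy, but the copy is an ordinary delivery with no journal report,
# so Bcc recipients and expanded distribution lists are not recorded.
New-TransportRule -Name 'Copy regulated senders' `
    -FromMemberOf 'Compliance Recording' `
    -BlindCopyTo 'journal@yourcompany.com' `
    -Comments 'Owner: compliance. Supplementary copy only, not the system of record.'

# Journal rule: emits a journal report with the original message attached and
# the full envelope. Exchange Online rejects one of its own mailboxes as the
# journaling address, so the target is the archive vendor's journaling address.
New-JournalRule -Name 'Journal compliance recording group' `
    -Recipient 'compliance-recording@yourcompany.com' `
    -JournalEmailAddress 'journal@archive-vendor.example' `
    -Scope Global `
    -Enabled $true

# Journal reports that cannot be delivered need a landing mailbox (one per tenant).
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@yourcompany.com'
```

With -Recipient set to a distribution group, the journal rule covers messages sent to or from the group's members, which maps cleanly onto the "Compliance Recording" population in the text.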
Restrict large attachments
Condition: any attachment is larger than 25 MB.
Action: reject with custom rejection message: "Large attachments must use OneDrive / SharePoint sharing links rather than email attachments. Please upload to OneDrive and share a link instead."
Reduces email storage growth and forces better collaboration patterns.
Reply-To mismatch: a compromised-account indicator
A more advanced pattern: flag a combination that should not occur in legitimate mail from your own users.
Condition: an outbound message has an internal From address and a Reply-To header that points outside your accepted domains (a common BEC indicator: an attacker using a compromised account wants the victim's replies routed to a mailbox they control). A mail flow rule cannot compare two headers, so express it as "Reply-To header is present" with an exception for "Reply-To matches one of our domains".
Action: quarantine the message and send an incident report to the security team.
Catches a class of compromised-account behaviour. Legitimate senders do set external Reply-To addresses (ticketing systems, marketing platforms, shared mailboxes hosted elsewhere), so start in audit mode and add exceptions before enforcing.
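The detection written out, as an added example that is not part of the original page. It assumes Connect-ExchangeOnline; the accepted domains, security mailbox and rule name are illustrative. The regex on the exception is the piece to adapt: it must match every domain your users may legitimately appear under.

```powershell
# Added example (not from the original page): quarantine outbound mail from an
# internal sender whose Reply-To points outside the accepted domains.
# Assumes Connect-ExchangeOnline. Domains, mailbox and rule name are illustrative.
# Condition = "Reply-To present" AND NOT "Reply-To ends in one of our domains".

# Matches a Reply-To such as  "Jane" <jane@yourcompany.com>  or  jane@yourcompany.co.uk
$ourDomains = '@(yourcompany\.com|yourcompany\.co\.uk)\s*>?\s*$'

New-TransportRule -Name 'Quarantine Reply-To mismatch' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Reply-To' `
    -HeaderMatchesPatterns '@' `
    -ExceptIfHeaderMatchesMessageHeader 'Reply-To' `
    -ExceptIfHeaderMatchesPatterns $ourDomains `
    -Quarantine $true `
    -GenerateIncidentReport 'secops@yourcompany.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail `
    -SetAuditSeverity High `
    -Mode Audit `
    -Comments 'Owner: secops. BEC indicator. Audit first; add exceptions for ticketing and marketing platforms before Enforce.'
```

FromScope InOrganization only matches authenticated internal senders, which is what you want here: a spoofed From address arriving from the internet is the inbound banner rule's problem, not this rule's. A Reply-To header with several comma-separated addresses will only pass the exception if the last one is internal, which is the conservative behaviour for this detection.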
Operational considerations
- Order matters: rules run in priority order (0 is highest), and every matching rule acts on the message unless an earlier match set "Stop processing more rules". Where two actions conflict, the higher-priority rule's action wins.
- Test in audit mode first: every rule can run in Audit or AuditAndNotify mode (Test without / with Policy Tips in the admin centre), which records matches without acting. Promote to Enforce only after reviewing what actually matched.
- Don't over-rely on rules for security: they are brittle (a regex or domain list ages badly), they run on every message and so add latency, and they sit behind, not in place of, EOP and Defender filtering.
- Document each rule with purpose and owner — undocumented rules outlive their usefulness.
- Monitor rule processing time — slow rules slow all mail flow.
- Sensitive Information Types in conditions are limited — they don't have the same precision as full DLP policies. For complex content-based actions, use Purview DLP instead of transport rules.
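A review pass over the rule set, as an added example that is not part of the original page. It assumes Connect-ExchangeOnline; the rule name and dates are illustrative, and the columns selected from the mail flow rule report are those Exchange Online's report cmdlet returns (check with Get-Member on your tenant before relying on them).

```powershell
# Added example (not from the original page): the checks a rule owner runs
# before adding or promoting a rule. Assumes Connect-ExchangeOnline.
# Rule name is illustrative.

# 1. Inventory in evaluation order, with the documentation each rule should carry.
Get-TransportRule |
    Sort-Object Priority |
    Select-Object Priority, Name, State, Mode, StopRuleProcessing, RuleErrorAction, WhenChanged, Comments |
    Format-Table -AutoSize

# 2. Undocumented rules: prime candidates for review or removal.
Get-TransportRule |
    Where-Object { [string]::IsNullOrWhiteSpace($_.Comments) } |
    Select-Object Priority, Name, State

# 3. Rules that silently swallow mail: you want to know these exist.
Get-TransportRule |
    Where-Object { $_.DeleteMessage -eq $true } |
    Select-Object Priority, Name, State

# 4. What a rule in Audit mode actually matched over the last week.
Get-MailDetailTransportRuleReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -TransportRule 'Rule under test' |
    Select-Object Date, SenderAddress, RecipientAddress, Subject, Action |
    Format-Table -AutoSize

# 5. Promote once the matches look right.
Set-TransportRule -Identity 'Rule under test' -Mode Enforce
```

Step 1 is the list to keep in the change record: Priority and StopRuleProcessing together explain why a later rule did or did not fire, and RuleErrorAction tells you whether a rule that hits an error (a regex timeout, a malformed header) defers the message or lets it through.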
For tenants with significant compliance or security requirements, transport rules are an important tool. Use them surgically, not as a general-purpose security layer.