Microsoft recently changed the behavior of the default outbound spam filter policy setting (Automatic – System-controlled) in Exchange Online so that external email forwarding is blocked by default.


You can use outbound spam filter policies to control automatic forwarding to external recipients. Three settings are available:

  • Automatic – System-controlled: This is the default setting. This setting is now the same as Off. When this setting was originally introduced, it was equivalent to On. Over time, thanks to the principles of secure by default, this setting was gradually changed to Off for all customers. For more information, see this blog post.
  • On: Automatic external forwarding is allowed and not restricted.
  • Off: Automatic external forwarding is disabled and will result in a non-delivery report (also known as an NDR or bounce message) to the sender.

Source: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide


In the example below, the user john.doe@braintesting.net forwards inbound emails to a private email address, john.doe@matrixpost-lab.de. With the new default, these messages are no longer forwarded to external addresses.

In addition, whenever a message arrives, the mailbox on which forwarding is enabled (here john.doe@braintesting.net) receives a non-delivery report (NDR) from Microsoft 365 with the following error message:

Remote Server returned ‘550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance.


You will also find entries like these in the message trace logs.

Error: 550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)

250 2.1.5 RESOLVER.MSGTYPE.AF; handled AutoForward addressed to external recipient


To allow external email forwarding you need to adjust the Anti-spam outbound policy (Default) as follows.

https://security.microsoft.com
Policies & rules –> Threat policies –> Anti-spam


Click on Edit protection settings


By default, Automatic – System-controlled is selected here, which is now the same as Off – Forwarding is disabled.

To enable external email forwarding, switch to On – Forwarding is enabled.
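The same change can be made from Exchange Online PowerShell. The script below is an added example, not part of the original post: it reports the current forwarding mode, inventories mailboxes that forward to addresses outside the tenant, and then either switches the Default policy to On as described above or, going beyond the post, allows forwarding only for named senders through a separate policy. The policy/rule name `Allow external forwarding` and the `$mode` and `$approved` variables are assumptions made for the example.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin sign-in.
Connect-ExchangeOnline

# 1. Show the forwarding mode of every outbound spam filter policy.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

# 2. Inventory mailbox-level forwarding to domains the tenant does not own.
#    (Forwarding configured through inbox rules is not covered by this check.)
$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    ForEach-Object {
        $target = "$($_.ForwardingSmtpAddress)" -replace '^smtp:', ''
        $domain = $target.Split('@')[-1]
        if ($internal -notcontains $domain) {
            [pscustomobject]@{
                Mailbox    = $_.PrimarySmtpAddress
                ForwardsTo = $target
                KeepsCopy  = $_.DeliverToMailboxAndForward
            }
        }
    } | Format-Table -AutoSize

# 3. Apply the change. 'Global' mirrors the portal steps in this post;
#    'Scoped' leaves the Default policy blocking and allows named senders only.
$mode     = 'Scoped'                          # assumption: 'Global' or 'Scoped'
$approved = @('john.doe@braintesting.net')    # example user from this post

if ($mode -eq 'Global') {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On
}
else {
    $name = 'Allow external forwarding'       # hypothetical policy/rule name
    New-HostedOutboundSpamFilterPolicy -Name $name -AutoForwardingMode On
    New-HostedOutboundSpamFilterRule -Name $name `
        -HostedOutboundSpamFilterPolicy $name -From $approved
}

# 4. Confirm the result.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
```

With the scoped variant, mailboxes that are not listed in `$approved` keep receiving the 550 5.7.520 NDR when they try to forward externally.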



Links

Control automatic external email forwarding in Microsoft 365
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide

Configure outbound spam filtering in EOP
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-worldwide