Chasing Email Forwarding: Who’s Forwarding Email Outside Office 365?


by Tony Redmond on 7/7/2016

Applies to: EAC, email forwarding, Exchange Online, mail redirect, Office 365, OWA, PowerShell, transport rules

If users forward email from their Office 365 mailbox, it might lead to some compliance issues or information leakage. Users might not be aware of the lurking issues and simply see forwarding as a way to have their work mail show up in their personal email account. Clear policies governing the use of email forwarding, good communication, and some tweaks to Office 365 can help solve the problem.

An Office 365 administrator recently asked how other companies deal with a situation they had just discovered: many users in their tenant had email forwarding enabled to an external address. By default, Exchange Online allows users to forward their email to anywhere they choose. On the surface, this is a useful feature because it allows individuals to consolidate messages from multiple sources in their preferred email service. Most email systems support similar functions. For instance, all email sent to my Gmail and addresses end up in my Office 365 mailbox.

From a compliance perspective, email forwarding can create huge issues. One big reason why companies want information to remain in Exchange Online mailboxes is to make sure that mail that contains important corporate information or intellectual property is indexed and discoverable and therefore available for compliance purposes. Allowing email to be forwarded to Gmail, Yahoo Mail, or any other external email service can remove all trace of messages from Office 365. Information leakage or loss of intellectual capital are not popular phrases in the CIO lexicon.

Exchange Online supports two methods to forward email from a mailbox. The methods use different mailbox attributes, but both instruct the transport service to redirect messages to another SMTP address with the option to also deliver a copy to the original mailbox.

  • The ForwardingSmtpAddress attribute is set by a user through OWA options (Figure 1) or when an administrator sets email forwarding for an account through the Office 365 Admin Center. Setting the ForwardingSmtpAddress attribute is the preferred approach within Office 365. Obviously, because the mailbox owner is able to set up email forwarding through OWA, if an administrator creates a forward for a mailbox, its existence is known to the mailbox owner.
  • The ForwardingAddress attribute can be set by an administrator through the Exchange Administration Center (EAC – edit the mailbox properties and set the forwarding address through Mailbox Features > Mail Flow > Delivery Options) or by running the Set-Mailbox cmdlet. This redirect is invisible to the mailbox owner.

A big difference between the two attributes is that ForwardingSmtpAddress supports any valid SMTP address, including those belonging to external domains. ForwardingAddress only supports addresses that are known to the tenant, including mail-enabled contacts pointing to external addresses. It is possible for a mailbox to populate the two forwarding attributes with different SMTP addresses. When this happens, Exchange Online will forward copies of all inbound messages to both addresses.

Going forward, Microsoft has indicated that the ForwardingSmtpAddress attribute should be used whenever possible. Administrators can set the ForwardingAddress attribute through PowerShell, but the belief is that administrator-controlled forwarding of email is better accomplished through a transport rule rather than applying blocks on individual mailboxes. For instance, transport rules allow exceptions to be granted to allow some people to use email forwarding and not others and can ensure that any mail that is forwarded is suitably protected using Office 365 Message Encryption or by the application of an appropriate Information Rights Management template. It is probable that Microsoft will deprecate the ForwardingAddress attribute at some time in the future and then remove it from Exchange Online.


Figure 1: How a user sets up email forwarding through OWA Options

Outlook doesn’t support the ability to set email forwarding in the same way as OWA does. Instead, users can create a rule to forward mail. However, rules can’t be used to forward email to external addresses, so the problem of leaking information through rules doesn’t arise.

Setting Up Email Forwarding in the Office 365 Admin Center

To set up email forwarding for a mailbox from the Office 365 Admin Center, select the mailbox from the Active Users view. When the user properties are displayed, click on the Email Forwarding option. The Email Forwarding status displays “None” when a forwarding address is not set or “Applied” when one exists.

Figure 2 shows the Email Forwarding option being set for a mailbox. The “Forward all email sent to this mailbox” switch must be set to On before an SMTP address can be input. No validation is performed to ensure that the SMTP address belongs to a valid account. Note the switch to determine whether copies of inbound messages are delivered to the mailbox in addition to being forwarded. When set, the forwarding address is written into the mailbox’s ForwardingSmtpAddress attribute and any value found in the ForwardingAddress attribute is cleared. The choice of whether to keep a copy of forwarded email is recorded in the DeliverToMailboxAndForward property.

As you can see, the administrator is warned that “the mailbox owner will be able to view and change these forwarding settings” (because they can see the redirect address through OWA Options). If the need exists to hide forwarding, the administrator should use EAC or PowerShell to set up the redirect through the ForwardingAddress attribute.


Figure 2: Updating email forwarding for a mailbox through the Office 365 Admin Center

All of the administrative interfaces flag warnings if redirect addresses are detected in both attributes. You can see the warning flagged by the Office 365 Admin Center in Figure 2. The Office 365 Admin Center will insist on removing the redirect contained in the ForwardingAddress attribute before it will update the email forwarding settings for a mailbox. By comparison, the Set-Mailbox cmdlet will allow you to continue with two redirects.

Here’s an example of using the Set-Mailbox cmdlet to set a forwarding address for a mailbox. In this instance, the DeliverToMailboxAndForward property is set to $True to instruct Exchange Online to forward a copy of any inbound messages to the supplied address and keep a copy in the mailbox.

[PS] C:\> Set-Mailbox -Identity "Andy Ruth" -ForwardingSmtpAddress 
 -DeliverToMailboxAndForward $True

Finding Users with Email Forwarding Set

The Office 365 Admin Center doesn’t provide a report or other method to readily identify users who are forwarding their email. Commercial products such as Cogmotive Reports include a report to identify the miscreants, but you don’t need to buy a third-party reporting product for Office 365 just to get this information as it’s easily acquired with PowerShell. In this example, we’ll only look for mailboxes that potentially use an external address as a forwarding destination.

[PS] C:\> Get-Mailbox -RecipientTypeDetails UserMailbox -Filter {ForwardingSmtpAddress -ne $Null -or ForwardingAddress -ne $Null} | Format-Table DisplayName, ForwardingSmtpAddress, ForwardingAddress -AutoSize

A quick browse of the data should be enough to identify the real problems. An obvious example that would cause concern is where people forward email to a domain owned by a competitor. In reality, that doesn’t happen too often and when it does, those people are usually quickly removed from their position. The more likely problem is where email is forwarded to a personal email account.
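The one-liner above lists both forwarding attributes but leaves the reader to work out which destinations are actually external, and a ForwardingAddress value only names a recipient object rather than an SMTP address. The following script is an added example, not code from the article: it resolves ForwardingAddress to its underlying SMTP address with Get-Recipient, compares each destination's domain against the tenant's accepted domains, and exports the external ones for the periodic review described later. It assumes an already connected Exchange Online PowerShell session; the output file name is a placeholder.

```powershell
# Added example (not from the article): find user mailboxes with either forwarding
# attribute set, resolve the destination to an SMTP address, and flag destinations
# whose domain the tenant does not own. Assumes Connect-ExchangeOnline has been run.

# Domains the tenant owns; anything else is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Filter {ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null}

$report = foreach ($mbx in $mailboxes) {
    $targets = @()

    # ForwardingSmtpAddress is stored with an "smtp:" prefix; strip it.
    if ($mbx.ForwardingSmtpAddress) {
        $targets += [pscustomobject]@{
            Source  = 'ForwardingSmtpAddress'
            Address = ($mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', '')
        }
    }

    # ForwardingAddress points at a recipient object (often a mail contact);
    # resolve it to the recipient's primary SMTP address.
    if ($mbx.ForwardingAddress) {
        $recipient = Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
        $targets += [pscustomobject]@{
            Source  = 'ForwardingAddress'
            Address = if ($recipient) { $recipient.PrimarySmtpAddress.ToString() } else { $mbx.ForwardingAddress.ToString() }
        }
    }

    foreach ($t in $targets) {
        $domain = ($t.Address -split '@')[-1].ToLower()
        [pscustomobject]@{
            DisplayName       = $mbx.DisplayName
            UserPrincipalName = $mbx.UserPrincipalName
            Source            = $t.Source
            ForwardTo         = $t.Address
            External          = ($internalDomains -notcontains $domain)
            KeepsCopy         = $mbx.DeliverToMailboxAndForward
        }
    }
}

# Show external destinations first, then save them for follow-up.
$report | Sort-Object External -Descending | Format-Table -AutoSize
$report | Where-Object External | Export-Csv -Path .\ExternalForwarding.csv -NoTypeInformation   # placeholder path
```

Because a mailbox can carry both attributes at once, the script emits one row per destination rather than one per mailbox, so a user with two redirects appears twice and neither is missed.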

Set Out a Policy and Implement Through Technology

It’s easy to extract information and locate problems, but what do you do next? The answer is best found in a policy-driven approach based on user education and enforcement. Users need to understand why the company does not want forwarding to happen and enforcement follows up if users continue to offend. The first task is therefore to create and communicate a policy to users.

Enforcement assists by identifying mailboxes with forwarding set. It’s easy to do this by running a suitable script periodically (some companies do this daily, others weekly). The data that is gathered is then used to approach users with a polite request that they should disable their forwarding and give the reasons why this is necessary. A phone call is better than email (for obvious reasons).

If the user ignores the request, another script might be invoked to turn off the forwarding. This is easily done by setting ForwardingSmtpAddress to $Null.

[PS] C:\> Set-Mailbox -Identity "User who is not listening" -ForwardingSmtpAddress $Null

Users who persistently keep on forwarding email against policy create a problem that technology cannot solve. HR and management processes must swing into place to address the problem with the user and make sure that it won’t reoccur. If it does, then clearly the person can’t take a hint and that leads to further consequences.
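The enforcement step above (ask first, then clear the forward if the user does not respond) is easy to script so that it can be re-run after each review. This is an added example, not code from the article: it reads the list of mailboxes from a CSV produced by an earlier review, clears both forwarding attributes (not just ForwardingSmtpAddress, since a mailbox may hold two redirects), and writes an audit line for each change. It assumes a connected Exchange Online session and a CSV containing a UserPrincipalName column; the file names are placeholders. Run it with -WhatIf first to see what would change.

```powershell
# Added example (not from the article): clear forwarding on mailboxes listed in a CSV
# after the owner has been asked to remove it. Assumes a connected Exchange Online
# session and a CSV with a UserPrincipalName column (both paths are placeholders).

function Disable-MailboxForwarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$LogPath = '.\ForwardingRemoval.log'
    )

    foreach ($row in Import-Csv -Path $Path) {
        $mbx = Get-Mailbox -Identity $row.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $mbx) {
            Write-Warning "Mailbox not found: $($row.UserPrincipalName)"
            continue
        }

        # Nothing to do if the user has already complied.
        if (-not $mbx.ForwardingSmtpAddress -and -not $mbx.ForwardingAddress) {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $($mbx.UserPrincipalName) already clear"
            continue
        }

        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Clear ForwardingSmtpAddress and ForwardingAddress')) {
            # Clear both attributes: a mailbox can carry two redirects at once.
            Set-Mailbox -Identity $mbx.Identity `
                -ForwardingSmtpAddress $null `
                -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false

            # Record what was removed so the change can be explained later.
            Add-Content -Path $LogPath -Value ("{0} {1} cleared (was SMTP={2} Address={3})" -f `
                (Get-Date -Format s), $mbx.UserPrincipalName, $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress)
        }
    }
}

# Preview the changes, then apply them.
Disable-MailboxForwarding -Path .\ExternalForwarding.csv -WhatIf
Disable-MailboxForwarding -Path .\ExternalForwarding.csv
```

The log file is the part worth keeping: when the user complains that their forward has disappeared, the entry shows when it was removed and what it pointed at.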

Organization-Level Blocks

If you don’t want the bother of checking for user forwarding on a regular basis, you can block forwarding to all external domains or to selected external domains. When forwarding to an external domain is blocked, the user or an administrator can still set up forwarding for a mailbox, but when the time comes to deliver new messages, Exchange Online detects that the block is in place, ignores the forward, and delivers to the original mailbox. Neither EAC nor the Office 365 Admin Center flags the issue, but PowerShell signals a warning (Figure 3).


Figure 3: PowerShell flags that an external domain is blocked for forwarding

To block forwarding to a specific external domain, you first create an object for that domain and then amend the properties of the domain object. For example, these commands block forwarding to Gmail.

[PS] C:\> New-RemoteDomain -DomainName "*" -Name ""
[PS] C:\> Set-RemoteDomain -Identity "" -AutoForwardEnabled $False

It’s usually preferable to take a granular approach to blocking, as good business reasons might exist for some forwarding activity to occur, for instance forwarding messages to an external domain belonging to another part of the company. But if the need arises, here’s how to block forwarding to all external domains.

[PS] C:\> Get-RemoteDomain | Set-RemoteDomain -AutoForwardEnabled $False

As mentioned earlier, transport rules can also be used to block forwarded messages from reaching their destination (here’s an example of how to implement such a rule). Although transport rules provide the most flexible way to process messages, the interaction between different rules can become complex, and great care is needed to ensure that rules don’t interfere with each other. This is especially true when rules are generated automatically for features such as Data Loss Prevention (DLP) or Supervisory Review policies. Testing is therefore required to ensure that the rule or rules you deploy to block forwarding don’t impact other rules.
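The remote-domain block and the transport-rule approach described in the last two sections can be combined: the remote domain setting stops forwarding to named domains outright, while the transport rule allows exceptions and can be trialled in audit mode before it rejects anything. The following is an added example, not code from the article, and it assumes a connected Exchange Online session; the domain name, rule name and exception group are placeholders. It first reports which remote domain entries still allow auto-forwarding, then blocks one named domain (creating the entry only if it does not already exist), and finally creates a transport rule in audit mode that would reject auto-forwarded messages leaving the organization unless the sender belongs to an approved group.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has been run;
# the domain, group and rule names below are placeholders.

# 1. Audit: which remote domain entries still permit automatic forwarding?
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 2. Block forwarding to one external domain, creating the entry only when needed.
$blockedDomain = 'example.com'                                    # placeholder
$entryName     = "Block forwarding to $blockedDomain"
if (-not (Get-RemoteDomain | Where-Object DomainName -eq $blockedDomain)) {
    New-RemoteDomain -Name $entryName -DomainName $blockedDomain | Out-Null
}
Get-RemoteDomain | Where-Object DomainName -eq $blockedDomain | Set-RemoteDomain -AutoForwardEnabled $false

# 3. Transport rule: reject auto-forwarded messages sent outside the tenant unless the
#    sender is a member of an approved group. Start in Audit mode so the rule's matches
#    can be reviewed against DLP and other rules before it rejects anything.
$exceptionGroup = 'ForwardingAllowed@contoso.example'             # placeholder
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf $exceptionGroup `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted by policy.' `
    -Mode Audit

# Once the audit results look right, switch the rule to enforcement:
# Set-TransportRule -Identity 'Block external auto-forwarding' -Mode Enforce
```

Keeping the exception in a group rather than in the rule itself means the approved list can be maintained without touching the rule, which reduces the chance of an edit colliding with automatically generated DLP rules.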

Overall, Exchange Online is flexible enough to offer a number of ways to approach the problem of email forwarding. The best approach is to figure out exactly what is needed to support the company’s policy on email forwarding and then run some trials as necessary to settle on the most appropriate technical solution.

Technology sometimes flounders on the rock of user intransigence. In this case, even if users really want to forward their email outside Office 365, ways and means exist to impose technical blocks. However, those blocks won’t be really effective unless you can clearly enunciate the business logic and rationale for controlling email forwarding. Composing and communicating a suitable policy might just be the biggest challenge you have to face.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Topic: Security

  • try this:
    Get-Mailbox -ResultSize unlimited | Where-Object ForwardingSmtpAddress -NE $null | select DisplayName,UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward | Out-GridView
  • The Powershell script to find all forwards has an extra space between the dash and AutoSize at the end of the script that needs to be removed.