{
	"id": "d2c1c8b1-6c06-49ac-b4dc-a20b9f8d7058",
	"created_at": "2026-04-06T00:13:49.625544Z",
	"updated_at": "2026-04-10T13:11:55.776932Z",
	"deleted_at": null,
	"sha1_hash": "fe433692b9c65f9c21c6bf47a6c8b6ca8a47746c",
	"title": "Mail flow rules (transport rules) in Exchange Online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72854,
	"plain_text": "Mail flow rules (transport rules) in Exchange Online\r\nBy AshaIyengar21\r\nArchived: 2026-04-05 23:19:11 UTC\r\nIn cloud-based organizations, you can use Exchange mail flow rules (also known as transport rules) to identify and\r\ntake action on messages that flow through your organization.\r\nMail flow rules are similar to the Inbox rules that are available in Outlook and Outlook on the web (formerly\r\nknown as Outlook Web App). The main difference is that the mail flow rules take action on messages while they're\r\nin transit, and not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions,\r\nexceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\r\nThis article explains the components of mail flow rules, and how they work.\r\nFor steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For each rule, you have the\r\noption of enforcing it, testing it, or testing it and notifying the sender. For more information about the testing\r\noptions, see Test mail flow rules in Exchange Online and Policy Tips (not available in the Built-in security add-on\r\nfor on-premises mailboxes).\r\nFor summary and detail reports about messages that matched mail flow rules, see Use mail protection reports to\r\nview data about malware, spam, and rule detections.\r\nA mail flow rule is made of conditions, exceptions, actions, and properties:\r\nConditions: Identify the messages that you want to apply the actions to. Some conditions examine\r\nmessage header fields (for example, the To, From, or Cc fields). Other conditions examine message\r\nproperties (for example, the message subject, body, attachments, message size, or message classification).\r\nMost conditions require you to specify a comparison operator (for example, equals, doesn't equal, or\r\ncontains) and a value to match.\r\nFor more information about mail flow rule conditions in Exchange Online, see Mail flow rule conditions\r\nand exceptions (predicates) in Exchange Online.\r\nExceptions: Optionally, identify the messages that the actions shouldn't apply to. The same message\r\nidentifiers that are available in conditions are also available in exceptions. Exceptions override conditions\r\nand prevent the rule actions from being applied to a message, even if the message matches all of the\r\nconfigured conditions.\r\nActions: Specify what to do to messages that match the conditions in the rule, and that don't match any of\r\nthe exceptions. There are many actions available, such as rejecting, deleting, or redirecting messages,\r\nadding additional recipients, adding prefixes in the message subject, or inserting disclaimers in the message\r\nbody.\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 1 of 7\n\nFor more information about mail flow rule actions that are available in Exchange Online, see Mail flow\r\nrule actions in Exchange Online.\r\nProperties: Specify other rules settings that aren't conditions, exceptions, or actions, for example, when the\r\nrule should be applied, whether to enforce or test the rule, and the time period when the rule is active.\r\nFor more information, see the Mail flow rule properties section in this article.\r\nNote\r\nIf you create a rule without conditions and exceptions, the rule action is applied to all messages. This result can\r\nhave unintended consequences. For example, if the rule action is to delete the message, removing the conditions\r\nand exceptions could cause the rule to delete all inbound and outbound messages for the entire organization.\r\nThe following table shows how multiple conditions, condition values, exceptions, and actions are handled in a\r\nrule:\r\nComponent Logic Comments\r\nMultiple\r\nconditions\r\nAND\r\nA message must match all the conditions in the rule. If you need to match one\r\ncondition or another, use separate rules for each condition. For example, if you\r\nwant to add the same disclaimer to messages with attachments and messages\r\nthat contain specific text, create one rule for each condition. In the EAC, you can\r\neasily copy a rule.\r\nOne condition\r\nwith multiple\r\nvalues\r\nOR\r\nSome conditions allow you to specify more than one value. The message must\r\nmatch any one (not all) of the specified values. For example, if an email\r\nmessage has the subject \"Stock price information\", and the The subject\r\nincludes any of these words condition is configured to match the words\r\n\"Contoso\" or \"stock\", the condition is satisfied because the subject contains at\r\nleast one of the specified values.\r\nMultiple\r\nexceptions\r\nOR\r\nIf a message matches any one of the exceptions, the actions aren't applied to the\r\nmessage. The message doesn't have to match all the exceptions.\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 2 of 7\n\nComponent Logic Comments\r\nMultiple actions AND\r\nMessages that match a rule's conditions get all the actions that are specified in\r\nthe rule. For example, if the actions Prepend the subject of the message with\r\nand Add recipients to the Bcc box are selected, both actions are applied to the\r\nmessage.\r\nKeep in mind that some actions (for example, the Delete the message without\r\nnotifying anyone action) prevent subsequent rules from being applied to a\r\nmessage. Other actions (for example, the Forward the message action) don't\r\nallow additional actions.\r\nYou can also set an action on a rule so that when that rule is applied, subsequent\r\nrules aren't applied to the message.\r\nThe following table describes the rule properties that are available in mail flow rules:\r\nProperty name in\r\nthe EAC\r\nParameter name in PowerShell Description\r\nPriority Priority\r\nIndicates the order in which the rules are applied\r\nto messages. The default priority is based on when\r\nthe rule is created (older rules have a higher\r\npriority than newer rules, and higher priority rules\r\nare processed before lower priority rules).\r\nYou can change the rule priority in the EAC by\r\nmoving the rule up or down in the list of rules. In\r\nthe PowerShell, you set the priority number (0 is\r\nthe highest priority).\r\nFor example, if you have one rule to reject\r\nmessages that include a credit card number, and\r\nanother one requiring approval, you'll want the\r\nreject rule to happen first, and other rules stopped\r\nfrom being applied.\r\nFor more information, see Set the priority of a\r\nmail flow rule.\r\nSeverity SetAuditSeverity\r\nSets the severity level of the incident report and\r\nthe corresponding entry that's written to the\r\nmessage tracking log. Valid values are\r\nDoNotAudit, Low, Medium, and High.\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 3 of 7\n\nProperty name in\r\nthe EAC\r\nParameter name in PowerShell Description\r\nMode Mode\r\nYou can specify whether you want the rule to start\r\nprocessing messages immediately, or whether you\r\nwant to test rules without affecting the delivery of\r\nthe message, with or without Policy Tips.\r\nPolicy Tips present a brief note in Outlook or\r\nOutlook on the web that provides information\r\nabout possible policy violations to the person\r\nthat's creating the message.\r\nFor more information about the modes, see Test\r\nmail flow rules in Exchange Online.\r\nActivate this rule\r\non the following\r\ndate\r\nDeactivate this\r\nrule on the\r\nfollowing date\r\nActivationDate\r\nExpiryDate\r\nSpecifies the date range when the rule is active.\r\nOn checkbox\r\nselected or not\r\nselected\r\nNew rules:Enabled parameter on\r\nthe New-TransportRule cmdlet.\r\nExisting rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets.\r\nThe value is displayed in the\r\nState property of the rule.\r\nYou can create a disabled rule and enable it when\r\nyou're ready to test it. Or, you can disable a rule\r\nwithout deleting it to preserve the settings.\r\nDefer the\r\nmessage if rule\r\nprocessing\r\ndoesn't complete\r\nRuleErrorAction\r\nYou can specify how the message should be\r\nhandled if the rule processing can't be completed.\r\nBy default, the rule will be ignored, but you can\r\nchoose to resubmit the message for processing.\r\nMatch sender\r\naddress in\r\nmessage\r\nSenderAddressLocation\r\nIf the rule uses conditions or exceptions that\r\nexamine the sender's email address, you can look\r\nfor the value in the message header, the message\r\nenvelope, or both.\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 4 of 7\n\nProperty name in\r\nthe EAC\r\nParameter name in PowerShell Description\r\nStop processing\r\nmore rules\r\nStopRuleProcessing\r\nThis element is an action for the rule, but it looks\r\nlike a property in the EAC. You can choose to stop\r\napplying additional rules to a message after a rule\r\nprocesses a message.\r\nComments Comments\r\nYou can enter descriptive comments about the\r\nrule.\r\nAll messages (except NDRs) that flow through your organization are evaluated against the enabled mail flow rules\r\nin your organization. Rules are processed in the order listed on the Mail flow \u003e Rules page in EAC, or based on\r\nthe corresponding Priority parameter value in the PowerShell.\r\nEach rule also offers the option of stopping to processing more rules when the rule is matched. This setting is\r\nimportant for messages that match the conditions in multiple mail flow rules (which rule do you want applied to\r\nthe message? All? Just one?).\r\nThere are several types of messages that pass through an organization. The following table shows which messages\r\ntypes can be processed by mail flow rules:\r\nType of message Can a rule be applied?\r\nRegular messages: Messages that contain a\r\nsingle rich text format (RTF), HTML, or plain\r\ntext message body, or a multipart or\r\nalternative set of message bodies.\r\nYes\r\nMessage Encryption: Messages encrypted\r\nby Message Encryption in Microsoft 365 or\r\nOffice 365. For more information, see\r\nEncryption.\r\nRules can always access envelope headers and process\r\nmessages based on conditions that inspect those headers.\r\nFor a rule to inspect or modify the contents of an encrypted\r\nmessage, you need to verify that transport decryption is\r\nenabled.\r\nYou can also create a rule that automatically decrypts\r\nencrypted messages. For more information, see Define rules\r\nto encrypt email messages.\r\nS/MIME encrypted messages Rules can only access envelope headers and process\r\nmessages based on conditions that inspect those headers.\r\nRules with conditions that require inspection of the\r\nmessage's content, or actions that modify the message's\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 5 of 7\n\nType of message Can a rule be applied?\r\ncontent can't be processed.\r\nRMS protected messages: Messages that had\r\nan Active Directory Rights Management\r\nServices (AD RMS) or Azure Rights\r\nManagement (RMS) policy applied.\r\nRules can always access envelope headers and process\r\nmessages based on conditions that inspect those headers.\r\nFor a rule to inspect or modify the contents of an RMS-protected message, you need to verify that transport\r\ndecryption is enabled by setting the\r\nTransportDecryptionSetting to Mandatory or Optional\r\nusing the Set-IRMConfiguration cmdlet.\r\nClear-signed messages: Messages that have\r\nbeen signed but not encrypted.\r\nYes\r\nAnonymous messages: Messages sent by\r\nanonymous senders.\r\nYes\r\nRead reports: Reports that are generated in\r\nresponse to read receipt requests by senders.\r\nRead reports have a message class of\r\nIPM.Note*.MdnRead or\r\nIPM.Note*.MdnNotRead .\r\nYes\r\nSystem-generated messages don't get processed by your organization's mail flow rules (or transport rules). Some\r\nof the messages that aren't processed by mail flow rules are:\r\nNon-Delivery report (NDR) generated by Exchange. The NDRs created by non-Exchange service won't be\r\ndetected as NDR by Exchange Mail flow rules, and the corresponding Mail flow rules\r\nconditions/exceptions won't be matched.\r\nMessages sent to the arbitration mailbox (like approval request notification).\r\nJournal report.\r\nThe Version or RuleVersion property value for a rule isn't important in Exchange Online.\r\nAfter you create or modify a mail flow rule, it can take up to 30 minutes for the new or updated rule to be\r\napplied to messages.\r\nYou can create a transport rule to bypass email protection filtering and allow mail to flow without delay\r\nfrom internal senders such as scanners, faxes, and other trusted sources that send attachments that are\r\nknown to be safe. Don't bypass filtering for all internal messages; in this situation, a compromised account\r\ncould send malicious content.\r\nHistory and changes to mail flow rules aren't maintained; so, you can't revert mail flow rules back to\r\nprevious states.\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 6 of 7\n\nSource: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nhttps://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
	],
	"report_names": [
		"mail-flow-rules"
	],
	"threat_actors": [],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe433692b9c65f9c21c6bf47a6c8b6ca8a47746c.pdf",
		"text": "https://archive.orkl.eu/fe433692b9c65f9c21c6bf47a6c8b6ca8a47746c.txt",
		"img": "https://archive.orkl.eu/fe433692b9c65f9c21c6bf47a6c8b6ca8a47746c.jpg"
	}
}