On July 21, 2020 you might have received this notification in your Office 365 Message Center to plan for an Office 365 change by August 28, 2020. People who are not aware can search their Message Center or refer MS Roadmap here.
Microsoft is updating their anti-spam policies to control the way automated external email forwarding works in O365 tenants. Currently, external forwarding through SMTP forwarding or inbox rules are enabled by default at the tenant level. As per the latest notification starting September 1, 2020 automatic forwarding will be disabled by default. So, the emails that are forwarded externally will be blocked and the sender will receive a non-delivery report (NDR). However please note, Exchange transport rules are exempted from this change.
Organizations who do not want to enable external forwarding do not have to make any change as all those emails being forwarded through SMTP forwarding or inbox rules will be blocked by default with this new change.
For Organizations who wish to continue auto-forward emails externally please do the following:
1) Find out which users or how many emails are being auto-forwarded through the SMTP forwarding and inbox rules in the organization. This can be identified by referring the Auto-forwarded messages report in the Mail flow Dashboard of the O365 Security and Compliance Center.
Once you have identified the users and number of emails going outside control this by doing the next two steps.
2) On the O365 Security and Compliance Center, navigate to Threat management -> Policy. Under Policies, lookout for Anti-spam settings. Select the default Outbound spam filter policy that will be always ON.
Click on Edit Policy -> Automatic forwarding. From the drop-down list under Automatic forwarding enabled make sure On – Forwarding is enabled is selected.
If the current setting is Automatic – System-controlled, after the change the forwarded emails will be blocked.
3) Now, click on Create an Outbound policy under Anti-spam settings. A new policy is being created to have more granular options for the auto-forwarding configuration.
Similar to step 2, under Auto forwarding select the setting On – Forwarding is enabled from drop-down list.
Next, under the Applied to section select either of the below three conditions as per your organization’s requirement. Either you can add your entire domain (along with other accepted domains), restrict to specific users only or add all the allowed users to a group.
You can also add any exceptions if required and save the policy. For detailed explanation refer here.
It is important to note that custom policies will always have higher priority when compared to the default policies.
Anish Sam Johnes 