Overview
SMU has disabled automatic email forwarding in Exchange Online to external recipients. This decision aligns with industry best practices and compliance requirements to protect sensitive data and reduce the risk of data exfiltration.
Why Disable Auto-Forwarding?
- Prevent Data Leakage: Auto-forwarding can inadvertently send confidential or regulated information outside the organization without proper oversight.
- Reduce Phishing and Account Compromise Risks: Attackers often configure auto-forwarding rules after compromising accounts to silently exfiltrate data.
- Monitoring: Disabling auto-forwarding ensures that email traffic remains within monitored tools, improving phishing and spam incident detection.
What users may experience
1. Inbox rules that forward email externally will not work
Users can still create inbox rules that attempt to forward messages to an external email address (for example, a personal Gmail account), but the forwarded message will not be delivered.
2. Non‑Delivery Report (NDR) or bounce message
When an automatic forwarding attempt is blocked, the system generates a Non‑Delivery Report (NDR). The message is not rejected by the external recipient; it is blocked by the organization’s outbound policy.
Typical error text may include:
“550 5.7.520 Access denied, Your organization does not allow external forwarding.”
This NDR behavior is expected when forwarding is disabled.
3. Mailbox‑level forwarding is also blocked
If forwarding was configured by an administrator or end user at the mailbox level (sometimes called SMTP or mailbox forwarding), those messages are also blocked.
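For administrators who want to confirm the tenant-wide control and find the inbox rules and mailbox-level forwarding that this policy will block, the following Exchange Online PowerShell audit is an added example, not SMU's or Microsoft's own script. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange administrator role, and that `$InternalDomains` is replaced with the tenant's real accepted domains (the value shown is a placeholder).

```powershell
# Added audit script (not SMU's code). Assumes ExchangeOnlineManagement is installed
# and the account running it holds an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Placeholder: replace with the tenant's own accepted domains.
$InternalDomains = @('example.edu')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients can look like "Name [SMTP:user@host]"; pull out the address part.
    if ($Address -match '([\w.+-]+)@([\w.-]+)') {
        return ($InternalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

# 1. Tenant-wide control: AutoForwardingMode 'Off' blocks external auto-forwarding,
#    which is what produces the 5.7.520 NDR described above.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode, IsDefault | Format-Table -AutoSize

$findings = @()
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress

foreach ($mbx in $mailboxes) {
    # 2. Mailbox-level (SMTP) forwarding set by an admin or the user.
    $target = $mbx.ForwardingSmtpAddress
    if ($target -and (Test-ExternalAddress $target)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'; Target = $target }
    }

    # 3. Inbox rules that forward or redirect externally. These look valid in
    #    Outlook but will bounce when triggered.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalAddress "$_") }
        if ($targets) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = "InboxRule:$($rule.Name)"
                Target  = ($targets -join '; ') }
        }
    }
}

$findings | Format-Table -AutoSize
```

Anything listed under Target with an external domain is a rule or setting that users should be told about before they rely on it, since Outlook will not flag it at creation time.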
Limited Exceptions
Exceptions may be granted under the following conditions:
- Vendor or Partner Integration: When a business-critical process requires forwarding to a trusted external domain.
- Shared Service Accounts: Accounts used for automated workflows that need forwarding for operational continuity.
- Regulatory or Legal Requirements: Specific compliance scenarios where forwarding is mandated by law or contractual obligation.
Approval Process
- Submit a request via the EIT Helpdesk.
- Provide justification, external recipient details, and risk mitigation measures.
- Approval requires a review from EIT Security.
- Exceptions will be time-bound and reviewed periodically.
Additional Notes
- Forwarding within the organization (internal domains) remains unaffected.
- Users can still manually forward individual emails when necessary.
- Outlook does not display an error when the rule is created. The rule may appear enabled and valid, but messages will silently fail and generate an NDR when triggered.