Your Organization Does Not Allow External Forwarding? Fix Now
If you just saw a cryptic message that says “550 5.7.520 Access Denied, Your organization does not allow external forwarding,” and don’t know what to do, stop worrying. This guide will explain exactly why you see this error and how to bypass this email forwarding limitation.
If you are an end user, you must understand one thing: this sudden roadblock is a planned occurrence set up by your IT team. This crucial security feature inside M365 is there to protect your company’s critical communication.
As an Exchange Administrator myself, I have witnessed firsthand the security risks that unregulated email forwarding poses. That is why Microsoft keeps forwarding to external recipients off by default.
However, what happens if there is a legitimate business need? Microsoft anticipated this requirement and has built in a mechanism that can either temporarily remove this security barrier or add an external email ID as a legitimate recipient. Both these changes are done at the admin level with little to no end-user involvement.
Before we start undoing the security, let us see why it is there in the first place.
Why Do You See the “Your Organization Does Not Allow External Forwarding” Message?
This is not like any other regular brick wall users encounter in their day-to-day work. The “Access Denied” message is a special filter that is, in fact, an indication that your organization’s outbound spam filter is working.
The main reason why any organization chooses to use this service is, first and foremost, security. No company wants its internal memos leaked. Moreover, if a hacker ever gets access to an employee’s mailbox, one of the first things they do is set up a silent forwarding rule. This hidden rule sends a copy of all emails that you exchange to a remote server, from where more sophisticated social engineering-style attacks can be launched.
A forwarding blocker aims to prevent this. So, instead of manually toggling settings, the best thing you can do as a regular user is get in touch with the IT department and explain the reason why you want external forwarding. If your reason is genuine, you might be allowed to add your personal ID as a legitimate recipient for certain messages.
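For admins, the silent forwarding rule described above is something that can be audited for. The PowerShell below is an added example, not part of the original article: the function names, the sample mailboxes and the contoso.example domain are constructed for illustration, and the commented section shows how the same check could be fed from Get-Mailbox and Get-InboxRule in a connected Exchange Online session.

```powershell
# Added example. Function names and sample data are hypothetical/constructed.
function Get-SmtpTarget {
    param([string]$Value)
    # Inbox-rule recipients render as '"Name" [SMTP:user@domain]' ([EX:...] is a
    # directory object); mailbox-level forwarding renders as 'smtp:user@domain'.
    if ($Value -match 'smtp:([^\]\s]+@[^\]\s]+)') { return $Matches[1].ToLower() }
    return $null
}

function Find-ExternalForward {
    param(
        [Parameter(Mandatory)] [object[]] $Items,
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    foreach ($item in $Items) {
        foreach ($raw in @($item.Targets)) {
            $addr = Get-SmtpTarget $raw
            if (-not $addr) { continue }
            if ($InternalDomains -notcontains $addr.Split('@')[-1]) {
                [pscustomobject]@{ Mailbox = $item.Mailbox; Source = $item.Source; Target = $addr }
            }
        }
    }
}

# Constructed sample: an internal rule target, an external rule target, an external mailbox forward.
$sample = @(
    [pscustomobject]@{ Mailbox = 'alice@contoso.example'; Source = "Inbox rule 'Team copy'"
                       Targets = @('"Bob" [EX:/o=ExchangeLabs/ou=Example/cn=bob]') }
    [pscustomobject]@{ Mailbox = 'carol@contoso.example'; Source = "Inbox rule '.'"
                       Targets = @('"x" [SMTP:drop@mail.example.net]') }
    [pscustomobject]@{ Mailbox = 'dave@contoso.example'; Source = 'Mailbox forwarding'
                       Targets = @('smtp:dave.home@example.org') }
)
Find-ExternalForward -Items $sample -InternalDomains 'contoso.example' | Format-Table -AutoSize

# Live use (requires Connect-ExchangeOnline; kept as comments so the block runs offline):
#   $internal = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
#   $items = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#       $mbx = [string]$_.PrimarySmtpAddress
#       [pscustomobject]@{ Mailbox = $mbx; Source = 'Mailbox forwarding'
#                          Targets = @($_.ForwardingSmtpAddress) }
#       Get-InboxRule -Mailbox $mbx | ForEach-Object {
#           [pscustomobject]@{ Mailbox = $mbx; Source = "Inbox rule '$($_.Name)'"
#                              Targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) }
#       }
#   }
#   Find-ExternalForward -Items $items -InternalDomains $internal
```

The mailbox property ForwardingAddress, which points at a directory recipient such as a mail contact, is not resolved by this example and needs a separate lookup.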
Let us witness an opposing scenario where there is no restriction on email forwarding. It will help you understand the risks.
Real Risks of Allowing Filter-Less External Forwarding
From a security standpoint, external forwarding without strict controls is a high-risk setup:
Data Leakage: If forwarding is allowed for anyone and everyone, emails that users were never supposed to share can end up outside the organization.
Compliance Violations: Uncontrolled forwarding can lead to violations of data protection laws like HIPAA and GDPR.
Reputational Damage: If an official company account is used to send spam mail, it may lead to domain-wide blacklisting.
Your Organization Does Not Allow External Forwarding? See How Admins Fix it
Admins should not alter the default policy; instead, make a new one. Here is how it’s done:
Step 1. First, log in to the Microsoft Defender portal.
Step 2. Then go to Email & collaboration > Policies & rules > Threat policies > Anti-spam.
Step 3. Click Create policy > Outbound.
Step 4. Name the policy and specify users/groups.
Step 5. Under Protection settings, set Automatic forwarding rules to On – Forwarding is enabled.
Step 6. Finally, create a policy.
The PowerShell Alternative
For those of us who prefer the speed of the command line, PowerShell is the way to go. Users can get their admin to fix the “Your Organization Does Not Allow External Forwarding” issue, but first, make sure you connect to Exchange Online PowerShell.
Step 1. Create the new policy with this command:
New-HostedOutboundSpamFilterPolicy -Name "External Forwarding Allowed - Finance Team" -AdminDisplayName "Policy to allow forwarding for the Finance Team" -AutoForwardingMode On
Step 2. Next, create the rule to apply this new policy to the right people:
New-HostedOutboundSpamFilterRule -Name "Apply Forwarding Policy to Finance Team" -HostedOutboundSpamFilterPolicy "External Forwarding Allowed - Finance Team" -FromMemberOf "FinanceTeamDistributionGroup@yourdomain.com"
(Just be sure to replace the group email with your actual target group.)
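Once the policy and rule exist, it is worth confirming that forwarding is enabled only where intended. The check below is an added example, not from the original article: it reads the tenant's outbound spam policies and rules with Get-HostedOutboundSpamFilterPolicy and Get-HostedOutboundSpamFilterRule, assumes a connected Exchange Online PowerShell session, and the finding labels are illustrative.

```powershell
# Added example. Requires an active Exchange Online PowerShell session.
$policies = Get-HostedOutboundSpamFilterPolicy
$rules    = Get-HostedOutboundSpamFilterRule

foreach ($policy in ($policies | Where-Object { $_.AutoForwardingMode -eq 'On' })) {
    # Rules reference their policy by name.
    $bound = @($rules | Where-Object { [string]$_.HostedOutboundSpamFilterPolicy -eq $policy.Name })

    if ($bound.Count -eq 0) {
        # No rule: either the default policy (covers every sender not matched by
        # another policy) or a custom policy that is not assigned to anyone.
        [pscustomobject]@{ Policy = $policy.Name; Rule = $null; Scope = $null
                           Finding = 'Forwarding On with no scoping rule' }
        continue
    }

    foreach ($rule in $bound) {
        # Named senders and groups the rule is limited to.
        $named = @($rule.From) + @($rule.FromMemberOf) | Where-Object { $_ }
        $finding = if ($rule.State -ne 'Enabled') {
            'Rule is disabled'
        } elseif (-not $named -and $rule.SenderDomainIs) {
            'Scoped to whole domain(s)'
        } else {
            'Scoped to named senders/groups'
        }
        [pscustomobject]@{
            Policy  = $policy.Name
            Rule    = $rule.Name
            Scope   = (@($named) + @($rule.SenderDomainIs) | Where-Object { $_ }) -join ', '
            Finding = $finding
        }
    }
}
```

A row with no scoping rule for a policy that has forwarding On means the setting reaches further than the single team the steps above were meant to cover.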
Creating a Copy of Exchange Online Conversations Without Forwarding
Sometimes users want to forward emails, not because they want to share information, but to create a secondary copy of conversations that is accessible even without an internet connection.
Forwarding does work, but there is a better way in which admins can perform this task for all users in an organization simultaneously. The SysTools Exchange Export Tool is an excellent option for all such use cases. It allows admins to construct an offline copy of all conversations without the security risks of live forwarding. Try the demo today.
You can learn more advanced tips about on-premise Exchange Server in our articles on how to export an Exchange mailbox to a PST file and convert an offline EDB file to a PST.
Conclusion
Here, we saw exactly what needs to be done by the admin if users complain about the “your organization does not allow external forwarding” message. As this is a security message, arbitrarily disarming the M365 cloud is probably not the best idea. Admins should instead make users understand the importance of forwarding blockers. If push comes to shove, you can make a new policy and apply it to the relevant users.